Again, from the start, my scenario and example was third party software. Feel free to re-read the thread from the start if you want to confirm that.
I'm not interested in retreading anything. I don't even want to continue discussing anything with you as it is, but I'm willing to see where this goes.
Show how pledge can protect against a remote root compromise in oracle. I doubt it can, you've been insisting pledge is all OpenBSD needs to protect against such attacks.
I'm not answering any more questions or taking any more detours. Stop being intellectually dishonest.
Either admit that you don't know for sure that pledge can protect against a remote root compromise in complex third party software like oracle and simply think it can, or show how it can.
If you can't do that, we're at an impasse and there won't be further discussion. Unless you post some kind of baiting comment I suppose, which wouldn't surprise me at this point.
You exec oracle with an unveil that prevents a compromised oracle from touching any data that you didn't intend, and an exec pledge that removes the ability to open any raw devices other than the ones you handed to it directly.
The program upthread will let you do that.
It won't be as good as Oracle doing its own pledges, of course, because well pledged programs narrow down their pledge set as they run -- but if you have a binary that you can't modify, this is as good as you can do with any security framework. For example, Linux has landed on the same model as pledge when they added landlock, where a program is expected to landlock itself after opening the initial handles to resources.
> You exec oracle with an unveil that prevents a compromised oracle from touching any data that you didn't intend, and an exec pledge that removes the ability to open any raw devices other than the ones you handed to it directly.
And if it needs access to an awful lot of data across the file system or raw devices (which is not uncommon for complex proprietary commercial software), what then?
> It won't be as good as Oracle doing its own pledges, of course
And that's part of the issue, because you can't count on or only use software which is making pledges, and no commercial software will at all.
> but if you have a binary that you can't modify, this is as good as you can do with any security framework.
This is where a MAC framework has a strength and advantage over pledge.
With pledge/unveil and oracle, you likely won't be able to sufficiently restrict access to data or devices to prevent lateral movement and prevent further compromise, as complex programs like that require too much access to function correctly.
With a MAC framework you can. Now the binary has no access to certain parts of the filesystem in a way that is much more secure than a chroot, only has access to syscalls it needs (on par with pledge here), can't execute other binaries, can't make library calls, can't access devices (e.g. tty, network), can't switch user context, can't do anything as root even if root were obtained, can't write to ANY files only append, can't delete ANY files, etc etc etc. You have complete granular control over many more aspects of what to permit or deny.
Pledge and unveil simply can't compare. In some scenarios they may be sufficient, but in most, and certainly in most where an attacker has root, they are not.
> And if it needs access to an awful lot of data across the file system or raw devices (which is not uncommon for complex proprietary commercial software), what then?
The same thing as any other framework. You either grant it access, or you don't. The list of files just gets long.
> And that's part of the issue, because you can't count on or only use software which is making pledges, and no commercial software will at all.
Luckily, you can pledge and unveil from outside the process, as the code above does. Once more, that runs an arbitrary command under pledges and unveils.
The thing lost is the ability reduction in access during the program lifetime, which is something that can only be done with the cooperation of the binary running; you don't have enough information to know when (for example) the code setting up the last network listener needed has been run without the help of the binary. You don't get that in most security frameworks anyways, so this is not a weakness in comparison to them.
> With a MAC framework you can. Now the binary has no access to certain parts of the filesystem in a way that is much more secure than a chroot, only has access to syscalls it needs (on par with pledge here), can't execute other binaries, can't make library calls, can't access devices (e.g. tty, network), can't switch user context, can't do anything as root even if root were obtained, can't write to ANY files only append, can't delete ANY files, etc etc etc. You have complete granular control over many more aspects of what
Yes, that's what you get with pledge and unveil.
If you think otherwise -- I gave you a program that runs any arbitrary binary; please show a demo of a jailbreak.
There is a fundamental difference which you are ignoring or blind to.
With something like pledge, you can't limit anywhere near as much as what you can limit with a MAC framework.
This means with pledge, you can only limit to what the program needs, which may well be enough (and with something like Oracle it's almost guaranteed) for an attacker to escape whatever confines you think you have in place. That simply isn't true for a MAC framework where you can limit to a greater extent and with a lot more granularity.
> Luckily, you can pledge and unveil from outside the process, as the code above does.
That doesn't help even slightly and has no bearing on the point I made.
> Yes, that's what you get with pledge and unveil.
Jesus christ no you don't. Not even close. At this point it's abundantly clear you are not familiar with MAC frameworks at all, and you're just convinced that pledge and unveil are the same thing. That's willful ignorance and nothing more.
> If you think otherwise -- I gave you a program that runs any arbitrary binary; please show a demo of a jailbreak.
You haven't shown that pledge and unveil are as good at SELinux at locking down something like Oracle, you're just claiming it is with hand waiving. pledge and unveil simply don't offer what SELinux does, and you're just dismissing that and insisting they do.
> With something like pledge, you can't limit anywhere near as much as what you can limit with a MAC framework.
Go ahead, tell me a specific thing that I can't limit with pledge and unveil. Note that everything you mentioned when discussing Oracle could be done with them.
I've provided code. You haven't even listed a threat model. You just yelled a bit about root escapes, and then when challenged to provide an example, yelled about Oracle. And then yelled a bit about how MAC provides more, without any specifics about which relevant 'more' it provides. (I certainly agree that it's more flexible, more complicated, and more difficult to configure -- but not that it's more secure).
Again, there's example code sitting right there, which can be used for something like Oracle. Prove that there's an escape.
> Go ahead, tell me a specific thing that I can't limit with pledge and unveil. Note that everything you mentioned when discussing Oracle could be done with them.
Sigh. I've listed numerous examples, and like a dipshit you just change a few words in my reply and parrot it back at me, without seemingly comprehended a thing.
At this point you are just displaying zealotry. Even Theo disagrees with you.
> I've provided code.
Fucking exactly. That shows that you are not following the discussion at all, just blindly defending your niche OS.
We were talking about complex third party programs that are hard to lock down. A short code example using pledge is, now make sure you read these next few words and try to absorb them, entirely fucking irrelevant.
We're not talking about software developers trying to prevent exploitation of trusted code, we're talking about trying to lock down untrusted code in the event of a compromise.
> You just yelled a bit about root escapes, and then when challenged to provide an example, yelled about Oracle. And then yelled a bit about how MAC provides more, without any specifics about which relevant 'more' it provides.
No, I gave specific examples, and you just hand waived them and asserted pledge and unveil offer the same capabilities and defenses without bothering to show how.
> Again, there's example code sitting right there, which can be used for something like Oracle
No it fucking can't, at all, it's entirely irrelevant and has no relationship to oracle at all. Are you on the spectrum or something? How are you failing to follow this discussion to this extent? It's honestly baffling.
> We were talking about complex third party programs that are hard to lock down. A short code example using pledge is, now make sure you read these next few words and try to absorb them, entirely fucking irrelevant.
That short code example LOCKS DOWN AN ARBITRARY THIRD PARTY PROGRAM that you pass it as a command line argument. I skipped arg parsing for simplicity, but it does exactly what you're asking for.
> No, I gave specific examples
Can you point to the code you posted that breaks out of the sandbox I gave? I seem to have missed it.
So, I'm going to go ahead and assume you are indeed on the spectrum at this point. Not that it matters. But once again you just parrot a point back at me lol.
> That short code example LCOKS DOWN A COMPLEX THIRD PARTY PROGRAM. The fact that you haven't understood this shows that you're not understanding the discussion.
It doesn't do a fucking thing to lock down Oracle you absolute twit. Oracle won't even start if you try to limit it as though it were Chrome.
Why is it somehow not in the least bit surprising that you a) think that would work and b) think it's a viable solution.
Sigh. This is honestly so fucking stupid.
Pledge can ONLY restrict a program to the syscalls it needs. If the program needs syscalls which can be used to leverage an escape or escalation, pledge is fucking useless. SELinux doesn't have that weakness. That you don't understand this fundamental difference shows you're out of your depth, and that as suspected you're a waste of time to try and educate.
I'm not going to reply to you again given how technically illiterate you are in this context. Given how insecure and religious towards OpenBSD you seem to be, I'm assuming you're going to need to have the last word, and likely will yet again just parrot back a paraphrased version of one of my replies to you...yet again demonstrating your lack of originality or comprehension.
Have fun with that, and I hope having the last word gives you that little boost of self-confidence you seem to be craving to compensate for your clear lack of knowledge.
Yikes—you broke the site guidelines really, really, really badly, dozens of times in this thread. That's definitely not ok and I've banned the account.
I'm sure you know a lot and I normally wouldn't ban an account without warning at least once first, but the way you behaved in this thread was just way too extreme. I know this sort of no-holds-barred flamewar is standard in some systems-oriented communities and I don't have any judgment about that, but HN is much larger and we can't afford to have accounts posting like this—it would lead straight to the self-incineration of this site (by masses of people who likely know a lot less than you do).
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
I'm not interested in retreading anything. I don't even want to continue discussing anything with you as it is, but I'm willing to see where this goes.
Show how pledge can protect against a remote root compromise in oracle. I doubt it can, you've been insisting pledge is all OpenBSD needs to protect against such attacks.
I'm not answering any more questions or taking any more detours. Stop being intellectually dishonest.
Either admit that you don't know for sure that pledge can protect against a remote root compromise in complex third party software like oracle and simply think it can, or show how it can.
If you can't do that, we're at an impasse and there won't be further discussion. Unless you post some kind of baiting comment I suppose, which wouldn't surprise me at this point.