Hacker News

I get what they mean and it's not really crazy talk. The difference between a project in the sense of systemd and a project in the sense of OpenBSD is pretty big. If I told you that wget was requiring changes to all user behavior, you would laugh it off and wonder where they got the agency to demand that. Many folks view the people with such agency as the kernel developers and the GNU project, not a project such as systemd. They are probably wrong these days. This is different from the pick of a BSD.



Meanwhile OpenBSD adds pledge(2), patches most of their userspace to support it, and is praised across the board.

If Linux tried to add pledge you'd have people coming out of the woodwork claiming that Linux was breaking UNIX and requiring "Linux specific" patches to every project.


Well, first, it's pretty much in the DNA of OpenBSD to try security implementations like pledge.

Second, and much different from what systemd just did, pledge does not affect any program that doesn't use pledge. From an external caller's point of view, each changed userland program should act in the exact way that it did before the change.

A programmer can safely ignore pledge and nothing has changed for them. A user can safely ignore pledge as it shouldn't change their usage.

If Linux (I would guess more appropriately the maintainers of the GNU userland) tried this under those conditions, it would still be an internalized change that shouldn't affect anyone outside the project except in the positive as an exploit mitigator.

The bottom line is: OpenBSD is not requiring changes in other developers' programs or in user usage to continue to run in the same way they have run in the past.
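The opt-in pattern the comment above describes, as an added example that is not code from the thread or from OpenBSD: a small tool that pledges itself down in stages, with a no-op fallback (an assumption for non-OpenBSD builds) so that callers see the same external behaviour whether or not pledge(2) exists.

```c
/* Added example, not code from the thread. A pledge-aware tool that opts
 * in by stages; the stub below (assumed for non-OpenBSD builds) keeps the
 * external behaviour identical where pledge(2) does not exist. */
#include <stdio.h>
#include <unistd.h>

#ifdef __OpenBSD__
/* pledge(2) is declared in <unistd.h> on OpenBSD. */
static int restrict_promises(const char *promises) {
    return pledge(promises, NULL);
}
#else
/* Fallback for systems without pledge: a no-op, so a program or user that
 * never heard of pledge sees exactly the old behaviour. */
static int restrict_promises(const char *promises) {
    (void)promises;
    return 0;
}
#endif

/* Write a small constructed sample file so the example runs offline. */
int write_sample(const char *path) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs("alpha\nbeta\ngamma\n", fp);
    return fclose(fp);
}

/* Count newlines in a file. Promises shrink as work proceeds: "stdio rpath"
 * (may open files for reading), then "stdio" once the file is open. On
 * OpenBSD a later attempt to open another file would kill the process;
 * pledge is process-wide and cannot be widened again, so a real tool does
 * this once in main rather than per call. */
long count_lines(const char *path) {
    if (restrict_promises("stdio rpath") == -1) return -1;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    if (restrict_promises("stdio") == -1) { fclose(fp); return -1; }
    long n = 0;
    int c;
    while ((c = fgetc(fp)) != EOF)
        if (c == '\n') n++;
    fclose(fp);
    return n;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/tmp/pledge_sample.txt";
    if (argc < 2 && write_sample(path) != 0) return 1;
    printf("%ld lines\n", count_lines(path));
    return 0;
}
```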


My understanding is that programs which don't call pledge don't break under OpenBSD, they just don't get the corresponding security improvements.


Pledge was not praised across the board for precisely the reasons you mention. It's optional so no one aiming for portability will implement it, it's not user configurable, permissions are too broad, it's unusable by any application that isn't pledge-aware, etc.

Now SELinux isn't perfect by any meaning, but the key difference is that applications can be SELinux aware if they choose, but you can still have full protection without the application knowing that it exists.

I would much rather try to improve SELinux than try to make pledge work for precisely this reason.


It is also the reason why most common advice is to just turn off SELinux. It blocks valid (although sometimes weird) usage, because someone else decided that 90% of users should not do something.

A developer knows better what a program should and should not do and is much more capable of setting this kind of rule with pledge.


Let's not forget that SELinux came out of the defensive side of the NSA. It's to block attacks on government systems from both outside and inside. In essence it is the concept of "trusted computing" given form.

And that concept in turn means that a general can put a trusted system into hostile territory and trust it to not leak secrets.

And the NSA still cares about it. Around the time of the last kdbus dustup, someone from the NSA voiced a worry about how kdbus would compromise certain parts of SELinux.


They can patch in their versions of tools as much as they want. And if some third-party project doesn't want to integrate pledge it works just as well as before.



