[HN Gopher] Porting Linux Pledge to Go
       ___________________________________________________________________
        
       Porting Linux Pledge to Go
        
       Author : zdw
       Score  : 53 points
       Date   : 2023-10-25 18:04 UTC (1 days ago)
        
 (HTM) web link (flak.tedunangst.com)
 (TXT) w3m dump (flak.tedunangst.com)
        
       | jerf wrote:
       | How does pledge interact with multiple threads?
       | 
       | Is it just "it just takes effect at the time of call and it's up
       | to you to synchronize whatever you need to synchronize"? Anything
       | racing with a pledge call in an observable way is clearly
       | tempting fate anyhow.
        
         | LegionMammal978 wrote:
         | Linux pledge is built on top of seccomp, which by default only
         | applies a newly added filter to the current thread, and copies
         | it to all future threads cloned from the current thread. There
         | exists a flag (SECCOMP_FILTER_FLAG_TSYNC) to automatically copy
         | the filter to all other threads of the current process, but the
         | pledge library does not set this flag.
         | 
         | If the flag were used, then each thread's filter tree would be
         | atomically swapped out from its old version, then the thread
         | would be set to be in SECCOMP_MODE_FILTER if it isn't already.
         | Setting the mode causes the SYSCALL_WORK_SECCOMP bit to be set
         | in the thread's syscall_work field, which the thread checks
         | every time it enters a syscall from user mode. Therefore, any
         | currently-running syscall in the thread may or may not go
         | through, but all future syscalls will be subject to the new
         | filter.
         | 
         | If current long-running syscalls are a concern, then I think
         | (but haven't tested) it would be sufficient to define a signal
         | handler without SA_RESTART, then send the corresponding signal
         | to every other thread to interrupt all their syscalls. The
         | handler could even have a counter that gets incremented so that
         | the caller knows when all threads have been interrupted; this
         | is basically how libcs implement a process-wide setuid/setgid
         | on top of Linux's per-thread syscalls.
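As an added illustration of the per-thread scoping LegionMammal978 describes (this is example code, not the pledge library's), the C program below has a helper thread install a seccomp filter that refuses uname(2), first without and then with SECCOMP_FILTER_FLAG_TSYNC, and probes from the calling thread whether the filter reached it. It assumes Linux with <linux/seccomp.h> headers that define TSYNC (kernel 3.17 or later); the return codes of demo_tsync() are my own convention.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Install a minimal BPF filter in the calling thread: uname(2) fails with EPERM,
 * everything else is allowed. flags goes straight to seccomp(2). Returns 0 or -errno. */
static int install_filter(unsigned int flags) {
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_uname, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof code / sizeof code[0], .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &prog) != 0) return -errno;
    return 0;
}
/* Thread body: install with the flags pointed to by arg, hand back the result code. */
static void *installer(void *arg) {
    return (void *)(intptr_t)install_filter(*(unsigned int *)arg);
}
/* Install from a short-lived helper thread, so the filter is NOT added to the caller
 * unless the kernel copies it there. Returns the helper's install_filter() result. */
static int install_from_thread(unsigned int flags) {
    pthread_t t; void *rc;
    if (pthread_create(&t, NULL, installer, &flags) != 0) return -EAGAIN;
    pthread_join(t, &rc);
    return (int)(intptr_t)rc;
}
static int uname_blocked(void) {   /* 1 if uname(2) is refused in the calling thread */
    struct utsname u;
    return uname(&u) != 0 && errno == EPERM;
}
/* Returns 1 when the kernel behaves as described (filter installed by another thread
 * without TSYNC does not reach us, with TSYNC it does), 2 when seccomp is unusable in
 * this environment, 0 on any other outcome. Call once: the process keeps the filter. */
int demo_tsync(void) {
    if (install_from_thread(0) != 0) return 2;
    int before = uname_blocked();   /* expect 0: filter stayed on the helper thread */
    if (install_from_thread(SECCOMP_FILTER_FLAG_TSYNC) != 0) return 2;
    int after = uname_blocked();    /* expect 1: TSYNC copied the filter to every thread */
    return (before == 0 && after == 1) ? 1 : 0;
}
```

After the TSYNC install the whole process, including threads created later, refuses uname(2), which is exactly the behaviour a pledge port would want when it cannot assume it runs on the only thread.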
        
       | sshb wrote:
        | I was always wondering if it's possible to figure out pledges at
        | compile time for Go, e.g., declare in your module "I will never
        | access the network" and make the compiler verify that. (Wouldn't
        | work for assembly for sure, but is probably okay for most modules.)
        
         | FiloSottile wrote:
         | You might be interested in Capslock, which attempts to do that
         | through static analysis.
         | https://security.googleblog.com/2023/09/capslock-what-is-you...
        
       | evmar wrote:
       | Skimmed the code, seems like
       | https://humungus.tedunangst.com/r/pledge/v/tip/f/pledge.go ought
       | to call xUnveilEnd() (...right?)
        
         | twiss wrote:
         | Seems like it, though he mentions in the post that you can call
         | pledge (without "unveil") after unveil to prevent further
         | changes (and it'll handle committing the changes on Linux,
         | which isn't necessary on OpenBSD), to achieve the same thing.
        
       ___________________________________________________________________
       (page generated 2023-10-26 23:01 UTC)