Syscall origin verification is orthogonal to pledge and is not really even a sec... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

saagarjha on July 15, 2022 | parent | context | favorite | on: Show HN: Porting OpenBSD Pledge() to Linux

Syscall origin verification is orthogonal to pledge and is not really even a security feature at all without strong CFI. The general consensus right now is that strong CFI is kind of a mythical unicorn that doesn't exist. pledge remains useful even though this is true, so syscall origin verification is not a prerequisite.

knorker on July 15, 2022 [–]

Yeah I said "compare" just as an illustration of the control that OpenBSD can and does exercise over the interface between user space and kernel space.

saagarjha on July 15, 2022 | [–]

Yeah, that is true. IMO seccomp is kind of not useful unless you own the libc.

Consider applying for YC's Spring batch! Applications are open till Feb 11.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact