Project

General

Profile

Actions

Feature #2895

closed

OpenBSD pledge support

Added by Emmanuel Roullit almost 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Currently, on OpenBSD, Suricata runs with unrestricted access to the available system operation.
The amount of allowed system operations can be restricted to a minimum without hindering Suricata operation by leveraging the pledge(2) [1] syscall.

So far, Suricata can run with the following promises:
  • "stdio" to allow read(2) on IPS rules and write(2) on log file
  • "rpath wpath cpath" to allow log rotation
  • "unix" to operate the control unix socket and log unix sockets
  • "dns" to retrieve DNS from recvfrom(2)/sento(2) in IPFW mode
  • "bpf" as suricata uses libpcap, which uses the BIOCGSTATS operation

If you know a use case which requires an extension on the promises list, let me know.

[1]: https://man.openbsd.org/pledge.2

Actions

Also available in: Atom PDF