
Restrict system operations on OpenBSD

Open klemensn opened this issue 2 years ago • 0 comments

Use pledge(2)[0] to limit patchelf(1) to read, write and create files. It never deals with TTY, network, process management or other subsystems.

Do so immediately in main() since mainWrapped() itself parses files whilst parsing command line arguments (--rename-dynamic-symbols).

This is to reduce patchelf's attack surface and potential damage when dealing with untrusted ELF programs.

No behaviour change in tests or real world usage observed on OpenBSD/amd64 7.4 (0.18.0 tests: 56/52/2/2 TOTAL/PASS/FAIL/SKIP).

0: https://man.openbsd.org/pledge.2

klemensn, Oct 18 '23 22:10
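The approach described in the issue, as an added example that is not patchelf's actual patch: pledge first in main(), plus a check that a pledged process really is killed when it leaves the file-only profile. The promise string is an assumption derived from pledge(2) for "read, write and create files", and `restrictToFileIo` and `violationKillsChild` are hypothetical names.

```cpp
#include <cstdio>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

// Hypothetical helper. Assumed promises for "read, write and create files"
// per pledge(2): stdio (basic libc), rpath, wpath, cpath.
// Returns 0 on success, -1 on failure; a no-op where pledge(2) is absent.
int restrictToFileIo()
{
#ifdef __OpenBSD__
    return pledge("stdio rpath wpath cpath", nullptr);
#else
    return 0;
#endif
}

// Test-suite check: a pledged child requests a socket, which needs "inet".
// Returns 1 if the kernel killed the child, 0 if it survived (no pledge),
// -1 on fork/waitpid failure. Run before pledging: fork(2) needs "proc".
int violationKillsChild()
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (restrictToFileIo() == -1)
            _exit(2);
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd != -1)
            close(fd);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFSIGNALED(status) ? 1 : 0;
}

int main()
{
    // First statement: nothing has touched argv or any input file yet.
    if (restrictToFileIo() == -1) {
        std::perror("pledge");
        return 1;
    }
    std::puts("restricted; argument and ELF parsing would start here");
    return 0;
}
```

On OpenBSD `violationKillsChild()` is expected to return 1; on systems without pledge(2) it returns 0, which shows the restriction is not in effect there.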