Hi list,

I have been experimenting with unveil[1] and pledge[2] on Dillo to reduce possible attack surface. Right now these system calls are exclusive to OpenBSD, but there are projects[3] working to bring them to Linux and other systems. Basically, unveil restricts which areas of the filesystem a program can access, and pledge restricts which system calls the program is allowed to make.

[1] https://man.openbsd.org/unveil.2
[2] https://man.openbsd.org/pledge.2
[3] https://justine.lol/pledge/

Initial testing indicates that both of these features are working correctly with Dillo. I am including a patch which provides some basic filesystem protection, and limits Dillo to the minimum amount of syscalls possible.

If anyone has questions or comments, they are welcome.

Regards,
Alex

--- a/src/dillo.cc Fri Jun 14 22:27:18 2024 +++ b/src/dillo.cc Sat Jul 20 15:16:42 2024 @@ -24,6 +24,7 @@ #include <stdio.h> #include <unistd.h> +#include <err.h> #include <stdlib.h> #include <time.h> #include <sys/types.h> @@ -397,6 +398,24 @@ int main(int argc, char **argv) FILE *fp; srand((uint_t)(time(0) ^ getpid())); + + // Unveil and Pledge + if (unveil("/usr", "rx") == -1) { + err(1, "unveil failed"); + } + if (unveil("/tmp", "rwc") == -1) { + err(1, "unveil failed"); + } + if (unveil("/etc", "r") == -1) { + err(1, "unveil failed"); + } + if (unveil("/home", "rwc") == -1) { + err(1, "unveil failed"); + } + if (pledge("stdio rpath wpath cpath inet unix dns tty proc prot_exec", + NULL) == -1) { + err(1, "pledge failed"); + } // Some OSes exit dillo without this (not GNU/Linux). signal(SIGPIPE, SIG_IGN);
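Review bot: in the first hunk, `#include <err.h>` is a BSD extension rather than POSIX, and the `unveil()`/`pledge()` prototypes the second hunk relies on are only declared in OpenBSD's <unistd.h>, so this include (and the calls that depend on it) should be wrapped in `#ifdef __OpenBSD__` (or a configure-time check) so that dillo.cc keeps compiling on Linux and the other systems Dillo supports; on those platforms the sandbox block should compile to nothing. Suggested form: `#ifdef __OpenBSD__` / `#include <err.h>` / `#endif`.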
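Review bot: in the second hunk the four `err(1, "unveil failed")` calls print identical messages, so a failure cannot be traced to the directory that caused it; use `err(1, "unveil %s", path)` (or iterate over a small table of path/permission pairs) so the message names the rejected path. Two points on the policy itself: `unveil("/home", "rwc")` grants read, write and create access to every user's home directory, whereas the browser only needs its own configuration and download locations under the current user's home, so derive that path from getenv("HOME") (falling back to getpwuid(getuid())) and unveil it instead of "/home"; and the promise string contains "proc" but not "exec", which permits fork(2) but makes the kernel kill the process on any execve(2), so please confirm that nothing Dillo does later in this process needs to execute another program, and add "exec" (or drop "proc") accordingly. Because "unveil" is not among the promises, this pledge call also locks the unveil list, which is the correct ordering; keep the pledge after the last unveil if the block is ever moved.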