OpenBSD
One of the best OSes I have used for a DMZ host, by far.
- always up to date
- secure by default
- RTFM (the man pages are excellent; pledge(2) and unveil(2) are a good start)
Pledge and Unveil
The pledge system call in OpenBSD restricts what a process may do: the program declares the groups of functionality (promises) it still needs, and any system call outside that set kills the process with an uncatchable SIGABRT. Later calls can only narrow the set, never widen it.
int pledge(const char *promises, const char *execpromises);
- promises: a space-separated string of promise names (e.g. "stdio rpath"); each promise enables a group of related system calls, and the process may only use those from then on
- execpromises: the promises that will be applied to the new program after a successful execve(2); pass NULL to leave the current value unchanged
    #include <unistd.h>
    #include <stdlib.h>
    #include <err.h>

    // . . .

    // promises can only be reduced by later calls, so ask up front for
    // everything the program will ever need
    if (pledge("stdio rpath dns", NULL) == -1)
        err(1, "pledge");
    // only stdio, rpath and dns syscalls work now
    // ex: fopen("/var/www/something", "r")

    // . . .

    // drop rpath once the files are open; pledging "stdio dns" after only
    // "stdio rpath" would fail with EPERM because dns was never promised
    if (pledge("stdio dns", NULL) == -1)
        err(1, "pledge");
    // now you can only use stdio and dns
    // ex: getnameinfo
There's also unveil, which restricts a process's view of the filesystem: only the paths it names stay reachable, each with the permissions given (a string made of r, w, x and c for read, write, execute and create/remove), and everything else becomes inaccessible.
int unveil(const char *path, const char *permissions);
for example:
    if (unveil("/dev/stdin", "r") == -1)
        err(1, "unveil input");
    if (unveil("/dev/stdout", "w") == -1)
        err(1, "unveil output");
    // permissions are a string of r, w, x and c only; "rb" is rejected with EINVAL
    if (unveil("/myfile", "r") == -1)
        err(1, "unveil file");
    if (unveil(NULL, NULL) == -1) // lock everything else: no further unveil() calls allowed
        err(1, "unveil all");
    // only the files/directories listed above are reachable from here on
    . . .
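Putting the two together, here is an added example of the usual pattern in a real program (my own code, not from the OpenBSD manual pages or the author of this page): pledge coarsely first, unveil the one file you need, lock the view, do the privileged open, then pledge again with a narrower set. The `sb_` wrappers and the `__OpenBSD__` check are an assumed portability convention: on OpenBSD they call the real pledge(2)/unveil(2), elsewhere they are no-ops so the same source still builds. The wrapper also rejects bad permission strings such as "rb" before the system call, so the mistake is caught on every platform.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed portability wrapper: real pledge(2) on OpenBSD, no-op elsewhere. */
static int sb_pledge(const char *promises, const char *execpromises)
{
#ifdef __OpenBSD__
    return pledge(promises, execpromises);
#else
    (void)promises; (void)execpromises;
    return 0;
#endif
}

/* unveil(2) permissions may only contain r, w, x and c; anything else
 * (e.g. "rb") is refused with EINVAL on OpenBSD. */
int unveil_perms_valid(const char *permissions)
{
    if (permissions == NULL || *permissions == '\0')
        return 0;
    for (; *permissions != '\0'; permissions++)
        if (strchr("rwxc", *permissions) == NULL)
            return 0;
    return 1;
}

/* Assumed portability wrapper: unveil(NULL, NULL) locks the view, any other
 * call must carry a valid permission string (checked even on non-OpenBSD). */
static int sb_unveil(const char *path, const char *permissions)
{
    if (!(path == NULL && permissions == NULL) && !unveil_perms_valid(permissions)) {
        errno = EINVAL;
        return -1;
    }
#ifdef __OpenBSD__
    return unveil(path, permissions);
#else
    (void)path;
    return 0;
#endif
}

/* Read the first line of `path` under a sandbox that is tightened in steps.
 * One-shot per process: once "stdio" is the only promise, a second call
 * cannot get rpath/unveil back and fails with EPERM on OpenBSD.
 * Returns the line length (newline stripped), or -1 on error. */
ssize_t read_first_line_sandboxed(const char *path, char *buf, size_t buflen)
{
    int fd;
    ssize_t n, i;

    if (buflen == 0)
        return -1;
    /* 1. coarse pledge: still need rpath to open and unveil to set the view */
    if (sb_pledge("stdio rpath unveil", NULL) == -1)
        return -1;
    /* 2. expose exactly one file, read-only, then lock the view */
    if (sb_unveil(path, "r") == -1 || sb_unveil(NULL, NULL) == -1)
        return -1;
    /* 3. the one privileged operation, while rpath is still promised */
    fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    /* 4. tighten: reading an already-open fd only needs "stdio" */
    if (sb_pledge("stdio", NULL) == -1) {
        close(fd);
        return -1;
    }
    n = read(fd, buf, buflen - 1);
    close(fd);
    if (n == -1)
        return -1;
    for (i = 0; i < n && buf[i] != '\n'; i++)
        ;
    buf[i] = '\0';
    return i;
}

/* Demo helper: 1 if the sandboxed read works and the line contains `needle`. */
int first_line_contains(const char *path, const char *needle)
{
    char line[256];
    if (read_first_line_sandboxed(path, line, sizeof line) < 0)
        return 0;
    return strstr(line, needle) != NULL;
}

int main(int argc, char **argv)
{
    char line[256];
    if (argc != 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 1;
    }
    if (read_first_line_sandboxed(argv[1], line, sizeof line) < 0) {
        perror("sandboxed read");
        return 1;
    }
    printf("%s\n", line);
    return 0;
}
```

Run it as `./a.out /etc/passwd`; on OpenBSD, point it at a second file in a debugger after the read and the open(2) is refused, because rpath is gone and the path was never unveiled. Note that even cleanup is affected: unlinking the file afterwards would need "cpath" and the "c" unveil permission, both deliberately never granted here.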
:D