Revision as of 14:21, 19 April 2023 edit 85.64.76.29 (talk) →Other features: OpenBSD 7.3 eliminated the need for manual intervention to enable full disk encryption during installation. ← Previous edit		Revision as of 11:24, 27 September 2023 edit undo 85.64.76.29 (talk) →Other features: Merged paragraphs about pledge(2) and about unveil(2); added explanation of both together; added Firefox as an additional example of a 'pledged'/'unveiled' application. Next edit →
Line 49: In OpenBSD 5.3, support for [[full disk encryption]] was introduced,<ref>{{cite web\|title=OpenBSD 5.3\|url=http://www.openbsd.org/53.html\|website=OpenBSD\|access-date=May 26, 2016}}</ref> but enabling it during the installation of OpenBSD had required manual intervention from the user by exiting the installer and entering some commands. Starting from OpenBSD 7.3, the installer supports enabling full disk encryption using a guided procedure, not requiring manual intervention anymore.<ref>{{cite web \|title=OpenBSD 7.3 \|url=https://www.openbsd.org/73.html \|website=www.openbsd.org \|access-date=19 April 2023}}</ref><ref>{{cite web \|title=Initial support for guided disk encryption in the installer \|url=https://undeadly.org/cgi?action=article;sid=20230308063109 \|website=undeadly.org \|access-date=19 April 2023}}</ref> OpenBSD 5.9 included support for the then–new <code>pledge</code> [[system call]] (introduced in OpenBSD 5.8 as <code>tame</code> and renamed in 5.9 to <code>pledge</code>) for restricting process capabilities to a minimal subset required for correct operation.<ref>{{cite web\|title=pledge() - a new mitigation mechanism\|url=https://www.openbsd.org/papers/hackfest2015-pledge\|website=OpenBSD\|access-date=May 19, 2018}}</ref> If the process is compromised and attempts to perform an unintended behavior, it will be terminated by the kernel. OpenBSD 6.4 introduced the <code>unveil</code> [[system call]] for restricting [[filesystem]] visibility to a minimum level.<ref>{{cite web\|title=unveil — unveil parts of a restricted filesystem view\|url=https://man.openbsd.org/unveil\|website=OpenBSD manual pages\|access-date=2020-05-15}}</ref> <code>pledge</code> and <code>unveil</code> are used together to confine applications, further limiting what they're otherwise permitted to do under the user account they're running as. Since ~~its~~the introduction of <code>pledge</code>, base OpenBSD programs (included [[Out of the box (feature)\|out of the box]] in OpenBSD), applications (handled by their developers), and ports (of applications, handled by the OpenBSD team) have been ~~changed~~updated to ~~support~~be confined with <code>pledge</code>, ~~including~~and/or <code>unveil</code>. Some examples of third-party applications updated with these features (by their developers or in OpenBSD's app ports) include the [[Chromium (web browser)\|Chromium]] and [[Firefox]] [[web browser]]s. OpenBSD 6.4 introduced the <code>unveil</code> [[system call]] for restricting [[filesystem]] visibility to a minimum level.<ref>{{cite web\|title=unveil — unveil parts of a restricted filesystem view\|url=https://man.openbsd.org/unveil\|website=OpenBSD manual pages\|access-date=2020-05-15}}</ref> == References ==

OpenBSD security features: Difference between revisions