Re: [dev] pledge(2) patches

From: Kamil Cholewiński <>
Date: Mon, 06 Jun 2016 10:02:05 +0200

On Mon, 06 Jun 2016, Ben Woolley <> wrote:
> But then, isn't that what config.h can do? Try it in config.h and see
> how you feel. A lot of OS-specific features are enabled from
> configuration in other software.

The "problem" with pledge, is you have to let the program initialise
completely, and only then drop the privileges. Otherwise it could've
been implemented as a flag on the executable file.

If you'd make this a generic hook, it might get tricky to inject the
right behavior at the right stage, plus the cognitive cost of extra
indirection / abstraction.

Pledge is extremely human-friendly, and about as simple as it can get.
In almost every case, calling it is two lines of code, with xpledge it's
one. Compare with SecComp.

On Sun, 05 Jun 2016, FRIGN <> wrote:
> [...] why not do it like this?
> #ifndef __OpenBSD__
> int pledge(const char *promises, const char *paths[]) { return 0; }
> #endif

This is exactly how I've done it in v2:

> However, there always will remain a bad aftertaste given it's an
> OS-dependent solution.

Agree, however I've also found this:

TLDR: pledge on Linux implemented in terms of SecComp.

SecComp sucks, but so does Linux - if you can swallow all of the added
suck, it's now possible to have pledge on two different platforms. Which
IMO sets a nice precedent - what if libopenbsd was made a bit more
suckless? What if the other OS's followed? What if pledge was
standardised? Etc.

Received on Mon Jun 06 2016 - 10:02:05 CEST

This archive was generated by hypermail 2.3.0 : Mon Jun 06 2016 - 10:12:12 CEST