1. 34

  2. 4

    How many of these languages offer enough visibility into what the environment and libraries are doing for pledge to be truly useful/reliable?

    I don’t know that I’d trust myself to shut off access to a big part of the system for, e.g., the Haskell runtime, or the Go runtime. I’d be worried that some innocent-looking function call would lead to something disallowed happening, and killing the program.

    This feels like a bad enough problem in C or C++ with deep dependency stacks. Adding in thick runtimes, and lots of third-party dependencies that tend to get updated frequently, would make me feel a bit uneasy about this.

    1. 4

      A few off-the-cuff answers.

      Somebody knows. Ask them.

      Or somehow this community knowledge will emerge.

      Or guess and check.

      The runtime probably isn’t doing that much crazy stuff. Allowing it to allocate memory may be sufficient. Maybe create threads.

      1. 2

        I see this as a reasonable trade-off, and (sort of) the point of “pledge” - by using it, you are trading your convenience as a developer for the safety of your end-users. You will spend a substantial amount of your time exploring and testing all different code paths of your library or app, yet in return, your users have a solid guarantee your application does only the things listed in the pledge.

        1. 1

          A tool which converts a ktrace log to a minimal pledge set might be interesting.
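          Added example, not from this thread or from any of the binding projects mentioned in it: a Python sketch of the ktrace-to-pledge idea. It reads kdump(1)-style `CALL` lines (the sample lines below are constructed to approximate kdump output, not a real trace), proposes a promise set, and reports every syscall it could not map so that a person reviews it rather than the tool silently guessing. The syscall-to-promise table is a hand-transcribed, deliberately incomplete approximation of the categories in pledge(2), not an authoritative list; a real tool would also need to follow descriptors from `socket()` through `RET` lines and handle `ioctl(2)` per request. As the reply below notes, any trace-derived set only covers the code paths the run actually exercised.

          ```python
          """Derive a candidate pledge(2) promise set from kdump(1)-style CALL lines.

          Added illustration; the mapping is a simplified approximation of pledge(2)
          and must be reviewed by a human before use.
          """
          import re
          from typing import Dict, List, Optional, Set, Tuple

          # A kdump CALL line looks roughly like:
          #   " 71320 fetch    CALL  open(0x7f7ffffe1d20,0<O_RDONLY>)"
          CALL_RE = re.compile(r"^\s*\d+\s+\S+\s+CALL\s+(\w+)\((.*)\)\s*$")

          # Syscalls whose promise does not depend on their arguments (simplified).
          SIMPLE: Dict[str, str] = {
              "read": "stdio", "write": "stdio", "close": "stdio", "fstat": "stdio",
              "mmap": "stdio", "munmap": "stdio", "exit": "stdio", "getpid": "stdio",
              "sigaction": "stdio", "clock_gettime": "stdio",
              "stat": "rpath", "lstat": "rpath", "access": "rpath",
              "readlink": "rpath", "chdir": "rpath",
              "unlink": "cpath", "mkdir": "cpath", "rmdir": "cpath",
              "rename": "cpath", "symlink": "cpath", "link": "cpath",
              "chmod": "fattr", "fchmod": "fattr", "chown": "fattr", "utimes": "fattr",
              "fork": "proc", "vfork": "proc", "kill": "proc",
              "execve": "exec",
              "flock": "flock",
          }

          # socket(2) family -> promise; later socket ops inherit the families seen.
          SOCKET_FAMILY = {
              "PF_INET": "inet", "AF_INET": "inet", "PF_INET6": "inet", "AF_INET6": "inet",
              "PF_UNIX": "unix", "AF_UNIX": "unix", "PF_LOCAL": "unix", "AF_LOCAL": "unix",
          }
          SOCKET_OPS = {"connect", "bind", "listen", "accept", "accept4", "sendto",
                        "recvfrom", "getsockname", "getpeername", "setsockopt",
                        "getsockopt"}


          def open_promises(args: str) -> Set[str]:
              """Map the decoded O_* flags of an open(2) call to promises.

              Returns an empty set when kdump did not decode the flags, so the
              caller reports the line instead of assuming read-only access.
              """
              m = re.search(r"<([^>]*)>", args)
              if not m:
                  return set()
              flags = set(m.group(1).split("|"))
              out: Set[str] = set()
              if "O_RDONLY" in flags or "O_RDWR" in flags:
                  out.add("rpath")
              if "O_WRONLY" in flags or "O_RDWR" in flags:
                  out.add("wpath")
              if "O_CREAT" in flags:
                  out.add("cpath")
              return out


          def derive_promises(lines: List[str]) -> Tuple[List[str], List[str]]:
              """Return (sorted promise list, unmapped CALL lines) for a kdump log."""
              promises: Set[str] = set()
              unmapped: List[str] = []
              families: Set[str] = set()
              for line in lines:
                  m = CALL_RE.match(line)
                  if not m:
                      continue  # NAMI, RET, STRU and other record types carry no syscall name
                  name, args = m.group(1), m.group(2)
                  got: Optional[Set[str]] = None
                  if name in SIMPLE:
                      got = {SIMPLE[name]}
                  elif name == "open":
                      got = open_promises(args) or None
                  elif name == "socket":
                      fam = SOCKET_FAMILY.get(args.split(",")[0].strip())
                      if fam:
                          families.add(fam)
                          got = {fam}
                  elif name in SOCKET_OPS and families:
                      got = set(families)  # approximation: attribute to every family opened so far
                  if got is None:
                      unmapped.append(line.strip())
                  else:
                      promises |= got
              return sorted(promises), unmapped


          def promise_string(lines: List[str]) -> str:
              """Space-separated promise string in the form pledge(2) accepts."""
              return " ".join(derive_promises(lines)[0])


          # Constructed sample approximating kdump output for a small fetch-style program.
          SAMPLE_KDUMP = """\
           71320 fetch    CALL  open(0x7f7ffffe1d20,0<O_RDONLY>)
           71320 fetch    NAMI  "/etc/resolv.conf"
           71320 fetch    RET   open 3
           71320 fetch    CALL  read(0x3,0xa1b2c3d4000,0x4000)
           71320 fetch    RET   read 84/0x54
           71320 fetch    CALL  close(0x3)
           71320 fetch    CALL  socket(PF_INET,SOCK_STREAM,6)
           71320 fetch    RET   socket 3
           71320 fetch    CALL  connect(0x3,0x7f7ffffe1c40,0x10)
           71320 fetch    CALL  open(0x7f7ffffe1e00,0x601<O_WRONLY|O_CREAT|O_TRUNC>,0x1b6)
           71320 fetch    CALL  write(0x4,0xa1b2c3d5000,0x1000)
           71320 fetch    CALL  ioctl(0x1,TIOCGETA,0x7f7ffffe1b00)
           71320 fetch    CALL  exit(0)
          """.splitlines()

          if __name__ == "__main__":
              found, todo = derive_promises(SAMPLE_KDUMP)
              print('pledge("%s", NULL)  /* candidate, review before use */' % " ".join(found))
              for line in todo:
                  print("REVIEW:", line)
          ```

          Running it on the constructed trace proposes `cpath inet rpath stdio wpath` and flags the `ioctl` line for review. Reporting unmapped calls instead of guessing keeps the tool from quietly widening the promise set, which is the failure mode that matters for least privilege.
          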

          1. 3

            But probably a bad idea. It usually only takes a little thought to determine what a program does. Exhaustive black box testing would take longer. More importantly, the thought process may reveal a better program design.

            Pledge has always been a simple framework for program experts. Quite different from many alternatives, which are expert frameworks for simple programs. :)

        2. 2

          Any clue if any of these are on the way into ports? I didn’t see any obvious answers on their various webpages.

          (Edit: you people are awesome.)

          1. 5

            Are you asking if there are ports using pledge(2)?

            Yes, there are pledged ports and the number is growing. Chrome for example. You can check which ports define “# uses pledge()” in their Makefile.

            Or if these language bindings found their way into ports?

            Yes, some of them.

            If you look at the twitter conversation you will learn that:

            • lang/node contains the pledge binding for node
            • OpenBSD-Pledge is part of the base system

            I didn’t find any others with a quick scan. I do remember some chat on ports@ from a long time ago about Ruby, I think.

            tl;dr things are getting there :)

            1. 5

              I’m the author of the Python version.

              I’m waiting for pledge to stabilize a bit before polishing it. As you can see in the BUGS section of the man page: “The path whitelist feature is not available at this time.”

              After that I plan to see how things go for real usages in Python and eventually push it into ports.

              1. 3

                lang/node ships with node-pledge ready and waiting to be used in regular apps.

                I haven’t added the path stuff yet.

                1. 3

                  I wrote the C# implementation - the package manager it’ll go into is probably NuGet. I might also consider wrapping other OpenBSD specific syscalls (like sendsyslog) and putting it into an “OpenBSD#” project, or something.