Great to see that pledge so far seems to be working out very well for the OpenBSD guys. Looking forward to 5.9!
I am slowly working on a new daemon that is only supposed to take commands via a socket and write files to a particular directory. pledge() saves me from myself.
Long-running interactive software, say mutt, seems harder to pledge. Would it make sense to hack mutt to spawn heavily-pledged children to handle the dangerous message parsing?
Yes. Something that’s come up is that many programs have an all-or-nothing design. But that’s what fork is for! :)
Mail parsing and talking to remote servers seem like the dangerous activities. The latter is pretty easy to redesign into a child process. The former is a bit more difficult, since mutt stores mail in “mail format”. But perhaps mail could be parsed, fed over a pipe back to the main process in a simpler serialization format, then written back out as an email in a known good state.
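The fork-and-pledge split sketched in the last two comments, as an added example that is not code from anyone in this thread or from mutt: the parent forks a child, the child pledges itself down to "stdio" before it ever looks at the raw message, reduces it to a fixed `key=value` serialization, and hands that back over a pipe. Assumptions: `pledge()` is only called under `#ifdef __OpenBSD__` and is stubbed to a no-op elsewhere so the structure still compiles and runs on other systems; the sample message is constructed and uses LF line endings; the header parser is deliberately minimal (exact-case header names, no folding).

```c
/* Added example: parse untrusted mail text in a child that has pledged
 * itself to "stdio" only, and return a simple serialization to the parent.
 * Not from the thread or from mutt. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#ifdef __OpenBSD__
static int drop_to_stdio(void) { return pledge("stdio", NULL); }
#else
/* Assumption: no pledge() on this host, so the restriction is a no-op stub. */
static int drop_to_stdio(void) { return 0; }
#endif

/* Copy the value of header `name` ("Name: value") into dst, or "" if absent.
 * Stops at the blank line that ends the header block. */
static void header_value(const char *raw, const char *name, char *dst, size_t dstlen)
{
    size_t nlen = strlen(name);
    const char *p = raw;
    dst[0] = '\0';
    while (*p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ') v++;
            size_t n = strcspn(v, "\r\n");
            if (n >= dstlen) n = dstlen - 1;
            memcpy(dst, v, n);
            dst[n] = '\0';
            return;
        }
        p = strchr(p, '\n');
        if (!p) return;
        p++;
        if (*p == '\n' || *p == '\r') return; /* blank line: end of headers */
    }
}

/* Parser that runs inside the pledged child: reduces a raw message to a
 * fixed "key=value" line format so the parent never touches the raw text. */
int parse_message(const char *raw, char *out, size_t outlen)
{
    char from[128], subj[128];
    const char *body = strstr(raw, "\n\n");
    size_t skip = 2;
    if (!body) { body = strstr(raw, "\r\n\r\n"); skip = 4; }
    size_t bodylen = body ? strlen(body + skip) : 0;
    header_value(raw, "From", from, sizeof from);
    header_value(raw, "Subject", subj, sizeof subj);
    int n = snprintf(out, outlen, "from=%s\nsubject=%s\nbodylen=%zu\n",
                     from, subj, bodylen);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Parent side: fork, let the child pledge and parse, read the summary back.
 * Returns 0 on success; any child failure (including a pledge violation,
 * which kills the child) shows up as a non-zero exit and yields -1. */
int parse_in_child(const char *raw, char *out, size_t outlen)
{
    int fd[2];
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        close(fd[0]);
        if (drop_to_stdio() == -1) _exit(2); /* pledge before touching input */
        char buf[512];
        if (parse_message(raw, buf, sizeof buf) == -1) _exit(3);
        size_t len = strlen(buf);
        if (write(fd[1], buf, len) != (ssize_t)len) _exit(4);
        _exit(0);
    }
    close(fd[1]);
    size_t got = 0;
    ssize_t r;
    while (got < outlen - 1 && (r = read(fd[0], out + got, outlen - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed sample message, not real mail. */
static const char sample_mail[] =
    "From: alice@example.invalid\n"
    "Subject: pledge test\n"
    "\n"
    "hello\n";

int main(void)
{
    char out[256];
    if (parse_in_child(sample_mail, out, sizeof out) != 0) return 1;
    fputs(out, stdout);
    return 0;
}
```

The point of the split is that the child's pledge happens before the first byte of the message is examined, so a bug in the parser is confined to a process that can only read, write and exit; the parent only ever sees the fixed-format summary.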