1. 15

  2. 6

    If anybody started reading this and was very, very confused, in the following word, the word “word” is really “passage”, and “passage” means “improved word”. Unlike, of course, just “word” as you know it to mean, in which case I’m referring to a word in a “passage”.

    “First of all, let me clear one important thing that pledge(1) and pledge(2) both are different things according to the man page of OpenBSD. Because parenthesis numbers indicate sections of a man page, like, (2) for system calls etc. So, here, parenthesis numbers are only to differentiate between the old pledge and new pledge or improved pledge, that’s all, nothing related to the parenthesis numbers of man page of OpenBSD.”

    I think there should be a filter for medium posts. Sigh.

    1. 1

      I don’t think that there is a lot of confusion now. I know that at first pledge(1) and pledge(2) were creating confusion, but after that, I changed the title and also wrote that paragraph for clarification. I too was thinking about this confusion, about how I should differentiate between the old pledge and improved pledge, so I thought it would be great if I tried to explain what is what.

      But, if it is still confusing, then I apologize for my mistake. From next time on, I will keep these things in mind.

      1. 2

        It’s not your explanation that’s confusing—that’s just me being acerbic—it’s the notation itself. Consider using “pledge v.1” or “pledge v.2”, or better yet, “pledge 6.0” or “pledge 6.3” to refer to the OpenBSD version containing the described version. Then you can drop the explanations altogether and focus on the matter at hand.

        (And don’t forget pledge 5.8: tame!)

        1. 1

          Oh yeah, you are right. I can also use “pledge v.1 or pledge v.2” or “pledge 6.2”, that’s nice. I had even asked for suggestions for this on Google+, but no one gave any.

          Thank you very much for the clarification. I will update them. :)

    2. 2

      Did they completely abandon paths[]? Filesystem access is typically the thing I want to restrict :(

      1. 3

        Not abandoned but split into a different syscall, pledgepath(2), which is not committed, yet. As Theo mentioned a few months ago:

        The other is pledgepaths. The semantics are still being tuned a bit. Before the first call to pledge() in a process, one can pledgepath() directories. Then later after pledge(), file access operations only work if the traversal of the path crosses one of those pre-declared directories (but better make sure you don’t move a directory, because the kernel remembers and reasons about the vnode of the directory rather than the path). Something similar is being worked on for files, but we are still adjusting that, as well as a flag parameter for the pledgepath() call which may constrain the operations done on such files. As such, pledgepath() will become a filesystem containment mechanism unlike chroot() because paths will still be based upon true /.

      2. 1

        Hey, he stole my puffer! :D

        1. 2

          Yeah, sorry for that, I should have asked you first. I found it on Google Images. :)

          1. 1

            Np! Was neat seeing it on a site other than mine. Welcome!

            1. 1

              Was neat seeing it on a site other than mine. Welcome!

              Thanks for the high-quality version image. I have updated the image. :)