1. 44

  2. 11

    A relevant summary of the background, I thought:


    1. 8



      and my personal favorite:

      xterm pledged by a developer in one evening

      I don’t have enough superlatives to describe how great this patch is, when you look at the bang/buck factor.

      Off to buy another 5.8 CD set, I guess…

      1. 18

        If you’re feeling appreciation for their work, and have a little money, you could also skip the whole CD-and-mailing thing, and just donate directly:


        I donated $1000 recently. Warm-and-fuzzies for supporting some amazing work. And after years of OpenBSD CDs, now all my future installs are guilt-free downloads.

        1. 10

          I donated $1000 recently. Warm-and-fuzzies for supporting some amazing work.

          Thank you!

          1. 2

            Wow, out of your own pocket or through your employers budget? In either case, great job, thanks!

      2. 5

        that const char *request is some deep, rich, next-level, four-dimensional troll aikido that future generations will study as they currently study the Venus de Milo.

        1. 2

          While I very much like the simplicity of the mechanism, I’m also a bit confused at the use of strings rather than or'ed flags or similar.

          1. 19

            Back when this API was called tame instead of pledge (at least, I think it’s the same system; looks basically identical), they covered this. They started with flags, and then migrated to the string API.

            The basic issue is that, using flags, you get at most 64 permissions, and you don’t get any arguments on any of the flags. If you go with some vararg-like structure, you’ve still got a null terminator marking the string conclusion, so that doesn’t help, and user-readable strings make developers grokking what the line does make a lot more sense, and does allow additional attributes if they ever need to. You’re also not really concerned about buffer overflows: if you’re passing in user-defined data for pledge, you’re missing the point, and if you’re not but worried about the string getting altered in memory, you should be calling pledge so early in program execution that nothing can beat you to the punch and alter things. And the format of pledge is dramatically safer than common things C programmers already use, like printf, anyway.

            Is this as powerful as SELinux? Hells no. Can a single normal person sanely understand and use this system really quickly in their own programs? Yep. But I don’t think the strings should actually cause any problem in practice.

            1. 8

              (See this article.)

              1. 1

                yeah, it makes sense if you figure there will be > 63 granular permissions, and as long as you trust and guarantee that strcmp() and strchr() will always have secure, non-buggy libc implementations that don’t use, e.g., locale or anything else from the runtime environment. Which is why I think the trolling is next level.

                1. [Comment removed by author]

                  1. 3

                    yes, I stand corrected, thought pledge had a user space component that called into the syscall after parsing.