|PLEDGE(2)||System Calls Manual||PLEDGE(2)|
pledge — restrict
char *promises, const
pledge system call forces the current
process into a restricted-service operating mode. A few subsets are
available, roughly described as computation, memory management, read-write
operations on file descriptors, opening of files, and networking. In
general, these modes were selected by studying the operation of many
programs using libc and other such interfaces, and setting
promises or execpromises.
pledge in an application will
require at least some study and understanding of the interfaces called.
Subsequent calls to
pledge can reduce the abilities
further, but abilities can never be regained.
A process which attempts a restricted operation is killed with an
SIGABRT, delivering a core file if
possible. A process currently running with pledge has state
‘p’ in ps(1)
output; a process that was terminated due to a pledge violation is accounted
by lastcomm(1) with the
A promises value of "" restricts the process to the _exit(2) system call. This can be used for pure computation operating on memory shared with another process.
promises or execpromises
specifies to not change the current value.
Some system calls, when allowed, have restrictions applied to them:
FIONCLEXoperations are allowed by default. Various ioctl requests are allowed against specific file descriptors based upon the requests audio, bpf, disklabel, drm, inet, pf, route, tape, tty, video, and vmm.
The promises argument is specified as a string, with space separated keywords:
NULL. As a result, all the expected functionalities of libc stdio work.
clock_getres(2), clock_gettime(2), close(2), closefrom(2), dup(2), dup2(2), dup3(2), fchdir(2), fcntl(2), fstat(2), fsync(2), ftruncate(2), getdents(2), getdtablecount(2), getegid(2), getentropy(2), geteuid(2), getgid(2), getgroups(2), getitimer(2), getlogin(2), getpgid(2), getpgrp(2), getpid(2), getppid(2), getresgid(2), getresuid(2), getrlimit(2), getrtable(2), getsid(2), getthrid(2), gettimeofday(2), getuid(2), issetugid(2), kevent(2), kqueue(2), lseek(2), madvise(2), minherit(2), mmap(2), mprotect(2), mquery(2), munmap(2), nanosleep(2), pipe(2), pipe2(2), poll(2), pread(2), preadv(2), pwrite(2), pwritev(2), read(2), readv(2), recvfrom(2), recvmsg(2), select(2), sendmsg(2), sendsyslog(2), sendto(2), setitimer(2), shutdown(2), sigaction(2), sigprocmask(2), sigreturn(2), socketpair(2), umask(2), wait4(2), write(2), writev(2)
AF_INET6domains (though setsockopt(2) has been substantially reduced in functionality):
MTIOCTOPoperations against tape drives.
EACCESS. Otherwise the new program starts running without pledge active, and hopefully makes a new pledge soon.
PROT_EXECwith mmap(2) and mprotect(2).
BIOCGSTATSoperation for statistics collection from a bpf(4) device.
pledge is called with higher
promises or execpromises,
those changes will be ignored and return success. This is useful when a
parent enforces execpromises but an execve'd child
has a different idea.
Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.
pledge will fail if:
pledge system call first appeared in
|January 21, 2019||OpenBSD-6.5|