PLEDGE(2)                     System Calls Manual                    PLEDGE(2)

NAME
     pledge – restrict system operations

SYNOPSIS
     #include <unistd.h>

     int
     pledge(const char *promises, const char *execpromises);
DESCRIPTION
     The pledge() system call forces the current process into a restricted-
     service operating mode.  A few subsets are available, roughly described
     as computation, memory management, read-write operations on file
     descriptors, opening of files, and networking.  In general, these modes
     were selected by studying the operation of many programs using libc and
     other such interfaces, and setting promises or execpromises.

     Use of pledge() in an application will require at least some study and
     understanding of the interfaces called.  Subsequent calls to pledge()
     can reduce the abilities further, but abilities can never be regained.

     A process which attempts a restricted operation is killed with an
     uncatchable SIGABRT, delivering a core file if possible.  A process
     currently running with pledge has state ‘p’ in ps(1) output; a process
     that was terminated due to a pledge violation is accounted by
     lastcomm(1) with the ‘P’ flag.

     A promises value of "" restricts the process to the _exit(2) system
     call.  This can be used for pure computation operating on memory shared
     with another process.

     Passing NULL to promises or execpromises specifies to not change the
     current value.
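     The staged use of pledge() described above, as an added example that
     is not part of this manual page or of OpenBSD's own code: the program
     keeps rpath only while it reads its input, then narrows to stdio, and
     guards each narrowing with a keyword subset check so that an attempt to
     regain an ability is reported as EPERM up front instead of failing
     later.  The stand-in pledge() under #ifndef __OpenBSD__ is the
     example's own assumption so that the file also builds and runs
     elsewhere; it enforces nothing.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-in for builds on systems without pledge(2) (example's own
 * assumption): accepts every request and enforces nothing. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
#endif

/* Return 1 if every space-separated keyword of `want` also occurs in
 * `have`, 0 otherwise.  Keywords are compared whole, so "rpath" does
 * not match "wpath" or "tmppath". */
int promises_subset(const char *want, const char *have)
{
    for (const char *w = want; *w != '\0'; ) {
        w += strspn(w, " ");
        if (*w == '\0')
            break;
        size_t wlen = strcspn(w, " ");
        int found = 0;
        for (const char *h = have; *h != '\0'; ) {
            h += strspn(h, " ");
            if (*h == '\0')
                break;
            size_t hlen = strcspn(h, " ");
            if (hlen == wlen && memcmp(h, w, wlen) == 0) {
                found = 1;
                break;
            }
            h += hlen;
        }
        if (!found)
            return 0;
        w += wlen;
    }
    return 1;
}

/* Narrow the current pledge from *cur to `next`.  Abilities can never be
 * regained, so a `next` that is not a subset of *cur is refused here with
 * EPERM (what the kernel would answer anyway), which turns a programming
 * error into a clean failure at the call site.  On success *cur is
 * updated to `next` so later narrowings are checked against it. */
int pledge_narrow(const char **cur, const char *next)
{
    if (!promises_subset(next, *cur)) {
        errno = EPERM;
        return -1;
    }
    if (pledge(next, NULL) == -1)
        return -1;
    *cur = next;
    return 0;
}

int main(int argc, char *argv[])
{
    const char *cur = "stdio rpath";
    /* Stage 1: we still have to open a file, so keep rpath for now. */
    if (pledge(cur, NULL) == -1) {
        perror("pledge");
        return 1;
    }

    FILE *fp = fopen(argc > 1 ? argv[1] : "/etc/hosts", "r");
    long total = 0;
    if (fp != NULL) {
        int c;
        while ((c = fgetc(fp)) != EOF)
            total++;
        fclose(fp);
    }

    /* Stage 2: the file is read and closed, so drop rpath for the rest
     * of the run.  From here on an open(2) would kill us with SIGABRT. */
    if (pledge_narrow(&cur, "stdio") == -1) {
        perror("pledge_narrow");
        return 1;
    }
    printf("read %ld bytes, now pledged \"%s\"\n", total, cur);

    /* Asking for rpath back is refused: abilities are never regained. */
    if (pledge_narrow(&cur, "stdio rpath") == -1)
        printf("re-widening refused: %s\n", strerror(errno));
    return 0;
}
```

     Run it with a file name as the only argument; on a system without
     pledge(2) the flow is identical but nothing is enforced.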
     Some system calls, when allowed, have restrictions applied to them:

     ioctl(2)
             Only FIONREAD, FIONBIO, FIOCLEX, and FIONCLEX operations are
             allowed by default.  Various ioctl requests are allowed against
             specific file descriptors based upon the promises audio, bpf,
             disklabel, drm, inet, pf, route, wroute, tape, tty, video, and
             vmm.

     mmap(2), mprotect(2)
             PROT_EXEC isn't allowed.

     pledge()
             Can only reduce permissions; execpromises can likewise only be
             reduced, never extended.

     The promises argument is specified as a string, with space separated
     keywords:
     stdio   The following system calls are permitted.  sendto(2) is only
             permitted if its destination socket address is NULL.  As a
             result, all the expected functionalities of libc stdio work.

             clock_getres(2), clock_gettime(2), close(2), closefrom(2),
             dup(2), dup2(2), dup3(2), fchdir(2), fcntl(2), fstat(2),
             fsync(2), ftruncate(2), getdents(2), getdtablecount(2),
             getegid(2), getentropy(2), geteuid(2), getgid(2), getgroups(2),
             getitimer(2), getlogin(2), getpgid(2), getpgrp(2), getpid(2),
             getppid(2), getresgid(2), getresuid(2), getrlimit(2),
             getrtable(2), getsid(2), getthrid(2), gettimeofday(2),
             getuid(2), issetugid(2), kevent(2), kqueue(2), lseek(2),
             madvise(2), minherit(2), mmap(2), mprotect(2), mquery(2),
             munmap(2), nanosleep(2), pipe(2), pipe2(2), poll(2), pread(2),
             preadv(2), pwrite(2), pwritev(2), read(2), readv(2),
             recvfrom(2), recvmsg(2), select(2), sendmsg(2), sendsyslog(2),
             sendto(2), setitimer(2), shutdown(2), sigaction(2),
             sigprocmask(2), sigreturn(2), socketpair(2), umask(2),
             wait4(2), write(2), writev(2)
     rpath   A number of system calls are allowed if they only cause read-
             only effects on the filesystem:

             chdir(2), getcwd(3), openat(2), fstatat(2), faccessat(2),
             readlinkat(2), lstat(2), chmod(2), fchmod(2), fchmodat(2),
             chflags(2), chflagsat(2), chown(2), fchown(2), fchownat(2),
             fstat(2), getfsstat(2)

     wpath   A number of system calls are allowed and may cause write-effects
             on the filesystem:

             getcwd(3), openat(2), fstatat(2), faccessat(2), readlinkat(2),
             lstat(2), chmod(2), fchmod(2), fchmodat(2), chflags(2),
             chflagsat(2), chown(2), fchown(2), fchownat(2), fstat(2)

     cpath   A number of system calls and sub-modes are allowed to create
             new files and directories in the filesystem:

             rename(2), renameat(2), link(2), linkat(2), symlink(2),
             symlinkat(2), unlink(2), unlinkat(2), mkdir(2), mkdirat(2),
             rmdir(2)

     dpath   A number of system calls are allowed to create special files:

             mknod(2), mknodat(2), mkfifo(2), mkfifoat(2)

     tmppath
             A number of system calls are allowed to do operations in the
             /tmp directory, including create, read, or write:

             lstat(2), chmod(2), chflags(2), chown(2), unlink(2), fstat(2)
     inet    The following system calls are allowed to operate in the AF_INET
             and AF_INET6 domains (though setsockopt(2) has been substantially
             reduced in functionality):

             socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2),
             getpeername(2), getsockname(2), setsockopt(2), getsockopt(2)
     mcast   This promise is used in conjunction with inet to give back
             functionality to setsockopt(2) for operating on multicast
             sockets.

     fattr   The following system calls are allowed to make explicit changes
             to fields in struct stat relating to a file:

             utimes(2), futimes(2), utimensat(2), futimens(2), chmod(2),
             fchmod(2), fchmodat(2), chflags(2), chflagsat(2), chown(2),
             fchownat(2), lchown(2), fchown(2)

     chown   The chown(2), fchownat(2), lchown(2), and fchown(2) system calls
             are allowed to change the user or group on a file.

     flock   File locking via fcntl(2), flock(2), lockf(3), and open(2) is
             allowed.
     unix    The following system calls are allowed to operate in the AF_UNIX
             domain:

             socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2),
             getpeername(2), getsockname(2), setsockopt(2), getsockopt(2)
     dns     Subsequent to a successful open(2) of /etc/resolv.conf, a few
             system calls become able to allow DNS network transactions:

             sendto(2), recvfrom(2), socket(2), connect(2)

     getpw   This allows read-only access to the files behind the
             getpwnam(3), getgrnam(3), getgrouplist(3), and initgroups(3)
             family of functions; in a YP environment these lookups may also
             require inet operations.

     sendfd  Allows sending of file descriptors using sendmsg(2).  File
             descriptors referring to directories may not be passed.

     recvfd  Allows receiving of file descriptors using recvmsg(2).  File
             descriptors referring to directories may not be passed.
     tape    Allow MTIOCGET and MTIOCTOP operations against tape drives.

     tty     In addition to allowing read-write operations on /dev/tty, this
             opens up a variety of ioctl(2) requests used by tty-related
             programs.  If tty is accompanied with rpath, revoke(2) is
             permitted.  Otherwise only the following ioctl(2) requests are
             permitted:

             TIOCSPGRP, TIOCGETA, TIOCGPGRP, TIOCGWINSZ, TIOCSWINSZ, TIOCSBRK,
             TIOCCDTR, TIOCSETA, TIOCSETAW, TIOCSETAF, TIOCUCNTL
     proc    Allows the following process relationship operations:

             fork(2), vfork(2), kill(2), getpriority(2), setpriority(2),
             setrlimit(2), setpgid(2), setsid(2)

     exec    Allows a process to call execve(2).  Coupled with the proc
             promise, this allows a process to fork and execute another
             program.  If execpromises has been previously set the new
             program begins with those promises, unless setuid/setgid bits
             are set in which case execution is blocked with EACCES.
             Otherwise the new program starts running without pledge active,
             and hopefully makes a new pledge soon.

     prot_exec
             Allows the use of PROT_EXEC with mmap(2) and mprotect(2).

     settime
             Allows the setting of system time, via the settimeofday(2),
             adjtime(2), and adjfreq(2) system calls.

     ps      Allows enough sysctl(2) interfaces to allow inspection of
             processes operating on the system using programs like ps(1).

     vminfo  Allows enough sysctl(2) interfaces to allow inspection of the
             system's virtual memory by programs like top(1) and vmstat(8).

     id      Allows the following system calls which can change the rights
             of a process:

             setuid(2), seteuid(2), setreuid(2), setresuid(2), setgid(2),
             setegid(2), setregid(2), setresgid(2), setgroups(2),
             setlogin(2), setrlimit(2), getpriority(2), setpriority(2),
             setrtable(2)
     pf      Allows a subset of ioctl(2) operations on the pf(4) device:

             DIOCADDRULE, DIOCGETSTATUS, DIOCNATLOOK, DIOCRADDTABLES,
             DIOCRCLRADDRS, DIOCRCLRTABLES, DIOCRCLRTSTATS, DIOCRGETTSTATS,
             DIOCRSETADDRS, DIOCXBEGIN, DIOCXCOMMIT

     route   Allows read access to the routing table.

     wroute  Allows changes to the routing table.
     audio   Allow a subset of ioctl(2) operations on audio devices (see
             audio(4)):

             AUDIO_GETPOS, AUDIO_GETPAR, AUDIO_SETPAR, AUDIO_START,
             AUDIO_STOP, AUDIO_MIXER_DEVINFO, AUDIO_MIXER_READ,
             AUDIO_MIXER_WRITE
     video   Allow a subset of ioctl(2) operations on video devices (see
             video(4)):

             VIDIOC_DQBUF, VIDIOC_ENUM_FMT, VIDIOC_ENUM_FRAMEINTERVALS,
             VIDIOC_ENUM_FRAMESIZES, VIDIOC_G_CTRL, VIDIOC_G_PARM,
             VIDIOC_QBUF, VIDIOC_QUERYBUF, VIDIOC_QUERYCAP, VIDIOC_QUERYCTRL,
             VIDIOC_S_CTRL, VIDIOC_S_FMT, VIDIOC_S_PARM, VIDIOC_STREAMOFF,
             VIDIOC_STREAMON, VIDIOC_TRY_FMT, VIDIOC_REQBUFS
     bpf     Allow the BIOCGSTATS operation for statistics collection from a
             bpf(4) device.

     unveil  Allow unveil(2) to be called.

     error   Rather than killing the process upon violation, indicate error
             with ENOSYS.  Also when pledge() is called with higher promises
             or execpromises, those changes will be ignored and return
             success.  This is useful when a parent enforces execpromises but
             an execve'd child has a different idea.
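     The exec and error promises described above, as an added example that
     is not from this manual page or from OpenBSD's own code: a parent
     enforces execpromises of "stdio rpath error" on every program it
     execve()s, and the child (this same program re-run with the argument
     "child") has a different idea: it asks for inet, sees that request
     silently ignored, and then gets ENOSYS from socket(2) instead of being
     killed with SIGABRT.  The "child" argument convention, the exit codes,
     the choice to keep error in the parent's own promise set as well, and
     the stand-in pledge() for non-OpenBSD builds are all the example's own
     assumptions.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-in for builds on systems without pledge(2) (example's own
 * assumption): accepts every request and enforces nothing. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
#endif

/* What every program we execve() will start with.  "error" turns a
 * violation in the child into an ENOSYS return instead of SIGABRT, and
 * makes any attempt by the child to pledge for more a silent no-op. */
#define EXECPROMISES "stdio rpath error"

/* Parent side: proc for fork(2), exec for execve(2); wait4(2) is part of
 * stdio.  The parent keeps every keyword of EXECPROMISES in its own set
 * too (example's choice), so execpromises never exceeds promises. */
int setup_parent(void)
{
    return pledge("stdio rpath proc exec error", EXECPROMISES);
}

/* Fork and execve argv[0] with argv.  Returns the child's exit status,
 * 128 + signal number if it was killed (SIGABRT on a pledge violation
 * when "error" is not in force), or -1 on failure.  The child inherits
 * the execpromises set by setup_parent(), so no pledge() call is needed
 * between fork(2) and execve(2). */
int run_confined(char *const argv[])
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        /* Not reached on success; a setuid/setgid target fails with
         * EACCES here because execpromises are in force. */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

/* Child side, run when this program is execve()d with "child": a program
 * with a different idea, asking for inet and then using it.  Exit codes
 * (example's own): 0 = no pledge in force, socket(2) worked;
 * 2 = running under execpromises with "error": the widening was ignored
 * and socket(2) failed with ENOSYS; 3 = widening refused with EPERM
 * (pledge without "error"); 1 = some other failure. */
int child_probe(void)
{
    if (pledge("stdio rpath inet", NULL) == -1)
        return errno == EPERM ? 3 : 1;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
        return errno == ENOSYS ? 2 : 1;
    close(s);
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc > 1 && strcmp(argv[1], "child") == 0)
        return child_probe();

    if (setup_parent() == -1) {
        perror("pledge");
        return 1;
    }
    char *const child_argv[] = { argv[0], "child", NULL };
    int rc = run_confined(child_argv);
    printf("child exited with %d (2 = confined by execpromises, "
           "violation reported as ENOSYS)\n", rc);
    return rc == -1;
}
```

     Run the binary with no arguments; on OpenBSD it prints 2, on a system
     without pledge(2) the stand-in enforces nothing and it prints 0.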
RETURN VALUES
     Upon successful completion, the value 0 is returned; otherwise the value
     -1 is returned and the global variable errno is set to indicate the
     error.

ERRORS
     pledge() will fail if:

     [EFAULT]           promises or execpromises points outside the process's
                        allocated address space.

     [EINVAL]           promises is malformed or contains invalid keywords.

     [EPERM]            This process is attempting to increase permissions.

HISTORY
     The pledge() system call first appeared in OpenBSD 5.9.

OpenBSD 7.1                   February 25, 2022                    OpenBSD 7.1