|PLEDGE(2)||System Calls Manual||PLEDGE(2)|
pledge — restrict
char *promises, const
system call forces the current process into a restricted-service operating
mode. A few subsets are available, roughly described as computation, memory
management, read-write operations on file descriptors, opening of files, and
networking. In general, these modes were selected by studying the operation
of many programs using libc and other such interfaces, and setting
promises or execpromises.
in an application will require at least some study and understanding of the
interfaces called. Subsequent calls to
reduce the abilities further, but abilities can never be regained.
A process which attempts a restricted operation is killed with an
SIGABRT, delivering a core file if
possible. A process currently running with pledge has state
‘p’ in ps(1) output; a process
that was terminated due to a pledge violation is accounted by
lastcomm(1) with the ‘P’
A promises value of "" restricts the process to the _exit(2) system call. This can be used for pure computation operating on memory shared with another process.
promises or execpromises
specifies to not change the current value.
Some system calls, when allowed, have restrictions applied to them:
FIONCLEXoperations are allowed by default. Various ioctl requests are allowed against specific file descriptors based upon the requests
The promises argument is specified as a string, with space separated keywords:
NULL. As a result, all the expected functionalities of libc stdio work.
clock_getres(2), clock_gettime(2), close(2), closefrom(2), dup(2), dup2(2), dup3(2), fchdir(2), fcntl(2), fstat(2), fsync(2), ftruncate(2), getdents(2), getdtablecount(2), getegid(2), getentropy(2), geteuid(2), getgid(2), getgroups(2), getitimer(2), getlogin(2), getpgid(2), getpgrp(2), getpid(2), getppid(2), getresgid(2), getresuid(2), getrlimit(2), getrtable(2), getsid(2), getthrid(2), gettimeofday(2), getuid(2), issetugid(2), kevent(2), kqueue(2), lseek(2), madvise(2), minherit(2), mmap(2), mprotect(2), mquery(2), munmap(2), nanosleep(2), pipe(2), pipe2(2), poll(2), pread(2), preadv(2), pwrite(2), pwritev(2), read(2), readv(2), recvfrom(2), recvmsg(2), select(2), sendmsg(2), sendsyslog(2), sendto(2), setitimer(2), shutdown(2), sigaction(2), sigprocmask(2), sigreturn(2), socketpair(2), umask(2), wait4(2), write(2), writev(2)
AF_INET6domains (though setsockopt(2) has been substantially reduced in functionality):
inetgive back functionality to setsockopt(2) for operating on multicast sockets.
MTIOCTOPoperations against tape drives.
ttyis accompanied with
rpath, revoke(2) is permitted. Otherwise only the following ioctl(2) requests are permitted:
procpromise, this allows a process to fork and execute another program. If execpromises has been previously set the new program begins with those promises, unless setuid/setgid bits are set in which case execution is blocked with
EACCES. Otherwise the new program starts running without pledge active, and hopefully makes a new pledge soon.
PROT_EXECwith mmap(2) and mprotect(2).
BIOCGSTATSoperation for statistics collection from a bpf(4) device.
is called with higher promises or
execpromises, those changes will be ignored and
return success. This is useful when a parent enforces
execpromises but an execve'd child has a different
Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.
pledge() will fail if:
pledge() system call first appeared in
|July 18, 2021||OpenBSD-current|