Hi,

Remco wrote on Sat, Apr 07, 2018 at 09:23:53AM +0200:

> What about having some sort of function yourlib_pledge_set_promises()
> that sets up these requirements ? I think this also has the advantage of
> automatically separating pledge specific code (and a man page) from
> generic code as well as lessening the chance of users of your library
> setting up incorrect promises for your library. Or in light of updates
> to your library, users may not need to change their program's pledges
> since the updated yourlib_pledge_set_promises function will hopefully be
> sufficient to take care of that.

Obviously a very stupid idea for several reasons:

 1. You need one pledge(2) call per application program, not one pledge(2) call per library used. That call must include the promises required for all functionality the program uses, i.e. the union of promises needed for syscalls done directly from the program itself and syscalls done through each of the libraries. Obviously, that cannot be achieved by doing one call for each library used.

 2. Even if a program uses no other libraries, you still have to add the promises required for directly invoked functionality.

 3. Even if you require no promises for directly invoked syscalls, a program using a library doesn't necessarily need all the promises potentially required by the library. It depends on which functions from the library are called, and as Kristaps explained, it even makes a difference which arguments are passed to these functions. Just like for programs using nothing but the C library, by the way.

Your suggestion is obviously completely contrary to the basic way pledge(2) works and cannot be implemented. Using pledge(2) requires understanding which functionality a program uses. Your proposal boils down to: "You do not need to understand your own program if you simply call a function that performs some unspecified magic which is impossible to perform."

Yours,
  Ingo
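Point 1 of the reply, as an added example that is not part of Ingo's message or of any library's code: the program gathers the promises for its own syscalls and for the library functions it actually calls, then makes a single pledge(2) call with their union. The promise lists are constructed, libfoo and libbar are hypothetical libraries, and pledge(2) is only called when the file is built on OpenBSD.

```c
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h> /* pledge(2) */
#endif

/* Whole-word lookup, so "exec" is not mistaken for part of "prot_exec". */
static int has_promise(const char *set, const char *p, size_t n)
{
    while (*set) {
        set += strspn(set, " ");
        size_t m = strcspn(set, " ");
        if (m == n && memcmp(set, p, n) == 0) return 1;
        set += m;
    }
    return 0;
}

/* Write the de-duplicated union of n promise lists to out; -1 if it does not fit. */
int union_promises(char *out, size_t outsz, const char **lists, size_t n)
{
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        /* Skip separators, stop at end of list, otherwise handle one promise. */
        for (const char *s = lists[i]; *(s += strspn(s, " ")); ) {
            size_t len = strcspn(s, " "), used = strlen(out);
            if (!has_promise(out, s, len)) {
                if (used + len + 2 > outsz) return -1;
                if (used) out[used++] = ' ';
                memcpy(out + used, s, len);
                out[used + len] = '\0';
            }
            s += len;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed lists: the program itself, then hypothetical libfoo and
     * libbar, each limited to the functions this program really calls. */
    const char *needed[] = { "stdio rpath", "stdio inet dns", "stdio rpath prot_exec" };
    char promises[128];
    if (union_promises(promises, sizeof(promises), needed, 3) == -1) return 1;
    printf("pledge(\"%s\", NULL)\n", promises);
#ifdef __OpenBSD__
    if (pledge(promises, NULL) == -1) return 1; /* the program's single call */
#endif
    return 0;
}
```

The lists still have to be written by someone who knows which library functions the program calls and with which arguments; the helper only merges them.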