Remco wrote on Sat, Apr 07, 2018 at 09:23:53AM +0200:

> What about having some sort of function yourlib_pledge_set_promises() 
> that sets up these requirements ? I think this also has the advantage of 
> automatically separating pledge specific code (and a man page) from 
> generic code as well as lessening the chance of users of your library 
> setting up incorrect promises for your library. Or in light of updates 
> to your library, users may not need to change their program's pledges 
> since the updated yourlib_pledge_set_promises function will hopefully be 
> sufficient to take care of that.

Obviously a very stupid idea for several reasons:

 1. You need one pledge(2) call per application program, not one
    pledge(2) call per library used.  That call must include the
    promises required for all functionality the program uses, i.e.
    the union of promises needed for syscalls done directly
    from the program itself and syscalls done through each of the
    libraries.  Obviously, that cannot be achieved by doing one
    call for each library used.

 2. Even if a program uses no other libraries, you still have to
    add the promises required for directly invoked functionality.

 3. Even if you require no promises for directly invoked syscalls,
    a program using a library doesn't necessarily need all the
    promises potentially required by the library.  It depends
    on which functions from the library are called, and as
    Kristaps explained, it even makes a difference which
    arguments are passed to these functions.  Just like for
    programs using nothing but the C library, by the way.

Your suggestion is obviously completely contrary to the basic way
pledge(2) works and cannot be implemented.

Using pledge(2) requires understanding which functionality a program
uses.  Your proposal boils down to:  "You do not need to understand
your own program if you simply call a function that performs some
unspecified magic which is impossible to perform."


Reply via email to