I am compelled to add two thoughts about opendev() and pledge:

Beforehand, please read src/lib/libutil/opendev.c

I am not saying opendev is wrong, the design of opening a master
device, doing an ioctl, and then finding the correct device to
actually open was very expedient, DUID development was taking a long
time, and we needed to get this step in place quickly.

Before opendev, all these programs would get to their device by calling
open().  It was atomic, but there was all sorts of gunk around the device
naming and handling.  So opendev() arrived, moving a lot of boilerplate
into one library function, and it was still atomic.

Then this diskmap / ioctl got added, and it was... no longer atomic.

Reminds me of something from a long time ago!
    
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bernstein-on-ttys/security.html
    then SVR4 did something to "fix it"...
    and then history repeated itself, just a month ago
    http://marc.info/?t=145622949700001&r=1&w=2

Now please read fdisk and disklabel source.  With pledge, both follow
the pattern of:

    pledge
    [a bunch of getopt]
    opendev

I would argue the pledge call in most of those programs is premature,
and should be placed after the opendev() call.  I don't see much being
protected by the early pledge, because that opendev is going to open a
raw disk device.  "Premature protection"?

(Years ago, at least fdisk and disklabel had a need to open disks "late",
I think Ken fixed that in all these programs, to allow them to be pledged).

Anyways, I think a study of the programs in the tree that call opendev
is due, and maybe just moving the pledge calls is the solution?  Dunno.
