> Date: Sat, 9 Apr 2016 10:47:14 +0200
> From: Sebastien Marie <sema...@openbsd.org>
> 
> Hi,
> 
> The following diff makes the effect of multiple threads calling
> pledge(2) to be serializable.
> 
> It adds a loop (with tsleep(9)) at pledge(2) entrance if another thread
> is already inside (due to sleep), changes return to goto statement, and
> wakes up other threads at the end.
> 
> The check for looping or continue is done using a new flag PLEDGE_BUSY,
> which marks that a thread of the current process is currently inside
> sys_pledge().
> 
> This diff was done with the help of deraadt@ and guenther@.
> 
> Comments or OK ?

I really hope people won't deliberately write code that allows for
simultaneous execution of pledge(2) in multiple threads.  In fact the
only justification for calling pledge(2) in a multi-threaded process
is if you wanted to create threads and then call pledge(2) to prevent
the creation of more threads.

So the purpose of this diff is to prevent an attacker from exploiting
the race between multiple pledge(2) calls to circumvent the pledge?
Currently that risk isn't really there.  Or at least it could be
avoided by slightly reorganizing the code.  But I guess things get
more complicated once the whitelist stuff gets activated.

I agree with Ted's remark about using rwlock(9) though.
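The serialization the quoted diff describes (an entrance loop that sleeps while PLEDGE_BUSY is set, a single goto exit that clears the flag and wakes sleepers), as a user-space pthread model added here; this is constructed example code, not the OpenBSD diff or kernel code. The mutex/condvar pair stands in for tsleep(9)/wakeup(9), the promise bitmask, EPERM-on-widening rule and thread count are assumptions for the model, and the instrumentation counter shows that the body is never occupied by two threads at once.

```c
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdint.h>
/* Constructed user-space model of the diff's pattern; not OpenBSD kernel code. */
#define PLEDGE_BUSY 0x1u
struct pmodel {
    pthread_mutex_t lock;    /* guards flags (the kernel has its own locking) */
    pthread_cond_t wake;     /* stands in for the tsleep(9)/wakeup(9) channel */
    unsigned flags;          /* PLEDGE_BUSY lives here */
    uint64_t promises;       /* current promise bits; pledge(2) only ever narrows them */
    int inside, max_inside;  /* instrumentation: threads inside the body at once */
};
static int model_pledge(struct pmodel *p, uint64_t req)
{
    int error = 0;
    pthread_mutex_lock(&p->lock);
    while (p->flags & PLEDGE_BUSY)             /* entrance loop: someone is already in */
        pthread_cond_wait(&p->wake, &p->lock); /* tsleep(9) until it wakes us */
    p->flags |= PLEDGE_BUSY;
    pthread_mutex_unlock(&p->lock);
    /* Body may sleep; only the flag keeps a second thread out of it. */
    if (++p->inside > p->max_inside) p->max_inside = p->inside;
    if (req & ~p->promises) { error = EPERM; goto out; } /* cannot regain promises */
    sched_yield();                             /* widen the window a racer would use */
    p->promises = req;
out:                                           /* every exit path clears the flag */
    p->inside--;
    pthread_mutex_lock(&p->lock);
    p->flags &= ~PLEDGE_BUSY;
    pthread_cond_broadcast(&p->wake);          /* wakeup(9): sleepers re-check the flag */
    pthread_mutex_unlock(&p->lock);
    return error;
}
#define NTHREADS 8
struct arg { struct pmodel *p; uint64_t req; };
static void *worker(void *v) { struct arg *a = v; model_pledge(a->p, a->req); return NULL; }
/* Run NTHREADS threads that each narrow the promise set at once. Returns the largest
 * number of threads ever inside the body together (1 == serialized); *final gets 0x01. */
int run_model(uint64_t *final)
{
    struct pmodel p = { .promises = 0xffu };
    pthread_mutex_init(&p.lock, NULL); pthread_cond_init(&p.wake, NULL);
    pthread_t t[NTHREADS]; struct arg a[NTHREADS];
    for (int i = 0; i < NTHREADS; i++) {       /* constructed: thread i drops i bits */
        a[i].p = &p; a[i].req = 0xffu >> i; pthread_create(&t[i], NULL, worker, &a[i]);
    }
    for (int i = 0; i < NTHREADS; i++) pthread_join(t[i], NULL);
    *final = p.promises; return p.max_inside;
}
```

Whatever order the threads win the flag, the narrowest request is a subset of every other one, so it always succeeds and every later, wider request gets EPERM; removing the entrance loop is what lets two threads overlap in the body.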
