On Thu, Sep 07, 2023 at 11:30:11PM -0400, Thomas Frohwein wrote:
> Very basic pledge(2) for the whole program. I didn't dive too much into
> the details and maybe this can be refined some more. This is kind of a
> product of me trying a tool I made `abstain` [1] for usefulness of
> pledge(2) execpromises and it helped quickly find that xeyes(1) can run
> with a very limited set of promises. I tested all permutations of
> running xeyes(1) that are listed in the man page and none of them break
> with this configuration.
> 
> ok to add?

Runtime testing isn't the best way to work with pledge, as you could easily
miss cases.

Here, you are manipulating an X11 program: does it still work with a distant
DISPLAY? (hint: no, you missed the "inet" promise). So the program will not work
anymore with ssh -X (for the most common example).

"prot_exec" is also suspicious. Usually it is required for dlopen() stuff. I
bet it is a problem due to inferring promises from execpromises by the parent
process (or else, libX11 is doing dlopen(3) early).

"rpath" is a bit odd in xeyes(1) normal behaviour (but it will be required on
X11 error, as, if I remember well, error codes are "translated" to messages by
reading some file).

For me, you are pledging too early (before initialization). It should be done
at least after calling XtAppInitialize(3).

It will be the main limitation for a tool like `abstain`. pledge(2) should be 
called *after* initialization, and not at the beginning of the program.

> 
> Index: xeyes.c
> ===================================================================
> RCS file: /cvs/xenocara/app/xeyes/xeyes.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 xeyes.c
> --- xeyes.c   29 Aug 2021 17:50:32 -0000      1.5
> +++ xeyes.c   8 Sep 2023 03:23:51 -0000
> @@ -38,6 +38,8 @@ from the X Consortium.
>  #include "Eyes.h"
>  #include <stdio.h>
>  #include <stdlib.h>
> +#include <unistd.h>
> +#include <err.h>
>  #include "eyes.bit"
>  #include "eyesmask.bit"
>  
> @@ -111,6 +113,8 @@ main(int argc, char **argv)
>      Arg arg[2];
>      Cardinal i;
>  
> +    if(pledge("stdio rpath unix prot_exec", NULL) == -1)
> +         err(1, "pledge");
>      XtSetLanguageProc(NULL, (XtLanguageProc) NULL, NULL);
>  
>      toplevel = XtAppInitialize(&app_context, "XEyes",
> 
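
Review bot: pledge() sits at the top of main(), before XtSetLanguageProc() and XtAppInitialize(), so the promise string has to cover everything toolkit initialization does rather than what xeyes needs once it is running. Consider moving the call to just after XtAppInitialize() returns and re-deriving the promise list from that point; with the display connection already open, "unix" and "prot_exec" may no longer be needed, and remote displays would not require adding "inet". Style: `if(pledge` is missing a space after `if`, and the err() line is indented inconsistently with the four-space steps of the surrounding code.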

Thanks.
-- 
Sebastien Marie
