Comment by notaplumber1

4 years ago

> I'll definitely be doing more to make the C API as compatible with OpenBSD as possible.

One suggestion I might add: it would be worth trying to compile any of OpenBSD's privilege-separated network daemons on Linux (w/ Cosmopolitan Libc, or others). While you may have intended to use this facility primarily for your own APE binaries, I suspect you'll find that, despite your intentions to make this compatible with the C API definition of pledge(2), in practice your implementation is incompatible with privsep/privdrop software, for which pledge was designed. It was never intended for application "sandboxing".

pledge() wasn't intended for our awesome sandboxing tool? Well that just goes to show how brilliant the OpenBSD developers are, that folks like myself are finding great uses for their ideas and design that they didn't intend. We might not be able to live up to OpenBSD's model given the way Linux is, but I do believe we're going to have a better and more secure Linux thanks to the influence of OpenBSD.

  • The idea of a "pledge" utility isn't a novel one, it is my understanding that one was intentionally not provided.

  • OpenBSD pledges aren’t normally used for child processes, they’re more for “okay this program has super well-defined needs, let’s make sure (in its own source code) that it won’t be able to do anything else”. So a wrapper program wouldn’t really be normal usage.