OpenBSD Journal

tame(2) is now pledge(2)

Contributed by pitrh on from the untamed pledges dept.

The tame(2) privilege restriction syscall has now been renamed to pledge(2) by Theo de Raadt in this commit:

Module name:	src
Changes by:	2015/10/08 19:17:21

Modified files:
	sys/sys        : syscall_mi.h 
	sys/conf       : files 
	sys/kern       : sys_generic.c 
Added files:
	sys/kern       : kern_pledge.c 
Removed files:
	sys/kern       : kern_tame.c 

Log message:
Rename tame() to pledge().  This fairly interface has evolved to be more
strict than anticipated.  It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.

But of course a renaming comes with more work to be committed. One of the early entries in a series of followups was this one:

Modified files:
	lib/libc       : Symbols.list 
	lib/libc/sys   : 
Added files:
	lib/libc/sys   : pledge.2 tame.c 
Removed files:
	lib/libc/sys   : tame.2 

Log message:
tame -> pledge conversion, in libc.  I should crank libc, but am cheating
hoping things go well.  The old symbol is faked via a stupid stub function,
until next major crank when it can be removed.  I am expecting guenther
to scream at me.

Some followups only touched one file, like this one:

Module name:	src
Changes by:	2015/10/08 19:26:40

Modified files:
	include        : unistd.h 

Log message:
tame -> pledge.

while others were seemingly more extensive, like this one, with the long list of base system programs that have been successfully converted to use the interface:

Module name:	src
Changes by:	2015/10/08 19:37:10

Modified files:
	bin/cat        : cat.c 
	bin/chmod      : chmod.c 
	bin/cp         : cp.c 
	bin/date       : date.c 
	bin/dd         : dd.c 
	bin/df         : df.c 
	bin/echo       : echo.c 
	bin/ed         : main.c 
	bin/expr       : expr.c 
	bin/ls         : ls.c 
	bin/md5        : md5.c 
	bin/mkdir      : mkdir.c 
	bin/ps         : print.c ps.1 
	bin/pwd        : pwd.c 
	bin/rm         : rm.c 
	bin/rmdir      : rmdir.c 
	bin/sleep      : sleep.c 
	bin/test       : test.c 
	sbin/dmesg     : dmesg.c 
	sbin/ping      : ping.c 
	sbin/ping6     : ping6.c 
	usr.bin/banner : banner.c 
	usr.bin/basename: basename.c 
	usr.bin/cal    : cal.c 
	usr.bin/col    : col.c 
	usr.bin/colrm  : colrm.c 
	usr.bin/column : column.c 
	usr.bin/comm   : comm.c 
	usr.bin/compress: main.c 
	usr.bin/csplit : csplit.c 
	usr.bin/ctags  : ctags.c 
	usr.bin/cut    : cut.c 
	usr.bin/dc     : dc.c 
	usr.bin/deroff : deroff.c 
	usr.bin/diff   : diff.c 
	usr.bin/diff3  : diff3prog.c 
	usr.bin/dirname: dirname.c 
	usr.bin/expand : expand.c 
	usr.bin/fgen   : fgen.l 
	usr.bin/file   : file.c 
	usr.bin/find   : find.c 
	usr.bin/finger : finger.c 
	usr.bin/fmt    : fmt.c 
	usr.bin/fold   : fold.c 
	usr.bin/from   : from.c 
	usr.bin/getopt : getopt.c 
	usr.bin/grep   : grep.c 
	usr.bin/head   : head.c 
	usr.bin/hexdump: hexdump.c 
	usr.bin/htpasswd: htpasswd.c 
	usr.bin/id     : id.c 
	usr.bin/indent : indent.c 
	usr.bin/join   : join.c 
	usr.bin/jot    : jot.c 
	usr.bin/kdump  : kdump.c ktrstruct.c 
	usr.bin/lam    : lam.c 
	usr.bin/lastcomm: lastcomm.c 
	usr.bin/leave  : leave.c 
	usr.bin/lock   : lock.c 
	usr.bin/logger : logger.c 
	usr.bin/logname: logname.c 
	usr.bin/look   : look.c 
	usr.bin/make   : main.c 
	usr.bin/mktemp : mktemp.c 
	usr.bin/nl     : nl.c 
	usr.bin/nm     : nm.c 
	usr.bin/openssl: openssl.c 
	usr.bin/paste  : paste.c 
	usr.bin/patch  : patch.c 
	usr.bin/pr     : pr.c 
	usr.bin/printenv: printenv.c 
	usr.bin/printf : printf.c 
	usr.bin/readlink: readlink.c 
	usr.bin/rev    : rev.c 
	usr.bin/rs     : rs.c 
	usr.bin/script : script.c 
	usr.bin/sed    : main.c 
	usr.bin/signify: signify.c 
	usr.bin/split  : split.c 
	usr.bin/ssh/sshd: Makefile 
	usr.bin/stat   : stat.c 
	usr.bin/tail   : tail.c 
	usr.bin/tee    : tee.c 
	usr.bin/tftp   : main.c 
	usr.bin/touch  : touch.c 
	usr.bin/tr     : tr.c 
	usr.bin/tty    : tty.c 
	usr.bin/uname  : uname.c 
	usr.bin/unifdef: unifdef.c 
	usr.bin/uniq   : uniq.c 
	usr.bin/units  : units.c 
	usr.bin/unvis  : unvis.c 
	usr.bin/users  : users.c 
	usr.bin/uudecode: uudecode.c 
	usr.bin/uuencode: uuencode.c 
	usr.bin/vis    : vis.c 
	usr.bin/wc     : wc.c 
	usr.bin/what   : what.c 
	usr.bin/who    : who.c 
	usr.bin/whois  : whois.c 
	usr.bin/write  : write.c 
	usr.sbin/acpidump: acpidump.c 
	usr.sbin/arp   : arp.c 
	usr.sbin/bgpd  : rde.c session.c 
	usr.sbin/ntpd  : ntp_dns.c ntpd.c 
	usr.sbin/portmap: portmap.c 
	usr.sbin/tcpdump: privsep.c tcpdump.c 
	usr.sbin/traceroute: traceroute.c 
Added files:
	usr.bin/ssh    : sandbox-pledge.c 
Removed files:
	usr.bin/ssh    : sandbox-tame.c 

Log message:
Change all tame callers to namechange to pledge(2).

The renaming touched several other commits, and we should expect more activity in this area as pledge(2) becomes an ever more visible part of the OpenBSD programming environment.

(Comments are closed)

  1. By Anonymous Coward (2601:186:4102:4919:886a:1238:6ba4:ba6d) on

    > It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.

    I like the name change, as I think 'pledge' conveys a better sense of why the program is telling the OS what behaviour to expect of it.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]