OpenBSD Journal

Pledge changes in 7.9-beta

Contributed by rueda on from the not-to-be-confused-with-dlg@ dept.

David Leadbeater (dgl@) posted to ports@ a message, entitled Pledge changes in 7.9-beta, which explains the consequences for porters of the recent pledge(2)/unveil(2) changes in -current (and, to some extent, 7.8). Whilst targeted at porters, it provides a good overview for anyone interested in the changes.

The message reads:

Previously under certain promises it was possible to open certain files
or devices even if the program didn't pledge "rpath" or "wpath". This
behavior has gone away in 7.9-beta; libc uses the special
__pledge_open(2) syscall which cannot be used outside of libc.

We're looking through ports for pledge using ports which might be
affected by this, however if you maintain a port which uses pledge you
can help by testing it on snapshots (and ideally checking for codepaths
which might involve the files below). Feel free to privately send me "x
is ok" or such so as not to flood ports@.

(You can also help if the port uses pledge but doesn't have the "# uses
pledge()" Makefile comment, I have found some via grepping strings
output for "^stdio", but that won't find them if the code uses a
non-standard pledge order, among other things.)

If a port is opening these files or devices directly (i.e. not as a
result of using the libc interfaces that may open these files) then it
may need updating.

Two common examples seen so far are:

  - Opening /dev/null for various reasons
  - Implementing DNS resolution outside of libc and opening files such
    as /etc/resolv.conf

(but there are others, in particular Go implements most of libc itself
so is particularly affected by this, I'm looking at some ideas to make
that nicer.)

A port will need updating if:

  - It directly opens any of these files after calling pledge()

  - It does not pledge "rpath" and/or "wpath" (wpath relevant for
    /dev/null and /dev/tty only)
  OR
  - It uses unveil() of specific files

The update will look like:

  - Adding the relevant pledges "rpath" or "wpath" if it does not
    already have them;
  - Adding an unveil for the path with the permissions matching the mode(s)
    the file or device is opened with.
  - Alternatively adjust the code to open() before pledge() (and
    remember you can reduce pledges, so it may be possible to pledge
    with "rpath wpath" and later drop one or both of those).

The list of promises and the special paths which could previously be
opened under that promise is:

stdio
  /dev/null (rpath or wpath)
  /etc/localtime
  /usr/share/zoneinfo

tty
  /dev/tty (rpath or wpath)

dns
  /etc/resolv.conf
  /etc/hosts
  /etc/services
  /etc/protocols

getpw
  /etc/group
  /etc/netid
  /etc/pwd.db (the .db files really should be left to the system)
  /etc/spwd.db (could not open, but returned EPERM)
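As an added example (not code from David's message or from any port), here is the /dev/null case in C: the pattern that stops working on 7.9-beta, the two fixes the message describes (open before pledge, or add "rpath wpath" plus a matching unveil and then shrink the pledge), and a fork wrapper so each variant's one-way pledge/unveil state stays isolated. The stub pledge/unveil for non-OpenBSD builds are this example's assumption so it compiles elsewhere; they enforce nothing.

```c
#include <sys/wait.h>
#include <fcntl.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stubs so the example also compiles off OpenBSD; they enforce nothing. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
static int unveil(const char *p, const char *m) { (void)p; (void)m; return 0; }
#endif
/* Breaks on 7.9-beta: the program itself opens /dev/null after pledging
 * only "stdio"; libc's own opens use __pledge_open(2), this one does not. */
int devnull_after_stdio_only(void)
{
	if (pledge("stdio", NULL) == -1) return -1;
	return open("/dev/null", O_RDWR);
}

/* Fix 1: open() before pledge(), then pledge only what is still needed. */
int devnull_open_before_pledge(void)
{
	int fd = open("/dev/null", O_RDWR);
	if (fd == -1) return -1;
	if (pledge("stdio", NULL) == -1) { close(fd); return -1; }
	return fd;
}

/* Fix 2: keep the open() after pledge(), but add "rpath wpath" and an
 * unveil whose permissions match O_RDWR; reduce the pledge once done. */
int devnull_open_after_pledge(void)
{
	if (unveil("/dev/null", "rw") == -1 || unveil(NULL, NULL) == -1) return -1;
	if (pledge("stdio rpath wpath", NULL) == -1) return -1;
	int fd = open("/dev/null", O_RDWR);
	if (fd == -1) return -1;
	if (pledge("stdio", NULL) == -1) { close(fd); return -1; }  /* shrink only */
	return fd;
}

/* pledge/unveil are one-way, so each variant runs in its own forked child.
 * Returns 0 if fn got a descriptor and the child exited cleanly, -1 if it
 * failed or was killed (which is what a pledge violation looks like). */
int run_isolated(int (*fn)(void))
{
	int status;
	pid_t pid = fork();
	if (pid == -1) return -1;
	if (pid == 0) _exit(fn() == -1 ? 1 : 0);
	if (waitpid(pid, &status, 0) == -1) return -1;
	return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

On a 7.9-beta snapshot, `run_isolated(devnull_after_stdio_only)` is the case to watch: the child is killed for the pledge violation and the wrapper returns -1, while both fixed variants return 0.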

Whilst a new committer, David has been involved heavily in the recent pledge(2)/unveil(2) changes.
