pledge - reduce process capabilities
#include <unistd.h>
int pledge(const char* promises, const char* execpromises);
pledge() makes a promise to the kernel that from this moment on, the calling process will only use a subset of system functionality.
Functionality is divided into a curated set of promises (described below), which can be combined to cover the program's needs. Both arguments are space-separated lists of promises.
Note that pledge() can be called repeatedly to remove previously-pledged promises, but it can never regain capabilities once lost.
promises are applied to the current process, and will also be inherited by children created by fork(2).
execpromises are applied if/when a new process image is created with exec(2).
If promises or execpromises is null, the corresponding value is unchanged.
If the process later attempts to use any system functionality it has previously promised not to use, the process is instantly terminated. Note that a process that has not ever called pledge() is considered to not have made any promises, and is allowed use any system functionality (subject to regular permission checks).
pledge() is intended to be used in programs that want to sandbox themselves, either to limit the impact of a possible vulnerability exploitation, or before intentionally executing untrusted code.
stdio: Basic I/O, memory allocation, information about self, various non-destructive syscallsthread: The POSIX threading API (*)id: Ability to change UID/GIDtty: TTY related functionalityproc: Process and scheduling related functionalityexec: Theexec(2)syscallunix: UNIX local domain socketsinet: IPv4 domain socketsaccept: May useaccept(2)to accept incoming socket connections on already listening sockets (*)rpath: "Read" filesystem accesswpath: "Write" filesystem accesscpath: "Create" filesystem accessdpath: Creating new device fileschown: Changing file owner/groupfattr: Changing file attributes/permissionschroot: Thechroot(2)syscall (*)video: May useioctl(2)andmmap(2)on framebuffer video devicessettime: Changing the system time and datesetkeymap: Changing the system keyboard layout (*)sigaction: Change signal handlers and dispositions (*)sendfd: Send file descriptors over a local socketrecvfd: Receive file descriptors over a local socketptrace: Theptrace(2)syscall (*)prot_exec:mmap(2)andmprotect(2)withPROT_EXECmap_fixed:mmap(2)withMAP_FIXED(*)
Promises marked with an asterisk (*) are SerenityOS specific extensions not supported by the original OpenBSD pledge().
EFAULT:promisesand/orexecpromisesare not null and not in readable memory.EINVAL: One or more invalid promises were specified.EPERM: An attempt to increase capabilities was rejected.
The pledge() system call was first introduced by OpenBSD. The implementation in SerenityOS differs in many ways and is by no means final.