> Michael Hendricks wrote:
> > I would like to have pledge on the command line so I can restrict an ad-hoc
> > process during execution.  For example:
> > 
> > $ pledge "stdio" sed -e "s/foo/bar/g" <input.txt >output.txt
> > 
> > I can't modify sed, for example, because I don't always want it pledged
> > that tightly.  Since execve removes pledges, I can't see a way to write
> > this pledge utility myself.  Is it possible?  Is there a better way to
> > impose these kinds of ad-hoc restrictions on a utility?
> 
> sed can (should?) reduce the set of permissions after it determines that input
> and output are streams. In fact, it can do so after opening any required
> files.

Right.  Ted is pointing out sed does this itself.  Read my previous
mail on "initialization" vs "mainloop", then go look at the code in main.c.

That is the groundbreaking idea behind pledge -- that a program itself
knows when to instantiate policy for future instructions.

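The "initialization" versus "mainloop" split described in this reply, as an added C example that is not part of the thread and is not sed's main.c: a filter that opens its files under a wider pledge, then drops to "stdio" before touching any input. The names `filter` and `run`, the fixed foo/bar substitution (taken from the command in the question) and the no-op `pledge` stand-in for non-OpenBSD builds are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>                     /* real pledge(2) */
#else
/* Assumption: no-op stand-in so the example builds where pledge(2) is absent. */
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
#endif

/* Main loop: stream "foo" -> "bar". Touches only already-open FILE handles,
 * so "stdio" is all it needs. Returns replacement count, or -1 on I/O error. */
static long filter(FILE *in, FILE *out)
{
    static const char pat[] = "foo", rep[] = "bar";
    size_t m = 0;                       /* bytes of pat matched so far */
    long n = 0;
    int c;
    while ((c = getc(in)) != EOF) {
        if (c == pat[m]) {
            if (++m == strlen(pat)) { fputs(rep, out); n++; m = 0; }
            continue;
        }
        fwrite(pat, 1, m, out);         /* emit the failed partial match */
        m = (c == pat[0]);              /* mismatching byte may start a new match */
        if (!m) putc(c, out);
    }
    fwrite(pat, 1, m, out);             /* partial match pending at EOF */
    return (ferror(in) || ferror(out)) ? -1 : n;
}

/* Initialization: opening files needs rpath/wpath/cpath; nothing later does. */
static long run(const char *inpath, const char *outpath)
{
    FILE *in, *out;
    long n;
    if (pledge("stdio rpath wpath cpath", NULL) == -1) return -1;
    in = inpath ? fopen(inpath, "r") : stdin;
    out = outpath ? fopen(outpath, "w") : stdout;
    if (in == NULL || out == NULL) return -1;
    /* Policy point: every file is open, so give up all filesystem access. */
    if (pledge("stdio", NULL) == -1) return -1;
    n = filter(in, out);
    return fflush(out) == EOF ? -1 : n;
}

int main(int argc, char *argv[])
{
    return run(argc > 1 ? argv[1] : NULL, argc > 2 ? argv[2] : NULL) < 0;
}
```

On OpenBSD, any later attempt inside `filter` to open a path would kill the process, which is the restriction the original question wanted to impose from outside.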