On 2017-04-27, Ted Unangst <t...@tedunangst.com> wrote:
> Michael Hendricks wrote:
>> I would like to have pledge on the command line so I can restrict an ad-hoc
>> process during execution. For example:
>>
>> $ pledge "stdio" sed -e "s/foo/bar/g" <input.txt >output.txt
>>
>> I can't modify sed, for example, because I don't always want it pledged
>> that tightly. Since execve removes pledges, I can't see a way to write
>> this pledge utility myself. Is it possible? Is there a better way to
>> impose these kinds of ad-hoc restrictions on a utility?
>
> sed can (should?) reduce the set of permissions after it determines that input
> and output are streams. in fact, it can do so after opening any required
> files.

It would have to parse the command string to decide (r and w functions, w flag).
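
The script scan mentioned in the reply above, sketched as an added example; it is not code from this thread or from OpenBSD's sed. The function names and the two promise strings are assumptions of the example, and the scanner is simplified (a delimiter inside a bracket expression is not recognised).

```c
#include <ctype.h>

/* Skip to just past the next unescaped delimiter d (or stop at the NUL). */
static const char *skip_to(const char *p, char d) {
    for (; *p && *p != d; p++)
        if (*p == '\\' && p[1]) p++;
    return *p ? p + 1 : p;
}

/* Skip one address: line number, $, /re/ or \cREc. */
static const char *skip_addr(const char *p) {
    if (*p == '$') return p + 1;
    if (*p == '/') return skip_to(p + 1, '/');
    if (*p == '\\' && p[1]) return skip_to(p + 2, p[1]);
    while (isdigit((unsigned char)*p)) p++;
    return p;
}

/* 1 if the script has an r or w function or a w flag on s, else 0.
 * Labels and comments are cut at ';' so whatever follows is still scanned. */
int sed_script_needs_files(const char *p) {
    while (*p) {
        while (isspace((unsigned char)*p) || *p == ';') p++;
        p = skip_addr(p);
        if (*p == ',') p = skip_addr(p + 1);
        while (*p == ' ' || *p == '\t' || *p == '!') p++;
        switch (*p) {
        case '\0': break;
        case 'r': case 'w': return 1;
        case 's': case 'y':                 /* two delimited sections, then flags */
            if (!p[1]) return 0;
            p = skip_to(skip_to(p + 2, p[1]), p[1]);
            for (; *p && *p != ';' && *p != '\n' && *p != '}'; p++)
                if (*p == 'w') return 1;    /* w flag */
            break;
        case 'a': case 'i': case 'c': p = skip_to(p + 1, '\n'); break; /* text */
        case '#': case ':': case 'b': case 't':     /* comment or label */
            for (p++; *p && *p != '\n' && *p != ';'; p++) ;
            break;
        default: p++;                       /* one-letter function, { or } */
        }
    }
    return 0;
}

/* Promise sets are this example's choice. On OpenBSD the caller would pass
 * the result to pledge(promises, NULL) once its input files are open. */
const char *sed_promises(const char *script) {
    return sed_script_needs_files(script) ? "stdio rpath wpath cpath" : "stdio";
}
```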