On Fri, Mar 6, 2026 at 12:23 PM Crystal Kolipe <[email protected]> wrote:
>
> On Fri, Mar 06, 2026 at 11:07:41AM -0800, Andrew Hewus Fresh wrote:
> > On Thu, Mar 05, 2026 at 06:47:45PM +0000, Crystal Kolipe wrote:
> > > On Thu, Mar 05, 2026 at 10:21:58AM +0100, tetrosalame wrote:
> > > > BTW, i failed to find an in-tree .c file where execpromises weren't
> > > > set to NULL: is that idiom somehow discouraged?
> >
> > As I recall, when I wrote the module the second argument was still very
> > experimental (I think it was pledgepaths maybe) and after it had settled
> > to execpromises but before I had time, this message was posted.
> >
> > > https://marc.info/?l=openbsd-bugs&m=158378079011968
> >
> > I then lost interest.
>
> Does the fact that ldd is now using execpromises invalidate the previous
> advice not to use it?
>
> Or is this still undecided?

ldd can make use of it because (a) it checks that it's invoking an ELF
executable with an interpreter, (b) there's only one supported ELF
interpreter on OpenBSD, and (c) ldd is tightly integrated with that
interpreter and knows exactly what is used when ldd invokes it.

I ok'ed the diff that added that use in ldd and I haven't been able to
imagine a *stable* followup use for it since then, since I don't see
any other uses that *can* occur with a similar level of knowledge of
the post-exec operation.

Given what we know now, would it have been better if pledge() only
took one argument and there was a separate pledgeexec() syscall that
only ldd called? I'll answer with a fully qualified "maybe"

Philip Guenther
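
Added example (not part of the original message and not ldd's code): a sketch in C of the kind of precondition described in (a) above, confirming that a file image is an ELF64 object with a PT_INTERP program header before any execpromises are set. The function names and both promise strings are assumptions chosen for illustration, and the parser assumes a native-endian image.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EHDR64_SIZE 64u	/* sizeof(Elf64_Ehdr) */
#define PHDR64_SIZE 56u	/* sizeof(Elf64_Phdr) */
#define PT_INTERP_  3u	/* program header type PT_INTERP */

/* Return 1 if buf holds a native-endian ELF64 image with a PT_INTERP
 * segment, 0 if it has none, -1 if it is malformed or not ELF64. */
int elf64_has_interp(const unsigned char *buf, size_t len)
{
	uint64_t phoff;
	uint16_t phentsize, phnum, i;
	uint32_t type;

	if (len < EHDR64_SIZE || memcmp(buf, "\177ELF", 4) != 0)
		return -1;
	if (buf[4] != 2)		/* EI_CLASS must be ELFCLASS64 */
		return -1;
	memcpy(&phoff, buf + 32, sizeof(phoff));		/* e_phoff */
	memcpy(&phentsize, buf + 54, sizeof(phentsize));	/* e_phentsize */
	memcpy(&phnum, buf + 56, sizeof(phnum));		/* e_phnum */
	if (phentsize != PHDR64_SIZE || phoff > len ||
	    (uint64_t)phnum * phentsize > len - phoff)
		return -1;		/* table would run past the buffer */
	for (i = 0; i < phnum; i++) {
		memcpy(&type, buf + phoff + (size_t)i * phentsize, sizeof(type));
		if (type == PT_INTERP_)
			return 1;
	}
	return 0;
}

#ifdef __OpenBSD__
#include <unistd.h>
/* Hypothetical caller: refuses to set execpromises unless the target
 * is known to be run through the ELF interpreter. Both promise strings
 * are illustrative placeholders, not the sets ldd actually uses. */
int restrict_for_exec(const unsigned char *buf, size_t len)
{
	if (elf64_has_interp(buf, len) != 1)
		return -1;
	return pledge("stdio rpath exec", "stdio rpath");
}
#endif
```
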

