Believe you've missed the point
Programs that do fork+exec do so because users want to do so
In the ports tree, it is not customary to gut features, AND YOU DID NOT
CHANGE THE MANUAL PAGE.
pledge is still very effective. Such a program cannot open a socket.
Approximately half of system features are disabled.
Unless it reaches that fork+exec code path, of course. Then the
new process can do more, but that is an obvious "shell out feature".
You say:
If I am simply wrong here or this feature is in high demand please
disregard the rest of this mail.
Seems a lot like saying "you are sitting in a chair, you don't need your
legs, tell me if I am wrong".
> I have been playing around a bit with pledge(2) in textproc/mupdf after
> stumbling upon the 'proc exec' promises that are needed in mupdf-x11,
> mupdf-x11-curl and mupdf-gl to open an external browser on an uri link.
>
> Following the discussion on pledging www/lynx here
>
> https://marc.info/?l=openbsd-ports&m=146487363316499&w=2
>
> as well as discussion on pdf-viewers in general here
>
> https://marc.info/?l=openbsd-misc&m=142794933016263&w=2
>
> my impression was/is that trading off 'proc exec' promises just for the
> ability to open an external browser on an uri link is a bad deal.
>
> If I am simply wrong here or this feature is in high demand please
> disregard the rest of this mail.
>
> Now if all calls to an external browser could be turned off these
> promises would not be needed anymore and would also stop the executables
> from dumping core when an external link is encountered.
>
> A (admittedly horrific) way to do this is attached. With this internal
> links will work but links that would spawn a browser do nothing instead.
>
> I am sure there are better ways to achieve this and (only given this
> idea makes any sense in the first place) would appreciate any input that
> I can get.
>
> Best
>
> Gerrit
>
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/textproc/mupdf/Makefile,v
> retrieving revision 1.72
> diff -u -p -r1.72 Makefile
> --- Makefile 10 Feb 2017 14:51:13 -0000 1.72
> +++ Makefile 10 Apr 2017 17:32:22 -0000
> @@ -6,7 +6,7 @@ SHARED_LIBS += mupdfthird 0.0
> COMMENT = graphic library, pdf parser, viewer and utilities
>
> V = 1.10a
> -REVISION = 0
> +REVISION = 1
> DISTNAME = mupdf-$V-source
> PKGNAME = mupdf-$V
>
> @@ -21,7 +21,7 @@ MAINTAINER = Stuart Henderson <sthen@ope
> # droid font: Apache.
> PERMIT_PACKAGE_CDROM = Yes
>
> -# uses pledge(2)
> +# uses pledge()
> WANTLIB += GL X11 Xcursor Xext Xinerama Xrandr c crypto curl freetype
> WANTLIB += harfbuzz jbig2dec jpeg m nghttp2 openjp2 pthread ssl z
>
> @@ -35,8 +35,7 @@ MODGCC4_ARCHS = *
> MASTER_SITES = http://mupdf.com/downloads/ \
> http://mupdf.com/downloads/archive/
>
> -RUN_DEPENDS = devel/desktop-file-utils \
> - devel/xdg-utils
> +RUN_DEPENDS = devel/desktop-file-utils
> LIB_DEPENDS = devel/harfbuzz \
> graphics/jbig2dec \
> graphics/jpeg \
> Index: patches/patch-platform_gl_gl-main_c
> ===================================================================
> RCS file: /cvs/ports/textproc/mupdf/patches/patch-platform_gl_gl-main_c,v
> retrieving revision 1.3
> diff -u -p -r1.3 patch-platform_gl_gl-main_c
> --- patches/patch-platform_gl_gl-main_c 12 Dec 2016 10:54:39 -0000
> 1.3
> +++ patches/patch-platform_gl_gl-main_c 10 Apr 2017 17:32:22 -0000
> @@ -1,21 +1,41 @@
> -$OpenBSD: patch-platform_gl_gl-main_c,v 1.3 2016/12/12 10:54:39 sthen Exp $
> -
> -add pledge(2) to mupdf-gl:
> - - drm : opengl stuff
> - - proc exec : opening a external browser on uri link
> -
> ---- platform/gl/gl-main.c.orig Mon Nov 28 13:34:04 2016
> -+++ platform/gl/gl-main.c Mon Dec 12 09:39:02 2016
> -@@ -1414,6 +1414,12 @@ int main(int argc, char **argv)
> +--- platform/gl/gl-main.c.orig Mon Nov 28 14:33:38 2016
> ++++ platform/gl/gl-main.c Thu Jan 12 02:00:24 2017
> +@@ -48,25 +48,6 @@ static void ui_end(void)
>
> - glfwMakeContextCurrent(window);
> + static void open_browser(const char *uri)
> + {
> +-#ifdef _WIN32
> +- ShellExecuteA(NULL, "open", uri, 0, 0, SW_SHOWNORMAL);
> +-#else
> +- const char *browser = getenv("BROWSER");
> +- if (!browser)
> +- {
> +-#ifdef __APPLE__
> +- browser = "open";
> +-#else
> +- browser = "xdg-open";
> +-#endif
> +- }
> +- if (fork() == 0)
> +- {
> +- execlp(browser, browser, uri, (char*)0);
> +- fprintf(stderr, "cannot exec '%s'\n", browser);
> +- exit(0);
> +- }
> +-#endif
> + }
> +
> + const char *ogl_error_string(GLenum code)
> +@@ -1413,6 +1394,12 @@ int main(int argc, char **argv)
> + }
>
> -+ if (pledge("stdio rpath drm proc exec", NULL) == -1)
> + glfwMakeContextCurrent(window);
> ++
> ++ if (pledge("stdio rpath drm", NULL) == -1)
> + {
> + fprintf(stderr, "pledge: %s\n", strerror(errno));
> + exit(1);
> + }
> -+
> +
> ctx = fz_new_context(NULL, NULL, 0);
> fz_register_document_handlers(ctx);
> -
> Index: patches/patch-platform_x11_win_main_c
> ===================================================================
> RCS file: patches/patch-platform_x11_win_main_c
> diff -N patches/patch-platform_x11_win_main_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-platform_x11_win_main_c 10 Apr 2017 17:32:22 -0000
> @@ -0,0 +1,10 @@
> +--- platform/x11/win_main.c.orig Thu Jan 12 02:02:33 2017
> ++++ platform/x11/win_main.c Thu Jan 12 02:02:53 2017
> +@@ -908,7 +908,6 @@ void winreloadpage(pdfapp_t *app)
> +
> + void winopenuri(pdfapp_t *app, char *buf)
> + {
> +- ShellExecuteA(hwndframe, "open", buf, 0, 0, SW_SHOWNORMAL);
> + }
> +
> + #define OUR_TIMER_ID 1
> Index: patches/patch-platform_x11_x11_main_c
> ===================================================================
> RCS file: /cvs/ports/textproc/mupdf/patches/patch-platform_x11_x11_main_c,v
> retrieving revision 1.2
> diff -u -p -r1.2 patch-platform_x11_x11_main_c
> --- patches/patch-platform_x11_x11_main_c 12 Dec 2016 10:54:39 -0000
> 1.2
> +++ patches/patch-platform_x11_x11_main_c 10 Apr 2017 17:32:22 -0000
> @@ -1,11 +1,5 @@
> -$OpenBSD: patch-platform_x11_x11_main_c,v 1.2 2016/12/12 10:54:39 sthen Exp $
> -
> -add pledge(2) to mupdf-x11 and mupdf-x11-curl:
> - - inet dns : with HAVE_CURL only
> - - proc exec : opening an external browser on uri link
> -
> ---- platform/x11/x11_main.c.orig Mon Nov 28 13:34:04 2016
> -+++ platform/x11/x11_main.c Mon Dec 12 09:39:02 2016
> +--- platform/x11/x11_main.c.orig Mon Nov 28 14:33:38 2016
> ++++ platform/x11/x11_main.c Thu Jan 12 02:01:57 2017
> @@ -706,7 +706,6 @@ void onselreq(Window requestor, Atom selection, Atom t
> void winreloadpage(pdfapp_t *app)
> {
> @@ -14,7 +8,7 @@ add pledge(2) to mupdf-x11 and mupdf-x11
>
> xev.xclient.type = ClientMessage;
> xev.xclient.serial = 0;
> -@@ -717,8 +716,7 @@ void winreloadpage(pdfapp_t *app)
> +@@ -717,38 +716,11 @@ void winreloadpage(pdfapp_t *app)
> xev.xclient.data.l[0] = 0;
> xev.xclient.data.l[1] = 0;
> xev.xclient.data.l[2] = 0;
> @@ -24,19 +18,49 @@ add pledge(2) to mupdf-x11 and mupdf-x11
> }
>
> void winopenuri(pdfapp_t *app, char *buf)
> -@@ -892,6 +890,20 @@ int main(int argc, char **argv)
> + {
> +- char *browser = getenv("BROWSER");
> +- pid_t pid;
> +- if (!browser)
> +- {
> +-#ifdef __APPLE__
> +- browser = "open";
> +-#else
> +- browser = "xdg-open";
> +-#endif
> +- }
> +- /* Fork once to start a child process that we wait on. This
> +- * child process forks again and immediately exits. The
> +- * grandchild process continues in the background. The purpose
> +- * of this strange two-step is to avoid zombie processes. See
> +- * bug 695701 for an explanation. */
> +- pid = fork();
> +- if (pid == 0)
> +- {
> +- if (fork() == 0)
> +- {
> +- execlp(browser, browser, buf, (char*)0);
> +- fprintf(stderr, "cannot exec '%s'\n", browser);
> +- }
> +- exit(0);
> +- }
> +- waitpid(pid, NULL, 0);
> + }
> +
> + static void onkey(int c, int modifiers)
> +@@ -892,6 +864,20 @@ int main(int argc, char **argv)
> tmo_at.tv_sec = 0;
> tmo_at.tv_usec = 0;
> timeout = NULL;
> +
> +#ifdef HAVE_CURL
> -+ if (pledge("stdio rpath inet dns proc exec", NULL) == -1)
> ++ if (pledge("stdio rpath inet dns", NULL) == -1)
> + {
> + fprintf(stderr, "pledge: %s\n", strerror(errno));
> + exit(1);
> + }
> +#else
> -+ if (pledge("stdio rpath proc exec", NULL) == -1)
> ++ if (pledge("stdio rpath", NULL) == -1)
> + {
> + fprintf(stderr, "pledge: %s\n", strerror(errno));
> + exit(1);
>
`
