From: Mark Kettenis
Subject: Re: patch: relax ni_pledge panic
To: "Theo de Raadt"
Cc: semarie@kapouay.eu.org, tech@openbsd.org
Date: Thu, 06 Feb 2025 17:34:28 +0100

> From: "Theo de Raadt"
> Date: Thu, 06 Feb 2025 09:17:52 -0700
>
> > [2] in another thread, pledge("stdio rpath wpath"), and returns.
> > the process is now pledged.
>
> How can this be allowed?
>
> I am pretty sure sys_pledge should single-thread the process, which
> means it will wait until other threads complete their in-kernel sleeps.

I'm not sure clauio@ will agree with you ;)

One possible stance would be to disallow pledge(2) after __tfork(2) has
been called (and make it kill the process). But I suspect there is code
out there that does already do this... (cough, chromium).

> Obviously not all pledge-variable checks occur before the first
> in-kernel sleep of other system calls.

And of course syzkaller is doing completely nonsensical things. So a
pledge failure that kills the process may be totally acceptable here.
But it shouldn't panic the kernel.