From: Claudio Jeker Subject: Re: patch: relax ni_pledge panic To: Theo de Raadt , Mark Kettenis , semarie@kapouay.eu.org, tech@openbsd.org Date: Mon, 10 Feb 2025 13:02:57 +0100 On Mon, Feb 10, 2025 at 12:32:52PM +0100, Martin Pieuchot wrote: > On 07/02/25(Fri) 17:47, Claudio Jeker wrote: > > On Thu, Feb 06, 2025 at 06:46:52PM +0100, Martin Pieuchot wrote: > > > On 06/02/25(Thu) 09:43, Theo de Raadt wrote: > > > > Mark Kettenis wrote: > > > > > > > > > > From: "Theo de Raadt" > > > > > > Date: Thu, 06 Feb 2025 09:17:52 -0700 > > > > > > > > > > > > > [2] in another thread, pledge("stdio rpath wpath"), and returns. > > > > > > > the process is now pledged. > > > > > > > > > > > > How can this be allowed? > > > > > > > > > > > > I am pretty sure sys_pledge should single-thread the process, which > > > > > > means it will wait until other threads complete their in-kernel sleeps. > > > > > > > > > > I'm not sure clauio@ will agree with you ;) > > > > > > > > He just agreed with me privately. > > > > > > I'd rather see a rwlock be used to serialized access to the per-process > > > data structures. I don't see any reason to use the single thread API > > > for this and I'd rather not spread its usage. It is already a pain to > > > work with. > > > > We need to fix that and this is what I'm slowly working at. The single > > thread API should be simple and allow a few syscalls to know that no other > > thread will disturb them. exec and exit are such cases but I think unveil > > and pledge fall into a similar category. They alter the behaviour of the > > process and should therefor change the sate in a safe fashion. > > I disagree with this approach. I desagree with you on this one. The single thread API is one of the tools we have to make MP/MT code safe. In this case this tool fits well and solves an immediate problem. Hammering an rwlock around all of unveil is not practicable on the other hand. Why can't we use all tools in the box? Why can we only use rwlocks and mutexes for our solutions? > > Since both pledge and unveil are almost never called it is better to > > optimise for the readers (which happen on all or many syscalls). > > Indeed, a read/write lock is fine. No it is not. rwlocks are not a golden ticket that makes all pain go away. They are massive bottle necks even now that the most obvious problem has been fixed. -- :wq Claudio