Contributed by tj on 2016-01-07 from the no-broken-promises dept.

In a continuing series of pledge(2) reports, Theo de Raadt (deraadt@) gives us the latest update before the 5.9 freeze.

Time for another report on pledge. A few items.

    int pledge(const char *promises, const char *paths[]);

For the next upcoming release, we will disable the 'paths' argument.

Reasoning: We have been very busy making as much of the tree set the promises right in applications, and building a few new promises as well. We simply don't have enough time to review the kernel code and make sure it is bug-free. We'll use the next 6 months development cycle to decide on paths, and then re-audit the tree to use the interface where it is suitable.

The base tree (/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/games) contains 652 ELF binaries. 451 use pledge. 201 do not. Approximately 47 do not need or cannot use pledge. Leaving 154 we could potentially pledge in the future. Most of those are not very important. There are a few hot spots, but most of what people use has been handled well by the team.

The sndiod subsystem now has been privsep'd, and also uses a new "audio" pledge to contain the ioctl operations against the sound device.

Robert, with some help from Kettenis for a "drm" pledge to control ioctls against the drm subsystem, recently started using pledge in chrome. chrome is already designed for sandboxing (it uses seccomp and various other technology on android and linux systems). pledge turns out to be an incredibly simple adaptation.

This does however leave us in the strange situation where firefox has W^X but lacks pledge, and chrome has pledge but lacks W^X.

Amazing progress has been made in this development cycle. As a reminder, an early version of pledge was included in 5.8 (when it was called "tame") but no programs actually used it then. In just a few months' time, well, the numbers speak for themselves. We're looking forward to 5.9 with these improvements, and 6.0 is set to be even better.