Crates.io | pledge |
lib.rs | pledge |
version | 0.4.2 |
source | src |
created_at | 2016-09-04 17:41:56.310838 |
updated_at | 2021-06-16 18:00:16.86361 |
description | Rust binding to OpenBSD's pledge(2) interface |
homepage | |
repository | https://github.com/i80and/pledge-rs |
max_upload_size | |
id | 6236 |
size | 14,808 |
A Rust binding to OpenBSD's pledge(2) interface.
```rust
/* Rust 2015 only */ #[macro_use] extern crate pledge;
/* Rust 2018 only */ use pledge::{pledge, pledge_promises, pledge_execpromises};

fn foo() {
    // make both promises and execpromises
    pledge![Stdio Proc Exec, Stdio Tty].unwrap();

    // make promises only
    pledge_promises![Stdio Exec].unwrap();

    // make execpromises only
    pledge_execpromises![Stdio].unwrap();
}
```
This is roughly equivalent to:
```rust
/* Rust 2015 only */ extern crate pledge;
use pledge::{pledge, Promise, ToPromiseString};

fn foo() {
    // make both promises and execpromises
    let promises = vec![Promise::Stdio, Promise::Proc, Promise::Exec];
    let execpromises = vec![Promise::Stdio, Promise::Tty];
    pledge(&*promises.to_promise_string(), &*execpromises.to_promise_string()).unwrap();

    // make promises only
    let promises = vec![Promise::Stdio, Promise::Exec];
    pledge(&*promises.to_promise_string(), None).unwrap();

    // make execpromises only
    let execpromises = vec![Promise::Stdio];
    pledge(None, &*execpromises.to_promise_string()).unwrap();
}
```
You may also provide promises directly as a string:
```rust
/* Rust 2015 only */ extern crate pledge;
use pledge::pledge;

fn foo() {
    // make both promises and execpromises
    pledge("stdio proc exec", "stdio tty").unwrap();

    // make promises only
    pledge("stdio exec", None).unwrap();

    // make execpromises only
    pledge(None, "stdio").unwrap();
}
```
All of these will yield `pledge::Error::UnsupportedPlatform` on platforms that don’t support pledge(2). You can use `pledge::Error::ignore_platform` to ignore that variant and make your program portable to those platforms:
```rust
/* Rust 2015 only */ extern crate pledge;
/* Rust 2018 only */ use pledge::pledge_promises;

fn foo() {
    // ...

    // UnsupportedPlatform is mapped to Ok(()); any other error still panics
    pledge_promises![Stdio Exec]
        .or_else(pledge::Error::ignore_platform)
        .unwrap();

    // ...
}
```
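With `ignore_platform`, the calls succeed without restricting anything off OpenBSD, so a test run there will not notice a later call that asks for a promise dropped earlier; pledge(2) only lets a pledged process narrow its sets. The std-only model below is an added example, not code from the pledge crate: `PledgeModel`, `widened` and `sample_plan` are hypothetical names, the plan is constructed, and the narrowing rule is the only kernel check it models.

```rust
use std::collections::BTreeSet;

type Set = BTreeSet<String>;

/// Hypothetical model of per-process pledge state; `None` = not pledged yet.
#[derive(Default)]
pub struct PledgeModel {
    promises: Option<Set>,
    execpromises: Option<Set>,
}

fn parse(s: &str) -> Set {
    s.split_whitespace().map(str::to_owned).collect()
}

/// Promises in `next` that an already-pledged process does not hold.
fn widened(current: &Option<Set>, next: &Set) -> Vec<String> {
    match current {
        None => Vec::new(), // first call: any set is accepted
        Some(cur) => next.difference(cur).cloned().collect(),
    }
}

impl PledgeModel {
    /// Same argument shape as the string form: `None` leaves that set unchanged.
    /// `Err` lists the promises the call would regain (EPERM on OpenBSD).
    pub fn pledge(&mut self, promises: Option<&str>, execpromises: Option<&str>) -> Result<(), Vec<String>> {
        let (p, e) = (promises.map(parse), execpromises.map(parse));
        let mut bad = Vec::new();
        if let Some(p) = &p { bad.extend(widened(&self.promises, p)); }
        if let Some(e) = &e { bad.extend(widened(&self.execpromises, e)); }
        if !bad.is_empty() { return Err(bad); }
        if p.is_some() { self.promises = p; }
        if e.is_some() { self.execpromises = e; }
        Ok(())
    }
}

/// Constructed three-stage plan; the last stage tries to get `proc` back.
pub fn sample_plan() -> Vec<Result<(), Vec<String>>> {
    let mut m = PledgeModel::default();
    vec![
        m.pledge(Some("stdio proc exec"), Some("stdio tty")),
        m.pledge(Some("stdio exec"), None),
        m.pledge(Some("stdio proc"), None),
    ]
}

fn main() { println!("{:?}", sample_plan()); }
```

Driving the model with the same promise strings the program passes to `pledge` lets a unit test on any platform catch a stage that would fail on OpenBSD.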
This version of the crate is compatible with the OpenBSD 6.3+ interface, where the second parameter restricts the privileges of the process after execve(2), and guaranteed to be compatible with Rust 1.24.0+ (as shipped by OpenBSD 6.3).
Use version `^0.3` for the OpenBSD 5.9+ interface last supported by Bitrig, where the second parameter sets a whitelist of permitted paths.
To migrate your code from older versions:
- change `pledge![P, Q, R]` call sites to `pledge_promises![P Q R]`
- change `pledge("p q r")` call sites to `pledge("p q r", None)`
- change `pledge_with_paths(promises, paths)` to `pledge(promises)`
- update `Promise` variants (e.g. `MCast` → `Mcast`)