CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2026/01/12 04:36:40
Modified files:
emulators/mupen64plus/ui-console: Makefile
Removed files:
emulators/mupen64plus/ui-console/patches: patch-src_main_c
Log message:
Back out use of pledge(2) in mupen64plus-ui-console.
Although pledge(2) was only called at the last possible moment, after
nearly all initialization had been done, it turns out there was one case
I missed: if the user is playing with a ujoy(4) gamepad, then SDL will
call ioctl(2) with USB_GET_REPORT_DESC. No pledge(2) promise allows this.
Due to mupen64plus's design, pledge(2) cannot be moved any later. The
USB initialization takes place in a .so plugin with a documented public
API. Calling pledge(2) inside the plugin would certainly break other
mupen64plus frontends.
It may be possible to reintroduce pledge(2) in mupen64plus, by hoisting
joystick initialization to a place that gets executed earlier. However,
this too might not be possible without breaking other frontends.
Other alternatives could be to modify SDL's joystick initialization to
not require USB_GET_REPORT_DESC, or perhaps to add a new "ujoy" promise.
Either of these would benefit other SDL/ujoy(4)/pledge-using programs
(e.g., mgba). But research needs to be done to see how much of a benefit
this would actually provide.
To be honest, complete removal of pledge(2) from mupen64plus would not
be a great loss. mupen64plus initializes things late and reinitializes
things often. That meant the tightest pledge(2) promise still required
filesystem access *and* network access *and* exec. A better-designed
program would perform initialization earlier and use privilege separation.
Even other non-privilege-separated programs usually lend themselves
better to pledge(2) than mupen64plus.
Wrong pledge(2) promise reported by Fabien Romano.
