> So I think we need to narrow down the pledge(2) semantics a bit more
> with respect to ioctls. I'm inclined to say that if a certain ioctl
> is allowed by pledge(2) it should not abort the program anymore but
> return an error like it would do if unpledged. But perhaps we need to
> make that decision on a per-ioctl basis.
With tty ioctls, there are a few circumstances where the subsystem returns
an error rather than killing. Most of those are to satisfy library routines
which do the operation. There was some significant grumpiness when I added
the first one of those. Now the error condition is visible to a caller, can
be checked, and what we have is a run-time deviation from "POSIX".

The reason for these checks is because they protect the kernel, and they
identify a program that does the wrong thing. Here, a program did the wrong
thing.

I am 100% in agreement that opendev may not be the right place to do this.
That kind of stems from the design of opendev regarding DUID conversion...
I think we all knew that wasn't the best design early on, but we needed to
get that going, before the rest of the DUID subsystem could work...
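The point made above, that an error returned by a tty ioctl is something a caller can check while a kill is not, is illustrated by the following added example. It is not code from the thread or from OpenBSD; it is a stand-alone C program that pledges "stdio" on OpenBSD (on other systems a stub pledge() is assumed, labelled as such) and then probes descriptors the way a library routine such as isatty() would, via tcgetattr(3), treating ENOTTY as "not a terminal" and any other errno as a distinct failure instead of assuming success. Which tty ioctls the kernel lets through or turns into errors under a given pledge is the per-ioctl decision the thread is debating and is not asserted here.

```c
/* Added example: check the error a tty ioctl hands back instead of
 * assuming the call succeeded.  Not from the original thread. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: no pledge(2) on this platform, so stub it out. */
static int pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

/*
 * Classify a descriptor the way a library routine like isatty() must:
 *   1  -> fd is a terminal
 *   0  -> not a terminal (tcgetattr's TIOCGETA/TCGETS ioctl gave ENOTTY)
 *  -1  -> some other error; the errno value is stored in *err_out
 */
int probe_tty(int fd, int *err_out)
{
	struct termios t;

	if (tcgetattr(fd, &t) == 0) {
		*err_out = 0;
		return 1;
	}
	*err_out = errno;
	return (errno == ENOTTY) ? 0 : -1;
}

/* Constructed input: a pipe is never a terminal, so expect 0/ENOTTY. */
int probe_pipe(int *err_out)
{
	int fds[2], r;

	if (pipe(fds) == -1) {
		*err_out = errno;
		return -1;
	}
	r = probe_tty(fds[0], err_out);
	close(fds[0]);
	close(fds[1]);
	return r;
}

/* Constructed input: a closed descriptor, so expect -1/EBADF rather than
 * ENOTTY; a caller that only tests for ENOTTY would misreport this. */
int probe_closed(int *err_out)
{
	int fds[2];

	if (pipe(fds) == -1) {
		*err_out = errno;
		return -1;
	}
	close(fds[0]);
	close(fds[1]);
	return probe_tty(fds[0], err_out);
}

int main(void)
{
	int err, r;

	if (pledge("stdio", NULL) == -1) {
		perror("pledge");
		return 1;
	}
	r = probe_tty(STDOUT_FILENO, &err);
	printf("stdout: %s\n", r == 1 ? "terminal" :
	    r == 0 ? "not a terminal" : strerror(err));
	r = probe_pipe(&err);
	printf("pipe: %d (%s)\n", r, r == 0 ? "ENOTTY" : strerror(err));
	r = probe_closed(&err);
	printf("closed fd: %d (%s)\n", r, strerror(err));
	return 0;
}
```

When stdout is redirected to a file or pipe, the first probe reports "not a terminal" rather than failing, which is exactly the behaviour the message describes: the deviation is visible to the caller as an errno it can branch on.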
