Document missing pledge promises

Fri, 11 Jun 2021 07:51:30 -0700 

Here's my take at documenting the missing pledge promises in pledge.2
and placing them in a reasonable order with the others.  Each of these
just enabled various ioctl or sysctl interfaces.

I'm unhappy with the explanation for drm, but don't know how to
explain the purpose of these ioctls, and could not find any man page
to .Xr which documents these ioctl commands.

diff db8264de5e686d467fdfaede154dd2a2b3b1dc3d /usr/src
blob - 5794003962d7bc22bb4bb10471ed6f3381383cdf
file + lib/libc/sys/pledge.2
--- lib/libc/sys/pledge.2
+++ lib/libc/sys/pledge.2
@@ -498,6 +498,24 @@ programs like
 .Xr top 1
 and
 .Xr vmstat 8 .
+.It Va vmm
+Allows a subset of
+.Xr ioctl 2
+operations on the
+.Xr vmm 4
+device:
+.Pp
+.Dv VMM_IOC_CREATE ,
+.Dv VMM_IOC_RUN ,
+.Dv VMM_IOC_INFO ,
+.Dv VMM_IOC_TERM ,
+.Dv VMM_IOC_RESETCPU ,
+.Dv VMM_IOC_INTR ,
+.Dv VMM_IOC_READREGS ,
+.Dv VMM_IOC_WRITEREGS ,
+.Dv VMM_IOC_READVMPARAMS ,
+.Dv VMM_IOC_WRITEVMPARAMS ,
+.Dv VMM_IOC_MPROTECT_EPT
 .It Va id
 Allows the following system calls which can change the rights of a
 process:
@@ -579,12 +597,27 @@ devices:
 .Dv VIDIOC_STREAMON ,
 .Dv VIDIOC_TRY_FMT ,
 .Dv VIDIOC_REQBUFS
+.It Va drm
+Allows a subset of
+.Xr ioctl 2
+operations on
+.Xr drm 4
+devices.
 .It Va bpf
 Allow
 .Dv BIOCGSTATS
 operation for statistics collection from a
 .Xr bpf 4
 device.
+.It Va disklabel
+Allow enough
+.Xr sysctl 2
+interfaces to allow inspection of
+.Xr disklabel 5
+partitions by programs like
+.Xr disklabel 8
+and
+.Xr fdisk 8 .
 .It Va unveil
 Allow
 .Xr unveil 2
blob - a8e23adf2a48afcb82c4118a45b76ad3060c1069
file + sys/sys/pledge.h
--- sys/sys/pledge.h
+++ sys/sys/pledge.h
@@ -100,18 +100,18 @@ static const struct {
        { PLEDGE_SETTIME,       "settime" },
        { PLEDGE_PS,            "ps" },
        { PLEDGE_VMINFO,        "vminfo" },
+       { PLEDGE_VMM,           "vmm" },
        { PLEDGE_ID,            "id" },
        { PLEDGE_PF,            "pf" },
        { PLEDGE_ROUTE,         "route" },
        { PLEDGE_WROUTE,        "wroute" },
        { PLEDGE_AUDIO,         "audio" },
        { PLEDGE_VIDEO,         "video" },
+       { PLEDGE_DRM,           "drm" },
        { PLEDGE_BPF,           "bpf" },
+       { PLEDGE_DISKLABEL,     "disklabel" },
        { PLEDGE_UNVEIL,        "unveil" },
        { PLEDGE_ERROR,         "error" },
-       { PLEDGE_DISKLABEL,     "disklabel" },
-       { PLEDGE_DRM,           "drm" },
-       { PLEDGE_VMM,           "vmm" },
        { 0, NULL },
 };
 #endif

Reply via email to