pledge.nimThu, Apr 14, 2016
A wrapper around OpenBSD’s
pledge(2) systemcall for Nim.
The man pages for
pledge(2) describe it as folows:
The current process is forced into a restricted-service operating mode. A few subsets are available, roughly described as computation, memory management, read-write operations on file descriptors, opening of files, networking. In general, these modes were selected by studying the operation of many programs using libc and other such interfaces, and setting promises or paths.
Use of pledge() in an application will require at least some study and understanding of the interfaces called. Subsequent calls to pledge() can reduce the abilities further, but abilities can never be regained.
A process which attempts a restricted operation is killed with an uncatchable SIGABRT, delivering a core file if possible.
pledge can be installed using Nimble:
nimble install pledge
Or add the following to your
# Dependencies requires "pledge >= 1.1.0"
import pledge pledge(Promises.Stdio) # As we haven't used pledge to ask to access files, the below will cause the program to be temrinated with a SIGABRT. let f = open("/etc/rc.conf")