pledge.nim

A wrapper around OpenBSD's pledge(2) system call for Nim.

The man page for pledge(2) describes it as follows:

The current process is forced into a restricted-service operating mode. A few subsets are available, roughly described as computation, memory management, read-write operations on file descriptors, opening of files, networking. In general, these modes were selected by studying the operation of many programs using libc and other such interfaces, and setting promises or paths.

Use of pledge() in an application will require at least some study and understanding of the interfaces called. Subsequent calls to pledge() can reduce the abilities further, but abilities can never be regained.

A process which attempts a restricted operation is killed with an uncatchable SIGABRT, delivering a core file if possible.

Installation

pledge can be installed using Nimble:

nimble install pledge

Or add the following to your .nimble file:

# Dependencies

requires "pledge >= 1.1.0"

Documentation

Usage

import pledge

pledge(Promises.Stdio)

# As we haven't used pledge to ask for access to files, the line below will cause the program to be terminated with a SIGABRT.
let f = open("/etc/rc.conf")
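
The man page's point that abilities can be reduced further but never regained is easiest to see as a staged drop: keep file access while initialising, then give it up. The following is an added example, not code from this project; it binds pledge(2) directly through Nim's importc rather than assuming anything about the wrapper's API beyond what is shown above, and the names c_pledge and restrict are hypothetical.

```nim
# Added example: staged privilege reduction with pledge(2) on OpenBSD.
# c_pledge and restrict are illustrative names, not part of pledge.nim.
import std/os

when not defined(openbsd):
  {.error: "pledge(2) is only available on OpenBSD".}

# Direct binding to the system call: int pledge(const char *, const char *)
proc c_pledge(promises, execpromises: cstring): cint {.
  importc: "pledge", header: "<unistd.h>".}

proc restrict(promises: string) =
  ## Reduce this process to the given promise set; fail closed on error.
  if c_pledge(promises.cstring, nil) != 0:
    raiseOSError(osLastError(), "pledge(\"" & promises & "\")")

proc main() =
  # Stage 1: initialisation still has to open a file, so keep rpath.
  restrict("stdio rpath")
  let f = open("/etc/rc.conf")   # allowed: rpath permits read-only opens
  defer: f.close()

  # Stage 2: everything needed is open; drop rpath for the rest of the run.
  restrict("stdio")

  # Reading from the descriptor opened earlier still works under stdio.
  var count = 0
  for _ in f.lines:
    inc count
  echo "read ", count, " lines after dropping rpath"

  # Asking for rpath again fails with EPERM: abilities are never regained.
  if c_pledge("stdio rpath", nil) != 0:
    echo "re-widening refused: ", osErrorMsg(osLastError())

  # From here on, any new open() would end the process with SIGABRT.

main()
```

Checking the return value of every call matters: a pledge that fails and is ignored leaves the process running with its previous, wider set of promises.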