Hacker News new | ask | show | jobs
by int_19h 2899 days ago
Which makes it that much harder to extend.

There's nothing wrong with the use of strings here. It's very readable, easily understandable to anyone who knows C, can be checked by automated tools (or at runtime) for invalid values, and is easily extensible in the future. It's also not on a hot path (I mean, you shouldn't have to do this at any point other than process creation).
1 comments
therein 2899 days ago
Right but is there really any reason why the implementation should call strncmp or anything that would be costlier than a bitwise AND? It's not like "r" reads better than O_RDONLY.
link
codetrotter 2899 days ago
Pledge happens on process startup only, so since it’s not like it is called over and over again during the life of the process, the overhead is certainly negligible for all modern servers, desktops and laptops.
link
microtonal 2899 days ago
But compiler errors (typo in a flag) become runtime errors (typo in the unveil string).
link
tedunangst 2899 days ago
You're only one character away from FLAG1 || FLAG2.
link
protomyth 2899 days ago
It is trivial to run a script to check the values are correct.
link
temprature 2899 days ago
It's also pretty trivial to run the program. Maybe it's different in other projects, but I'm pretty sure in OpenBSD you're encouraged to actually test the code, not just ship it because it compiles. There's 2 programs in OpenBSD's base that don't abort on the pledge call failing, they're both shells, and they don't fail quietly.
link
vageli 2899 days ago
You don't see an issue with needing to write and maintain a verification script for something that is essentially a solved problem? Why add more development runtime overhead? What do string-based flags get you that bit-based don't?
link
temprature 2899 days ago
Removes the need to add a separate include for namespacing, ie. no pledge.h header needed.

Makes the calls shorter and easier to read. Consider:

    if (pledge("stdio rpath tmppath proc exec", NULL) == -1)
        err(1, "pledge");
vs.

    if (pledge(PLEDGE_STDIO | PLEDGE_RPATH | PLEDGE_TMPPATH | PLEDGE_PROC | PLEDGE_EXEC, NULL) == -1)
        err(1, "pledge");
Makes it easier to add a pledge interface to other languages with having to keep chasing bit flag changes, ie. there's been several new promises add since 2015 but the OpenBSD::Pledge perl module hasn't needed to change.

And really, unless you're using pledge wrong, ie. by using it outside of the startup path and/or not checking the return value, what does compile-time checking get you?

link
protomyth 2899 days ago
Nope, I really don't. I don't fear strings in code because I have to run verification scripts on whatever config format we end up using or you get stuff like [1]. Its just another part of the compile process once setup, and their reasoning was sound[2], so why stress. Heck, the script isn't even complicated.

Now, at a language level, would I like the C committee to start looking at some of these things? Yes, but why bother hoping for miracles.

1) https://www.engadget.com/2018/07/13/aliens-colonial-marines-...

2) https://www.tedunangst.com/flak/post/string-interfaces

link