mirror of
https://github.com/openbsd/ports.git
synced 2026-06-17 23:13:55 +02:00
1944839cd8
Although pledge(2) was only called at the last possible moment, after nearly all initialization had been done, it turns out there was one case I missed: if the user is playing with a ujoy(4) gamepad, then SDL will call ioctl(2) with USB_GET_REPORT_DESC. No pledge(2) promise allows this.

Due to mupen64plus's design, pledge(2) cannot be moved any later. The USB initialization takes place in a .so plugin with a documented public API. Calling pledge(2) inside the plugin would certainly break other mupen64plus frontends.

It may be possible to reintroduce pledge(2) in mupen64plus, by hoisting joystick initialization to a place that gets executed earlier. However, this too might not be possible without breaking other frontends. Other alternatives could be to modify SDL's joystick initialization to not require USB_GET_REPORT_DESC, or perhaps to add a new "ujoy" promise. Either of these would benefit other SDL/ujoy(4)/pledge-using programs (e.g., mgba). But research needs to be done to see how much of a benefit this would actually provide.

To be honest, complete removal of pledge(2) from mupen64plus would not be a great loss. mupen64plus initializes things late and reinitializes things often. That meant the tightest pledge(2) promise still required filesystem access *and* network access *and* exec. A better-designed program would perform initialization earlier and use privilege separation. Even other non-privilege-separated programs usually lend themselves better to pledge(2) than mupen64plus.

Wrong pledge(2) promise reported by Fabien Romano.