From: "Theo de Raadt" Subject: Re: www/ungoogled-chromium: configurable cdm pledges To: Renato Aguiar Cc: ports , Robert Nagy , Stuart Henderson Date: Sat, 14 Mar 2026 15:25:00 -0600 Renato Aguiar wrote: > I agree that, in general, pledge/unveil shouldn't be configurable, but, > in this particular case, ungoogled-chromium is loading an external > library (openwv) that isn't distributed with the main application. It is > impossible for it to know for sure what permissions are needed. Impossible?? I dispute that. I also dispute that if a developer cannot narrow down the MAXIMUM featureset it uses, then it is even more impossible for a USER to perform that task. > This is > similar to the shell situation, where it cannot set pledge/unveil for > processes it spawns. No it is not. Look if the situation is completely unworkable then you need to remove all the pledges and unveils, because you are just causing 1) crashes, 2) divergent behaviour relative to the POSIX expectatations of the program, 3) broken files left behind due to the crashes, which are picked up in subsequent restarts. Alternatively, determine all the things that library (or all those libraries do), and then make them work to The Contract, or specify a very loose Contract. If you don't do that, you are fighting battle that will always result in an an unreliable application. pledge and unveil were not designed to give people unreliable applications. From the manual page; Use of pledge() in an application will require at least some study and understanding of the interfaces called. If you don't do that, you are not using it right.