author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2017-12-12 01:12:35 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2017-12-12 01:12:35 +0000 |
commit | 52c1fc97f7c1ade9cf0ebc1b5a041fed194d6e10 (patch) | |
tree | 50d1dbcc20f2803520428374fc6888b81a4bfcd0 /lib/libc/sys/execve.2 | |
parent | 35baa3704589ea7646058be964552054fbd60816 (diff) |
pledge()'s 2nd argument becomes char *execpromises, which becomes the
pledge for a new execve image immediately upon start. Also introduces
"error" which makes violations return -1 ENOSYS instead of killing the
program ("error" may not be handed to a setuid/setgid program, which
may be missing/ignoring syscall return values and would continue with
inconsistent state)
Discussion with many
florian has used this to improve the strictness of a daemon
Diffstat (limited to 'lib/libc/sys/execve.2')
-rw-r--r-- | lib/libc/sys/execve.2 | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/libc/sys/execve.2 b/lib/libc/sys/execve.2 index 5deb91919ee..7a5ab854249 100644 --- a/lib/libc/sys/execve.2 +++ b/lib/libc/sys/execve.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: execve.2,v 1.50 2017/04/13 21:49:11 millert Exp $ +.\" $OpenBSD: execve.2,v 1.51 2017/12/12 01:12:34 deraadt Exp $ .\" $NetBSD: execve.2,v 1.9 1995/02/27 12:32:25 cgd Exp $ .\" .\" Copyright (c) 1980, 1991, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)execve.2 8.3 (Berkeley) 1/24/94 .\" -.Dd $Mdocdate: April 13 2017 $ +.Dd $Mdocdate: December 12 2017 $ .Dt EXECVE 2 .Os .Sh NAME @@ -273,6 +273,12 @@ system not allowing such operations, being mounted without the .Xr mount 8 .Fl o Cm wxallowed flag. +.It Bq Er EACCESS +The parent used +.Xr pledge 2 +to declare an +.Va execpromise , +and that is not permitted for setuid or setgid images. .It Bq Er ENOEXEC The new process file has the appropriate access permission, but has an invalid magic number in its header. |
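Review bot: In the ERRORS hunk at @@ -273,6 +273,12 @@, the new entry is written `.It Bq Er EACCESS`, but the errno constant is spelled EACCES with a single trailing S, so the page would document a name that does not exist in errno.h and that a reader cannot search for. Suggest `.It Bq Er EACCES`. The same entry uses `.Va execpromise` while the commit message names the pledge() argument `execpromises`; using the argument name as declared would let readers match it against pledge(2). The text could also say outright that this is the case where the new image is setuid or setgid and the caller's pledge carried execpromises, since "that is not permitted for setuid or setgid images" leaves the reader to infer that the exec itself fails rather than the promises being dropped.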