Support for OpenBSD's pledge(2) and unveil(2) privilege separation in programming languages


OpenBSD 5.9 introduced the pledge(2) system call and OpenBSD 6.4 later added unveil(2). Initially only C/C++ programs could use them. Since then people from the community have written bindings so that pledge(2) and unveil(2) can be called from most popular languages. The table below summarises the state of that support.

Read more about privilege separation and pledge on Wikipedia and in the talk "Privilege Separation and Pledge" by Theo de Raadt, dotSecurity 2016.
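The two calls are only useful when applied in the right order: unveil(2) the paths you need, lock the view with unveil(NULL, NULL), then pledge(2) with a promise set that shrinks as the program moves from setup to steady state. The following C program is an added example, not code from the original post or from any of the bindings listed below. It compiles on OpenBSD as written; on other systems the two calls are replaced by no-op shims (an assumption of this example, clearly marked in the code) so the control flow can still be read and run. The sample file content is constructed for the demo.

```c
/* Added example (not from the original post): read one file under a
 * pledge(2)/unveil(2) sandbox, tightening promises as the program
 * advances. Builds unmodified on OpenBSD; elsewhere the two calls are
 * stubbed out so the control flow can still be exercised. */
#define _DEFAULT_SOURCE 1   /* glibc: declare mkstemp(); ignored on OpenBSD */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>         /* pledge(2) and unveil(2) live here on OpenBSD */

#if !defined(__OpenBSD__)
/* Assumption for this example only: no-op shims so the code compiles
 * where pledge/unveil do not exist. They provide no protection at all. */
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
static int unveil(const char *path, const char *permissions)
{ (void)path; (void)permissions; return 0; }
#endif

/* Count newline characters in `path` while holding the minimum set of
 * promises at each stage. Returns the count, or -1 on any failure. */
long count_lines_sandboxed(const char *path)
{
    /* Stage 1: "unveil" is needed to restrict the filesystem view and
     * "rpath" to open the file afterwards; "stdio" covers stdout/stderr. */
    if (pledge("stdio rpath unveil", NULL) == -1)
        return -1;

    /* Expose exactly one path, read-only, then lock the view so that no
     * further unveil(2) calls are possible for this process. */
    if (unveil(path, "r") == -1 || unveil(NULL, NULL) == -1)
        return -1;

    /* Stage 2: the "unveil" promise is no longer needed, so drop it.
     * Promises can only shrink; a later pledge() asking for more fails. */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;

    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;

    /* Stage 3: the file is already open, so "rpath" can go too. Reading
     * an open descriptor only needs "stdio". On OpenBSD any later
     * open(2) attempt would now kill the process with SIGABRT. */
    if (pledge("stdio", NULL) == -1) {
        fclose(fp);
        return -1;
    }

    long lines = 0;
    int c;
    while ((c = fgetc(fp)) != EOF)
        if (c == '\n')
            lines++;
    fclose(fp);
    return lines;
}

/* Demo driver: writes a constructed three-line sample to a temporary
 * file (before any sandboxing, because creating it needs cpath/wpath)
 * and then reads it back through the sandboxed reader. The temp file
 * is deliberately left behind: once reduced to "stdio" the process can
 * no longer unlink anything. */
long run_demo(void)
{
    static const char sample[] = "alpha\nbeta\ngamma\n";   /* constructed input */
    char path[] = "/tmp/pledge-demo.XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    if (write(fd, sample, sizeof(sample) - 1) != (ssize_t)(sizeof(sample) - 1)) {
        close(fd);
        return -1;
    }
    close(fd);
    return count_lines_sandboxed(path);
}

int main(void)
{
    long n = run_demo();
    if (n < 0) {
        fprintf(stderr, "sandboxed read failed\n");
        return 1;
    }
    printf("lines: %ld\n", n);   /* prints "lines: 3" */
    return 0;
}
```

On OpenBSD, build with `cc -o pledge-demo pledge-demo.c` and run it; to see the enforcement, add an `fopen` of a second file after the final `pledge("stdio", NULL)` and watch the process die with SIGABRT rather than get an error return. The pattern to keep in mind is that unveil(2) must be finished (and locked) while the "unveil" promise is still held, and that each pledge(2) call should list only what the remaining code needs.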

NOTE: If your favourite language has pledge(2) or unveil(2) support but is missing from the table, please drop me a line and I'll add it.

Language               Support of unveil(2)        Support of pledge(2)                 Support of privilege separation
---------------------  --------------------------  -----------------------------------  -------------------------------
Ada                    Yes                         Yes                                  -
C/C++                  Yes                         Yes                                  -
Crystal                No                          Yes                                  -
Erlang                 Yes                         Yes
Go                     Yes                         Yes                                  Yes
Haskell                No                          Yes
Korn Shell             Yes                         Yes                                  -
Lua                    Yes                         Yes
Nim                    Yes (v2.0.0+)               Yes                                  -
.NET (C#, F# and VB)   No                          Yes                                  -
Perl                   Yes: 1, (mirror)            Yes: 1 (mirror), 2                   -
PHP                    Yes (included in PHP 7.4)   Yes (included in PHP 7.4)            -
Python                 Yes (py-openbsd)            Yes (py-openbsd-pledge, py-pledge)   -
Rust                   Yes                         Yes                                  Yes
Ruby                   Yes                         Yes                                  -
Scheme                 No                          Yes                                  -
JavaScript             Yes                         Yes: 1, 2                            -
Java                   No                          Yes                                  -
Zig                    Yes                         Yes                                  -

By the way, there are also ports of pledge(2) and unveil(2) to Linux and SerenityOS.
