Background

It's a joy to see LibMain and TRY() greatly simplifying the main function of SerenityOS components like in 6b862d5. One thing that stands out though is the barebones C-syscall wrapping of Core::System::pledge() and Core::System::unveil().

Given the Core::System namespace you'd expect these functions to offer a typed C++ interface to the underlying system calls. Such a 'proper' C++ interface would allow for compile-time checking, finding exact argument usage and automated code indexing and refactoring.

Maybe someone's already on this, but here's a few ideas that cross my mind.

1. pledge() symbols

Make the Core::System namespace define specific enums or macros for each possible pledge promise. Advantages:

• compile-time checking of promises
• exact users of each pledge promise can be found instantly (imagine finding all users of the stdio pledge in the codebase)

This would make code look something like:

// enumeration style
TRY(Core::System::pledge(kPromise_STDIO | kPromise_EXEC));

// macro style
TRY(Core::System::pledge(PROMISE_STDIO | PROMISE_EXEC));

// struct style
TRY(Core::System::pledge({ .stdio = true, .exec = true }));

2. unveil() symbols

Make the Core::System namespace define specific enums or macros for each possible unveil permission. Advantages:

• compile-time checking of permissions
• exact users of each unveil permission can be found instantly (imagine finding all c permission uses in the codebase)

This would make code look something like:

// enumeration style
TRY(Core::System::unveil("/tmp/tmpfile", kUnveil_Read | kUnveil_Write));

// macro style
TRY(Core::System::unveil("/tmp/tmpfile", UNVEIL_READ | UNVEIL_WRITE));

// struct style
TRY(Core::System::unveil("/tmp/tmpfile", { .read = true, .write = true }));

3. unveil() auto-commit

Instead of forcing unveil(nullptr, nullptr) into every program, serenity_main could commit permissions automatically if any Core::System::unveil() call was made in serenity_main. Programs that want to unveil() at a later moment can then still unveil later.

4. unveil_commit() function

In a similar vein, forcing programmers to unveil(nullptr, nullptr) at all seems silly. Why not introduce a Core::System::unveilCommit() function that commits unveil permissions without having to pass nullptrs.