Release redbean 2.0.14

libc/mem/pledge.c

@@ -1438,17 +1438,17 @@ int ParsePromises(const char *promises, unsigned long *out) {
  *   placeholder group for pledge.com, which reads the `__promises`
  *   global to determine if /tmp and $TMPPATH should be unveiled.
  *
- * `execpromises` only matters if "exec" or "execnative" are specified
+ * `execpromises` only matters if "exec" is specified in `promises`. In
- * in `promises`. In that case, this specifies the promises that'll
+ * that case, this specifies the promises that'll apply once execve()
- * apply once execve() happens. If this is NULL then the default is
+ * happens. If this is NULL then the default is used, which is
- * used, which is unrestricted. OpenBSD allows child processes to escape
+ * unrestricted. OpenBSD allows child processes to escape the sandbox
- * the sandbox (so a pledged OpenSSH server process can do things like
+ * (so a pledged OpenSSH server process can do things like spawn a root
- * spawn a root shell). Linux however requires monotonically decreasing
+ * shell). Linux however requires monotonically decreasing privileges.
- * privileges. This function will will perform some validation on Linux
+ * This function will will perform some validation on Linux to make sure
- * to make sure that `execpromises` is a subset of `promises`. Your libc
+ * that `execpromises` is a subset of `promises`. Your libc wrapper for
- * wrapper for execve() will then apply its SECCOMP BPF filter later.
+ * execve() will then apply its SECCOMP BPF filter later. Since Linux
- * Since Linux has to do this before calling sys_execve(), the executed
+ * has to do this before calling sys_execve(), the executed process will
- * process will be weakened to have execute permissions too.
+ * be weakened to have execute permissions too.
  *
  * @return 0 on success, or -1 w/ errno
  * @raise ENOSYS if host os isn't Linux or OpenBSD

tool/net/help.txt

@@ -3908,14 +3908,14 @@ UNIX MODULE
       such as non-assimilated APE binaries, or programs that link
       dynamic shared objects, i.e. most Linux distro binaries.
 
-    `execpromises` only matters if "exec" or "execnative" are specified
+    `execpromises` only matters if "exec" is specified in `promises`. In
-    in `promises`. In that case, this specifies the promises that'll
+    that case, this specifies the promises that'll apply once execve()
-    apply once execve() happens. If this is NULL then the default is
+    happens. If this is NULL then the default is used, which is
-    used, which is unrestricted. OpenBSD allows child processes to escape
+    unrestricted. OpenBSD allows child processes to escape the sandbox
-    the sandbox (so a pledged OpenSSH server process can do things like
+    (so a pledged OpenSSH server process can do things like spawn a root
-    spawn a root shell). Linux however requires monotonically decreasing
+    shell). Linux however requires monotonically decreasing privileges.
-    privileges. This function will will perform some validation on Linux
+    This function will will perform some validation on Linux to make
-    to make sure that `execpromises` is a subset of `promises`. Your libc
+    sure that `execpromises` is a subset of `promises`. Your libc
     wrapper for execve() will then apply its SECCOMP BPF filter later.
     Since Linux has to do this before calling sys_execve(), the executed
     process will be weakened to have execute permissions too.

tool/net/redbean.c

@@ -149,7 +149,7 @@ STATIC_YOINK("ShowCrashReportsEarly");
 #define REDBEAN "redbean"
 #endif
 
-#define VERSION          0x02000d
+#define VERSION          0x02000e
 #define HEARTBEAT        5000 /*ms*/
 #define HASH_LOAD_FACTOR /* 1. / */ 4
 #define MONITOR_MICROS   150000