A go program that uses pledge("dns") mostly works except for two incompatibilities with the way golang's dns library works. Otherwise pledge("rpath") is required.
1. go likes to stat /etc/hosts to check for changes. I think this is reasonable behavior. Patch below adds a whitelist to the kernel to permit this. (libc does not currently cache results, but it could..?)
2. go tries to look for a file called mdns.allow which does not exist on openbsd. There are several platform-dependent branches in go/src/net/conf.go; trying to read this file should be avoided on openbsd. Patch left as an exercise.
Point 2 is also trivially worked around by performing a dummy lookup of localhost before enabling pledge, so no urgency, but point 1 requires a code change somewhere.
Index: kern_pledge.c =================================================================== RCS file: /cvs/src/sys/kern/kern_pledge.c,v retrieving revision 1.278 diff -u -p -r1.278 kern_pledge.c --- kern_pledge.c 20 Jan 2022 03:43:30 -0000 1.278 +++ kern_pledge.c 30 Jan 2022 21:01:43 -0000 @@ -733,12 +733,17 @@ pledge_namei(struct proc *p, struct name break; case SYS_stat: - /* DNS needs /etc/resolv.conf. */ + /* DNS needs /etc/{resolv.conf,hosts}. */ if ((ni->ni_pledge == PLEDGE_RPATH) && - (pledge & PLEDGE_DNS) && - strcmp(path, "/etc/resolv.conf") == 0) { - ni->ni_cnd.cn_flags |= BYPASSUNVEIL; - return (0); + (pledge & PLEDGE_DNS)) { + if (strcmp(path, "/etc/resolv.conf") == 0) { + ni->ni_cnd.cn_flags |= BYPASSUNVEIL; + return (0); + } + if (strcmp(path, "/etc/hosts") == 0) { + ni->ni_cnd.cn_flags |= BYPASSUNVEIL; + return (0); + } } break; }
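Review bot: the two inner "if" blocks added under the PLEDGE_DNS check have identical bodies ("ni->ni_cnd.cn_flags |= BYPASSUNVEIL; return (0);") and could be collapsed into a single condition, 'strcmp(path, "/etc/resolv.conf") == 0 || strcmp(path, "/etc/hosts") == 0', so the whitelist stays one auditable list as paths are added rather than a repeated body. It would also help to say in the commit message that the change sits under "case SYS_stat:" only, so it widens what a dns-pledged process may stat but does not let it open /etc/hosts (that still needs rpath), and that the new path inherits BYPASSUNVEIL, meaning it is exempt from unveil exactly as /etc/resolv.conf already is; both are deliberate but neither is obvious from the diff alone.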