I wanted to comment on some changes that are happening in pstat, relating to pledge. The commits for pstat are not commited yet, but I find them interesting. They show why pledge was designed to fit into all programs, and why it is worth pledging so many, even trivial programs.
Way back at the start of history, pstat was a setgid kmem program. It would snoop kernel memory. At least CSRG had been kind enough to abstract the grovely bits into libkvm to simplify these risky programs, but still, influence of this program could potentially gain read-access to kernel memory via that file descriptor. Around 2001 a few developers including angelos started going through the various groveling programs to improve the situation. sysctl nodes were created which carried much of the information. Such grovel programs are intended to work against "live kernels" and "dead kernels". The live case is what you are used to using, and using sysctl for the information was good, the programs would not open kmem anymore. The "dead kernel" case is for inspecting the results of a crash dump. That code was left, but the setgid bits could be removed. It took many more generations of changes by (generations?) of developers to eliminate similar problems in other programs - the ones which required the most work were ps, top, and netstat. But a small risk does remain. It is really tiny, but pledge can help it. Imagine you had one bug which could subtly corrupt kernel memory. Fragments of that kernel memory (or details calculated from them) are passed out via sysctl. Generally that result is supposed to be a coherent output, but what if it could be made incoherent. Then, what if a program like pstat contained a 2nd bug which, based upon incoherent input (from sysctl), would do the wrong thing. Well, that is where pledge fits in. The influence from such bugs would be minimized, since the program has far fewer system call operations permitted. When things go wrong, we contain their influence.
