> Grmbl. I've had a hard time trying to understand *why* this would be
> needed. The answer is pledge(2), which makes chmod(2) fail with EPERM
> instead of killing the process.
>
> I find this confusing. IMO pledge(2) should let the kernel do the
> appropriate security checks for chown(2).
Cannot. pledge handles *chown() at a realistic level. Otherwise, we'd need pledge checks in every function reachable by VOP_SETATTR.