Thanks a lot for your quick and very helpful input, Ingo and Sebastien!

Here's the part of the initial diff that seems uncontentious.

I changed break to brk and removed the chflags, chmod and chown families
from rpath and wpath.

I intend to commit this a bit later. After this is in, I'll send a
second diff which takes the rest of your input into account, since that will
probably need some more discussion and refinement.

Index: pledge.2
===================================================================
RCS file: /var/cvs/src/lib/libc/sys/pledge.2,v
retrieving revision 1.27
diff -u -p -r1.27 pledge.2
--- pledge.2    11 Mar 2016 06:36:51 -0000      1.27
+++ pledge.2    10 Apr 2016 17:34:27 -0000
@@ -133,6 +133,7 @@ The following system calls are permitted
 in libc, including memory allocation, most types of IO operations on
 previously allocated file descriptors:
 .Pp
+.Xr brk 2 ,
 .Xr clock_getres 2 ,
 .Xr clock_gettime 2 ,
 .Xr close 2 ,
@@ -142,10 +143,10 @@ previously allocated file descriptors:
 .Xr dup3 2 ,
 .Xr fchdir 2 ,
 .Xr fcntl 2 ,
+.Xr fpathconf 2 ,
 .Xr fstat 2 ,
 .Xr fsync 2 ,
 .Xr ftruncate 2 ,
-.Xr getdents 2 ,
 .Xr getdtablecount 2 ,
 .Xr getegid 2 ,
 .Xr getentropy 2 ,
@@ -154,6 +155,7 @@ previously allocated file descriptors:
 .Xr getgroups 2 ,
 .Xr getitimer 2 ,
 .Xr getlogin 2 ,
+.Xr getlogin_r 2 ,
 .Xr getpgid 2 ,
 .Xr getpgrp 2 ,
 .Xr getpid 2 ,
@@ -161,11 +163,11 @@ previously allocated file descriptors:
 .Xr getresgid 2 ,
 .Xr getresuid 2 ,
 .Xr getrlimit 2 ,
+.Xr getrusage 2 ,
 .Xr getsid 2 ,
 .Xr getthrid 2 ,
 .Xr gettimeofday 2 ,
 .Xr getuid 2 ,
-.Xr getuid 2 ,
 .Xr issetugid 2 ,
 .Xr kevent 2 ,
 .Xr kqueue 2 ,
@@ -176,12 +178,15 @@ previously allocated file descriptors:
 .Xr mprotect 2 ,
 .Xr mquery 2 ,
 .Xr munmap 2 ,
+.Xr msync 2 ,
 .Xr nanosleep 2 ,
 .Xr pipe 2 ,
 .Xr pipe2 2 ,
 .Xr poll 2 ,
+.Xr ppoll 2 ,
 .Xr pread 2 ,
 .Xr preadv 2 ,
+.Xr pselect 2 ,
 .Xr pwrite 2 ,
 .Xr pwritev 2 ,
 .Xr read 2 ,
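Review bot: `+.Xr msync 2 ,` breaks the alphabetical order of the stdio list; it is inserted after `.Xr munmap 2 ,` but sorts before it (and after `.Xr mquery 2 ,`). Move it up one line so the sequence reads mprotect, mquery, msync, munmap. The other insertions in this hunk (ppoll after poll, pselect after preadv) are in the right place.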
@@ -195,9 +200,13 @@ previously allocated file descriptors:
 .Xr setitimer 2 ,
 .Xr shutdown 2 ,
 .Xr sigaction 2 ,
+.Xr sigaltstack 2 ,
+.Xr sigpending 2 ,
 .Xr sigprocmask 2 ,
 .Xr sigreturn 2 ,
+.Xr sigsuspend 2 ,
 .Xr socketpair 2 ,
+.Xr stat 2 ,
 .Xr umask 2 ,
 .Xr wait4 2 ,
 .Xr write 2 ,
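Review bot: `+.Xr stat 2 ,` adds a pathname-taking call to the stdio list, while the other path-based members of the stat family (lstat(2), fstatat(2)) are documented under rpath in the following hunk. Please confirm that stat(2) is really permitted with stdio alone; if it is, a short sentence on why it differs from lstat(2) would help readers, and if it is not, the entry belongs in the rpath list instead.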
@@ -215,46 +224,35 @@ read-only effects on the filesystem:
 .Xr chdir 2 ,
 .Xr getcwd 3 ,
 .Xr openat 2 ,
-.Xr fstatat 2 ,
 .Xr faccessat 2 ,
-.Xr readlinkat 2 ,
-.Xr lstat 2 ,
-.Xr chmod 2 ,
-.Xr fchmod 2 ,
-.Xr fchmodat 2 ,
-.Xr chflags 2 ,
-.Xr chflagsat 2 ,
-.Xr chown 2 ,
-.Xr fchown 2 ,
-.Xr fchownat 2 ,
 .Xr fstat 2 ,
+.Xr fstatat 2 ,
+.Xr fstatfs 2 ,
+.Xr getdents 2 ,
 .Xr getfsstat 2 .
+.Xr lstat 2 ,
+.Xr pathconf 2 ,
+.Xr readlinkat 2 ,
+.Xr statfs 2 .
 .It Va "wpath"
 A number of system calls are allowed and may cause
 write-effects on the filesystem:
 .Pp
 .Xr getcwd 3 ,
 .Xr openat 2 ,
-.Xr fstatat 2 ,
 .Xr faccessat 2 ,
-.Xr readlinkat 2 ,
-.Xr lstat 2 ,
-.Xr chmod 2 ,
-.Xr fchmod 2 ,
-.Xr fchmodat 2 ,
-.Xr chflags 2 ,
-.Xr chflagsat 2 ,
-.Xr chown 2 ,
-.Xr fchown 2 ,
-.Xr fchownat 2 ,
 .Xr fstat 2 .
+.Xr fstatat 2 ,
+.Xr lstat 2 ,
+.Xr readlinkat 2 ,
+.Xr truncate 2 .
 .It Va "cpath"
 A number of system calls and sub-modes are allowed, which may
 create new files or directories in the filesystem:
 .Pp
 .Xr rename 2 ,
-.Xr rmdir 2 ,
 .Xr renameat 2 ,
+.Xr rmdir 2 ,
 .Xr link 2 ,
 .Xr linkat 2 ,
 .Xr symlink 2 ,
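Review bot: the trailing period that terminates the rpath and wpath lists now sits in the middle of each list. In rpath the unchanged `.Xr getfsstat 2 .` is followed by `+.Xr lstat 2 ,`, pathconf, readlinkat and `+.Xr statfs 2 .`, and in wpath the unchanged `.Xr fstat 2 .` is followed by fstatat, lstat, readlinkat and truncate. Change those two context lines to `.Xr getfsstat 2 ,` and `.Xr fstat 2 ,` so that only the last entry of each list carries the period, as the cpath list does.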
@@ -273,11 +271,11 @@ A number of system calls are allowed to 
 directory, including create, read, or write:
 .Pp
 .Xr lstat 2 ,
-.Xr chmod 2 ,
 .Xr chflags 2 ,
+.Xr chmod 2 ,
 .Xr chown 2 ,
-.Xr unlink 2 ,
-.Xr fstat 2 .
+.Xr fstat 2 ,
+.Xr unlink 2 .
 .It Va "inet"
 The following system calls are allowed to operate in the
 .Dv AF_INET
@@ -308,15 +306,15 @@ relating to a file:
 .Xr futimes 2 ,
 .Xr utimensat 2 ,
 .Xr futimens 2 ,
+.Xr chflags 2 ,
+.Xr chflagsat 2 ,
 .Xr chmod 2 ,
 .Xr fchmod 2 ,
 .Xr fchmodat 2 ,
-.Xr chflags 2 ,
-.Xr chflagsat 2 ,
 .Xr chown 2 ,
+.Xr fchown 2 ,
 .Xr fchownat 2 ,
 .Xr lchown 2 ,
-.Xr fchown 2 ,
 .Xr utimes 2 .
 .It Va "flock"
 File locking via
@@ -353,7 +351,9 @@ a few system calls become able to allow 
 .Xr sendto 2 ,
 .Xr recvfrom 2 ,
 .Xr socket 2 ,
-.Xr connect 2 .
+.Xr bind 2 ,
+.Xr connect 2 ,
+.Xr getsockname 2 .
 .It Va "getpw"
 This allows read-only opening of files in
 .Pa /etc
@@ -376,11 +376,11 @@ operations.
 .It Va "sendfd"
 Allows sending of file descriptors using
 .Xr sendmsg 2 .
-File descriptors referering to directories may not be passed.
+File descriptors referring to directories may not be passed.
 .It Va "recvfd"
 Allows receiving of file descriptors using
 .Xr recvmsg 2 .
-File descriptors referering to directories may not be passed.
+File descriptors referring to directories may not be passed.
 .It Va "ioctl"
 Allows a subset of
 .Xr ioctl 2
@@ -476,6 +476,8 @@ programs like
 .Xr top 1
 and
 .Xr vmstat 8 .
+Also allows
+.Xr swapctl 2 .
 .It Va "id"
 Allows the following system calls which can change the rights of a
 process:
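Review bot: `+.Xr swapctl 2 .` under the promise used by top(1) and vmstat(8) reads as if every swapctl(2) command were allowed. If only the informational subset (querying swap devices and statistics, not enabling or disabling swap) is permitted, say so here, the way the page already qualifies calls that are only partly allowed (for example "Allows a subset of ioctl 2" under the ioctl promise).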
