I wanted to comment on some changes that are happening in pstat,
relating to pledge. The commits for pstat are not commited yet, but I
find them interesting. They show why pledge was designed to fit into
all programs, and why it is worth pledging so many, even trivial
Way back at the start of history, pstat was a setgid kmem program. It
would snoop kernel memory. At least CSRG had been kind enough to
abstract the grovely bits into libkvm to simplify these risky
programs, but still, influence of this program could potentially gain
read-access to kernel memory via that file descriptor.
Around 2001 a few developers including angelos started going through
the various groveling programs to improve the situation. sysctl nodes
were created which carried much of the information. Such grovel
programs are intended to work against "live kernels" and "dead
kernels". The live case is what you are used to using, and using
sysctl for the information was good, the programs would not open kmem
anymore. The "dead kernel" case is for inspecting the results of a
crash dump. That code was left, but the setgid bits could be removed.
It took many more generations of changes by (generations?) of
developers to eliminate similar problems in other programs - the ones
which required the most work were ps, top, and netstat.
But a small risk does remain. It is really tiny, but pledge can help
Imagine you had one bug which could subtly corrupt kernel memory.
Fragments of that kernel memory (or details calculated from them) are
passed out via sysctl. Generally that result is supposed to be a
coherent output, but what if it could be made incoherent. Then, what
if a program like pstat contained a 2nd bug which, based upon
incoherent input (from sysctl), would do the wrong thing.
Well, that is where pledge fits in. The influence from such bugs
would be minimized, since the program has far fewer system call
When things go wrong, we contain their influence.