The kern.somaxconn sysctl was previously permitted under the inet pledge, which allowed pledged Go applications to listen on AF_INET and AF_INET6 domains.

https://marc.info/?l=openbsd-tech&m=158069595809463&w=2
https://marc.info/?l=openbsd-cvs&m=158081099810301&w=2

But Go will also read this sysctl when only using unix domain sockets. The patch below additionally permits reading this sysctl if the unix pledge is granted.

Note that for this to be tested and useful (where useful means not running with the inet pledge), Go's net package also needs a patch:

https://gist.github.com/jrick/878236e2f3735d35d5a737936439cb81

diff b17f936e67043f9c006633bac4e3630f86dd05c2 /usr/src blob - 9ffb7f2ffb9d05d6dd741e180b62141fb5e91f0b file + sys/kern/kern_pledge.c --- sys/kern/kern_pledge.c +++ sys/kern/kern_pledge.c @@ -888,7 +888,7 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, vo return (0); } - if ((p->p_p->ps_pledge & PLEDGE_INET)) { + if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) { if (miblen == 2 && /* kern.somaxconn */ mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN) return (0);
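
Review bot: The widened test in pledge_sysctl() (`ps_pledge & (PLEDGE_INET | PLEDGE_UNIX)`) grants the kern.somaxconn lookup to every process holding the unix promise, not only Go programs, and nothing in the code records why unix needs it. A short comment next to the existing `/* kern.somaxconn */` marker, saying that listeners on unix domain sockets also read the backlog limit, would keep the exception from looking accidental to a later reader. The visible context does not show whether write attempts on this MIB are rejected earlier in the function, which is worth confirming before broadening the set of promises that reach this branch. As a style point, the outermost pair of parentheses around the condition is redundant; it was already there on the removed line, so leaving it keeps the diff minimal.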