kern_pledge, allow sysctl hw.model & hw.cpuspeed
I would like to sandbox my electron (chromium based) stuff but many nodejs
modules around use something like:
var CPU_COUNT = Math.max(os.cpus().length, 1);
It's really sad that there is no proper os.ncpu() implementation.
Furthermore, those modules come from a package manager (npm, yarn, pnpm) so it's
very painful to patch everything again and again.
The problem is os.cpus() needs hw.model & hw.cpuspeed but both are not available
under pledge(). I can consider patching node itself but I have no idea what to
use instead of those sysctls, and even if I do there may be some modules in the
wild which use the data and not only the length (who knows ... maybe someone uses
os.cpus() for what it is).
I think my justification isn't very good as there are only two pieces of software
(furthermore, wip only) which need it (atm). Anyway I would like to know if this
can be considered in the future or maybe right now.
Is it an issue to allow those two sysctls?
My work on sandboxing is still in early stage ... while there, I also encountered
a mlock(2) in signal-desktop/better-sqlite/sqlcipher. From my understanding this
syscall is about wiring pages and not about concurrency. I guess this is for
performance reasons so I disabled the feature at compilation time.
Am I wrong?
Index: kern_pledge.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
diff -u -p -r1.316 kern_pledge.c
--- kern_pledge.c 3 Jun 2024 03:41:47 -0000 1.316
+++ kern_pledge.c 19 Jun 2024 21:48:15 -0000
@@ -966,11 +966,13 @@ pledge_sysctl(struct proc *p, int miblen
case CTL_HW:
switch (mib[1]) {
case HW_MACHINE: /* uname() */
case HW_PAGESIZE: /* getpagesize() */
case HW_PHYSMEM64: /* hw.physmem */
case HW_NCPU: /* hw.ncpu */
case HW_NCPUONLINE: /* hw.ncpuonline */
case HW_USERMEM64: /* hw.usermem */
+ case HW_MODEL: /* hw.model */
+ case HW_CPUSPEED: /* hw.cpuspeed */
return (0);
}
break;
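Review bot: the two new cases in the CTL_HW switch carry only the sysctl name as a comment, while the neighbouring entries record the userland caller that motivated them (HW_MACHINE /* uname() */, HW_PAGESIZE /* getpagesize() */); since the cover text says the consumer is node's os.cpus(), name it there, e.g. `+ case HW_MODEL: /* hw.model, node os.cpus() */`, so a later reader can see why these were admitted. Note also that this allowlist is consulted for every pledged process, not only the two programs mentioned, so the justification should argue that exposing hw.model and hw.cpuspeed is acceptable for all pledged programs rather than for those two alone.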