kern_pledge, allow sysctl hw.model & hw.cpuspeed
Tobias Heider <tobias.heider@stusta.de> wrote:

> > My work on sandboxing is still in early stage ... while there, I also encounter
> > a mlock(2) in signal-desktop/better-sqlite/sqlcipher. From my understanding this
> > syscall is about wiring pages and not about concurrencies. I guess this is for
> > performance reasons so I disabled the feature at compilation time.
> > Am I wrong?
>
> Those properties will not change at runtime so the better way to deal with
> this would be reading them once at the start of the program before any
> privileges are dropped and then using that value where needed instead of
> softening the pledge promise.

When we applied pledge to all of base, and to chrome and a few ports, this
development process became known as "hoisting".

You move the things prevented by the chosen pledges, above the pledge call(s).
It is refactoring initialization code to be outside the security-sensitive
main loop.

It is a required procedure to use pledge.

Every month someone comes to me and says pledge is too restrictive. Being
restrictive is the entire idea.

Applications and daemons must adapt to pledge, not the other way around.
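The "hoisting" procedure described in the message above, as an added C example that is not code from the thread or from OpenBSD: the hw.model and hw.cpuspeed sysctl(2) reads happen once at startup, pledge("stdio") is called afterwards, and the restricted phase only touches the cached struct. The `#ifdef __OpenBSD__` guards and the constructed stand-in values are assumptions so the same structure compiles on other systems.

```c
/* Added example (not the thread's code): hoist the hw.model and hw.cpuspeed
 * sysctl reads above pledge(2). OpenBSD-only calls are #ifdef-guarded so the
 * same structure compiles elsewhere with constructed stand-in values. */
#include <stdio.h>
#ifdef __OpenBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#include <unistd.h>
#endif

/* Everything the restricted phase needs from sysctl, captured once. */
struct hwinfo { char model[128]; int cpuspeed; };

static char g_line[160];	/* what the restricted phase produced */

/* Hoisted initialisation: the only place sysctl(2) is ever called. */
static int read_hwinfo(struct hwinfo *hw)
{
#ifdef __OpenBSD__
	int mib[2] = { CTL_HW, HW_MODEL };
	size_t len = sizeof(hw->model);
	if (sysctl(mib, 2, hw->model, &len, NULL, 0) == -1)
		return -1;
	mib[1] = HW_CPUSPEED;
	len = sizeof(hw->cpuspeed);
	if (sysctl(mib, 2, &hw->cpuspeed, &len, NULL, 0) == -1)
		return -1;
#else
	/* Constructed stand-in values for non-OpenBSD builds. */
	snprintf(hw->model, sizeof(hw->model), "constructed-model");
	hw->cpuspeed = 2400;
#endif
	return 0;
}

/* Read first, then drop privileges, then run on the cached copy only.
 * Returns the length of g_line, or -1 on failure. */
static int run(void)
{
	struct hwinfo hw;
	if (read_hwinfo(&hw) == -1)
		return -1;
#ifdef __OpenBSD__
	if (pledge("stdio", NULL) == -1)	/* sysctl hw.* is now off-limits */
		return -1;
#endif
	return snprintf(g_line, sizeof(g_line), "%s @ %d MHz", hw.model, hw.cpuspeed);
}
```

On OpenBSD, moving either sysctl call below the pledge line makes the process get killed, which is exactly the feedback hoisting relies on.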