
From: Mark Kettenis <mark.kettenis@xs4all.nl>
Subject: Re: patch: relax ni_pledge panic
To: "Theo de Raadt" <deraadt@openbsd.org>
Cc: semarie@kapouay.eu.org, tech@openbsd.org
Date: Thu, 06 Feb 2025 17:34:28 +0100

> From: "Theo de Raadt" <deraadt@openbsd.org>
> Date: Thu, 06 Feb 2025 09:17:52 -0700
> 
> > [2] in another thread, pledge("stdio rpath wpath"), and returns.
> >    the process is now pledged.
> 
> How can this be allowed?
> 
> I am pretty sure sys_pledge should single-thread the process, which
> means it will wait until other threads complete their in-kernel sleeps.

I'm not sure claudio@ will agree with you ;)

One possible stance would be to disallow pledge(2) after __tfork(2)
has been called (and make it kill the process).  But I suspect there
is code out there that does already do this... (cough, chromium).

> Obviously not all pledge-variable checks occur before the first
> in-kernel sleep of other system calls.

And of course syzkaller is doing completely nonsensical things.  So a
pledge failure that kills the process may be totally acceptable here.
But it shouldn't panic the kernel.