From: Fabien Romano Subject: kern_pledge, allow sysctl hw.model & hw.cpuspeed To: tech@openbsd.org Date: Thu, 20 Jun 2024 20:50:21 +0100 I would like to sandbox my electron (chromium based) stuff but many nodejs modules around use something like : var CPU_COUNT = Math.max(os.cpus().length, 1); That's really sad there is no proper os.ncpu() implementation. Furthermore, those module come from a package manager (npm, yarn, pnpm) so it's very painfull to patch everything again and again. The problem is os.cpus() need hw.model & hw.cpuspeed but both are not available under pledge(). I can consider patching node itself but I have no idea what to use instead of those sysctl and even if I do there may be some modules in the wild which use the data and not only the length (who knows ... maybe someone use os.cpus() for what it is). I think my justification isn't very good as there is only two softwares (furthermore, wip only) which need it (atm). Anyway I would like to know if this can be considered in the future or maybe right now. Is it an issue to allow those two sysctl ? My work on sandboxing is still in early stage ... while there, I also encounter a mlock(2) in signal-desktop/better-sqlite/sqlcipher. From my understanding this syscall is about wiring page and not about concurrencies. I guess this is for performance reasons so I disabled the feature at compilation time. Am I wrong ? Index: kern_pledge.c =================================================================== RCS file: /cvs/src/sys/kern/kern_pledge.c,v diff -u -p -r1.316 kern_pledge.c --- kern_pledge.c 3 Jun 2024 03:41:47 -0000 1.316 +++ kern_pledge.c 19 Jun 2024 21:48:15 -0000 @@ -966,11 +966,13 @@ pledge_sysctl(struct proc *p, int miblen case CTL_HW: switch (mib[1]) { case HW_MACHINE: /* uname() */ case HW_PAGESIZE: /* getpagesize() */ case HW_PHYSMEM64: /* hw.physmem */ case HW_NCPU: /* hw.ncpu */ case HW_NCPUONLINE: /* hw.ncpuonline */ case HW_USERMEM64: /* hw.usermem */ + case HW_MODEL: /* hw.model */ + case HW_CPUSPEED: /* hw.cpuspeed */ return (0); } break;