From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: kern_pledge, allow sysctl hw.model & hw.cpuspeed
To: Fabien Romano <fabienromano@gmail.com>
Cc: Tobias Heider <tobias.heider@stusta.de>, tech@openbsd.org
Date: Thu, 20 Jun 2024 16:29:47 -0600

> I would like so much. I can't do that without a lot of effort. I don't know a
> lot about electron internals yet but, depending on how the software is designed,
> it start directly into the chromium sandbox then load its nodejs app & modules.

But instead you propose that everyone else put in a lot of effort.

When anything new is allowed by pledge, we must audit *all software* that
uses pledge, to see if there is a downside.

Yes, for two sysctl nodes that seems a bit melodramatic.  But the current
sysctl exposure was selected because a lot of software does it.  Not just
1 piece of software.

And you aren't even done making it work.  Will you return a couple more
times with further requests?  At some point, big software cannot be
pledged, because it is big and belives it can do everything.