From: "Theo de Raadt"
Subject: Re: [EXT] AMD SEV 1/5: ccp(4): pledge for ioctl(2
To: Hans-Jörg Höxer
Cc: tech@openbsd.org, mlarkin@nested.page, dv@sisu.io, alexander.bluhm@gmx.net
Date: Wed, 28 Aug 2024 09:03:05 -0600

Hans-Jörg Höxer wrote:

> Hi,
>
> On Wed, Aug 28, 2024 at 08:19:49AM -0600, Theo de Raadt wrote:
> > You need all the ioctl values to work with this pledge?
>
> good point. Updated diff below limits to those values that will actually
> be used by vmd.

I think those ioctl's should pledge_fail, rather than returning EPERM.

Meaning, crash the program that requested an unpermitted operation.