Pledge is not possible due to the ioctls, but as it hoists both the control socket and apm device early at startup and only ever possibly executes scripts under /etc/apm/, hiding the rest of the filesystem becomes easy.
Technically, only "x" is required to traverse the directory and run scripts, but we carefully access(2) each script, and that requires the read bit regardless of the permission bits being tested. Feedback? OK? Runs fine in daily usage on my X230 with suspend and resume scripts. Feedback? OK? Index: apmd.c =================================================================== RCS file: /cvs/src/usr.sbin/apmd/apmd.c,v retrieving revision 1.86 diff -u -p -r1.86 apmd.c --- apmd.c 22 Jul 2019 08:06:52 -0000 1.86 +++ apmd.c 22 Jul 2019 08:07:17 -0000 @@ -483,6 +483,11 @@ main(int argc, char *argv[]) if (statonly) exit(0); + if (unveil(_PATH_APM_ETC_DIR, "rx") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + set_driver_messages(ctl_fd, APM_PRINT_OFF); kq = kqueue();