No golang tcp server can be pledged without this change because it queries kern.somaxconn before it listens on a tcp socket[1][2][3].
I cannot think of any advantage this change would give an attacker who has compromised a pledged process. [1] https://golang.org/src/net/sock_posix.go#L57 [2] https://golang.org/src/net/net.go#L373 [3] https://golang.org/src/net/sock_bsd.go#L27
---
 sys/kern/kern_pledge.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git sys/kern/kern_pledge.c sys/kern/kern_pledge.c
index 9f436df4893..8d1203198ed 100644
--- sys/kern/kern_pledge.c
+++ sys/kern/kern_pledge.c
@@ -904,6 +904,12 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, void *new)
 return (0);
 }
 
+ if ((p->p_p->ps_pledge & PLEDGE_INET)) {
+ if (miblen == 2 && /* kern.somaxconn */
+ mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
+ return (0);
+ }
+
 if ((p->p_p->ps_pledge & (PLEDGE_ROUTE | PLEDGE_INET | PLEDGE_DNS))) {
 if (miblen == 6 && /* getifaddrs() */
 mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
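Review bot: The added PLEDGE_INET branch allows the kern.somaxconn MIB without distinguishing a read from a write: pledge_sysctl receives `new` as a parameter, but the new check returns 0 for the pair (CTL_KERN, KERN_SOMAXCONN) regardless of it. If the function does not already reject `new != NULL` before line 904 (the start of pledge_sysctl is outside this hunk, so that cannot be confirmed here), a pledged process could set this system-wide tunable rather than only read it, which is more than the commit message's "queries kern.somaxconn" rationale needs. Guarding the grant explicitly, `if (new == NULL && miblen == 2 && /* kern.somaxconn */`, keeps it read-only independent of what the earlier part of the function does; the following getifaddrs() branch uses the same pattern, so the same question applies there. pledge_sysctl's body also continues past the end of the hunk.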