Rename tame() to pledge(). This fairly interface has evolved to be more

strict than anticipated.  It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.

19 files changed, 527 insertions, 527 deletions

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 8c2287bc428..d47f2520e4e 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_exec.c,v 1.167 2015/10/07 03:47:43 deraadt Exp $	*/
+/*	$OpenBSD: kern_exec.c,v 1.168 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $	*/
 
 /*-
@@ -53,7 +53,7 @@
 #include <sys/signalvar.h>
 #include <sys/stat.h>
 #include <sys/conf.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 #ifdef SYSVSHM
 #include <sys/shm.h>
 #endif
@@ -551,8 +551,8 @@ sys_execve(struct proc *p, void *v, register_t *retval)
 	else
 		atomic_clearbits_int(&pr->ps_flags, PS_SUGIDEXEC);
 
-	atomic_clearbits_int(&pr->ps_flags, PS_TAMED);
-	tame_dropwpaths(pr);
+	atomic_clearbits_int(&pr->ps_flags, PS_PLEDGE);
+	pledge_dropwpaths(pr);
 
 	/*
 	 * deal with set[ug]id.
diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index bb9d1aaf774..9b3e397f182 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_exit.c,v 1.153 2015/10/07 03:47:43 deraadt Exp $	*/
+/*	$OpenBSD: kern_exit.c,v 1.154 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: kern_exit.c,v 1.39 1996/04/22 01:38:25 christos Exp $	*/
 
 /*
@@ -60,7 +60,7 @@
 #include <sys/ktrace.h>
 #include <sys/pool.h>
 #include <sys/mutex.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 #ifdef SYSVSEM
 #include <sys/sem.h>
 #endif
@@ -650,7 +650,7 @@ process_zap(struct process *pr)
 	 */
 	(void)chgproccnt(pr->ps_ucred->cr_ruid, -1);
 
-	tame_dropwpaths(pr);
+	pledge_dropwpaths(pr);
 
 	/*
 	 * Release reference to text vnode
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index 516ab090808..cbbb54c708a 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_fork.c,v 1.183 2015/09/11 08:22:31 guenther Exp $	*/
+/*	$OpenBSD: kern_fork.c,v 1.184 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: kern_fork.c,v 1.29 1996/02/09 18:59:34 christos Exp $	*/
 
 /*
@@ -58,7 +58,7 @@
 #include <sys/mman.h>
 #include <sys/ptrace.h>
 #include <sys/atomic.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 #include <sys/unistd.h>
 
 #include <sys/syscallargs.h>
@@ -204,7 +204,7 @@ process_new(struct proc *p, struct process *parent, int flags)
 	if (pr->ps_textvp)
 		vref(pr->ps_textvp);
 
-	pr->ps_flags = parent->ps_flags & (PS_SUGID | PS_SUGIDEXEC | PS_TAMED);
+	pr->ps_flags = parent->ps_flags & (PS_SUGID | PS_SUGIDEXEC | PS_PLEDGE);
 	if (parent->ps_session->s_ttyvp != NULL)
 		pr->ps_flags |= parent->ps_flags & PS_CONTROLT;
 
@@ -225,8 +225,8 @@ process_new(struct proc *p, struct process *parent, int flags)
 	else
 		pr->ps_vmspace = uvmspace_fork(parent);
 
-	if (pr->ps_tamepaths)
-		pr->ps_tamepaths->wl_ref++;
+	if (pr->ps_pledgepaths)
+		pr->ps_pledgepaths->wl_ref++;
 
 	if (parent->ps_flags & PS_PROFIL)
 		startprofclock(pr);
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 1fed1fa84b8..5d34952665c 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_ktrace.c,v 1.79 2015/10/02 05:07:41 guenther Exp $	*/
+/*	$OpenBSD: kern_ktrace.c,v 1.80 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: kern_ktrace.c,v 1.23 1996/02/09 18:59:36 christos Exp $	*/
 
 /*
@@ -429,7 +429,7 @@ sys_ktrace(struct proc *p, void *v, register_t *retval)
 		 * an operation which requires a file argument.
 		 */
 		cred = p->p_ucred;
-		p->p_tamenote = TMN_CPATH;
+		p->p_pledgenote = TMN_CPATH;
 		NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, fname),
 		    p);
 		if ((error = vn_open(&nd, FREAD|FWRITE|O_NOFOLLOW, 0)) != 0)
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index 8afc60219ee..87a85a1958d 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_sig.c,v 1.183 2015/07/27 18:22:37 deraadt Exp $	*/
+/*	$OpenBSD: kern_sig.c,v 1.184 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $	*/
 
 /*
@@ -1517,7 +1517,7 @@ coredump(struct proc *p)
 		cred->cr_gid = 0;
 	}
 
-	p->p_tamenote = TMN_COREDUMP;
+	p->p_pledgenote = TMN_COREDUMP;
 	NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p);
 
 	error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR);
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 3a716b0ac6a..b5258b5309c 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_sysctl.c,v 1.295 2015/09/28 16:59:35 deraadt Exp $	*/
+/*	$OpenBSD: kern_sysctl.c,v 1.296 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $	*/
 
 /*-
@@ -69,7 +69,7 @@
 #include <sys/socket.h>
 #include <sys/domain.h>
 #include <sys/protosw.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 #include <sys/timetc.h>
 #include <sys/evcount.h>
 #include <sys/un.h>
@@ -174,8 +174,8 @@ sys_sysctl(struct proc *p, void *v, register_t *retval)
 	if (error)
 		return (error);
 
-	if (tame_sysctl_check(p, SCARG(uap, namelen), name, SCARG(uap, new)))
-		return (tame_fail(p, EPERM, TAME_SELF));
+	if (pledge_sysctl_check(p, SCARG(uap, namelen), name, SCARG(uap, new)))
+		return (pledge_fail(p, EPERM, PLEDGE_SELF));
 
 	switch (name[0]) {
 	case CTL_KERN:
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index 3e7525f20ab..3ccb09989f8 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_tame.c,v 1.70 2015/10/08 17:29:43 deraadt Exp $	*/
+/*	$OpenBSD: kern_tame.c,v 1.71 2015/10/09 01:10:27 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -44,215 +44,215 @@
 #include <sys/syscall.h>
 #include <sys/syscallargs.h>
 #include <sys/systm.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 
 int canonpath(const char *input, char *buf, size_t bufsize);
 
-const u_int tame_syscalls[SYS_MAXSYSCALL] = {
+const u_int pledge_syscalls[SYS_MAXSYSCALL] = {
 	[SYS_exit] = 0xffffffff,
 	[SYS_kbind] = 0xffffffff,
 
-	[SYS_getuid] = TAME_SELF,
-	[SYS_geteuid] = TAME_SELF,
-	[SYS_getresuid] = TAME_SELF,
-	[SYS_getgid] = TAME_SELF,
-	[SYS_getegid] = TAME_SELF,
-	[SYS_getresgid] = TAME_SELF,
-	[SYS_getgroups] = TAME_SELF,
-	[SYS_getlogin] = TAME_SELF,
-	[SYS_getpgrp] = TAME_SELF,
-	[SYS_getpgid] = TAME_SELF,
-	[SYS_getppid] = TAME_SELF,
-	[SYS_getsid] = TAME_SELF,
-	[SYS_getthrid] = TAME_SELF,
-	[SYS_getrlimit] = TAME_SELF,
-	[SYS_gettimeofday] = TAME_SELF,
-	[SYS_getdtablecount] = TAME_SELF,
-	[SYS_getrusage] = TAME_SELF,
-	[SYS_issetugid] = TAME_SELF,
-	[SYS_clock_getres] = TAME_SELF,
-	[SYS_clock_gettime] = TAME_SELF,
-	[SYS_getpid] = TAME_SELF,
-	[SYS_umask] = TAME_SELF,
-	[SYS_sysctl] = TAME_SELF,	/* read-only; narrow subset */
-	[SYS_adjtime] = TAME_SELF,	/* read-only */
-
-	[SYS_fchdir] = TAME_SELF,	/* careful of directory fd inside jails */
+	[SYS_getuid] = PLEDGE_SELF,
+	[SYS_geteuid] = PLEDGE_SELF,
+	[SYS_getresuid] = PLEDGE_SELF,
+	[SYS_getgid] = PLEDGE_SELF,
+	[SYS_getegid] = PLEDGE_SELF,
+	[SYS_getresgid] = PLEDGE_SELF,
+	[SYS_getgroups] = PLEDGE_SELF,
+	[SYS_getlogin] = PLEDGE_SELF,
+	[SYS_getpgrp] = PLEDGE_SELF,
+	[SYS_getpgid] = PLEDGE_SELF,
+	[SYS_getppid] = PLEDGE_SELF,
+	[SYS_getsid] = PLEDGE_SELF,
+	[SYS_getthrid] = PLEDGE_SELF,
+	[SYS_getrlimit] = PLEDGE_SELF,
+	[SYS_gettimeofday] = PLEDGE_SELF,
+	[SYS_getdtablecount] = PLEDGE_SELF,
+	[SYS_getrusage] = PLEDGE_SELF,
+	[SYS_issetugid] = PLEDGE_SELF,
+	[SYS_clock_getres] = PLEDGE_SELF,
+	[SYS_clock_gettime] = PLEDGE_SELF,
+	[SYS_getpid] = PLEDGE_SELF,
+	[SYS_umask] = PLEDGE_SELF,
+	[SYS_sysctl] = PLEDGE_SELF,	/* read-only; narrow subset */
+	[SYS_adjtime] = PLEDGE_SELF,	/* read-only */
+
+	[SYS_fchdir] = PLEDGE_SELF,	/* careful of directory fd inside jails */
 
 	/* needed by threaded programs */
-	[SYS_sched_yield] = TAME_SELF,
-	[SYS___thrsleep] = TAME_SELF,
-	[SYS___thrwakeup] = TAME_SELF,
-	[SYS___threxit] = TAME_SELF,
-	[SYS___thrsigdivert] = TAME_SELF,
-
-	[SYS_sendsyslog] = TAME_SELF,
-	[SYS_nanosleep] = TAME_SELF,
-	[SYS_sigprocmask] = TAME_SELF,
-	[SYS_sigaction] = TAME_SELF,
-	[SYS_sigreturn] = TAME_SELF,
-	[SYS_sigpending] = TAME_SELF,
-	[SYS_getitimer] = TAME_SELF,
-	[SYS_setitimer] = TAME_SELF,
-
-	[SYS_tame] = TAME_SELF,
-
-	[SYS_wait4] = TAME_SELF,
-
-	[SYS_poll] = TAME_RW,
-	[SYS_kevent] = TAME_RW,
-	[SYS_kqueue] = TAME_RW,
-	[SYS_select] = TAME_RW,
-
-	[SYS_close] = TAME_RW,
-	[SYS_dup] = TAME_RW,
-	[SYS_dup2] = TAME_RW,
-	[SYS_dup3] = TAME_RW,
-	[SYS_closefrom] = TAME_RW,
-	[SYS_shutdown] = TAME_RW,
-	[SYS_read] = TAME_RW,
-	[SYS_readv] = TAME_RW,
-	[SYS_pread] = TAME_RW,
-	[SYS_preadv] = TAME_RW,
-	[SYS_write] = TAME_RW,
-	[SYS_writev] = TAME_RW,
-	[SYS_pwrite] = TAME_RW,
-	[SYS_pwritev] = TAME_RW,
-	[SYS_ftruncate] = TAME_RW,
-	[SYS_lseek] = TAME_RW,
-	[SYS_fstat] = TAME_RW,
-
-	[SYS_fcntl] = TAME_RW,
-	[SYS_fsync] = TAME_RW,
-	[SYS_pipe] = TAME_RW,
-	[SYS_pipe2] = TAME_RW,
-	[SYS_socketpair] = TAME_RW,
-	[SYS_getdents] = TAME_RW,
-
-	[SYS_sendto] = TAME_RW | TAME_DNS_ACTIVE | TAME_YP_ACTIVE,
-	[SYS_sendmsg] = TAME_RW,
-	[SYS_recvmsg] = TAME_RW,
-	[SYS_recvfrom] = TAME_RW | TAME_DNS_ACTIVE | TAME_YP_ACTIVE,
-
-	[SYS_fork] = TAME_PROC,
-	[SYS_vfork] = TAME_PROC,
-	[SYS_kill] = TAME_PROC,
-	[SYS_setpgid] = TAME_PROC,
-	[SYS_sigsuspend] = TAME_PROC,
-	[SYS_setrlimit] = TAME_PROC,
-
-	[SYS_execve] = TAME_EXEC,
-
-	[SYS_setgroups] = TAME_PROC,
-	[SYS_setresgid] = TAME_PROC,
-	[SYS_setresuid] = TAME_PROC,
-
-	/* FIONREAD/FIONBIO, plus further checks in tame_ioctl_check() */
-	[SYS_ioctl] = TAME_RW | TAME_IOCTL | TAME_TTY,
-
-	[SYS_getentropy] = TAME_MALLOC,
-	[SYS_madvise] = TAME_MALLOC,
-	[SYS_minherit] = TAME_MALLOC,
-	[SYS_mmap] = TAME_MALLOC,
-	[SYS_mprotect] = TAME_MALLOC,
-	[SYS_mquery] = TAME_MALLOC,
-	[SYS_munmap] = TAME_MALLOC,
-
-	[SYS_open] = TAME_SELF,			/* further checks in namei */
-	[SYS_stat] = TAME_SELF,			/* further checks in namei */
-	[SYS_access] = TAME_SELF,		/* further checks in namei */
-	[SYS_readlink] = TAME_SELF,		/* further checks in namei */
-
-	[SYS_chdir] = TAME_RPATH,
-	[SYS_openat] = TAME_RPATH | TAME_WPATH,
-	[SYS_fstatat] = TAME_RPATH | TAME_WPATH,
-	[SYS_faccessat] = TAME_RPATH | TAME_WPATH,
-	[SYS_readlinkat] = TAME_RPATH | TAME_WPATH,
-	[SYS_lstat] = TAME_RPATH | TAME_WPATH | TAME_TMPPATH,
-	[SYS_rename] = TAME_CPATH,
-	[SYS_rmdir] = TAME_CPATH,
-	[SYS_renameat] = TAME_CPATH,
-	[SYS_link] = TAME_CPATH,
-	[SYS_linkat] = TAME_CPATH,
-	[SYS_symlink] = TAME_CPATH,
-	[SYS_unlink] = TAME_CPATH | TAME_TMPPATH,
-	[SYS_unlinkat] = TAME_CPATH,
-	[SYS_mkdir] = TAME_CPATH,
-	[SYS_mkdirat] = TAME_CPATH,
+	[SYS_sched_yield] = PLEDGE_SELF,
+	[SYS___thrsleep] = PLEDGE_SELF,
+	[SYS___thrwakeup] = PLEDGE_SELF,
+	[SYS___threxit] = PLEDGE_SELF,
+	[SYS___thrsigdivert] = PLEDGE_SELF,
+
+	[SYS_sendsyslog] = PLEDGE_SELF,
+	[SYS_nanosleep] = PLEDGE_SELF,
+	[SYS_sigprocmask] = PLEDGE_SELF,
+	[SYS_sigaction] = PLEDGE_SELF,
+	[SYS_sigreturn] = PLEDGE_SELF,
+	[SYS_sigpending] = PLEDGE_SELF,
+	[SYS_getitimer] = PLEDGE_SELF,
+	[SYS_setitimer] = PLEDGE_SELF,
+
+	[SYS_pledge] = PLEDGE_SELF,
+
+	[SYS_wait4] = PLEDGE_SELF,
+
+	[SYS_poll] = PLEDGE_RW,
+	[SYS_kevent] = PLEDGE_RW,
+	[SYS_kqueue] = PLEDGE_RW,
+	[SYS_select] = PLEDGE_RW,
+
+	[SYS_close] = PLEDGE_RW,
+	[SYS_dup] = PLEDGE_RW,
+	[SYS_dup2] = PLEDGE_RW,
+	[SYS_dup3] = PLEDGE_RW,
+	[SYS_closefrom] = PLEDGE_RW,
+	[SYS_shutdown] = PLEDGE_RW,
+	[SYS_read] = PLEDGE_RW,
+	[SYS_readv] = PLEDGE_RW,
+	[SYS_pread] = PLEDGE_RW,
+	[SYS_preadv] = PLEDGE_RW,
+	[SYS_write] = PLEDGE_RW,
+	[SYS_writev] = PLEDGE_RW,
+	[SYS_pwrite] = PLEDGE_RW,
+	[SYS_pwritev] = PLEDGE_RW,
+	[SYS_ftruncate] = PLEDGE_RW,
+	[SYS_lseek] = PLEDGE_RW,
+	[SYS_fstat] = PLEDGE_RW,
+
+	[SYS_fcntl] = PLEDGE_RW,
+	[SYS_fsync] = PLEDGE_RW,
+	[SYS_pipe] = PLEDGE_RW,
+	[SYS_pipe2] = PLEDGE_RW,
+	[SYS_socketpair] = PLEDGE_RW,
+	[SYS_getdents] = PLEDGE_RW,
+
+	[SYS_sendto] = PLEDGE_RW | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE,
+	[SYS_sendmsg] = PLEDGE_RW,
+	[SYS_recvmsg] = PLEDGE_RW,
+	[SYS_recvfrom] = PLEDGE_RW | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE,
+
+	[SYS_fork] = PLEDGE_PROC,
+	[SYS_vfork] = PLEDGE_PROC,
+	[SYS_kill] = PLEDGE_PROC,
+	[SYS_setpgid] = PLEDGE_PROC,
+	[SYS_sigsuspend] = PLEDGE_PROC,
+	[SYS_setrlimit] = PLEDGE_PROC,
+
+	[SYS_execve] = PLEDGE_EXEC,
+
+	[SYS_setgroups] = PLEDGE_PROC,
+	[SYS_setresgid] = PLEDGE_PROC,
+	[SYS_setresuid] = PLEDGE_PROC,
+
+	/* FIONREAD/FIONBIO, plus further checks in pledge_ioctl_check() */
+	[SYS_ioctl] = PLEDGE_RW | PLEDGE_IOCTL | PLEDGE_TTY,
+
+	[SYS_getentropy] = PLEDGE_MALLOC,
+	[SYS_madvise] = PLEDGE_MALLOC,
+	[SYS_minherit] = PLEDGE_MALLOC,
+	[SYS_mmap] = PLEDGE_MALLOC,
+	[SYS_mprotect] = PLEDGE_MALLOC,
+	[SYS_mquery] = PLEDGE_MALLOC,
+	[SYS_munmap] = PLEDGE_MALLOC,
+
+	[SYS_open] = PLEDGE_SELF,			/* further checks in namei */
+	[SYS_stat] = PLEDGE_SELF,			/* further checks in namei */
+	[SYS_access] = PLEDGE_SELF,		/* further checks in namei */
+	[SYS_readlink] = PLEDGE_SELF,		/* further checks in namei */
+
+	[SYS_chdir] = PLEDGE_RPATH,
+	[SYS_openat] = PLEDGE_RPATH | PLEDGE_WPATH,
+	[SYS_fstatat] = PLEDGE_RPATH | PLEDGE_WPATH,
+	[SYS_faccessat] = PLEDGE_RPATH | PLEDGE_WPATH,
+	[SYS_readlinkat] = PLEDGE_RPATH | PLEDGE_WPATH,
+	[SYS_lstat] = PLEDGE_RPATH | PLEDGE_WPATH | PLEDGE_TMPPATH,
+	[SYS_rename] = PLEDGE_CPATH,
+	[SYS_rmdir] = PLEDGE_CPATH,
+	[SYS_renameat] = PLEDGE_CPATH,
+	[SYS_link] = PLEDGE_CPATH,
+	[SYS_linkat] = PLEDGE_CPATH,
+	[SYS_symlink] = PLEDGE_CPATH,
+	[SYS_unlink] = PLEDGE_CPATH | PLEDGE_TMPPATH,
+	[SYS_unlinkat] = PLEDGE_CPATH,
+	[SYS_mkdir] = PLEDGE_CPATH,
+	[SYS_mkdirat] = PLEDGE_CPATH,
 
 	/*
 	 * Classify as RPATH|WPATH, because of path information leakage.
 	 * WPATH due to unknown use of mk*temp(3) on non-/tmp paths..
 	 */
-	[SYS___getcwd] = TAME_RPATH | TAME_WPATH,
+	[SYS___getcwd] = PLEDGE_RPATH | PLEDGE_WPATH,
 
 	/* Classify as RPATH, because these leak path information */
-	[SYS_getfsstat] = TAME_RPATH,
-	[SYS_statfs] = TAME_RPATH,
-	[SYS_fstatfs] = TAME_RPATH,
-
-	[SYS_utimes] = TAME_FATTR,
-	[SYS_futimes] = TAME_FATTR,
-	[SYS_utimensat] = TAME_FATTR,
-	[SYS_futimens] = TAME_FATTR,
-	[SYS_chmod] = TAME_FATTR,
-	[SYS_fchmod] = TAME_FATTR,
-	[SYS_fchmodat] = TAME_FATTR,
-	[SYS_chflags] = TAME_FATTR,
-	[SYS_chflagsat] = TAME_FATTR,
-	[SYS_chown] = TAME_FATTR,
-	[SYS_fchownat] = TAME_FATTR,
-	[SYS_lchown] = TAME_FATTR,
-	[SYS_fchown] = TAME_FATTR,
-
-	[SYS_socket] = TAME_INET | TAME_UNIX | TAME_DNS_ACTIVE | TAME_YP_ACTIVE,
-	[SYS_connect] = TAME_INET | TAME_UNIX | TAME_DNS_ACTIVE | TAME_YP_ACTIVE,
-
-	[SYS_listen] = TAME_INET | TAME_UNIX,
-	[SYS_bind] = TAME_INET | TAME_UNIX,
-	[SYS_accept4] = TAME_INET | TAME_UNIX,
-	[SYS_accept] = TAME_INET | TAME_UNIX,
-	[SYS_getpeername] = TAME_INET | TAME_UNIX,
-	[SYS_getsockname] = TAME_INET | TAME_UNIX,
-	[SYS_setsockopt] = TAME_INET | TAME_UNIX,
-	[SYS_getsockopt] = TAME_INET | TAME_UNIX,
-
-	[SYS_flock] = TAME_GETPW,
+	[SYS_getfsstat] = PLEDGE_RPATH,
+	[SYS_statfs] = PLEDGE_RPATH,
+	[SYS_fstatfs] = PLEDGE_RPATH,
+
+	[SYS_utimes] = PLEDGE_FATTR,
+	[SYS_futimes] = PLEDGE_FATTR,
+	[SYS_utimensat] = PLEDGE_FATTR,
+	[SYS_futimens] = PLEDGE_FATTR,
+	[SYS_chmod] = PLEDGE_FATTR,
+	[SYS_fchmod] = PLEDGE_FATTR,
+	[SYS_fchmodat] = PLEDGE_FATTR,
+	[SYS_chflags] = PLEDGE_FATTR,
+	[SYS_chflagsat] = PLEDGE_FATTR,
+	[SYS_chown] = PLEDGE_FATTR,
+	[SYS_fchownat] = PLEDGE_FATTR,
+	[SYS_lchown] = PLEDGE_FATTR,
+	[SYS_fchown] = PLEDGE_FATTR,
+
+	[SYS_socket] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE,
+	[SYS_connect] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE,
+
+	[SYS_listen] = PLEDGE_INET | PLEDGE_UNIX,
+	[SYS_bind] = PLEDGE_INET | PLEDGE_UNIX,
+	[SYS_accept4] = PLEDGE_INET | PLEDGE_UNIX,
+	[SYS_accept] = PLEDGE_INET | PLEDGE_UNIX,
+	[SYS_getpeername] = PLEDGE_INET | PLEDGE_UNIX,
+	[SYS_getsockname] = PLEDGE_INET | PLEDGE_UNIX,
+	[SYS_setsockopt] = PLEDGE_INET | PLEDGE_UNIX,
+	[SYS_getsockopt] = PLEDGE_INET | PLEDGE_UNIX,
+
+	[SYS_flock] = PLEDGE_GETPW,
 };
 
 static const struct {
 	char *name;
 	int flags;
-} tamereq[] = {
-	{ "malloc",		TAME_SELF | TAME_MALLOC },
-	{ "rw",			TAME_SELF | TAME_RW },
-	{ "stdio",		TAME_SELF | TAME_MALLOC | TAME_RW },
-	{ "rpath",		TAME_SELF | TAME_RW | TAME_RPATH },
-	{ "wpath",		TAME_SELF | TAME_RW | TAME_WPATH },
-	{ "tmppath",		TAME_SELF | TAME_RW | TAME_TMPPATH },
-	{ "inet",		TAME_SELF | TAME_RW | TAME_INET },
-	{ "unix",		TAME_SELF | TAME_RW | TAME_UNIX },
-	{ "dns",		TAME_SELF | TAME_MALLOC | TAME_DNSPATH },
-	{ "getpw",		TAME_SELF | TAME_MALLOC | TAME_RW | TAME_GETPW },
-/*X*/	{ "cmsg",		TAME_UNIX | TAME_INET | TAME_SENDFD | TAME_RECVFD },
-	{ "sendfd",		TAME_RW | TAME_SENDFD },
-	{ "recvfd",		TAME_RW | TAME_RECVFD },
-	{ "ioctl",		TAME_IOCTL },
-	{ "route",		TAME_ROUTE },
-	{ "mcast",		TAME_MCAST },
-	{ "tty",		TAME_TTY },
-	{ "proc",		TAME_PROC },
-	{ "exec",		TAME_EXEC },
-	{ "cpath",		TAME_CPATH },
-	{ "abort",		TAME_ABORT },
-	{ "fattr",		TAME_FATTR },
-	{ "prot_exec",		TAME_PROTEXEC },
+} pledgereq[] = {
+	{ "malloc",		PLEDGE_SELF | PLEDGE_MALLOC },
+	{ "rw",			PLEDGE_SELF | PLEDGE_RW },
+	{ "stdio",		PLEDGE_SELF | PLEDGE_MALLOC | PLEDGE_RW },
+	{ "rpath",		PLEDGE_SELF | PLEDGE_RW | PLEDGE_RPATH },
+	{ "wpath",		PLEDGE_SELF | PLEDGE_RW | PLEDGE_WPATH },
+	{ "tmppath",		PLEDGE_SELF | PLEDGE_RW | PLEDGE_TMPPATH },
+	{ "inet",		PLEDGE_SELF | PLEDGE_RW | PLEDGE_INET },
+	{ "unix",		PLEDGE_SELF | PLEDGE_RW | PLEDGE_UNIX },
+	{ "dns",		PLEDGE_SELF | PLEDGE_MALLOC | PLEDGE_DNSPATH },
+	{ "getpw",		PLEDGE_SELF | PLEDGE_MALLOC | PLEDGE_RW | PLEDGE_GETPW },
+/*X*/	{ "cmsg",		PLEDGE_UNIX | PLEDGE_INET | PLEDGE_SENDFD | PLEDGE_RECVFD },
+	{ "sendfd",		PLEDGE_RW | PLEDGE_SENDFD },
+	{ "recvfd",		PLEDGE_RW | PLEDGE_RECVFD },
+	{ "ioctl",		PLEDGE_IOCTL },
+	{ "route",		PLEDGE_ROUTE },
+	{ "mcast",		PLEDGE_MCAST },
+	{ "tty",		PLEDGE_TTY },
+	{ "proc",		PLEDGE_PROC },
+	{ "exec",		PLEDGE_EXEC },
+	{ "cpath",		PLEDGE_CPATH },
+	{ "abort",		PLEDGE_ABORT },
+	{ "fattr",		PLEDGE_FATTR },
+	{ "prot_exec",		PLEDGE_PROTEXEC },
 };
 
 int
-sys_tame(struct proc *p, void *v, register_t *retval)
+sys_pledge(struct proc *p, void *v, register_t *retval)
 {
-	struct sys_tame_args /* {
+	struct sys_pledge_args /* {
 		syscallarg(const char *)request;
 		syscallarg(const char **)paths;
 	} */	*uap = v;
@@ -273,7 +273,7 @@ sys_tame(struct proc *p, void *v, register_t *retval)
 		}
 #ifdef KTRACE
 		if (KTRPOINT(p, KTR_STRUCT))
-			ktrstruct(p, "tamereq", rbuf, rbuflen-1);
+			ktrstruct(p, "pledgereq", rbuf, rbuflen-1);
 #endif
 
 		for (rp = rbuf; rp && *rp && error == 0; rp = pn) {
@@ -283,9 +283,9 @@ sys_tame(struct proc *p, void *v, register_t *retval)
 					*pn++ = '\0';
 			}
 
-			for (f = i = 0; i < nitems(tamereq); i++) {
-				if (strcmp(rp, tamereq[i].name) == 0) {
-					f = tamereq[i].flags;
+			for (f = i = 0; i < nitems(pledgereq); i++) {
+				if (strcmp(rp, pledgereq[i].name) == 0) {
+					f = pledgereq[i].flags;
 					break;
 				}
 			}
@@ -298,18 +298,18 @@ sys_tame(struct proc *p, void *v, register_t *retval)
 		free(rbuf, M_TEMP, MAXPATHLEN);
 	}
 
-	if (flags & ~TAME_USERSET)
+	if (flags & ~PLEDGE_USERSET)
 		return (EINVAL);
 
-	if ((p->p_p->ps_flags & PS_TAMED)) {
-		/* Already tamed, only allow reductions */
-		if (((flags | p->p_p->ps_tame) & TAME_USERSET) !=
-		    (p->p_p->ps_tame & TAME_USERSET)) {
+	if ((p->p_p->ps_flags & PS_PLEDGE)) {
+		/* Already pledged, only allow reductions */
+		if (((flags | p->p_p->ps_pledge) & PLEDGE_USERSET) !=
+		    (p->p_p->ps_pledge & PLEDGE_USERSET)) {
 			return (EPERM);
 		}
 
-		flags &= p->p_p->ps_tame;
-		flags &= TAME_USERSET;		/* Relearn _ACTIVE */
+		flags &= p->p_p->ps_pledge;
+		flags &= PLEDGE_USERSET;		/* Relearn _ACTIVE */
 	}
 
 	if (SCARG(uap, paths)) {
@@ -319,17 +319,17 @@ sys_tame(struct proc *p, void *v, register_t *retval)
 		size_t cwdpathlen = MAXPATHLEN * 4, cwdlen, len, maxargs = 0;
 		int i, error;
 
-		if (p->p_p->ps_tamepaths)
+		if (p->p_p->ps_pledgepaths)
 			return (EPERM);
 
 		/* Count paths */
-		for (i = 0; i < TAME_MAXPATHS; i++) {
+		for (i = 0; i < PLEDGE_MAXPATHS; i++) {
 			if ((error = copyin(u + i, &sp, sizeof(sp))) != 0)
 				return (error);
 			if (sp == NULL)
 				break;
 		}
-		if (i == TAME_MAXPATHS)
+		if (i == PLEDGE_MAXPATHS)
 			return (E2BIG);
 
 		wl = malloc(sizeof *wl + sizeof(struct whitepath) * (i+1),
@@ -353,7 +353,7 @@ sys_tame(struct proc *p, void *v, register_t *retval)
 				break;
 #ifdef KTRACE
 			if (KTRPOINT(p, KTR_STRUCT))
-				ktrstruct(p, "tamepath", path, len-1);
+				ktrstruct(p, "pledgepath", path, len-1);
 #endif
 
 			/* If path is relative, prepend cwd */
@@ -383,7 +383,7 @@ sys_tame(struct proc *p, void *v, register_t *retval)
 				}
 				builtpath = malloc(builtlen, M_TEMP, M_WAITOK);
 				snprintf(builtpath, builtlen, "%s/%s", cwd, path);
-				// printf("tame: builtpath = %s\n", builtpath);
+				// printf("pledge: builtpath = %s\n", builtpath);
 				fullpath = builtpath;
 			} else
 				fullpath = path;
@@ -399,7 +399,7 @@ sys_tame(struct proc *p, void *v, register_t *retval)
 
 			len = strlen(canopath) + 1;
 
-			//printf("tame: canopath = %s %lld strlen %lld\n", canopath,
+			//printf("pledge: canopath = %s %lld strlen %lld\n", canopath,
 			//    (long long)len, (long long)strlen(canopath));
 
 			if (maxargs += len > ARG_MAX) {
@@ -421,40 +421,40 @@ sys_tame(struct proc *p, void *v, register_t *retval)
 			free(wl, M_TEMP, wl->wl_size);
 			return (error);
 		}
-		p->p_p->ps_tamepaths = wl;
+		p->p_p->ps_pledgepaths = wl;
 #if 0
-		printf("tame: %s(%d): paths loaded:\n", p->p_comm, p->p_pid);
+		printf("pledge: %s(%d): paths loaded:\n", p->p_comm, p->p_pid);
 		for (i = 0; i < wl->wl_count; i++)
 			if (wl->wl_paths[i].name)
-				printf("tame: %d=%s %lld\n", i, wl->wl_paths[i].name,
+				printf("pledge: %d=%s %lld\n", i, wl->wl_paths[i].name,
 				    (long long)wl->wl_paths[i].len);
 #endif
 	}
 
-	p->p_p->ps_tame = flags;
-	p->p_p->ps_flags |= PS_TAMED;
+	p->p_p->ps_pledge = flags;
+	p->p_p->ps_flags |= PS_PLEDGE;
 	return (0);
 }
 
 int
-tame_check(struct proc *p, int code)
+pledge_check(struct proc *p, int code)
 {
-	p->p_tamenote = p->p_tameafter = 0;	/* XX optimise? */
-	p->p_tame_syscall = code;
+	p->p_pledgenote = p->p_pledgeafter = 0;	/* XX optimise? */
+	p->p_pledge_syscall = code;
 
 	if (code < 0 || code > SYS_MAXSYSCALL - 1)
 		return (0);
 
-	if (p->p_p->ps_tame == 0)
+	if (p->p_p->ps_pledge == 0)
 		return (code == SYS_exit || code == SYS_kbind);
-	return (p->p_p->ps_tame & tame_syscalls[code]);
+	return (p->p_p->ps_pledge & pledge_syscalls[code]);
 }
 
 int
-tame_fail(struct proc *p, int error, int code)
+pledge_fail(struct proc *p, int error, int code)
 {
-	printf("%s(%d): syscall %d\n", p->p_comm, p->p_pid, p->p_tame_syscall);
-	if (p->p_p->ps_tame & TAME_ABORT) {	/* Core dump requested */
+	printf("%s(%d): syscall %d\n", p->p_comm, p->p_pid, p->p_pledge_syscall);
+	if (p->p_p->ps_pledge & PLEDGE_ABORT) {	/* Core dump requested */
 		struct sigaction sa;
 
 		memset(&sa, 0, sizeof sa);
@@ -464,7 +464,7 @@ tame_fail(struct proc *p, int error, int code)
 	} else
 		psignal(p, SIGKILL);
 
-	p->p_p->ps_tame = 0;		/* Disable all TAME_ flags */
+	p->p_p->ps_pledge = 0;		/* Disable all PLEDGE_ flags */
 	return (error);
 }
 
@@ -473,27 +473,27 @@ tame_fail(struct proc *p, int error, int code)
  * without the right flags set
  */
 int
-tame_namei(struct proc *p, char *origpath)
+pledge_namei(struct proc *p, char *origpath)
 {
 	char path[PATH_MAX];
 
-	if (p->p_tamenote == TMN_COREDUMP)
+	if (p->p_pledgenote == TMN_COREDUMP)
 		return (0);			/* Allow a coredump */
 
 	if (canonpath(origpath, path, sizeof(path)) != 0)
-		return (tame_fail(p, EPERM, TAME_RPATH));
+		return (pledge_fail(p, EPERM, PLEDGE_RPATH));
 
-	if ((p->p_tamenote & TMN_FATTR) &&
-	    (p->p_p->ps_tame & TAME_FATTR) == 0) {
+	if ((p->p_pledgenote & TMN_FATTR) &&
+	    (p->p_p->ps_pledge & PLEDGE_FATTR) == 0) {
 		printf("%s(%d): inode syscall%d, not allowed\n",
-		    p->p_comm, p->p_pid, p->p_tame_syscall);
-		return (tame_fail(p, EPERM, TAME_FATTR));
+		    p->p_comm, p->p_pid, p->p_pledge_syscall);
+		return (pledge_fail(p, EPERM, PLEDGE_FATTR));
 	}
 
 	/* Detect what looks like a mkstemp(3) family operation */
-	if ((p->p_p->ps_tame & TAME_TMPPATH) &&
-	    (p->p_tame_syscall == SYS_open) &&
-	    (p->p_tamenote & TMN_CPATH) &&
+	if ((p->p_p->ps_pledge & PLEDGE_TMPPATH) &&
+	    (p->p_pledge_syscall == SYS_open) &&
+	    (p->p_pledgenote & TMN_CPATH) &&
 	    strncmp(path, "/tmp/", sizeof("/tmp/") - 1) == 0) {
 		return (0);
 	}
@@ -501,33 +501,33 @@ tame_namei(struct proc *p, char *origpath)
 	/* Allow unlinking of a mkstemp(3) file...
 	 * Good opportunity for strict checks here.
 	 */
-	if ((p->p_p->ps_tame & TAME_TMPPATH) &&
-	    (p->p_tame_syscall == SYS_unlink) &&
+	if ((p->p_p->ps_pledge & PLEDGE_TMPPATH) &&
+	    (p->p_pledge_syscall == SYS_unlink) &&
 	    strncmp(path, "/tmp/", sizeof("/tmp/") - 1) == 0) {
 		return (0);
 	}
 
 	/* open, mkdir, or other path creation operation */
-	if ((p->p_tamenote & TMN_CPATH) &&
-	    ((p->p_p->ps_tame & TAME_CPATH) == 0))
-		return (tame_fail(p, EPERM, TAME_CPATH));
+	if ((p->p_pledgenote & TMN_CPATH) &&
+	    ((p->p_p->ps_pledge & PLEDGE_CPATH) == 0))
+		return (pledge_fail(p, EPERM, PLEDGE_CPATH));
 
-	if ((p->p_tamenote & TMN_WPATH) &&
-	    (p->p_p->ps_tame & TAME_WPATH) == 0)
-		return (tame_fail(p, EPERM, TAME_WPATH));
+	if ((p->p_pledgenote & TMN_WPATH) &&
+	    (p->p_p->ps_pledge & PLEDGE_WPATH) == 0)
+		return (pledge_fail(p, EPERM, PLEDGE_WPATH));
 
 	/* Read-only paths used occasionally by libc */
-	switch (p->p_tame_syscall) {
+	switch (p->p_pledge_syscall) {
 	case SYS_access:
 		/* tzset() needs this. */
-		if ((p->p_tamenote == TMN_RPATH) &&
+		if ((p->p_pledgenote == TMN_RPATH) &&
 		    strcmp(path, "/etc/localtime") == 0)
 			return (0);
 		break;
 	case SYS_open:
 		/* getpw* and friends need a few files */
-		if ((p->p_tamenote == TMN_RPATH) &&
-		    (p->p_p->ps_tame & TAME_GETPW)) {
+		if ((p->p_pledgenote == TMN_RPATH) &&
+		    (p->p_p->ps_pledge & PLEDGE_GETPW)) {
 			if (strcmp(path, "/etc/spwd.db") == 0)
 				return (EPERM);
 			if (strcmp(path, "/etc/pwd.db") == 0)
@@ -537,10 +537,10 @@ tame_namei(struct proc *p, char *origpath)
 		}
 
 		/* DNS needs /etc/{resolv.conf,hosts,services}. */
-		if ((p->p_tamenote == TMN_RPATH) &&
-		    (p->p_p->ps_tame & TAME_DNSPATH)) {
+		if ((p->p_pledgenote == TMN_RPATH) &&
+		    (p->p_p->ps_pledge & PLEDGE_DNSPATH)) {
 			if (strcmp(path, "/etc/resolv.conf") == 0) {
-				p->p_tameafter |= TMA_DNSRESOLV;
+				p->p_pledgeafter |= TMA_DNSRESOLV;
 				return (0);
 			}
 			if (strcmp(path, "/etc/hosts") == 0)
@@ -548,10 +548,10 @@ tame_namei(struct proc *p, char *origpath)
 			if (strcmp(path, "/etc/services") == 0)
 				return (0);
 		}
-		if ((p->p_tamenote == TMN_RPATH) &&
-		    (p->p_p->ps_tame & TAME_GETPW)) {
+		if ((p->p_pledgenote == TMN_RPATH) &&
+		    (p->p_p->ps_pledge & PLEDGE_GETPW)) {
 			if (strcmp(path, "/var/run/ypbind.lock") == 0) {
-				p->p_tameafter |= TMA_YPLOCK;
+				p->p_pledgeafter |= TMA_YPLOCK;
 				return (0);
 			}
 			if (strncmp(path, "/var/yp/binding/",
@@ -559,16 +559,16 @@ tame_namei(struct proc *p, char *origpath)
 				return (0);
 		}
 		/* tzset() needs these. */
-		if ((p->p_tamenote == TMN_RPATH) &&
+		if ((p->p_pledgenote == TMN_RPATH) &&
 		    strncmp(path, "/usr/share/zoneinfo/",
 		    sizeof("/usr/share/zoneinfo/") - 1) == 0)
 			return (0);
-		if ((p->p_tamenote == TMN_RPATH) &&
+		if ((p->p_pledgenote == TMN_RPATH) &&
 		    strcmp(path, "/etc/localtime") == 0)
 			return (0);
 
 		/* /usr/share/nls/../libc.cat has to succeed for strerror(3). */
-		if ((p->p_tamenote == TMN_RPATH) &&
+		if ((p->p_pledgenote == TMN_RPATH) &&
 		    strncmp(path, "/usr/share/nls/",
 		    sizeof("/usr/share/nls/") - 1) == 0 &&
 		    strcmp(path + strlen(path) - 9, "/libc.cat") == 0)
@@ -576,16 +576,16 @@ tame_namei(struct proc *p, char *origpath)
 		break;
 	case SYS_readlink:
 		/* Allow /etc/malloc.conf for malloc(3). */
-		if ((p->p_tamenote == TMN_RPATH) &&
+		if ((p->p_pledgenote == TMN_RPATH) &&
 		    strcmp(path, "/etc/malloc.conf") == 0)
 			return (0);
 		break;
 	case SYS_stat:
 		/* DNS needs /etc/resolv.conf. */
-		if ((p->p_tamenote == TMN_RPATH) &&
-		    (p->p_p->ps_tame & TAME_DNSPATH)) {
+		if ((p->p_pledgenote == TMN_RPATH) &&
+		    (p->p_p->ps_pledge & PLEDGE_DNSPATH)) {
 			if (strcmp(path, "/etc/resolv.conf") == 0) {
-				p->p_tameafter |= TMA_DNSRESOLV;
+				p->p_pledgeafter |= TMA_DNSRESOLV;
 				return (0);
 			}
 		}
@@ -596,8 +596,8 @@ tame_namei(struct proc *p, char *origpath)
 	 * If a whitelist is set, compare canonical paths.  Anything
 	 * not on the whitelist gets ENOENT.
 	 */
-	if (p->p_p->ps_tamepaths) {
-		struct whitepaths *wl = p->p_p->ps_tamepaths;
+	if (p->p_p->ps_pledgepaths) {
+		struct whitepaths *wl = p->p_p->ps_pledgepaths;
 		char *fullpath, *builtpath = NULL, *canopath = NULL;
 		size_t builtlen = 0;
 		int i, error;
@@ -639,7 +639,7 @@ tame_namei(struct proc *p, char *origpath)
 		free(builtpath, M_TEMP, builtlen);
 		if (error != 0) {
 			free(canopath, M_TEMP, MAXPATHLEN);
-			return (tame_fail(p, EPERM, TAME_RPATH));
+			return (pledge_fail(p, EPERM, PLEDGE_RPATH));
 		}
 
 		//printf("namei: canopath = %s strlen %lld\n", canopath,
@@ -660,30 +660,30 @@ tame_namei(struct proc *p, char *origpath)
 		return (error);			/* Don't hint why it failed */
 	}
 
-	if (p->p_p->ps_tame & TAME_RPATH)
+	if (p->p_p->ps_pledge & PLEDGE_RPATH)
 		return (0);
-	if (p->p_p->ps_tame & TAME_WPATH)
+	if (p->p_p->ps_pledge & PLEDGE_WPATH)
 		return (0);
-	if (p->p_p->ps_tame & TAME_CPATH)
+	if (p->p_p->ps_pledge & PLEDGE_CPATH)
 		return (0);
 
-	return (tame_fail(p, EPERM, TAME_RPATH));
+	return (pledge_fail(p, EPERM, PLEDGE_RPATH));
 }
 
 void
-tame_aftersyscall(struct proc *p, int code, int error)
+pledge_aftersyscall(struct proc *p, int code, int error)
 {
-	if ((p->p_tameafter & TMA_YPLOCK) && error == 0)
-		atomic_setbits_int(&p->p_p->ps_tame, TAME_YP_ACTIVE | TAME_INET);
-	if ((p->p_tameafter & TMA_DNSRESOLV) && error == 0)
-		atomic_setbits_int(&p->p_p->ps_tame, TAME_DNS_ACTIVE);
+	if ((p->p_pledgeafter & TMA_YPLOCK) && error == 0)
+		atomic_setbits_int(&p->p_p->ps_pledge, PLEDGE_YP_ACTIVE | PLEDGE_INET);
+	if ((p->p_pledgeafter & TMA_DNSRESOLV) && error == 0)
+		atomic_setbits_int(&p->p_p->ps_pledge, PLEDGE_DNS_ACTIVE);
 }
 
 /*
  * By default, only the advisory cmsg's can be received from the kernel,
  * such as TIMESTAMP ntpd.
  *
- * If TAME_RECVFD is set SCM_RIGHTS is also allowed in for a carefully
+ * If PLEDGE_RECVFD is set SCM_RIGHTS is also allowed in for a carefully
  * selected set of descriptors (specifically to exclude directories).
  *
  * This results in a kill upon recv, if some other process on the system
@@ -691,7 +691,7 @@ tame_aftersyscall(struct proc *p, int code, int error)
  * leaving such sockets lying around...
  */
 int
-tame_cmsg_recv(struct proc *p, struct mbuf *control)
+pledge_cmsg_recv(struct proc *p, struct mbuf *control)
 {
 	struct msghdr tmp;
 	struct cmsghdr *cmsg;
@@ -699,7 +699,7 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control)
 	struct file *fp;
 	int nfds, i;
 
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
 	/* Scan the cmsg */
@@ -719,8 +719,8 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control)
 	if (cmsg == NULL)
 		return (0);
 
-	if ((p->p_p->ps_tame & TAME_RECVFD) == 0)
-		return tame_fail(p, EPERM, TAME_RECVFD);
+	if ((p->p_p->ps_pledge & PLEDGE_RECVFD) == 0)
+		return pledge_fail(p, EPERM, PLEDGE_RECVFD);
 
 	/* In OpenBSD, a CMSG only contains one SCM_RIGHTS.  Check it. */
 	fdp = (int *)CMSG_DATA(cmsg);
@@ -732,7 +732,7 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control)
 		fd = *fdp++;
 		fp = fd_getfile(p->p_fd, fd);
 		if (fp == NULL)
-			return tame_fail(p, EBADF, TAME_RECVFD);
+			return pledge_fail(p, EBADF, PLEDGE_RECVFD);
 
 		/* Only allow passing of sockets, pipes, and pure files */
 		switch (fp->f_type) {
@@ -747,30 +747,30 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control)
 		default:
 			break;
 		}
-		return tame_fail(p, EPERM, TAME_RECVFD);
+		return pledge_fail(p, EPERM, PLEDGE_RECVFD);
 	}
 	return (0);
 }
 
 /*
- * When tamed, default prevents sending of a cmsg.
+ * When pledged, default prevents sending of a cmsg.
  *
- * Unlike tame_cmsg_recv tame_cmsg_send is called with individual
+ * Unlike pledge_cmsg_recv pledge_cmsg_send is called with individual
  * cmsgs one per mbuf. So no need to loop or scan.
  */
 int
-tame_cmsg_send(struct proc *p, struct mbuf *control)
+pledge_cmsg_send(struct proc *p, struct mbuf *control)
 {
 	struct cmsghdr *cmsg;
 	int *fdp, fd;
 	struct file *fp;
 	int nfds, i;
 
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
-	if ((p->p_p->ps_tame & TAME_SENDFD) == 0)
-		return tame_fail(p, EPERM, TAME_SENDFD);
+	if ((p->p_p->ps_pledge & PLEDGE_SENDFD) == 0)
+		return pledge_fail(p, EPERM, PLEDGE_SENDFD);
 
 	/* Scan the cmsg */
 	cmsg = mtod(control, struct cmsghdr *);
@@ -790,7 +790,7 @@ tame_cmsg_send(struct proc *p, struct mbuf *control)
 		fd = *fdp++;
 		fp = fd_getfile(p->p_fd, fd);
 		if (fp == NULL)
-			return tame_fail(p, EBADF, TAME_SENDFD);
+			return pledge_fail(p, EBADF, PLEDGE_SENDFD);
 
 		/* Only allow passing of sockets, pipes, and pure files */
 		switch (fp->f_type) {
@@ -806,22 +806,22 @@ tame_cmsg_send(struct proc *p, struct mbuf *control)
 			break;
 		}
 		/* Not allowed to send a bad fd type */
-		return tame_fail(p, EPERM, TAME_SENDFD);
+		return pledge_fail(p, EPERM, PLEDGE_SENDFD);
 	}
 	return (0);
 }
 
 int
-tame_sysctl_check(struct proc *p, int miblen, int *mib, void *new)
+pledge_sysctl_check(struct proc *p, int miblen, int *mib, void *new)
 {
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
 	if (new)
 		return (EFAULT);
 
 	/* routing table observation */
-	if ((p->p_p->ps_tame & TAME_ROUTE)) {
+	if ((p->p_p->ps_pledge & PLEDGE_ROUTE)) {
 		if (miblen == 7 &&
 		    mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
 		    mib[2] == 0 &&
@@ -843,7 +843,7 @@ tame_sysctl_check(struct proc *p, int miblen, int *mib, void *new)
 			return (0);
 	}
 
-	if ((p->p_p->ps_tame & (TAME_ROUTE | TAME_INET))) {
+	if ((p->p_p->ps_pledge & (PLEDGE_ROUTE | PLEDGE_INET))) {
 		if (miblen == 6 &&		/* getifaddrs() */
 		    mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
 		    mib[2] == 0 &&
@@ -892,11 +892,11 @@ tame_sysctl_check(struct proc *p, int miblen, int *mib, void *new)
 }
 
 int
-tame_adjtime_check(struct proc *p, const void *v)
+pledge_adjtime_check(struct proc *p, const void *v)
 {
 	const struct timeval *delta = v;
 
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
 	if (delta)
@@ -905,32 +905,32 @@ tame_adjtime_check(struct proc *p, const void *v)
 }
 
 int
-tame_connect_check(struct proc *p)
+pledge_connect_check(struct proc *p)
 {
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
-	if ((p->p_p->ps_tame & TAME_DNS_ACTIVE))
+	if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE))
 		return (0);	/* A port check happens inside sys_connect() */
 
-	if ((p->p_p->ps_tame & (TAME_INET | TAME_UNIX)))
+	if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX)))
 		return (0);
 	return (EPERM);
 }
 
 int
-tame_recvfrom_check(struct proc *p, void *v)
+pledge_recvfrom_check(struct proc *p, void *v)
 {
 	struct sockaddr *from = v;
 
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
-	if ((p->p_p->ps_tame & TAME_DNS_ACTIVE) && from == NULL)
+	if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && from == NULL)
 		return (0);
-	if (p->p_p->ps_tame & TAME_INET)
+	if (p->p_p->ps_pledge & PLEDGE_INET)
 		return (0);
-	if (p->p_p->ps_tame & TAME_UNIX)
+	if (p->p_p->ps_pledge & PLEDGE_UNIX)
 		return (0);
 	if (from == NULL)
 		return (0);		/* behaves just like write */
@@ -938,19 +938,19 @@ tame_recvfrom_check(struct proc *p, void *v)
 }
 
 int
-tame_sendto_check(struct proc *p, const void *v)
+pledge_sendto_check(struct proc *p, const void *v)
 {
 	const struct sockaddr *to = v;
 
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
-	if ((p->p_p->ps_tame & TAME_DNS_ACTIVE) && to == NULL)
+	if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && to == NULL)
 		return (0);
 
-	if ((p->p_p->ps_tame & TAME_INET))
+	if ((p->p_p->ps_pledge & PLEDGE_INET))
 		return (0);
-	if ((p->p_p->ps_tame & TAME_UNIX))
+	if ((p->p_p->ps_pledge & PLEDGE_UNIX))
 		return (0);
 	if (to == NULL)
 		return (0);		/* behaves just like write */
@@ -958,36 +958,36 @@ tame_sendto_check(struct proc *p, const void *v)
 }
 
 int
-tame_socket_check(struct proc *p, int domain)
+pledge_socket_check(struct proc *p, int domain)
 {
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
-	if ((p->p_p->ps_tame & (TAME_INET | TAME_UNIX)))
+	if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX)))
 		return (0);
-	if ((p->p_p->ps_tame & TAME_DNS_ACTIVE) &&
+	if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) &&
 	    (domain == AF_INET || domain == AF_INET6))
 		return (0);
 	return (EPERM);
 }
 
 int
-tame_bind_check(struct proc *p, const void *v)
+pledge_bind_check(struct proc *p, const void *v)
 {
 
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
-	if ((p->p_p->ps_tame & TAME_INET))
+	if ((p->p_p->ps_pledge & PLEDGE_INET))
 		return (0);
 	return (EPERM);
 }
 
 int
-tame_ioctl_check(struct proc *p, long com, void *v)
+pledge_ioctl_check(struct proc *p, long com, void *v)
 {
 	struct file *fp = v;
 	struct vnode *vp = NULL;
 
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
 	/*
@@ -1007,7 +1007,7 @@ tame_ioctl_check(struct proc *p, long com, void *v)
 	 * Further sets of ioctl become available, but are checked a
 	 * bit more carefully against the vnode.
 	 */
-	if ((p->p_p->ps_tame & TAME_IOCTL)) {
+	if ((p->p_p->ps_pledge & PLEDGE_IOCTL)) {
 		switch (com) {
 		case FIOCLEX:
 		case FIONCLEX:
@@ -1034,14 +1034,14 @@ tame_ioctl_check(struct proc *p, long com, void *v)
 				return (0);
 			break;
 		case SIOCGIFGROUP:
-			if ((p->p_p->ps_tame & TAME_INET) &&
+			if ((p->p_p->ps_pledge & PLEDGE_INET) &&
 			    fp->f_type == DTYPE_SOCKET)
 				return (0);
 			break;
 		}
 	}
 
-	if ((p->p_p->ps_tame & TAME_ROUTE)) {
+	if ((p->p_p->ps_pledge & PLEDGE_ROUTE)) {
 		switch (com) {
 		case SIOCGIFADDR:
 		case SIOCGIFFLAGS:
@@ -1052,10 +1052,10 @@ tame_ioctl_check(struct proc *p, long com, void *v)
 		}
 	}
 
-	if ((p->p_p->ps_tame & TAME_TTY)) {
+	if ((p->p_p->ps_pledge & PLEDGE_TTY)) {
 		switch (com) {
 		case TIOCSPGRP:
-			if ((p->p_p->ps_tame & TAME_PROC) == 0)
+			if ((p->p_p->ps_pledge & PLEDGE_PROC) == 0)
 				break;
 			/* FALTHROUGH */
 		case TIOCGETA:
@@ -1075,16 +1075,16 @@ tame_ioctl_check(struct proc *p, long com, void *v)
 		}
 	}
 
-	return tame_fail(p, EPERM, TAME_IOCTL);
+	return pledge_fail(p, EPERM, PLEDGE_IOCTL);
 }
 
 int
-tame_setsockopt_check(struct proc *p, int level, int optname)
+pledge_setsockopt_check(struct proc *p, int level, int optname)
 {
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
-	/* common case for TAME_UNIX and TAME_INET */
+	/* common case for PLEDGE_UNIX and PLEDGE_INET */
 	switch (level) {
 	case SOL_SOCKET:
 		switch (optname) {
@@ -1094,7 +1094,7 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
 		return (0);
 	}
 
-	if ((p->p_p->ps_tame & TAME_INET) == 0)
+	if ((p->p_p->ps_pledge & PLEDGE_INET) == 0)
 		return (EPERM);
 
 	switch (level) {
@@ -1119,7 +1119,7 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
 		case IP_MULTICAST_IF:
 		case IP_ADD_MEMBERSHIP:
 		case IP_DROP_MEMBERSHIP:
-			if ((p->p_p->ps_tame & TAME_MCAST) == 0)
+			if ((p->p_p->ps_pledge & PLEDGE_MCAST) == 0)
 				return (0);
 			break;
 		}		
@@ -1139,7 +1139,7 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
 		case IPV6_MULTICAST_IF:
 		case IPV6_JOIN_GROUP:
 		case IPV6_LEAVE_GROUP:
-			if ((p->p_p->ps_tame & TAME_MCAST) == 0)
+			if ((p->p_p->ps_pledge & PLEDGE_MCAST) == 0)
 				return (0);
 			break;
 		}
@@ -1151,30 +1151,30 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
 }
 
 int
-tame_dns_check(struct proc *p, in_port_t port)
+pledge_dns_check(struct proc *p, in_port_t port)
 {
-	if ((p->p_p->ps_flags & PS_TAMED) == 0)
+	if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
 		return (0);
 
-	if ((p->p_p->ps_tame & TAME_INET))
+	if ((p->p_p->ps_pledge & PLEDGE_INET))
 		return (0);
-	if ((p->p_p->ps_tame & TAME_DNS_ACTIVE) && port == htons(53))
+	if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && port == htons(53))
 		return (0);	/* Allow a DNS connect outbound */
 	return (EPERM);
 }
 
 void
-tame_dropwpaths(struct process *pr)
+pledge_dropwpaths(struct process *pr)
 {
-	if (pr->ps_tamepaths && --pr->ps_tamepaths->wl_ref == 0) {
-		struct whitepaths *wl = pr->ps_tamepaths;
+	if (pr->ps_pledgepaths && --pr->ps_pledgepaths->wl_ref == 0) {
+		struct whitepaths *wl = pr->ps_pledgepaths;
 		int i;
 
 		for (i = 0; i < wl->wl_count; i++)
 			free(wl->wl_paths[i].name, M_TEMP, wl->wl_paths[i].len);
 		free(wl, M_TEMP, wl->wl_size);
 	}
-	pr->ps_tamepaths = NULL;
+	pr->ps_pledgepaths = NULL;
 }
 
 int
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c
index 2942e3de2cc..3aab66ce4d9 100644
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_time.c,v 1.93 2015/09/11 08:22:31 guenther Exp $	*/
+/*	$OpenBSD: kern_time.c,v 1.94 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: kern_time.c,v 1.20 1996/02/18 11:57:06 fvdl Exp $	*/
 
 /*
@@ -40,7 +40,7 @@
 #include <sys/ktrace.h>
 #include <sys/vnode.h>
 #include <sys/signalvar.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 #include <sys/timetc.h>
 
 #include <sys/mount.h>
@@ -433,7 +433,7 @@ sys_adjtime(struct proc *p, void *v, register_t *retval)
 	struct timeval atv;
 	int error;
 
-	if (tame_adjtime_check(p, delta))
+	if (pledge_adjtime_check(p, delta))
 		return (EPERM);
 
 	if (olddelta) {
diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master
index bccfe3d7198..31dfa063d50 100644
--- a/sys/kern/syscalls.master
+++ b/sys/kern/syscalls.master
@@ -1,4 +1,4 @@
-;	$OpenBSD: syscalls.master,v 1.161 2015/10/02 17:49:40 kettenis Exp $
+;	$OpenBSD: syscalls.master,v 1.162 2015/10/09 01:10:27 deraadt Exp $
 ;	$NetBSD: syscalls.master,v 1.32 1996/04/23 10:24:21 mycroft Exp $
 
 ;	@(#)syscalls.master	8.2 (Berkeley) 1/13/94
@@ -225,7 +225,7 @@
 106	STD		{ int sys_listen(int s, int backlog); }
 107	STD		{ int sys_chflagsat(int fd, const char *path, \
 			    u_int flags, int atflags); }
-108	STD 		{ int sys_tame(const char *request, const char **paths); }
+108	STD 		{ int sys_pledge(const char *request, const char **paths); }
 109	STD		{ int sys_ppoll(struct pollfd *fds, \
 			    u_int nfds, const struct timespec *ts, \
 			    const sigset_t *mask); }
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 8cb3444affd..13780c4a5ac 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: uipc_syscalls.c,v 1.111 2015/10/06 14:55:41 claudio Exp $	*/
+/*	$OpenBSD: uipc_syscalls.c,v 1.112 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: uipc_syscalls.c,v 1.19 1996/02/09 19:00:48 christos Exp $	*/
 
 /*
@@ -45,7 +45,7 @@
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/signalvar.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 #include <sys/unpcb.h>
 #include <sys/un.h>
 #ifdef KTRACE
@@ -79,8 +79,8 @@ sys_socket(struct proc *p, void *v, register_t *retval)
 	int type = SCARG(uap, type);
 	int fd, error;
 
-	if (tame_socket_check(p, SCARG(uap, domain)))
-		return (tame_fail(p, EPERM, TAME_UNIX));
+	if (pledge_socket_check(p, SCARG(uap, domain)))
+		return (pledge_fail(p, EPERM, PLEDGE_UNIX));
 
 	fdplock(fdp);
 	error = falloc(p, &fp, &fd);
@@ -124,8 +124,8 @@ sys_bind(struct proc *p, void *v, register_t *retval)
 	struct mbuf *nam;
 	int error;
 
-	if (tame_bind_check(p, SCARG(uap, name)))
-		return (tame_fail(p, EPERM, TAME_UNIX));
+	if (pledge_bind_check(p, SCARG(uap, name)))
+		return (pledge_fail(p, EPERM, PLEDGE_UNIX));
 
 	if ((error = getsock(p, SCARG(uap, s), &fp)) != 0)
 		return (error);
@@ -322,8 +322,8 @@ sys_connect(struct proc *p, void *v, register_t *retval)
 	struct mbuf *nam = NULL;
 	int error, s;
 
-	if (tame_connect_check(p))
-		return (tame_fail(p, EPERM, TAME_UNIX));
+	if (pledge_connect_check(p))
+		return (pledge_fail(p, EPERM, PLEDGE_UNIX));
 
 	if ((error = getsock(p, SCARG(uap, s), &fp)) != 0)
 		return (error);
@@ -465,8 +465,8 @@ sys_sendto(struct proc *p, void *v, register_t *retval)
 	struct msghdr msg;
 	struct iovec aiov;
 
-	if (tame_sendto_check(p, SCARG(uap, to)))
-		return (tame_fail(p, EPERM, TAME_UNIX));
+	if (pledge_sendto_check(p, SCARG(uap, to)))
+		return (pledge_fail(p, EPERM, PLEDGE_UNIX));
 
 	msg.msg_name = (caddr_t)SCARG(uap, to);
 	msg.msg_namelen = SCARG(uap, tolen);
@@ -499,8 +499,8 @@ sys_sendmsg(struct proc *p, void *v, register_t *retval)
 		ktrmsghdr(p, &msg);
 #endif
 
-	if (tame_sendto_check(p, msg.msg_name))
-		return (tame_fail(p, EPERM, TAME_UNIX));
+	if (pledge_sendto_check(p, msg.msg_name))
+		return (pledge_fail(p, EPERM, PLEDGE_UNIX));
 
 	if (msg.msg_iovlen > IOV_MAX)
 		return (EMSGSIZE);
@@ -586,7 +586,7 @@ sendit(struct proc *p, int s, struct msghdr *mp, int flags, register_t *retsize)
 			    mp->msg_controllen);
 #endif
 
-		if (tame_cmsg_send(p, control)) {
+		if (pledge_cmsg_send(p, control)) {
 			m_free(control);
 			error = EPERM;
 			goto bad;
@@ -645,8 +645,8 @@ sys_recvfrom(struct proc *p, void *v, register_t *retval)
 	struct iovec aiov;
 	int error;
 
-	if (tame_recvfrom_check(p, SCARG(uap, from)))
-		return (tame_fail(p, EPERM, TAME_UNIX));
+	if (pledge_recvfrom_check(p, SCARG(uap, from)))
+		return (pledge_fail(p, EPERM, PLEDGE_UNIX));
 
 	if (SCARG(uap, fromlenaddr)) {
 		error = copyin(SCARG(uap, fromlenaddr),
@@ -682,8 +682,8 @@ sys_recvmsg(struct proc *p, void *v, register_t *retval)
 	if (error)
 		return (error);
 
-	if (tame_recvfrom_check(p, msg.msg_name))
-		return (tame_fail(p, EPERM, TAME_UNIX));
+	if (pledge_recvfrom_check(p, msg.msg_name))
+		return (pledge_fail(p, EPERM, PLEDGE_UNIX));
 
 	if (msg.msg_iovlen > IOV_MAX)
 		return (EMSGSIZE);
@@ -821,7 +821,7 @@ recvit(struct proc *p, int s, struct msghdr *mp, caddr_t namelenp,
 					mp->msg_flags |= MSG_CTRUNC;
 					i = len;
 				}
-				if (tame_cmsg_recv(p, m)) {
+				if (pledge_cmsg_recv(p, m)) {
 					error = EPERM;
 					goto out;
 				}
@@ -883,8 +883,8 @@ sys_setsockopt(struct proc *p, void *v, register_t *retval)
 	struct mbuf *m = NULL;
 	int error;
 
-	if (tame_setsockopt_check(p, SCARG(uap, level), SCARG(uap, name)))
-		return (tame_fail(p, EPERM, TAME_INET));
+	if (pledge_setsockopt_check(p, SCARG(uap, level), SCARG(uap, name)))
+		return (pledge_fail(p, EPERM, PLEDGE_INET));
 
 	if ((error = getsock(p, SCARG(uap, s), &fp)) != 0)
 		return (error);
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index ddc130fb4ed..2eae3077063 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: uipc_usrreq.c,v 1.86 2015/08/29 21:10:20 deraadt Exp $	*/
+/*	$OpenBSD: uipc_usrreq.c,v 1.87 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: uipc_usrreq.c,v 1.18 1996/02/09 19:00:50 christos Exp $	*/
 
 /*
@@ -433,7 +433,7 @@ unp_bind(struct unpcb *unp, struct mbuf *nam, struct proc *p)
 	/* Fixup sun_len to keep it in sync with m_len. */
 	soun->sun_len = nam2->m_len;
 
-	p->p_tamenote = TMN_CPATH;
+	p->p_pledgenote = TMN_CPATH;
 	NDINIT(&nd, CREATE, NOFOLLOW | LOCKPARENT, UIO_SYSSPACE,
 	    soun->sun_path, p);
 /* SHOULD BE ABLE TO ADOPT EXISTING AND wakeup() ALA FIFO's */
@@ -492,7 +492,7 @@ unp_connect(struct socket *so, struct mbuf *nam, struct proc *p)
 	else if (memchr(soun->sun_path, '\0', sizeof(soun->sun_path)) == NULL)
 		return (EINVAL);
 
-	p->p_tamenote = TMN_RPATH;
+	p->p_pledgenote = TMN_RPATH;
 	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, soun->sun_path, p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
index fc8c274ec27..9de8580dd50 100644
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vfs_lookup.c,v 1.56 2015/09/11 08:22:31 guenther Exp $	*/
+/*	$OpenBSD: vfs_lookup.c,v 1.57 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: vfs_lookup.c,v 1.17 1996/02/09 19:00:59 christos Exp $	*/
 
 /*
@@ -49,7 +49,7 @@
 #include <sys/pool.h>
 #include <sys/filedesc.h>
 #include <sys/proc.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 #include <sys/file.h>
 #include <sys/fcntl.h>
 
@@ -166,8 +166,8 @@ fail:
 	 */
 	if ((ndp->ni_rootdir = fdp->fd_rdir) == NULL)
 		ndp->ni_rootdir = rootvnode;
-	if ((p->p_p->ps_flags & PS_TAMED)) {
-		error = tame_namei(p, cnp->cn_pnbuf);
+ 	if ((p->p_p->ps_flags & PS_PLEDGE)) {
+		error = pledge_namei(p, cnp->cn_pnbuf);
 		if (error)
 			goto fail;
 	}
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 4c23eb59c94..af85e9a5bc1 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vfs_syscalls.c,v 1.228 2015/10/06 14:39:07 deraadt Exp $	*/
+/*	$OpenBSD: vfs_syscalls.c,v 1.229 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $	*/
 
 /*
@@ -562,7 +562,7 @@ sys_statfs(struct proc *p, void *v, register_t *retval)
 	int error;
 	struct nameidata nd;
 
-	p->p_tamenote = TMN_RPATH;
+	p->p_pledgenote = TMN_RPATH;
 	NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -847,17 +847,17 @@ doopenat(struct proc *p, int fd, const char *path, int oflags, mode_t mode,
 
 	switch (oflags & O_ACCMODE) {
 	case O_RDONLY:
-		p->p_tamenote = TMN_RPATH;
+		p->p_pledgenote = TMN_RPATH;
 		break;
 	case O_WRONLY:
-		p->p_tamenote = TMN_WPATH;
+		p->p_pledgenote = TMN_WPATH;
 		break;
 	case O_RDWR:
-		p->p_tamenote = TMN_RPATH | TMN_WPATH;
+		p->p_pledgenote = TMN_RPATH | TMN_WPATH;
 		break;
 	}
 	if (oflags & O_CREAT)
-		p->p_tamenote |= TMN_CPATH;
+		p->p_pledgenote |= TMN_CPATH;
 
 	fdplock(fdp);
 
@@ -1295,7 +1295,7 @@ sys_mkfifo(struct proc *p, void *v, register_t *retval)
 		syscallarg(mode_t) mode;
 	} */ *uap = v;
 
-	p->p_tamenote = TMN_CPATH | TMN_RPATH;
+	p->p_pledgenote = TMN_CPATH | TMN_RPATH;
 	return (domknodat(p, AT_FDCWD, SCARG(uap, path),
 	    (SCARG(uap, mode) & ALLPERMS) | S_IFIFO, 0));
 }
@@ -1357,7 +1357,7 @@ dolinkat(struct proc *p, int fd1, const char *path1, int fd2,
 		return (EINVAL);
 
 	follow = (flag & AT_SYMLINK_FOLLOW) ? FOLLOW : NOFOLLOW;
-	p->p_tamenote = TMN_RPATH;
+	p->p_pledgenote = TMN_RPATH;
 	NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd1, path1, p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -1368,7 +1368,7 @@ dolinkat(struct proc *p, int fd1, const char *path1, int fd2,
 		flags |= STRIPSLASHES;
 	}
 
-	p->p_tamenote = TMN_CPATH;
+	p->p_pledgenote = TMN_CPATH;
 	NDINITAT(&nd, CREATE, flags, UIO_USERSPACE, fd2, path2, p);
 	if ((error = namei(&nd)) != 0)
 		goto out;
@@ -1428,7 +1428,7 @@ dosymlinkat(struct proc *p, const char *upath, int fd, const char *link)
 	error = copyinstr(upath, path, MAXPATHLEN, NULL);
 	if (error)
 		goto out;
-	p->p_tamenote = TMN_CPATH;
+	p->p_pledgenote = TMN_CPATH;
 	NDINITAT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, fd, link, p);
 	if ((error = namei(&nd)) != 0)
 		goto out;
@@ -1487,7 +1487,7 @@ dounlinkat(struct proc *p, int fd, const char *path, int flag)
 	if (flag & ~AT_REMOVEDIR)
 		return (EINVAL);
 
-	p->p_tamenote = TMN_CPATH;
+	p->p_pledgenote = TMN_CPATH;
 	NDINITAT(&nd, DELETE, LOCKPARENT | LOCKLEAF, UIO_USERSPACE,
 	    fd, path, p);
 	if ((error = namei(&nd)) != 0)
@@ -1608,7 +1608,7 @@ sys_access(struct proc *p, void *v, register_t *retval)
 		syscallarg(int) amode;
 	} */ *uap = v;
 
-	p->p_tamenote = TMN_RPATH;
+	p->p_pledgenote = TMN_RPATH;
 	return (dofaccessat(p, AT_FDCWD, SCARG(uap, path),
 	    SCARG(uap, amode), 0));
 }
@@ -1655,7 +1655,7 @@ dofaccessat(struct proc *p, int fd, const char *path, int amode, int flag)
 		newcred->cr_gid = newcred->cr_rgid;
 	}
 
-	p->p_tamenote = TMN_RPATH;
+	p->p_pledgenote = TMN_RPATH;
 	NDINITAT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, fd, path, p);
 	if ((error = namei(&nd)) != 0)
 		goto out;
@@ -1726,7 +1726,7 @@ dofstatat(struct proc *p, int fd, const char *path, struct stat *buf, int flag)
 
 
 	follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
-	p->p_tamenote = TMN_RPATH;
+	p->p_pledgenote = TMN_RPATH;
 	NDINITAT(&nd, LOOKUP, follow | LOCKLEAF, UIO_USERSPACE, fd, path, p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -1825,7 +1825,7 @@ doreadlinkat(struct proc *p, int fd, const char *path, char *buf,
 	int error;
 	struct nameidata nd;
 
-	p->p_tamenote = TMN_RPATH;
+	p->p_pledgenote = TMN_RPATH;
 	NDINITAT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF, UIO_USERSPACE, fd, path, p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -1888,7 +1888,7 @@ dochflagsat(struct proc *p, int fd, const char *path, u_int flags, int atflags)
 		return (EINVAL);
 
 	follow = (atflags & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
-	p->p_tamenote = TMN_FATTR | TMN_RPATH;
+	p->p_pledgenote = TMN_FATTR | TMN_RPATH;
 	NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -1986,13 +1986,13 @@ dofchmodat(struct proc *p, int fd, const char *path, mode_t mode, int flag)
 
 	if (mode & ~(S_IFMT | ALLPERMS))
 		return (EINVAL);
-	if ((p->p_p->ps_flags & PS_TAMED))
+	if ((p->p_p->ps_flags & PS_PLEDGE))
 		mode &= ACCESSPERMS;
 	if (flag & ~AT_SYMLINK_NOFOLLOW)
 		return (EINVAL);
 
 	follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
-	p->p_tamenote = TMN_FATTR | TMN_RPATH;
+	p->p_pledgenote = TMN_FATTR | TMN_RPATH;
 	NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -2028,7 +2028,7 @@ sys_fchmod(struct proc *p, void *v, register_t *retval)
 
 	if (mode & ~(S_IFMT | ALLPERMS))
 		return (EINVAL);
-	if ((p->p_p->ps_flags & PS_TAMED))
+	if ((p->p_p->ps_flags & PS_PLEDGE))
 		mode &= ACCESSPERMS;
 
 	if ((error = getvnode(p, SCARG(uap, fd), &fp)) != 0)
@@ -2093,7 +2093,7 @@ dofchownat(struct proc *p, int fd, const char *path, uid_t uid, gid_t gid,
 		return (EINVAL);
 
 	follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
-	p->p_tamenote = TMN_FATTR | TMN_RPATH;
+	p->p_pledgenote = TMN_FATTR | TMN_RPATH;
 	NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -2102,7 +2102,7 @@ dofchownat(struct proc *p, int fd, const char *path, uid_t uid, gid_t gid,
 	if (vp->v_mount->mnt_flag & MNT_RDONLY)
 		error = EROFS;
 	else {
-		if ((p->p_p->ps_flags & PS_TAMED) &&
+		if ((p->p_p->ps_flags & PS_PLEDGE) &&
 		    ((uid != -1 && uid != p->p_ucred->cr_uid) ||
 		     (gid != -1 && gid != p->p_ucred->cr_gid))) {
 			error = EPERM;
@@ -2149,7 +2149,7 @@ sys_lchown(struct proc *p, void *v, register_t *retval)
 	uid_t uid = SCARG(uap, uid);
 	gid_t gid = SCARG(uap, gid);
 
-	p->p_tamenote = TMN_FATTR | TMN_RPATH;
+	p->p_pledgenote = TMN_FATTR | TMN_RPATH;
 	NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -2158,7 +2158,7 @@ sys_lchown(struct proc *p, void *v, register_t *retval)
 	if (vp->v_mount->mnt_flag & MNT_RDONLY)
 		error = EROFS;
 	else {
-		if ((p->p_p->ps_flags & PS_TAMED) &&
+		if ((p->p_p->ps_flags & PS_PLEDGE) &&
 		    ((uid != -1 && uid != p->p_ucred->cr_uid) ||
 		     (gid != -1 && gid != p->p_ucred->cr_gid))) {
 			error = EPERM;
@@ -2212,7 +2212,7 @@ sys_fchown(struct proc *p, void *v, register_t *retval)
 	if (vp->v_mount->mnt_flag & MNT_RDONLY)
 		error = EROFS;
 	else {
-		if ((p->p_p->ps_flags & PS_TAMED) &&
+		if ((p->p_p->ps_flags & PS_PLEDGE) &&
 		    ((uid != -1 && uid != p->p_ucred->cr_uid) ||
 		     (gid != -1 && gid != p->p_ucred->cr_gid))) {
 			error = EPERM;
@@ -2308,7 +2308,7 @@ doutimensat(struct proc *p, int fd, const char *path,
 		return (EINVAL);
 
 	follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
-	p->p_tamenote = TMN_FATTR | TMN_RPATH;
+	p->p_pledgenote = TMN_FATTR | TMN_RPATH;
 	NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -2453,7 +2453,7 @@ sys_truncate(struct proc *p, void *v, register_t *retval)
 	int error;
 	struct nameidata nd;
 
-	p->p_tamenote = TMN_FATTR | TMN_RPATH;
+	p->p_pledgenote = TMN_FATTR | TMN_RPATH;
 	NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -2580,7 +2580,7 @@ dorenameat(struct proc *p, int fromfd, const char *from, int tofd,
 	int error;
 	int flags;
 
-	p->p_tamenote = TMN_RPATH | TMN_CPATH;
+	p->p_pledgenote = TMN_RPATH | TMN_CPATH;
 	NDINITAT(&fromnd, DELETE, WANTPARENT | SAVESTART, UIO_USERSPACE,
 	    fromfd, from, p);
 	if ((error = namei(&fromnd)) != 0)
@@ -2594,7 +2594,7 @@ dorenameat(struct proc *p, int fromfd, const char *from, int tofd,
 	if (fvp->v_type == VDIR)
 		flags |= STRIPSLASHES;
 
-	p->p_tamenote = TMN_CPATH;
+	p->p_pledgenote = TMN_CPATH;
 	NDINITAT(&tond, RENAME, flags, UIO_USERSPACE, tofd, to, p);
 	if ((error = namei(&tond)) != 0) {
 		VOP_ABORTOP(fromnd.ni_dvp, &fromnd.ni_cnd);
@@ -2663,7 +2663,7 @@ sys_mkdir(struct proc *p, void *v, register_t *retval)
 		syscallarg(mode_t) mode;
 	} */ *uap = v;
 
-	p->p_tamenote = TMN_CPATH | TMN_RPATH;
+	p->p_pledgenote = TMN_CPATH | TMN_RPATH;
 	return (domkdirat(p, AT_FDCWD, SCARG(uap, path), SCARG(uap, mode)));
 }
 
@@ -2688,7 +2688,7 @@ domkdirat(struct proc *p, int fd, const char *path, mode_t mode)
 	int error;
 	struct nameidata nd;
 
-	p->p_tamenote = TMN_CPATH | TMN_RPATH;
+	p->p_pledgenote = TMN_CPATH | TMN_RPATH;
 	NDINITAT(&nd, CREATE, LOCKPARENT | STRIPSLASHES, UIO_USERSPACE,
 	    fd, path, p);
 	if ((error = namei(&nd)) != 0)
@@ -2723,7 +2723,7 @@ sys_rmdir(struct proc *p, void *v, register_t *retval)
 		syscallarg(const char *) path;
 	} */ *uap = v;
 
-	p->p_tamenote = TMN_CPATH;
+	p->p_pledgenote = TMN_CPATH;
 	return (dounlinkat(p, AT_FDCWD, SCARG(uap, path), AT_REMOVEDIR));
 }
 
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index fe26a5a6840..ed4fd8b9a06 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: in_pcb.c,v 1.180 2015/09/22 09:34:38 vgross Exp $	*/
+/*	$OpenBSD: in_pcb.c,v 1.181 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $	*/
 
 /*
@@ -77,7 +77,7 @@
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/proc.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 #include <sys/domain.h>
 #include <sys/pool.h>
 
@@ -455,8 +455,8 @@ in_pcbconnect(struct inpcb *inp, struct mbuf *nam)
 	if (sin->sin_port == 0)
 		return (EADDRNOTAVAIL);
 
-	if (tame_dns_check(p, sin->sin_port))
-		return (tame_fail(p, EPERM, TAME_DNSPATH));
+	if (pledge_dns_check(p, sin->sin_port))
+		return (pledge_fail(p, EPERM, PLEDGE_DNSPATH));
 
 	error = in_selectsrc(&ina, sin, inp->inp_moptions, &inp->inp_route,
 	    &inp->inp_laddr, inp->inp_rtableid);
diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
index 866fc9cf800..67b5384780f 100644
--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: in6_pcb.c,v 1.75 2015/09/22 09:34:39 vgross Exp $	*/
+/*	$OpenBSD: in6_pcb.c,v 1.76 2015/10/09 01:10:27 deraadt Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -109,7 +109,7 @@
 #include <sys/errno.h>
 #include <sys/time.h>
 #include <sys/proc.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 
 #include <net/if.h>
 #include <net/if_var.h>
@@ -403,8 +403,8 @@ in6_pcbconnect(struct inpcb *inp, struct mbuf *nam)
 	if (sin6->sin6_port == 0)
 		return (EADDRNOTAVAIL);
 
-	if (tame_dns_check(p, sin6->sin6_port))
-		return (tame_fail(p, EPERM, TAME_DNSPATH));
+	if (pledge_dns_check(p, sin6->sin6_port))
+		return (pledge_fail(p, EPERM, PLEDGE_DNSPATH));
 
 	/* reject IPv4 mapped address, we have no support for it */
 	if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
diff --git a/sys/sys/pledge.h b/sys/sys/pledge.h
new file mode 100644
index 00000000000..583ef86c18b
--- /dev/null
+++ b/sys/sys/pledge.h
@@ -0,0 +1,92 @@
+/*	$OpenBSD: pledge.h,v 1.1 2015/10/09 01:10:27 deraadt Exp $	*/
+
+/*
+ * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
+ * Copyright (c) 2015 Theo de Raadt <deraadt@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _SYS_PLEDGE_H_
+#define _SYS_PLEDGE_H_
+
+#ifdef _KERNEL
+
+#include <sys/cdefs.h>
+
+#define PLEDGE_SELF	0x00000001	/* operate on own pid */
+#define PLEDGE_RW		0x00000002	/* basic io operations */
+#define PLEDGE_MALLOC	0x00000004	/* enough for malloc */
+#define PLEDGE_DNSPATH	0x00000008	/* access to DNS pathnames */
+#define PLEDGE_RPATH	0x00000010	/* allow open for read */
+#define PLEDGE_WPATH	0x00000020	/* allow open for write */
+#define PLEDGE_TMPPATH	0x00000040	/* for mk*temp() */
+#define PLEDGE_INET	0x00000080	/* AF_INET/AF_INET6 sockets */
+#define PLEDGE_UNIX	0x00000100	/* AF_UNIX sockets */
+// reuse, old CMSG	0x00000200
+#define PLEDGE_IOCTL	0x00000400	/* Select ioctl */
+#define PLEDGE_GETPW	0x00000800	/* YP enables if ypbind.lock */
+#define PLEDGE_PROC	0x00001000	/* fork, waitpid, etc */
+#define PLEDGE_CPATH	0x00002000	/* allow creat, mkdir, path creations */
+#define PLEDGE_FATTR	0x00004000	/* allow explicit file st_* mods */
+#define PLEDGE_PROTEXEC	0x00008000	/* allow use of PROT_EXEC */
+#define PLEDGE_TTY	0x00010000	/* tty setting */
+#define PLEDGE_SENDFD	0x00020000	/* AF_UNIX CMSG fd sending */
+#define PLEDGE_RECVFD	0x00040000	/* AF_UNIX CMSG fd receiving */
+#define PLEDGE_EXEC	0x00080000	/* execve, child is free of pledge */
+#define PLEDGE_ROUTE	0x00100000	/* routing lookups */
+#define PLEDGE_MCAST	0x00200000	/* multicast joins */
+
+#define PLEDGE_ABORT	0x08000000	/* SIGABRT instead of SIGKILL */
+
+/* Following flags are set by kernel, as it learns things.
+ * Not user settable. Should be moved to a seperate variable */
+#define PLEDGE_USERSET	0x0fffffff
+#define PLEDGE_YP_ACTIVE	0x10000000	/* YP use detected and allowed */
+#define PLEDGE_DNS_ACTIVE	0x20000000	/* DNS use detected and allowed */
+
+int	pledge_check(struct proc *, int);
+int	pledge_fail(struct proc *, int, int);
+int	pledge_namei(struct proc *, char *);
+void	pledge_aftersyscall(struct proc *, int, int);
+
+struct mbuf;
+int	pledge_cmsg_send(struct proc *p, struct mbuf *control);
+int	pledge_cmsg_recv(struct proc *p, struct mbuf *control);
+int	pledge_sysctl_check(struct proc *p, int namelen, int *name, void *new);
+int	pledge_adjtime_check(struct proc *p, const void *v);
+int	pledge_recvfrom_check(struct proc *p, void *from);
+int	pledge_sendto_check(struct proc *p, const void *to);
+int	pledge_bind_check(struct proc *p, const void *v);
+int	pledge_connect_check(struct proc *p);
+int	pledge_socket_check(struct proc *p, int domain);
+int	pledge_setsockopt_check(struct proc *p, int level, int optname);
+int	pledge_dns_check(struct proc *p, in_port_t port);
+int	pledge_ioctl_check(struct proc *p, long com, void *);
+
+#define PLEDGE_MAXPATHS	8192
+
+struct whitepaths {
+	size_t	wl_size;
+	int	wl_count;
+	int	wl_ref;
+	struct whitepath {
+		char		*name;
+		size_t		len;
+	} wl_paths[0];
+};
+void	pledge_dropwpaths(struct process *);
+
+#endif /* _KERNEL */
+
+#endif /* _SYS_PLEDGE_H_ */
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 63d736b18d3..064fd1d93c2 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: proc.h,v 1.205 2015/09/11 08:22:31 guenther Exp $	*/
+/*	$OpenBSD: proc.h,v 1.206 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $	*/
 
 /*-
@@ -212,8 +212,8 @@ struct process {
 
 	u_short	ps_acflag;		/* Accounting flags. */
 
-	u_int	ps_tame;
-	struct whitepaths *ps_tamepaths;
+	u_int	ps_pledge;
+	struct whitepaths *ps_pledgepaths;
 
 	int64_t ps_kbind_cookie;
 	u_long  ps_kbind_addr;
@@ -255,14 +255,14 @@ struct process {
 #define	PS_EMBRYO	0x00020000	/* New process, not yet fledged */
 #define	PS_ZOMBIE	0x00040000	/* Dead and ready to be waited for */
 #define	PS_NOBROADCASTKILL 0x00080000	/* Process excluded from kill -1. */
-#define PS_TAMED	0x00100000	/* Has called tame(2) */
+#define PS_PLEDGE	0x00100000	/* Has called pledge(2) */
 
 #define	PS_BITS \
     ("\20" "\01CONTROLT" "\02EXEC" "\03INEXEC" "\04EXITING" "\05SUGID" \
      "\06SUGIDEXEC" "\07PPWAIT" "\010ISPWAIT" "\011PROFIL" "\012TRACED" \
      "\013WAITED" "\014COREDUMP" "\015SINGLEEXIT" "\016SINGLEUNWIND" \
      "\017NOZOMBIE" "\020STOPPED" "\021SYSTEM" "\022EMBRYO" "\023ZOMBIE" \
-     "\024NOBROADCASTKILL" "\025TAMED")
+     "\024NOBROADCASTKILL" "\025PLEDGE")
 
 
 struct proc {
@@ -326,14 +326,14 @@ struct proc {
 	u_char	p_usrpri;	/* User-priority based on p_cpu and ps_nice. */
 	char	p_comm[MAXCOMLEN+1];
 
-	int	p_tame_syscall;	/* Cache of current syscall */
-	int	p_tamenote;	/* Observance during syscall */
+	int	p_pledge_syscall;	/* Cache of current syscall */
+	int	p_pledgenote;	/* Observance during syscall */
 #define TMN_RPATH	0x00000001
 #define TMN_WPATH	0x00000002
 #define TMN_CPATH	0x00000004
 #define TMN_FATTR	0x00000008
 #define TMN_COREDUMP	0x00000010
-	int	p_tameafter;
+	int	p_pledgeafter;
 #define TMA_YPLOCK	0x00000001
 #define TMA_DNSRESOLV	0x00000002
 
diff --git a/sys/sys/tame.h b/sys/sys/tame.h
deleted file mode 100644
index abf668a0d25..00000000000
--- a/sys/sys/tame.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/*	$OpenBSD: tame.h,v 1.13 2015/10/08 17:29:43 deraadt Exp $	*/
-
-/*
- * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
- * Copyright (c) 2015 Theo de Raadt <deraadt@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _SYS_TAME_H_
-#define _SYS_TAME_H_
-
-#ifdef _KERNEL
-
-#include <sys/cdefs.h>
-
-#define TAME_SELF	0x00000001	/* operate on own pid */
-#define TAME_RW		0x00000002	/* basic io operations */
-#define TAME_MALLOC	0x00000004	/* enough for malloc */
-#define TAME_DNSPATH	0x00000008	/* access to DNS pathnames */
-#define TAME_RPATH	0x00000010	/* allow open for read */
-#define TAME_WPATH	0x00000020	/* allow open for write */
-#define TAME_TMPPATH	0x00000040	/* for mk*temp() */
-#define TAME_INET	0x00000080	/* AF_INET/AF_INET6 sockets */
-#define TAME_UNIX	0x00000100	/* AF_UNIX sockets */
-// reuse, old CMSG	0x00000200
-#define TAME_IOCTL	0x00000400	/* Select ioctl */
-#define TAME_GETPW	0x00000800	/* YP enables if ypbind.lock */
-#define TAME_PROC	0x00001000	/* fork, waitpid, etc */
-#define TAME_CPATH	0x00002000	/* allow creat, mkdir, path creations */
-#define TAME_FATTR	0x00004000	/* allow explicit file st_* mods */
-#define TAME_PROTEXEC	0x00008000	/* allow use of PROT_EXEC */
-#define TAME_TTY	0x00010000	/* tty setting */
-#define TAME_SENDFD	0x00020000	/* AF_UNIX CMSG fd sending */
-#define TAME_RECVFD	0x00040000	/* AF_UNIX CMSG fd receiving */
-#define TAME_EXEC	0x00080000	/* execve, child is free of tame */
-#define TAME_ROUTE	0x00100000	/* routing lookups */
-#define TAME_MCAST	0x00200000	/* multicast joins */
-
-#define TAME_ABORT	0x08000000	/* SIGABRT instead of SIGKILL */
-
-/* Following flags are set by kernel, as it learns things.
- * Not user settable. Should be moved to a seperate variable */
-#define TAME_USERSET	0x0fffffff
-#define TAME_YP_ACTIVE	0x10000000	/* YP use detected and allowed */
-#define TAME_DNS_ACTIVE	0x20000000	/* DNS use detected and allowed */
-
-int	tame_check(struct proc *, int);
-int	tame_fail(struct proc *, int, int);
-int	tame_namei(struct proc *, char *);
-void	tame_aftersyscall(struct proc *, int, int);
-
-struct mbuf;
-int	tame_cmsg_send(struct proc *p, struct mbuf *control);
-int	tame_cmsg_recv(struct proc *p, struct mbuf *control);
-int	tame_sysctl_check(struct proc *p, int namelen, int *name, void *new);
-int	tame_adjtime_check(struct proc *p, const void *v);
-int	tame_recvfrom_check(struct proc *p, void *from);
-int	tame_sendto_check(struct proc *p, const void *to);
-int	tame_bind_check(struct proc *p, const void *v);
-int	tame_connect_check(struct proc *p);
-int	tame_socket_check(struct proc *p, int domain);
-int	tame_setsockopt_check(struct proc *p, int level, int optname);
-int	tame_dns_check(struct proc *p, in_port_t port);
-int	tame_ioctl_check(struct proc *p, long com, void *);
-
-#define TAME_MAXPATHS	8192
-
-struct whitepaths {
-	size_t	wl_size;
-	int	wl_count;
-	int	wl_ref;
-	struct whitepath {
-		char		*name;
-		size_t		len;
-	} wl_paths[0];
-};
-void	tame_dropwpaths(struct process *);
-
-#endif /* _KERNEL */
-
-#endif /* _SYS_TAME_H_ */
diff --git a/sys/uvm/uvm_mmap.c b/sys/uvm/uvm_mmap.c
index 00145afead8..5f177abdb94 100644
--- a/sys/uvm/uvm_mmap.c
+++ b/sys/uvm/uvm_mmap.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: uvm_mmap.c,v 1.119 2015/09/30 11:36:07 semarie Exp $	*/
+/*	$OpenBSD: uvm_mmap.c,v 1.120 2015/10/09 01:10:27 deraadt Exp $	*/
 /*	$NetBSD: uvm_mmap.c,v 1.49 2001/02/18 21:19:08 chs Exp $	*/
 
 /*
@@ -65,7 +65,7 @@
 #include <sys/stat.h>
 #include <sys/specdev.h>
 #include <sys/stdint.h>
-#include <sys/tame.h>
+#include <sys/pledge.h>
 #include <sys/unistd.h>		/* for KBIND* */
 #include <sys/user.h>
 
@@ -365,10 +365,10 @@ sys_mmap(struct proc *p, void *v, register_t *retval)
 	if (size == 0)
 		return (EINVAL);
 
-	if ((p->p_p->ps_flags & PS_TAMED) &&
-	    !(p->p_p->ps_tame & TAME_PROTEXEC) &&
+	if ((p->p_p->ps_flags & PS_PLEDGE) &&
+	    !(p->p_p->ps_pledge & PLEDGE_PROTEXEC) &&
 	    (prot & PROT_EXEC))
-		return (tame_fail(p, EPERM, TAME_PROTEXEC));
+		return (pledge_fail(p, EPERM, PLEDGE_PROTEXEC));
 
 	/* align file position and save offset.  adjust size. */
 	ALIGN_ADDR(pos, size, pageoff);
@@ -668,10 +668,10 @@ sys_mprotect(struct proc *p, void *v, register_t *retval)
 	if ((prot & PROT_MASK) != prot)
 		return (EINVAL);
 
-	if ((p->p_p->ps_flags & PS_TAMED) &&
-	    !(p->p_p->ps_tame & TAME_PROTEXEC) &&
+	if ((p->p_p->ps_flags & PS_PLEDGE) &&
+	    !(p->p_p->ps_pledge & PLEDGE_PROTEXEC) &&
 	    (prot & PROT_EXEC))
-		return (tame_fail(p, EPERM, TAME_PROTEXEC));
+		return (pledge_fail(p, EPERM, PLEDGE_PROTEXEC));
 
 	/*
 	 * align the address to a page boundary, and adjust the size accordingly