env(1) is obviously a program falling into pledge "stdio exec". It

does stdio, and it does a raw execve().  It is so obvious.  It gets
only _exit(2), kbind(2), and 46 system calls -- over half of which
are deeply gutted in their functionality to only serve narrow libc
needs for "stdio (includes malloc)".  the other 161 system calls kill it.

diff --git a/usr.bin/env/env.c b/usr.bin/env/env.c
index 5596e6f..87e9a0b 100644 (file)
--- a/usr.bin/env/env.c
+++ b/usr.bin/env/env.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: env.c,v 1.15 2014/03/08 00:09:20 schwarze Exp $       */
+/*     $OpenBSD: env.c,v 1.16 2015/10/10 21:19:14 deraadt Exp $        */
 
 /*
  * Copyright (c) 1988, 1993, 1994
@@ -49,6 +49,9 @@ main(int argc, char *argv[])
 
        setlocale(LC_ALL, "");
 
+       if (pledge("stdio exec", NULL) == -1)
+               err(1, "pledge");
+
        while ((ch = getopt(argc, argv, "i-")) != -1)
                switch(ch) {
                case '-':                       /* obsolete */