From aa5937787c4b0635f20441b57e6e40035effe107 Mon Sep 17 00:00:00 2001
From: tedu <tedu@openbsd.org>
Date: Thu, 15 Oct 2015 19:49:22 +0000
Subject: [PATCH] child can be pledged down a bit to just sockets and io

---
 usr.sbin/rebound/rebound.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rebound/rebound.c b/usr.sbin/rebound/rebound.c
index 0a670a16333..52be698b1c2 100644
--- a/usr.sbin/rebound/rebound.c
+++ b/usr.sbin/rebound/rebound.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rebound.c,v 1.1 2015/10/15 19:43:30 tedu Exp $ */
+/* $OpenBSD: rebound.c,v 1.2 2015/10/15 19:49:22 tedu Exp $ */
 /*
  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
  *
@@ -326,6 +326,11 @@ launch(const char *confname, int ud, int ld, int kq)
 
 	close(kq);
 
+	if (pledge("stdio inet", NULL) == -1) {
+		logmsg(LOG_DAEMON | LOG_ERR, "pledge failed");
+		exit(1);
+	}
+
 	af = readconfig(conf, &remoteaddr);
 	fclose(conf);
 	if (af == -1) {
-- 
2.20.1