pledge() sandbox for file child(....) { + if (pledge("stdio getpw recvfd id", NULL) == -1) + err(1, "pledge"); /* drop uid priviledges */ + if (pledge("stdio recvfd", NULL) == -1) + err(1, "pledge"); [check each fd provided by parent over fd-passing] - No filesystem access. No sockets. - Files to check provided by parent over fd-passing