snmpclient pledges after calling chroot(2) and requires a dns promise for sendto(2) with non-NULL destination.
Rob Index: snmpclient.c =================================================================== RCS file: /cvs/src/usr.sbin/snmpctl/snmpclient.c,v retrieving revision 1.13 diff -u -p -r1.13 snmpclient.c --- snmpclient.c 16 Jan 2015 06:40:21 -0000 1.13 +++ snmpclient.c 25 Jul 2017 19:05:37 -0000 @@ -160,6 +160,9 @@ snmpclient(struct parse_result *res) #endif } + if (pledge("stdio dns", NULL) == -1) + fatal("pledge"); + sc.sc_fd = s; sc.sc_community = res->community; sc.sc_version = res->version; Index: snmpctl.c =================================================================== RCS file: /cvs/src/usr.sbin/snmpctl/snmpctl.c,v retrieving revision 1.22 diff -u -p -r1.22 snmpctl.c --- snmpctl.c 28 Oct 2016 20:49:32 -0000 1.22 +++ snmpctl.c 25 Jul 2017 19:05:37 -0000 @@ -123,6 +123,8 @@ main(int argc, char *argv[]) usage(); break; case SHOW_MIB: + if (pledge("stdio", NULL) == -1) + fatal("pledge"); show_mib(); break; case WALK: @@ -131,6 +133,8 @@ main(int argc, char *argv[]) snmpclient(res); break; default: + if (pledge("stdio unix", NULL) == -1) + fatal("pledge"); goto connect; } @@ -155,6 +159,9 @@ main(int argc, char *argv[]) } err(1, "connect: %s", sock); } + + if (pledge("stdio", NULL) == -1) + fatal("pledge"); imsg_init(&ibuf, ctl_sock); done = 0;