And pax, because I can ============
diff --git bin/pax/ar_io.c bin/pax/ar_io.c
index 40a6492405e..ce53a9ae51b 100644
--- bin/pax/ar_io.c
+++ bin/pax/ar_io.c
@@ -1281,6 +1281,11 @@ ar_start_gzip(int fd, const char *path, int wr)
 	/* System compressors are more likely to use pledge(2) */
 	putenv("PATH=/usr/bin:/usr/local/bin");
+	/* Restrict them to sane pledges */
+	if (pledge(NULL, "stdio rpath wpath cpath fattr chown "
+	    "prot_exec") == -1)
+		err(1, "pledge");
+
 	if (execlp(path, path, gzip_flags, (char *)NULL) < 0)
 		err(1, "could not exec %s", path);
 	/* NOTREACHED */
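Review bot: The execpromises string on the new pledge() call is not explained, and "Restrict them to sane pledges" does not tell a maintainer why file-system promises such as `rpath wpath cpath fattr chown` are handed to a child that, as far as this hunk shows, is only exec'd as a compression filter. Because execpromises become the child's promises after execve, a compressor that then calls pledge(2) itself with a promise outside this set will fail with EPERM rather than run with less, so the list must stay a superset of what the system compressors pledge on their own, and `prot_exec` is presumably needed for the dynamic loader. Suggest replacing the comment with `/* execpromises must cover everything the system compressors pledge themselves; a tighter set makes their own pledge(2) fail with EPERM rather than run with less. */`. Calling err(1, ...) after a pledge failure matches the existing exec-failure handling on the next lines, so no change there. ar_start_gzip begins before this hunk and continues past the /* NOTREACHED */ line.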