I have to say I'm only a beginner to C but hopefully my patch is good.
This patch adds a second and more restrictive pledge (only "stdio" instead of "stdio rpath") after the getopt loop if there is no input file or if the input file is "-" (stdin) or a sequence of repeated instances of "-". It doesn't move argv past the last "-", and doesn't pledge if it runs into an input file other than "-". I've compiled it and tested it with ktrace(1) and kdump(1) and it appears to work as expected and pledge correctly with at least these invocations: $ echo test | ./cat -uv # pledge("stdio", NULL); $ echo test | ./cat -uv - # pledge("stdio", NULL); $ echo test | ./cat # pledge("stdio", NULL); $ echo test | ./cat - - - # pledge("stdio", NULL); $ echo test | ./cat - # pledge("stdio", NULL); $ echo test | ./cat - cat.c # pledge("stdio rpath", NULL); $ echo test | ./cat cat.c - # pledge("stdio rpath", NULL); Index: bin/cat/cat.c =================================================================== RCS file: /cvs/src/bin/cat/cat.c,v retrieving revision 1.27 diff -u -p -u -p -r1.27 cat.c --- bin/cat/cat.c 28 Jun 2019 13:34:58 -0000 1.27 +++ bin/cat/cat.c 30 Jul 2020 23:21:14 -0000 @@ -94,7 +94,26 @@ main(int argc, char *argv[]) "usage: %s [-benstuv] [file ...]\n", __progname); return 1; } + argc -= optind; argv += optind; + + if (argc) { + if (!strcmp(*argv, "-")) { + do { + if (argc == 1) { + if (pledge("stdio", NULL) == -1) + err(1, "pledge"); + argc--, argv++; + break; + } else + argc--, argv++; + } while (argc && !strcmp(*argv, "-")); + argc++, argv--; + } + } else { + if (pledge("stdio", NULL) == -1) + err(1, "pledge"); + } if (bflag || eflag || nflag || sflag || tflag || vflag) cook_args(argv);