5 files changed, 35 insertions, 0 deletions

diff --git a/Makefile b/Makefile
index 89dcc440..4ac7172f 100644
--- a/Makefile
+++ b/Makefile
@@ -33,6 +33,7 @@ TESTSRCS	 = test-dirent-namlen.c \
 		   test-reallocarray.c \
 		   test-rewb-bsd.c \
 		   test-rewb-sysv.c \
+		   test-sandbox_init.c \
 		   test-sqlite3.c \
 		   test-sqlite3_errstr.c \
 		   test-strcasestr.c \
diff --git a/configure b/configure
index 13fd1409..6f2c4116 100755
--- a/configure
+++ b/configure
@@ -58,6 +58,7 @@ HAVE_PROGNAME=
 HAVE_REALLOCARRAY=
 HAVE_REWB_BSD=
 HAVE_REWB_SYSV=
+HAVE_SANDBOX_INIT=
 HAVE_STRCASESTR=
 HAVE_STRINGLIST=
 HAVE_STRLCAT=
@@ -186,6 +187,7 @@ runtest isblank		ISBLANK		|| true
 runtest mkdtemp		MKDTEMP		|| true
 runtest mmap		MMAP		|| true
 runtest pledge		PLEDGE		|| true
+runtest sandbox_init	SANDBOX_INIT	|| true
 runtest progname	PROGNAME	|| true
 runtest reallocarray	REALLOCARRAY	|| true
 runtest rewb-bsd	REWB_BSD	|| true
@@ -317,6 +319,7 @@ cat << __HEREDOC__
 #define HAVE_REALLOCARRAY ${HAVE_REALLOCARRAY}
 #define HAVE_REWB_BSD ${HAVE_REWB_BSD}
 #define HAVE_REWB_SYSV ${HAVE_REWB_SYSV}
+#define HAVE_SANDBOX_INIT ${HAVE_SANDBOX_INIT}
 #define HAVE_STRCASESTR ${HAVE_STRCASESTR}
 #define HAVE_STRINGLIST ${HAVE_STRINGLIST}
 #define HAVE_STRLCAT ${HAVE_STRLCAT}
diff --git a/main.c b/main.c
index 71648b0e..b921bfe1 100644
--- a/main.c
+++ b/main.c
@@ -30,6 +30,9 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <glob.h>
+#if HAVE_SANDBOX_INIT
+#include <sandbox.h>
+#endif
 #include <signal.h>
 #include <stdio.h>
 #include <stdint.h>
@@ -159,6 +162,11 @@ main(int argc, char *argv[])
 		err((int)MANDOCLEVEL_SYSERR, "pledge");
 #endif
 
+#if HAVE_SANDBOX_INIT
+	if (sandbox_init(kSBXProfileNoInternet, SANDBOX_NAMED, NULL) == -1)
+		errx((int)MANDOCLEVEL_SYSERR, "sandbox_init");
+#endif
+
 	/* Search options. */
 
 	memset(&conf, 0, sizeof(conf));
diff --git a/mandocdb.c b/mandocdb.c
index 4a1544d2..8a084451 100644
--- a/mandocdb.c
+++ b/mandocdb.c
@@ -34,6 +34,9 @@
 #include "compat_fts.h"
 #endif
 #include <limits.h>
+#if HAVE_SANDBOX_INIT
+#include <sandbox.h>
+#endif
 #include <stddef.h>
 #include <stdio.h>
 #include <stdint.h>
@@ -345,6 +348,13 @@ mandocdb(int argc, char *argv[])
 	}
 #endif
 
+#if HAVE_SANDBOX_INIT
+	if (sandbox_init(kSBXProfileNoInternet, SANDBOX_NAMED, NULL) == -1) {
+		warnx("sandbox_init");
+		return (int)MANDOCLEVEL_SYSERR;
+	}
+#endif
+
 	memset(&conf, 0, sizeof(conf));
 	memset(stmts, 0, STMT__MAX * sizeof(sqlite3_stmt *));
 
diff --git a/test-sandbox_init.c b/test-sandbox_init.c
new file mode 100644
index 00000000..a4902ee6
--- /dev/null
+++ b/test-sandbox_init.c
@@ -0,0 +1,13 @@
+#include <sandbox.h>
+
+int
+main(void)
+{
+	char	*ep;
+	int	 rc;
+
+	rc = sandbox_init(kSBXProfileNoInternet, SANDBOX_NAMED, &ep);
+	if (-1 == rc)
+		sandbox_free_error(ep);
+	return(-1 == rc);
+}