===================================================================
RCS file: /cvs/mandoc/main.c,v
retrieving revision 1.268
retrieving revision 1.271
diff -u -p -r1.268 -r1.271
--- mandoc/main.c	2016/07/10 14:05:13	1.268
+++ mandoc/main.c	2016/07/15 18:50:20	1.271
@@ -1,4 +1,4 @@
-/*	$Id: main.c,v 1.268 2016/07/10 14:05:13 schwarze Exp $ */
+/*	$Id: main.c,v 1.271 2016/07/15 18:50:20 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2012, 2014-2016 Ingo Schwarze <schwarze@openbsd.org>
@@ -30,6 +30,9 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <glob.h>
+#if HAVE_SANDBOX_INIT
+#include <sandbox.h>
+#endif
 #include <signal.h>
 #include <stdio.h>
 #include <stdint.h>
@@ -84,6 +87,11 @@ struct	curparse {
 	struct manoutput *outopts;	/* output options */
 };
 
+
+#if HAVE_SQLITE3
+int			  mandocdb(int, char *[]);
+#endif
+
 static	int		  fs_lookup(const struct manpaths *,
 				size_t ipath, const char *,
 				const char *, const char *,
@@ -92,9 +100,6 @@ static	void		  fs_search(const struct mansearch *,
 				const struct manpaths *, int, char**,
 				struct manpage **, size_t *);
 static	int		  koptions(int *, char *);
-#if HAVE_SQLITE3
-int			  mandocdb(int, char**);
-#endif
 static	int		  moptions(int *, char *);
 static	void		  mmsg(enum mandocerr, enum mandoclevel,
 				const char *, int, int, const char *);
@@ -157,6 +162,11 @@ main(int argc, char *argv[])
 #if HAVE_PLEDGE
 	if (pledge("stdio rpath tmppath tty proc exec flock", NULL) == -1)
 		err((int)MANDOCLEVEL_SYSERR, "pledge");
+#endif
+
+#if HAVE_SANDBOX_INIT
+	if (sandbox_init(kSBXProfileNoInternet, SANDBOX_NAMED, NULL) == -1)
+		errx((int)MANDOCLEVEL_SYSERR, "sandbox_init");
 #endif
 
 	/* Search options. */