$OpenBSD: patch-bin_dig_dig_c,v 1.22 2021/02/20 15:49:52 sthen Exp $

Index: bin/dig/dig.c
--- bin/dig/dig.c.orig
+++ bin/dig/dig.c
@@ -16,6 +16,7 @@
 #include <stdbool.h>
 #include <stdlib.h>
 #include <time.h>
+#include <unistd.h>
 
 #include <isc/app.h>
 #include <isc/netaddr.h>
@@ -2635,6 +2636,15 @@ dig_setup(int argc, char **argv) {
 	ISC_LIST_INIT(server_list);
 	ISC_LIST_INIT(search_list);
 
+	/*
+	 * unix: needed for startup check, isc_net_probeunix. can probably be
+	 *       hardcoded instead? (unix sockets used in controlconf).
+	 */
+	if (pledge("stdio rpath inet unix dns", NULL) == -1) {
+		perror("pledge");
+		exit(1);
+	}
+
 	debug("dig_setup()");
 
 	/* setup dighost callbacks */
@@ -2666,6 +2676,16 @@ dig_query_setup(bool is_batchfile, bool config_only, i
 	} else if (keysecret[0] != 0) {
 		setup_text_key();
 	}
+
+	/*
+	 * dns:   resolv.conf, also allows port 53 sockets
+	 * inet:  needed if we query on port != 53
+	 */
+	if (pledge("stdio inet dns", NULL) == -1) {
+		perror("pledge");
+		exit(1);
+	}
+
 	if (domainopt[0] != '\0') {
 		set_search_domain(domainopt);
 		usesearch = true;
