Hi, Pekwm seems to work with following pledge patch. It seems to need "dns inet unix protexec", possible more if the pledge call is done before the WindowManager::start call but after that the reduced pledge set seems to work on basic use. Could use a bit more testing to cover all the use cases. I'm not sure if the WindowManager::start's XOpenDisplay call could/should be patched to work with unix sockets instead of making network calls. That way the pledge call could be moved a bit earlier in the init process.
Timo Index: Makefile =================================================================== RCS file: /cvs/ports/x11/pekwm/Makefile,v retrieving revision 1.28 diff -u -p -r1.28 Makefile --- Makefile 31 Oct 2016 17:07:30 -0000 1.28 +++ Makefile 7 Nov 2016 05:12:08 -0000 @@ -3,6 +3,7 @@ COMMENT= aewm++ based pretty themable window manager DISTNAME= pekwm-0.1.17 +REVISION= 0 CATEGORIES= x11 HOMEPAGE= https://www.pekwm.org/ @@ -12,6 +13,7 @@ MAINTAINER= Timo Myyra <timo.myyra@wicke # GPLv2 PERMIT_PACKAGE_CDROM= Yes +# uses pledge() WANTLIB += ICE SM X11 Xext Xft Xinerama Xpm Xrandr c iconv jpeg m png WANTLIB += stdc++ Index: patches/patch-src_main_cc =================================================================== RCS file: patches/patch-src_main_cc diff -N patches/patch-src_main_cc --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_main_cc 7 Nov 2016 05:12:08 -0000 @@ -0,0 +1,17 @@ +$OpenBSD$ +--- src/main.cc.orig Wed Nov 2 19:11:31 2016 ++++ src/main.cc Wed Nov 2 19:11:42 2016 +@@ -124,6 +124,13 @@ main(int argc, char **argv) + #endif // DEBUG + + WindowManager *wm = WindowManager::start(command_line, config_file, replace); ++ ++#if defined(__OpenBSD__) ++ if (pledge("stdio rpath wpath cpath proc exec", NULL) == -1) { ++ cerr << "failed to pledge" << endl; ++ return 1; ++ } ++#endif + + if (wm) { + try {
