Use pledge.

Index: src/main.c
--- src/main.c.orig
+++ src/main.c
@@ -125,6 +125,8 @@ PACKAGE " " VERSION " - mailbox synchronizer\n"
 	exit( code );
 }
 
+int needs_proc_exec = 0;
+
 static void ATTR_PRINTFLIKE(1, 2)
 debug( const char *msg, ... )
 {
@@ -757,6 +759,36 @@ main( int argc, char **argv )
 
 	if (load_config( config ))
 		return 1;
+
+	if (mvars->list) {
+		if (needs_proc_exec) {
+			if (pledge("stdio rpath inet flock dns getpw tty"
+			    " proc exec prot_exec", NULL) == -1) {
+				sys_error("pledge\n");
+				exit(1);
+			}
+		} else {
+			if (pledge("stdio rpath inet flock dns getpw tty"
+			    " prot_exec", NULL) == -1) {
+				sys_error("pledge\n");
+				exit(1);
+			}
+		}
+	} else {
+		if (needs_proc_exec) {
+			if (pledge("stdio rpath wpath cpath inet fattr flock"
+			    " dns getpw tty proc exec prot_exec", NULL) == -1) {
+				sys_error("pledge\n");
+				exit(1);
+			}
+		} else {
+			if (pledge("stdio rpath wpath cpath inet fattr flock"
+			    " dns getpw tty prot_exec", NULL) == -1) {
+				sys_error("pledge\n");
+				exit(1);
+			}
+		}
+	}
 
 	if (!channels) {
 		fputs( "No channels defined. Try 'man " EXE "'\n", stderr );