The compat.c patch is by tb@ and stops tor from calling sysctl() to get the total memory every time it receives SIGHUP, so we don't need `ps' after tor_init().
I originally thought tor repeatedly called setgroups() but it does avoid this so we don't need `id' after tor_init() either. What's left we can't drop because tor's configuration can be changed and reloaded while it's running. rpath cpath wpath - tor reads, create and writes files in its data dir. fattr - chowns and chmods various files and unix sockets. dns - relays need dns and tor can be become a relay after startup. inet - tor needs sockets. unix - the socks and control ports can be set to use unix sockets flock - locking file in the data dir. getpw - gets ids to drop privs, chown files and answer GETINFO queries proc exec - daemonising and pluggable transports pf - tor supports transparent proxying to pf
Index: Makefile
===================================================================
RCS file: /var/cvs/ports/net/tor/Makefile,v
retrieving revision 1.88
diff -u -p -r1.88 Makefile
--- Makefile 10 Dec 2015 23:35:11 -0000 1.88
+++ Makefile 18 Jan 2016 23:43:03 -0000
@@ -6,11 +6,14 @@ DISTNAME= tor-0.2.7.6
 CATEGORIES= net
 HOMEPAGE= https://www.torproject.org/
+REVISION= 0
+
 MAINTAINER= Pascal Stumpf <pascal.stu...@cubes.de>
 # BSD
 PERMIT_PACKAGE_CDROM= Yes
+# uses pledge()
 WANTLIB += c crypto event_core event_extra m pthread ssl z
 MASTER_SITES= https://www.torproject.org/dist/
Index: patches/patch-src_common_compat_c
===================================================================
RCS file: patches/patch-src_common_compat_c
diff -N patches/patch-src_common_compat_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_common_compat_c 19 Jan 2016 00:06:45 -0000
@@ -0,0 +1,41 @@
+$OpenBSD$
+--- src/common/compat.c.orig Tue Jan 19 01:04:16 2016
++++ src/common/compat.c Tue Jan 19 01:06:20 2016
+@@ -3228,23 +3228,25 @@ get_total_system_memory_impl(void)
+ #elif defined(HAVE_SYSCTL) && defined(INT64_HW_MEM)
+ /* On many systems, HW_PYHSMEM is clipped to 32 bits; let's use a better
+ * variant if we know about it. */
+- uint64_t memsize = 0;
+- size_t len = sizeof(memsize);
+- int mib[2] = {CTL_HW, INT64_HW_MEM};
+- if (sysctl(mib,2,&memsize,&len,NULL,0))
+- return 0;
+-
++ static uint64_t memsize = 0;
++ if (memsize == 0) {
++ size_t len = sizeof(memsize);
++ int mib[2] = {CTL_HW, INT64_HW_MEM};
++ if (sysctl(mib,2,&memsize,&len,NULL,0))
++ return 0;
++ }
+ return memsize;
+
+ #elif defined(HAVE_SYSCTL) && defined(HW_PHYSMEM)
+ /* On some systems (like FreeBSD I hope) you can use a size_t with
+ * HW_PHYSMEM. */
+- size_t memsize=0;
+- size_t len = sizeof(memsize);
+- int mib[2] = {CTL_HW, HW_USERMEM};
+- if (sysctl(mib,2,&memsize,&len,NULL,0))
+- return 0;
+-
++ static size_t memsize=0;
++ if (memsize == 0) {
++ size_t len = sizeof(memsize);
++ int mib[2] = {CTL_HW, HW_USERMEM};
++ if (sysctl(mib,2,&memsize,&len,NULL,0))
++ return 0;
++ }
+ return memsize;
+
+ #else
Index: patches/patch-src_or_main_c
===================================================================
RCS file: patches/patch-src_or_main_c
diff -N patches/patch-src_or_main_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_or_main_c 19 Jan 2016 00:06:29 -0000
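Review bot: In the compat.c patch, the new `static` cache in both `#elif` branches is only safe if get_total_system_memory_impl() has already succeeded once before tor_main() calls pledge(), and nothing in the code states or enforces that ordering. A failed sysctl() returns 0 and presumably leaves `memsize` at 0, so the next call retries. If that retry, or a first call, happens after the pledge, the sysctl() is outside the promise set and on OpenBSD the process is aborted rather than the function returning 0. I would add a comment above each declaration, e.g. `/* cached: sysctl() is not pledged after tor_init(); must be primed before pledge() */`, and consider priming the cache explicitly just before the pledge() call. The body of get_total_system_memory_impl() starts and ends outside the hunk, so how callers reach it is not visible here.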
@@ -0,0 +1,14 @@
+--- src/or/main.c.orig Wed Dec 9 15:25:24 2015
++++ src/or/main.c Tue Jan 19 00:50:23 2016
+@@ -3271,6 +3271,11 @@ tor_main(int argc, char *argv[])
+ if (tor_init(argc, argv)<0)
+ return -1;
+
++ if (pledge("stdio rpath cpath wpath fattr dns inet unix flock getpw proc exec pf", NULL) == -1) {
++ log_err(LD_BUG, "pledge: %s", strerror(errno));
++ return -1;
++ }
++
+ if (get_options()->Sandbox && get_options()->command == CMD_RUN_TOR) {
+ sandbox_cfg_t* cfg = sandbox_init_filter();
+
-- Carlin
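Review bot: The promise list in the added `pledge()` call is one opaque string whose rationale lives only in the mail text, so a later maintainer cannot tell which promises are still needed or why the set is this wide. I would put a comment above the call giving the reason for each promise, as the mail does, and noting that the set stays broad because the configuration can be reloaded at runtime and that processes started via `exec` are not covered by it. The call is also made for every value of `get_options()->command`, while the very next line special-cases CMD_RUN_TOR. Any other command mode that needs something outside this set after tor_init() (a terminal prompt, for instance) would presumably be aborted rather than fail cleanly, which is worth checking. tor_main() continues outside the hunk.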