
From: "Anthony J. Bentley" <bentley@openbsd.org>
Subject: pledge(2) in mkfontscale(1)
To: tech@openbsd.org
Date: Fri, 23 May 2025 02:59:50 -0600


When fonts are installed to a font directory by pkg_add, three new
files are created: fonts.alias (created by pkg_add directly),
fonts.scale (generated by mkfontscale(1)), and fonts.dir (generated
by mkfontdir(1), which is just a sh wrapper around mkfontscale(1)).

mkfontscale parses the font files in the specified directories to
generate the scale and alias files. pkg_add executes mkfontscale as
root. pledge(2) would be a useful addition here.

I don't see a way to limit writes with unveil(2). Relative paths to -o
are appended to each of an arbitrary number of directory arguments, and
users running mkfontscale in non-system directories is a valid use case.
If some crazy font trojan exploits mkfontscale into scribbling elsewhere
into the filesystem, I guess the only way to prevent doing so as root
during pkg_add would be to introduce a new user in the ports tree to run
mkfontscale who has ownership of just the new files.

But in the meantime, this diff is very simple.

This survived a full xenocara release and sequential pkg_adds of about
100 font packages.

ok?

--- app/mkfontscale/mkfontscale.c
+++ app/mkfontscale/mkfontscale.c
@@ -33,6 +33,7 @@
 #include <sys/stat.h>
 #include <dirent.h>
 #include <unistd.h>
+#include <err.h>
 #include <errno.h>
 #include <ctype.h>
 
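Review bot: <err.h> is pulled in only for the err(1, "pledge") call in the next hunk. That is fine in the xenocara copy of mkfontscale, which is built on OpenBSD only, but the rest of main() reports failures with perror()/exit(1), so this introduces a second error-reporting idiom into the file; if the diff is ever offered upstream the BSD-specific header and err(3) would need a portability guard or could be replaced with the existing perror()/exit(1) pattern.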
@@ -150,6 +151,9 @@ main(int argc, char **argv)
     encodingPrefix = NULL;
     exclusionSuffix = NULL;
 
+    if (pledge("stdio rpath wpath cpath", NULL) == -1)
+        err(1, "pledge");
+
     if (getcwd(prefix, NPREFIX - 1) == NULL) {
         perror("Couldn't get cwd");
         exit(1);