Index: bin/sh/input.c
===================================================================
--- bin/sh/input.c
+++ bin/sh/input.c
@@ -360,9 +360,13 @@
 int e;
 int fd;
 int fd2;
+ int oflags = O_RDONLY | O_CLOEXEC;
+
+ if (verifyflag)
+ oflags |= O_VERIFY;
 INTOFF;
- if ((fd = open(fname, O_RDONLY | O_CLOEXEC)) < 0) {
+ if ((fd = open(fname, oflags)) < 0) {
 e = errno;
 errorwithstatus(e == ENOENT || e == ENOTDIR ? 127 : 126, "cannot open %s: %s", fname, strerror(e));
Index: bin/sh/main.c
===================================================================
--- bin/sh/main.c
+++ bin/sh/main.c
@@ -246,12 +246,16 @@
 {
 int fd;
 const char *expandedname;
+ int oflags = O_RDONLY | O_CLOEXEC;
+
+ if (verifyflag)
+ oflags |= O_VERIFY;
 expandedname = expandstr(name);
 if (expandedname == NULL)
 return;
 INTOFF;
- if ((fd = open(expandedname, O_RDONLY | O_CLOEXEC)) >= 0)
+ if ((fd = open(expandedname, oflags)) >= 0)
 setinputfd(fd, 1);
 INTON;
 if (fd < 0)
Index: bin/sh/options.h
===================================================================
--- bin/sh/options.h
+++ bin/sh/options.h
@@ -68,9 +68,10 @@
 #define hflag optval[18]
 #define nologflag optval[19]
 #define pipefailflag optval[20]
+#define verifyflag optval[21]
 #define NSHORTOPTS 19
-#define NOPTS 21
+#define NOPTS 22
 extern char optval[NOPTS];
 extern const char optletter[NSHORTOPTS];
@@ -99,6 +100,7 @@
 "\010trackall"
 "\005nolog"
 "\010pipefail"
+ "\006verify"
 ;
 #endif
Index: bin/sh/sh.1
===================================================================
--- bin/sh/sh.1
+++ bin/sh/sh.1
@@ -355,6 +355,11 @@
 in the pipeline terminates with status 0 without reading its input completely.
 This option only has a long name.
+.It Li verify
+Set
+.Dv O_VERIFY
+when sourcing files or loading profiles. See also
+.Xr mac_veriexec 4 .
 .El
 .Pp
 The
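Review bot: The `if (verifyflag)` test added in bin/sh/input.c makes O_VERIFY depend on a value that bin/sh/options.h registers like every other long option, so unless option handling outside this diff prevents it, `set +o verify` in a script or at the prompt would clear it before the next `open(fname, oflags)`. The same holds for the open in bin/sh/main.c. If the option is meant as an enforcement control, it should be one-way (refuse to clear once set) and sh.1 should say so; if it is only advisory, the manual entry should state that instead. Either way a comment above the test would help, for example `/* With -o verify, ask the kernel (see mac_veriexec(4)) to verify the file before it is read as script text. */`. The enclosing function starts and ends outside the hunk.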
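Review bot: The three added lines in bin/sh/main.c that build `oflags` are a copy of the ones added in bin/sh/input.c, so a later script-opening site can easily miss the flag. A single helper next to the `verifyflag` define would keep the sites in agreement, with the call reading `open(expandedname, script_open_flags())` (the helper name is only a suggestion). Separately, this path appears to run at startup, so `verifyflag` can presumably be set here only when the shell was invoked with `-o verify`; profiles read by a shell started without it are opened unverified, which sh.1 could state explicitly. The function continues past `if (fd < 0)` outside the hunk, so how a rejected file is reported is not visible here.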