privsep: Note that unveil(2) is not needed
authorRoy Marples <roy@marples.name>
Fri, 10 Nov 2023 12:02:19 +0000 (12:02 +0000)
committerRoy Marples <roy@marples.name>
Fri, 10 Nov 2023 12:02:19 +0000 (12:02 +0000)
As we are in a chroot.
https://www.mail-archive.com/misc@openbsd.org/msg171664.html

src/privsep.c

index 03f4be9151d467c812433de944b823b900b74307..c3aeab8df021c4f7619b8d756b9fe9222dff162e 100644 (file)
@@ -622,6 +622,9 @@ ps_entersandbox(const char *_pledge, const char **sandbox)
 #elif defined(HAVE_PLEDGE)
        if (sandbox != NULL)
                *sandbox = "pledge";
+       // There is no need to use unveil(2) because we are in an empty chroot
+       // This is encouraged by Theo de Raadt himself:
+       // https://www.mail-archive.com/misc@openbsd.org/msg171655.html
        return pledge(_pledge, NULL);
 #elif defined(HAVE_SECCOMP)
        if (sandbox != NULL)
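Review bot: The comment added in the HAVE_PLEDGE branch relies on an invariant that this function neither establishes nor checks: that the process has already entered an empty chroot before `pledge()` is called. ps_entersandbox starts and ends outside the hunk and the chroot is not visible here, so the comment should say where that precondition comes from and when it stops holding, for example `// unveil(2) is omitted only because the caller has already chroot'ed into an empty directory; revisit if that chroot ever becomes optional or fails open`. The URL in the comment (msg171655) also differs from the one in the commit message (msg171664). They are presumably two messages from the same thread, but citing one consistently would make the rationale easier to verify later.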