From: Roy Marples Date: Fri, 10 Nov 2023 12:02:19 +0000 (+0000) Subject: privsep: Note that unveil(2) is not needed X-Git-Tag: v10.0.5~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3941274074d310b8b1682b43c2c4bfd513f88199;p=thirdparty%2Fdhcpcd.git privsep: Note that unveil(2) is not needed As we are in a chroot. https://www.mail-archive.com/misc@openbsd.org/msg171664.html --- diff --git a/src/privsep.c b/src/privsep.c index 03f4be91..c3aeab8d 100644 --- a/src/privsep.c +++ b/src/privsep.c @@ -622,6 +622,9 @@ ps_entersandbox(const char *_pledge, const char **sandbox) #elif defined(HAVE_PLEDGE) if (sandbox != NULL) *sandbox = "pledge"; + // There is no need to use unveil(2) because we are in an empty chroot + // This is encouraged by Theo de Raadt himself: + // https://www.mail-archive.com/misc@openbsd.org/msg171655.html return pledge(_pledge, NULL); #elif defined(HAVE_SECCOMP) if (sandbox != NULL)
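Review bot: The URL in the added comment before `return pledge(_pledge, NULL);` (msg171655.html) is not the one cited in the commit message (msg171664.html). If both messages in that thread are relevant, say so in the commit message; otherwise make the two references agree, so a reader following either link lands on the statement the comment relies on. The comment also asserts "we are in an empty chroot", but nothing in the visible context of `ps_entersandbox()` establishes that. Naming the function that performs the chroot, or stating that callers must already be chrooted before this branch runs, would make the assumption checkable if the call order ever changes. Minor: the first comment sentence has no terminating period.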