CVSROOT: /cvs
Module name: src
Changes by: mes...@cvs.openbsd.org 2019/08/08 00:59:44
Modified files:
usr.sbin/dhcpd : pfutils.c
Log message:
One missing piece when I added pledge(2) to dhcpd(8) was in the code path when
it's invoked with either -A/-C/-L, which at the time I left alone due to some
forbidden ioctls by pledge(2).
Now we have unveil(2) and this path can be further restricted by using it
instead of chroot(2) since this "sandbox" (not sure why people call sandbox to
about everything these days) can be escaped with *at(2) calls.
Since no filesystem access is needed here then we can disable its access by
calling unveil("/", "") unveil(NULL, NULL).
added /* no filesystem visibility */ as per suggestion by and OK deraadt@
