Hi, tcpdrop(8) needs to access only two files, in this case /etc/hosts and /etc/resolv.conf both with read permissions for the purpose of name resolution. ethers(5) is not needed since we are not using any of the ether_*(3) family.
Since unistd.h needs to be included I also shuffled netdb.h into the right place. Comments? OK?
Index: tcpdrop.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 tcpdrop.c
--- tcpdrop.c 16 Jan 2015 06:40:21 -0000 1.17
+++ tcpdrop.c 6 Nov 2018 10:48:10 -0000
@@ -27,10 +27,11 @@
 #include <netinet/tcp_var.h>
 #include <err.h>
+#include <netdb.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
-#include <netdb.h>
+#include <unistd.h>
 __dead void usage(void);
@@ -61,6 +62,13 @@ main(int argc, char **argv)
 char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2;
 struct tcp_ident_mapping tir;
 int gaierr, rval = 0;
+
+ if (unveil("/etc/hosts", "r") == -1)
+ err(1, "unveil");
+ if (unveil("/etc/resolv.conf", "r") == -1)
+ err(1, "unveil");
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil");
 memset(&hints, 0, sizeof(hints));
 hints.ai_family = AF_UNSPEC;
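Review bot: The unveil list added at the top of main() assumes name resolution reads only /etc/hosts and /etc/resolv.conf, but the port arguments may also be resolved by name. If port1/port2 reach getaddrinfo() as service strings without AI_NUMERICSERV (the call is outside this hunk, so this is inferred), a named port would need /etc/services, which is no longer visible once `unveil(NULL, NULL)` locks the view. Either add `if (unveil("/etc/services", "r") == -1) err(1, "unveil");` or state in the manual that only numeric ports are accepted. Separately, all three calls fail with the same `"unveil"` message, so a failure does not say which path was refused; something like `err(1, "unveil %s", "/etc/hosts")` would make that diagnosable. main()'s body continues past the end of the hunk.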