slaacd does not have include statements open the control socket earlier, then unveil().
diff --git sbin/slaacd/slaacd.c sbin/slaacd/slaacd.c index 9c3f64f407d..990614df734 100644 --- sbin/slaacd/slaacd.c +++ sbin/slaacd/slaacd.c @@ -179,6 +179,16 @@ main(int argc, char *argv[]) if (getpwnam(SLAACD_USER) == NULL) errx(1, "unknown user %s", SLAACD_USER); +#ifndef SMALL + if ((control_fd = control_init(csock)) == -1) + fatalx("control socket setup failed"); +#endif /* SMALL */ + + if (unveil(saved_argv0, "x") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + log_init(debug, LOG_DAEMON); log_setverbose(verbose); @@ -276,11 +286,6 @@ main(int argc, char *argv[]) &rtfilter, sizeof(rtfilter)) == -1) fatal("setsockopt(ROUTE_MSGFILTER)"); -#ifndef SMALL - if ((control_fd = control_init(csock)) == -1) - fatalx("control socket setup failed"); -#endif /* SMALL */ - if (pledge("stdio sendfd wroute", NULL) == -1) fatal("pledge");