unveil(2) is easy since this only uses one directory tree

(containing no exterior pointing symlinks), and a file.
In snaps for about 2 months.

diff --git a/usr.sbin/makefs/makefs.c b/usr.sbin/makefs/makefs.c
index 8946e42..5b8b4ed 100644 (file)
--- a/usr.sbin/makefs/makefs.c
+++ b/usr.sbin/makefs/makefs.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: makefs.c,v 1.19 2016/12/17 16:12:15 krw Exp $ */
+/*     $OpenBSD: makefs.c,v 1.20 2018/09/24 22:55:50 deraadt Exp $     */
 /*     $NetBSD: makefs.c,v 1.53 2015/11/27 15:10:32 joerg Exp $        */
 
 /*
@@ -198,6 +198,10 @@ main(int argc, char *argv[])
        if (argc != 2)
                usage();
 
+       if (unveil(argv[0], "rwc") == -1)
+               err(1, "unveil");
+       if (unveil(argv[1], "rw") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath cpath", NULL) == -1)
                err(1, "pledge");