Instead of using BYPASSUNVEIL at NDINIT time, use KERNELPATH to indicate
authorderaadt <deraadt@openbsd.org>
Mon, 13 Aug 2018 23:12:39 +0000 (23:12 +0000)
committerderaadt <deraadt@openbsd.org>
Mon, 13 Aug 2018 23:12:39 +0000 (23:12 +0000)
we want to skip all userland-related checks.  Discussed with beck and
semarie, tested by stsp.

sys/dev/firmload.c

index 9c258d9..e8ade9e 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: firmload.c,v 1.15 2018/08/05 23:19:49 deraadt Exp $   */
+/*     $OpenBSD: firmload.c,v 1.16 2018/08/13 23:12:39 deraadt Exp $   */
 
 /*
  * Copyright (c) 2004 Theo de Raadt <deraadt@openbsd.org>
@@ -25,6 +25,7 @@
 #include <sys/malloc.h>
 #include <sys/proc.h>
 #include <sys/device.h>
+#include <sys/pledge.h>
 
 int
 loadfirmware(const char *name, u_char **bufp, size_t *buflen)
@@ -50,8 +51,9 @@ loadfirmware(const char *name, u_char **bufp, size_t *buflen)
                goto err;
        }
 
-       NDINIT(&nid, LOOKUP, NOFOLLOW|LOCKLEAF, UIO_SYSSPACE, path, p);
-       nid.ni_cnd.cn_flags |= BYPASSUNVEIL;
+       NDINIT(&nid, LOOKUP, NOFOLLOW|LOCKLEAF|KERNELPATH,
+           UIO_SYSSPACE, path, p);
+       nid.ni_pledge = PLEDGE_RPATH;
        error = namei(&nid);
 #ifdef RAMDISK_HOOKS
        /* try again with mounted disk */
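Review bot: The `nid.ni_pledge = PLEDGE_RPATH;` assignment that follows the `NDINIT(... NOFOLLOW|LOCKLEAF|KERNELPATH ...)` call has no comment, and its role is unclear next to a flag that the commit message says skips all userland-related checks; the same pair of statements recurs in the RAMDISK_HOOKS hunk below. I would add a comment above the NDINIT call, for example `/* kernel-internal lookup: KERNELPATH exempts it from the caller's pledge/unveil checks */`, and say there whether `ni_pledge` is still consulted on this path or is set only for consistency, which cannot be told from these lines. Because the lookup is exempt from the calling process's restrictions, the comment should also record that `path` must be built only from a driver-supplied `name`, never from a string userland can influence. The construction of `path` and the rest of loadfirmware() lie outside the hunk.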
@@ -62,8 +64,9 @@ loadfirmware(const char *name, u_char **bufp, size_t *buflen)
                        goto err;
                }
 
-               NDINIT(&nid, LOOKUP, NOFOLLOW|LOCKLEAF, UIO_SYSSPACE, path, p);
-               nid.ni_cnd.cn_flags |= BYPASSUNVEIL;
+               NDINIT(&nid, LOOKUP, NOFOLLOW|LOCKLEAF|KERNELPATH,
+                   UIO_SYSSPACE, path, p);
+               nid.ni_pledge = PLEDGE_RPATH;
                error = namei(&nid);
        }
 #endif