Before ypconnect(2) addition, "getpw" was a horrible "hole" that triggered
authorderaadt <deraadt@openbsd.org>
Mon, 8 Aug 2022 01:53:01 +0000 (01:53 +0000)
committerderaadt <deraadt@openbsd.org>
Mon, 8 Aug 2022 01:53:01 +0000 (01:53 +0000)
on libc trying to open /var/run/ypbind.lock, so pledge had to BYPASSUNVEIL
accesses to this file.  We kept allowing opens of that file for a short
period to cover the build cross-over, but that waiting period ends now.

sys/kern/kern_pledge.c

index d3bbe22..f2378fc 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_pledge.c,v 1.291 2022/08/02 11:04:25 deraadt Exp $       */
+/*     $OpenBSD: kern_pledge.c,v 1.292 2022/08/08 01:53:01 deraadt Exp $       */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -656,16 +656,6 @@ pledge_namei(struct proc *p, struct nameidata *ni, char *origpath)
                        ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
                        return (0);
                }
-               /*
-                * XXX delete before 7.2.
-                * Old static binaries may try this file in getpwent and friends
-                */
-               if ((ni->ni_pledge == PLEDGE_RPATH) &&
-                   (pledge & PLEDGE_GETPW) &&
-                   strcmp(path, "/var/run/ypbind.lock") == 0) {
-                       ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
-                       return (0);
-               }
                break;
        case SYS_open:
                /* daemon(3) or other such functions */
@@ -723,17 +713,6 @@ pledge_namei(struct proc *p, struct nameidata *ni, char *origpath)
                        }
                }
 
-               /*
-                * XXX delete before 7.2.
-                * Old static binaries may try this file in getpwent and friends
-                */
-               if ((ni->ni_pledge == PLEDGE_RPATH) &&
-                   (pledge & PLEDGE_GETPW) &&
-                   strcmp(path, "/var/run/ypbind.lock") == 0) {
-                       ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
-                       return (0);
-               }
-
                /* tzset() needs these. */
                if ((ni->ni_pledge == PLEDGE_RPATH) &&
                    strncmp(path, "/usr/share/zoneinfo/",