Allow running in single user mode where /var/empty doesn't exist by

switching from chroot("/var/empty") to unveil("/", "").
This is just an extra pair of suspenders since these processes
pledge(2) to not access the filesystem.
OK deraadt

diff --git a/sbin/slaacd/engine.c b/sbin/slaacd/engine.c
index 07e55b9..c39f50b 100644 (file)
--- a/sbin/slaacd/engine.c
+++ b/sbin/slaacd/engine.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: engine.c,v 1.71 2021/03/21 18:25:24 florian Exp $     */
+/*     $OpenBSD: engine.c,v 1.72 2021/05/01 11:53:06 florian Exp $     */
 
 /*
  * Copyright (c) 2017 Florian Obser <florian@openbsd.org>
@@ -364,11 +364,14 @@ engine(int debug, int verbose)
        if ((pw = getpwnam(SLAACD_USER)) == NULL)
                fatal("getpwnam");
 
-       if (chroot(pw->pw_dir) == -1)
-               fatal("chroot");
        if (chdir("/") == -1)
                fatal("chdir(\"/\")");
 
+       if (unveil("/", "") == -1)
+               fatal("unveil(\"/\", \"\")");
+       if (unveil(NULL, NULL) == -1)
+               fatal("unveil(NULL, NULL)");
+
        setproctitle("%s", "engine");
        log_procinit("engine");
 

diff --git a/sbin/slaacd/frontend.c b/sbin/slaacd/frontend.c
index 10fd6b8..3553595 100644 (file)
--- a/sbin/slaacd/frontend.c
+++ b/sbin/slaacd/frontend.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: frontend.c,v 1.55 2021/03/21 18:25:24 florian Exp $   */
+/*     $OpenBSD: frontend.c,v 1.56 2021/05/01 11:53:06 florian Exp $   */
 
 /*
  * Copyright (c) 2017 Florian Obser <florian@openbsd.org>
@@ -145,11 +145,14 @@ frontend(int debug, int verbose)
        if ((pw = getpwnam(SLAACD_USER)) == NULL)
                fatal("getpwnam");
 
-       if (chroot(pw->pw_dir) == -1)
-               fatal("chroot");
        if (chdir("/") == -1)
                fatal("chdir(\"/\")");
 
+       if (unveil("/", "") == -1)
+               fatal("unveil(\"/\", \"\")");
+       if (unveil(NULL, NULL) == -1)
+               fatal("unveil(NULL, NULL)");
+
        setproctitle("%s", "frontend");
        log_procinit("frontend");