From: kn
Date: Wed, 3 Mar 2021 09:32:11 +0000 (+0000)
Subject: Unveil only /etc/resolv.conf and /etc/resolv.conf.new not /etc/
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=4a8e8d61ba300efed7f1f952c84f7507916af19b;p=openbsd
Unveil only /etc/resolv.conf and /etc/resolv.conf.new not /etc/
Unveiling the entire directory stems from earlier development cycles and is by no means required now, only the two files are created, read from and written to.
OK deraadt florian semarie
---
diff --git a/sbin/resolvd/resolvd.c b/sbin/resolvd/resolvd.c
index 1e2ec871d5a..6fe56455bd9 100644
--- a/sbin/resolvd/resolvd.c
+++ b/sbin/resolvd/resolvd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: resolvd.c,v 1.9 2021/03/02 17:11:28 deraadt Exp $ */
+/* $OpenBSD: resolvd.c,v 1.10 2021/03/03 09:32:11 kn Exp $ */
 /*
 * Copyright (c) 2021 Florian Obser
 * Copyright (c) 2021 Theo de Raadt
@@ -216,8 +216,10 @@ main(int argc, char *argv[])
 solicit_dns_proposals(routesock);
- if (unveil("/etc", "rwc") == -1)
- lerr(1, "unveil /etc");
+ if (unveil(_PATH_RESCONF, "rwc") == -1)
+ lerr(1, "unveil " _PATH_RESCONF);
+ if (unveil(_PATH_RESCONF_NEW, "rwc") == -1)
+ lerr(1, "unveil " _PATH_RESCONF_NEW);
 #ifndef SMALL
 if (unveil(_PATH_UNWIND_SOCKET, "r") == -1)
 lerr(1, "unveil " _PATH_UNWIND_SOCKET);
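Review bot: Both added unveil() calls in the second hunk grant "rwc", but nothing visible shows that _PATH_RESCONF_NEW is ever read back. If that file is only created, written and then moved into place, `unveil(_PATH_RESCONF_NEW, "wc")` would be the tighter grant; this needs checking against the code that writes the file, which is outside the hunk. A short comment above the calls would also record the reasoning, for example `/* only these two files are used; unveil(2) remembers non-directories by name, so re-creating or replacing them still works */`. main() begins and ends outside the hunk, so it cannot be confirmed from here that the unveil list is locked afterwards, whether by a pledge() without the "unveil" promise or by `unveil(NULL, NULL)`.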