From 5cab21566d4a2d16a43126c48087873b35d856d8 Mon Sep 17 00:00:00 2001
From: claudio
Date: Thu, 15 Jul 2021 06:57:02 +0000
Subject: [PATCH] UNVEIL_INSPECT is no longer needed, adjust code accordingly. OK semarie@
---
 sys/kern/kern_unveil.c | 20 ++++++--------------
 sys/sys/namei.h | 3 +--
 2 files changed, 7 insertions(+), 16 deletions(-)
diff --git a/sys/kern/kern_unveil.c b/sys/kern/kern_unveil.c
index b6d896055d7..6e118966ade 100644
--- a/sys/kern/kern_unveil.c
+++ b/sys/kern/kern_unveil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_unveil.c,v 1.46 2021/07/08 13:33:05 claudio Exp $ */
+/* $OpenBSD: kern_unveil.c,v 1.47 2021/07/15 06:57:02 claudio Exp $ */
 /*
 * Copyright (c) 2017-2019 Bob Beck
@@ -399,15 +399,7 @@ unveil_add_vnode(struct proc *p, struct vnode *vp)
 rw_init(&uv->uv_lock, "unveil");
 RBT_INIT(unvname_rbt, &uv->uv_names);
 uv->uv_vp = vp;
-
- /*
- * Added vnodes are added with the UNVEIL_INSPECT flag
- * to allow operations such as access and stat. This lets
- * TOCTOU fans that call access on all components of
- * an unveil'ed path before the final operations
- * work.
- */
- uv->uv_flags = UNVEIL_INSPECT;
+ uv->uv_flags = 0;
 /* find out what we are covered by */
 uv->uv_cover = unveil_find_cover(vp, p);
@@ -579,7 +571,7 @@ unveil_flagmatch(struct nameidata *ni, u_char flags)
 #ifdef DEBUG_UNVEIL
 printf("unveil lacks UNVEIL_READ\n");
 #endif
- if (flags != UNVEIL_INSPECT)
+ if (flags & UNVEIL_USERSET)
 ni->ni_unveil_eacces = 1;
 return 0;
 }
@@ -589,7 +581,7 @@ unveil_flagmatch(struct nameidata *ni, u_char flags)
 #ifdef DEBUG_UNVEIL
 printf("unveil lacks UNVEIL_WRITE\n");
 #endif
- if (flags != UNVEIL_INSPECT)
+ if (flags & UNVEIL_USERSET)
 ni->ni_unveil_eacces = 1;
 return 0;
 }
@@ -599,7 +591,7 @@ unveil_flagmatch(struct nameidata *ni, u_char flags)
 #ifdef DEBUG_UNVEIL
 printf("unveil lacks UNVEIL_EXEC\n");
 #endif
- if (flags != UNVEIL_INSPECT)
+ if (flags & UNVEIL_USERSET)
 ni->ni_unveil_eacces = 1;
 return 0;
 }
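Review bot: After this hunk `uv->uv_flags = 0;` in unveil_add_vnode carries no explanation, and the deleted comment was the only text at this site describing the flag state a freshly added vnode starts in. Because the unveil_flagmatch hunks now treat a value with no UNVEIL_USERSET bits as "not set by the user", a one-line comment would keep that contract readable: `/* no permissions yet; zero flags mark a vnode the user did not unveil */`. Presumably the caller fills in the requested bits afterwards, but that code and the rest of the function lie outside the hunk.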
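Review bot: In unveil_flagmatch the new test `if (flags & UNVEIL_USERSET)` is not a drop-in replacement for `flags != UNVEIL_INSPECT`: with `flags == 0` the old code set `ni->ni_unveil_eacces` and the new code leaves it clear, so an entry with no permission bits is now handled like an implicitly added vnode rather than a user-set one. That looks intended given `uv->uv_flags = 0` in unveil_add_vnode, but it changes which denials are flagged as EACCES and deserves a comment at the first test, e.g. `/* only user-set permissions turn a mismatch into EACCES; flags == 0 leaves ni_unveil_eacces clear */`. The same line is changed in the UNVEIL_WRITE, UNVEIL_EXEC and UNVEIL_CREATE hunks (-589, -599, -609). The function starts and ends outside these hunks, so how a clear `ni_unveil_eacces` is mapped to an errno is not visible here.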
@@ -609,7 +601,7 @@ unveil_flagmatch(struct nameidata *ni, u_char flags)
 #ifdef DEBUG_UNVEIL
 printf("unveil lacks UNVEIL_CREATE\n");
 #endif
- if (flags != UNVEIL_INSPECT)
+ if (flags & UNVEIL_USERSET)
 ni->ni_unveil_eacces = 1;
 return 0;
 }
diff --git a/sys/sys/namei.h b/sys/sys/namei.h
index f392dbff9e6..64541cfa761 100644
--- a/sys/sys/namei.h
+++ b/sys/sys/namei.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: namei.h,v 1.46 2021/07/08 13:33:05 claudio Exp $ */
+/* $OpenBSD: namei.h,v 1.47 2021/07/15 06:57:02 claudio Exp $ */
 /* $NetBSD: namei.h,v 1.11 1996/02/09 18:25:20 christos Exp $ */
 /*
@@ -270,6 +270,5 @@ struct nchstats {
 #define UNVEIL_CREATE 0x04
 #define UNVEIL_EXEC 0x08
 #define UNVEIL_USERSET 0x0F
-#define UNVEIL_INSPECT 0x80
 #endif /* !_SYS_NAMEI_H_ */
-- 
2.20.1