From 843678b16716640c8490800ffdc2a3f496f52c6f Mon Sep 17 00:00:00 2001
From: deraadt
Date: Thu, 1 Sep 2022 12:28:53 +0000
Subject: [PATCH] the VNDIOCSET ioctl path handling bypassed the unveil, so root (or .operator) could read a file outside the space. ok semarie benno tb
---
 sys/dev/vnd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/dev/vnd.c b/sys/dev/vnd.c
index bbd124d8325..0834feecdf7 100644
--- a/sys/dev/vnd.c
+++ b/sys/dev/vnd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vnd.c,v 1.177 2021/12/23 10:09:16 bluhm Exp $ */
+/* $OpenBSD: vnd.c,v 1.178 2022/09/01 12:28:53 deraadt Exp $ */
 /* $NetBSD: vnd.c,v 1.26 1996/03/30 23:06:11 christos Exp $ */
 /*
@@ -455,10 +455,12 @@ vndioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p)
 * them.
 */
 NDINIT(&nd, 0, 0, UIO_SYSSPACE, name, p);
+nd.ni_unveil = UNVEIL_READ | UNVEIL_WRITE;
 rw = FREAD|FWRITE;
 error = vn_open(&nd, FREAD|FWRITE, 0);
 if (error == EROFS) {
 NDINIT(&nd, 0, 0, UIO_SYSSPACE, name, p);
+nd.ni_unveil = UNVEIL_READ | UNVEIL_WRITE;
 rw = FREAD;
 error = vn_open(&nd, FREAD, 0);
 }
--
2.20.1
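Review bot: The EROFS fallback in the second hunk still demands `UNVEIL_READ | UNVEIL_WRITE` even though that retry opens the backing file with `FREAD` only, so the unveil requirement no longer matches the access actually requested. A process whose unveil grants only "r" on the path would presumably be refused at the first `namei` (it requires write) and never reach the fallback, so a read-only attach of a file on a read-only filesystem becomes impossible under an r-only unveil; if that is intended, a comment such as `/* attaching a vnd always requires unveil write permission on the path */` should say so, otherwise the second assignment should be `nd.ni_unveil = UNVEIL_READ;`. The path in `name` is filled in before this hunk, presumably from the caller-supplied ioctl argument, and vndioctl continues outside the hunk, so the first NDINIT here is the only place the unveil flags can be set before `vn_open`. Since NDINIT re-initialises `nd` on the retry, dropping the second assignment would silently reintroduce the bypass on read-only media; a short comment on the fallback noting that `ni_unveil` must be set again after every NDINIT would help keep future edits from losing it.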