Hi,

One missing piece when I added pledge(2) to dhcpd(8) was the code path taken when it is invoked with one of -A/-C/-L, which at the time I left alone because of some ioctls forbidden by pledge(2).
Now we have unveil(2), and this path can be further restricted by using it instead of chroot(2), since this "sandbox" (not sure why people call just about everything a sandbox these days) can be escaped with *at(2) calls. Since no filesystem access is needed here, we can disable it by calling unveil("/", "") followed by unveil(NULL, NULL).

Comments? OK?

Index: pfutils.c =================================================================== RCS file: /cvs/src/usr.sbin/dhcpd/pfutils.c,v retrieving revision 1.20 diff -u -p -u -r1.20 pfutils.c --- pfutils.c 28 Jun 2019 13:32:47 -0000 1.20 +++ pfutils.c 6 Aug 2019 13:28:11 -0000 @@ -54,14 +54,16 @@ pftable_handler() if ((fd = open(_PATH_DEV_PF, O_RDWR|O_NOFOLLOW, 0660)) == -1) fatal("can't open pf device"); - if (chroot(_PATH_VAREMPTY) == -1) - fatal("chroot %s", _PATH_VAREMPTY); - if (chdir("/") == -1) - fatal("chdir(\"/\")"); + if (setgroups(1, &pw->pw_gid) || setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) fatal("can't drop privileges"); + + if (unveil("/", "") == -1) + fatal("unveil"); + if (unveil(NULL, NULL) == -1) + fatal("unveil"); setproctitle("pf table handler"); l = sizeof(struct pf_cmd);
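Review bot: the two added fatal("unveil") calls in the pftable_handler() hunk use an identical message, so a failure of the unveil("/", "") call cannot be told apart from a failure of the locking unveil(NULL, NULL) call; consider fatal("unveil %s", "/") for the first and fatal("unveil(NULL, NULL)") for the second, matching the style of the removed fatal("chroot %s", _PATH_VAREMPTY). Placing the pair after the setresuid() privilege drop is fine, since unveil(2) needs no privilege and _PATH_DEV_PF is already opened above it, so the pf descriptor stays usable once the filesystem is hidden; it is worth keeping that ordering in mind if anyone later moves the open(). The hunk also removes the only visible use of _PATH_VAREMPTY in this function, so check whether pfutils.c still references it anywhere else and drop any include that is now only there to define it.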