this one's better - use the correct unveil pattern, pointed out by brynet@ - argv[0] vs. argv[i], pointed out by Matthew Martin and Mario Campos
diff --git ifconfig.c ifconfig.c index 9bfb1751aab..20154059394 100644 --- ifconfig.c +++ ifconfig.c @@ -676,10 +676,15 @@ main(int argc, char *argv[]) int create = 0; int Cflag = 0; int gflag = 0; + int found_rulefile = 0; int i; /* If no args at all, print all interfaces. */ if (argc < 2) { + if (unveil("/", "") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); aflag = 1; printif(NULL, 0); return (0); @@ -721,6 +726,21 @@ main(int argc, char *argv[]) } else if (strlcpy(name, *argv, sizeof(name)) >= IFNAMSIZ) errx(1, "interface name '%s' too long", *argv); argc--, argv++; + + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "rulefile") == 0) { + found_rulefile = 1; + break; + } + } + + if (!found_rulefile) { + if (unveil("/", "") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + } + if (argc > 0) { for (afp = rafp = afs; rafp->af_name; rafp++) if (strcmp(rafp->af_name, *argv) == 0) { -- I'm not entirely sure you are real.