Hi,
ospf6d does not support reloading so its parent proc does not need
filesystem access with the exception of the control socket cleanup on
exit. Once we teach it how to reload the config it is easy to unveil "/"
readonly as I just did for ospfd.
OK?
Remi
cvs diff: Diffing .
Index: ospf6d.c
===================================================================
RCS file: /cvs/src/usr.sbin/ospf6d/ospf6d.c,v
retrieving revision 1.39
diff -u -p -r1.39 ospf6d.c
--- ospf6d.c 1 Sep 2018 19:21:10 -0000 1.39
+++ ospf6d.c 29 Oct 2018 22:20:45 -0000
@@ -274,6 +274,11 @@ main(int argc, char *argv[])
fatalx("control socket setup failed");
main_imsg_compose_ospfe_fd(IMSG_CONTROLFD, 0, control_fd);
+ if (unveil(ospfd_conf->csock, "c") == -1)
+ fatal("unveil");
+ if (unveil(NULL, NULL) == -1)
+ fatal("unveil");
+
if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE),
ospfd_conf->rdomain) == -1)
fatalx("kr_init failed");
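Review bot: both added failure paths call fatal("unveil") with the same message, so a failure on the ospfd_conf->csock path cannot be told apart from a failure of the unveil(NULL, NULL) lock. Consider making the first message name the path being unveiled. A short comment above the first call would also help: the code does not say that the "c" permission is there only so the parent can remove the control socket on exit, which is explained only in the mail. Because the lock is placed before kr_init(), it is worth confirming that kr_init() and the rest of the parent's startup open nothing by path, since from this point only the control socket path is visible, and only for create and remove.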