ping and traceroute are setuid programs, so increased access-reduction features are worthwhile.
they can both lock their filesystem visibility to "readonly" very early on. the attack model being prevented against is very obscure. it imagines a bug in something between start-of-program and call-to-pledge (which entirely removes filesystem access). implying a getaddrinfo related bug. meanwhile, there is privdrop as another protection. these still feel like improvements. Index: usr.sbin/traceroute/traceroute.c =================================================================== RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v retrieving revision 1.161 diff -u -p -u -r1.161 traceroute.c --- usr.sbin/traceroute/traceroute.c 28 Jun 2019 13:32:51 -0000 1.161 +++ usr.sbin/traceroute/traceroute.c 27 Aug 2019 17:56:56 -0000 @@ -327,6 +327,12 @@ main(int argc, char *argv[]) uid_t ouid, uid; gid_t gid; + /* Cannot pledge due to special setsockopt()s below */ + if (unveil("/", "r") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + if ((conf = calloc(1, sizeof(*conf))) == NULL) err(1,NULL); Index: sbin/ping/ping.c =================================================================== RCS file: /cvs/src/sbin/ping/ping.c,v retrieving revision 1.237 diff -u -p -u -r1.237 ping.c --- sbin/ping/ping.c 20 Jul 2019 00:49:54 -0000 1.237 +++ sbin/ping/ping.c 27 Aug 2019 17:56:17 -0000 @@ -264,6 +264,12 @@ main(int argc, char *argv[]) u_int rtableid = 0; extern char *__progname; + /* Cannot pledge due to special setsockopt()s below */ + if (unveil("/", "r") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + if (strcmp("ping6", __progname) == 0) { v6flag = 1; maxpayload = MAXPAYLOAD6;
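Review bot: the comment added at the top of main() in traceroute.c (hunk @@ -327,6 +327,12) reads "Cannot pledge due to special setsockopt()s below", but the message describes a later call to pledge that removes filesystem access, so the comment looks like it means pledge cannot be called yet at this point. Wording it as "Cannot pledge yet" and stating that unveil("/", "r") covers the window until that call would keep a later reader from concluding the program is never pledged.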
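Review bot: in the ping.c hunk (@@ -264,6 +264,12) both failure paths report the same string, err(1, "unveil"), so a failure of unveil("/", "r") cannot be told apart from a failure of the locking call unveil(NULL, NULL). Giving the two calls distinct messages would make the report unambiguous in a setuid program where the run is hard to reproduce under a debugger. The same applies to the identical lines in the traceroute.c hunk.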