authorLeah Rowe <leah@libreboot.org>2026-03-08 02:45:20 +0000
committerLeah Rowe <leah@libreboot.org>2026-03-08 02:47:08 +0000
commit63fcc0891f2a2cef9a5c92b1ac17afce9fe53ad5 (patch)
tree1a8e02f1a223596a10450fabebf195441bf79fce
parentb1866312bd4738c1c4944252f3e499e6da516b78 (diff)
util/nvmutil: Do not allow /dev/urandom on OBSD
There, we use arc4random_buf, which does not directly access /dev/urandom on BSD; it uses a userspace method instead, which bypasses that device. This is therefore much more restrictive, which is exactly the point of unveil(2) and pledge(2): restrict your program's operation while ensuring that it has what it needs, to help with debugging and prevent common bugs. Signed-off-by: Leah Rowe <leah@libreboot.org>
-rw-r--r--util/nvmutil/nvmutil.c18
1 files changed, 8 insertions, 10 deletions
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index e5982c08..9191f2ea 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -212,18 +212,16 @@ main(int argc, char *argv[])
/*
* For restricted filesystem access on early error.
*
- * Unveiling the random device early, regardless of
- * whether we will use it, prevents operations on any
- * GbE files until we permit it, while performing the
- * prerequisite error checks.
+ * This prevents access to /dev/urandom, which we
+ * should never use in OpenBSD (we use arc4random),
+ * thus guarding against any future bugs there.
*
- * We don't actually use the random device on platforms
- * that have arc4random, which includes OpenBSD.
+ * This also prevents early reads to the GbE file,
+ * while performing other checks; we will later
+ * unveil the GbE file, to allow access.
*/
- if (unveil("/dev/urandom", "r") == -1)
- err(ECANCELED, "unveil '/dev/urandom'");
- if (unveil("/dev/random", "r") == -1)
- err(ECANCELED, "unveil '/dev/random'");
+ if (unveil("/dev/null", "r") == -1)
+ err(ECANCELED, "unveil '/dev/null'");
#endif
set_cmd(argc, argv);
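Review bot: The new `unveil("/dev/null", "r")` near the end of the hunk is not explained by the rewritten comment, which only says what is being denied; the call exists because the first unveil(2) call is what activates the filesystem restriction, and /dev/null is simply a harmless path to do that with, so a later reader could mistake it for dead code and drop it, silently re-opening the filesystem until the GbE file is unveiled. I would add, just above the call, `/* The first unveil(2) call activates the restriction; /dev/null is` `* only a harmless path with which to do so. */` so the intent survives the next edit. The comment's "we should never use in OpenBSD (we use arc4random)" could also name why that holds here, since the point of the change rests on it: arc4random does not read a device node, so no device path needs to be unveiled. The surrounding `#ifdef` and the body of main() start and end outside the hunk, so I cannot confirm this block is compiled only on OpenBSD.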