util/nvmutil: split unveil handling

urandom in main. this is because i'm going to further harden the use of pledge and unveil in a future patch, and this is a prerequisite. Signed-off-by: Leah Rowe <leah@libreboot.org>
author: Leah Rowe <leah@libreboot.org> 2026-03-02 16:34:59 +0000
committer: Leah Rowe <leah@libreboot.org> 2026-03-02 16:34:59 +0000
commit: e5d7c3e3a26dc0334e447c7b3e54b3915eaccb0b (patch)
tree: fa99727c47f7b46674df8cb9c33b063d896a5d46 /util/nvmutil
parent: 896f0ea1df8333ef3d19cf1aa11dcd8354d86be0 (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 735dda2c..6384bc43 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -89,6 +89,7 @@ main(int argc, char *argv[])
 	checkdir("/dev/urandom");
 	checkdir(fname);
 #ifdef __OpenBSD__
+	err_if(unveil("/dev/urandom", "r") == -1);
 	block_unveil();
 #endif
 	openFiles(fname);
@@ -446,8 +447,6 @@ swap(int partnum)
 void
 block_unveil(void)
 {
-	err_if(unveil("/dev/urandom", "r") == -1);
-
 	if (flags == O_RDONLY) {
 		err_if(unveil(fname, "r") == -1);
 		err_if(unveil(NULL, NULL) == -1);
author	Leah Rowe <leah@libreboot.org>	2026-03-02 16:34:59 +0000
committer	Leah Rowe <leah@libreboot.org>	2026-03-02 16:34:59 +0000
commit	e5d7c3e3a26dc0334e447c7b3e54b3915eaccb0b (patch)
tree	fa99727c47f7b46674df8cb9c33b063d896a5d46 /util/nvmutil
parent	896f0ea1df8333ef3d19cf1aa11dcd8354d86be0 (diff)