From 63fcc0891f2a2cef9a5c92b1ac17afce9fe53ad5 Mon Sep 17 00:00:00 2001
From: Leah Rowe
Date: Sun, 8 Mar 2026 02:45:20 +0000
Subject: util/nvmutil: Do not allow /dev/urandom on OBSD

There, we use arc4random_buf which does not directly access /dev/urandom on BSD; it uses a userspace method instead, which bypasses this. This is therefore much more restrictive, which is exactly the point of unveil(2) and pledge(2); restrict your program's operation while ensuring that it has what it needs, to help with debugging and prevent common bugs.

Signed-off-by: Leah Rowe
---
 util/nvmutil/nvmutil.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index e5982c08..9191f2ea 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -212,18 +212,16 @@ main(int argc, char *argv[])
 	/*
 	 * For restricted filesystem access on early error.
 	 *
-	 * Unveiling the random device early, regardless of
-	 * whether we will use it, prevents operations on any
-	 * GbE files until we permit it, while performing the
-	 * prerequisite error checks.
+	 * This prevents access to /dev/urandom, which we
+	 * should never use in OpenBSD (we use arc4random),
+	 * thus guarding against any future bugs there.
 	 *
-	 * We don't actually use the random device on platforms
-	 * that have arc4random, which includes OpenBSD.
+	 * This also prevents early reads to the GbE file,
+	 * while performing other checks; we will later
+	 * unveil the GbE file, to allow access.
 	 */
-	if (unveil("/dev/urandom", "r") == -1)
-		err(ECANCELED, "unveil '/dev/urandom'");
-	if (unveil("/dev/random", "r") == -1)
-		err(ECANCELED, "unveil '/dev/random'");
+	if (unveil("/dev/null", "r") == -1)
+		err(ECANCELED, "unveil '/dev/null'");
 #endif
 
 	set_cmd(argc, argv);
-- 
cgit v1.2.1
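Review bot: The new comment above the `unveil("/dev/null", "r")` call explains the effect but not why /dev/null is the path being unveiled, and nothing in the hunk ever reads /dev/null, so a future reader may take the read permission as intentional. The mechanism seems to be that the first unveil(2) call is what switches the process into the restricted view; any path would do, and /dev/null is simply a harmless one. I would state that directly, e.g. `* We never read /dev/null; this call only exists to activate unveil(2)'s restriction before the GbE file is unveiled below.` If the platform accepts an empty permissions string, `unveil("/dev/null", "")` would activate the restriction without granting even that read, but confirm that against the unveil(2) man page before changing it. The enclosing `#if` block and the body of main() both continue outside the hunk.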