From 31a5ab3e1571f1e5b3e5faafaf27abc182d219bc Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Mon, 16 Mar 2026 17:30:03 +0000
Subject: util/nvmutil: fix unveil usage

arandom probably isn't available on super old obsd right??????

rather, unveil isn't. on systems that have arandom

yet we should not unveil something that may not
exist on modern systems

just don't unveil arandom, and don't check arandom
if unveil is enabled

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 util/nvmutil/nvmutil.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'util/nvmutil')

diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 851eb0fb..1f91de0a 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -756,6 +756,8 @@ main(int argc, char *argv[])
 		err(errno, "pledge, unveil");
 	if (unveil("/dev/urandom", "r") == -1)
 		err(errno, "unveil: /dev/urandom");
+	if (unveil("/dev/random", "r") == -1)
+		err(errno, "unveil: /dev/random");
 #else
 	if (pledge("stdio flock rpath wpath cpath", NULL) == -1)
 		err(errno, "pledge");
@@ -1415,8 +1417,10 @@ read_urandom(void)
 	if (fd < 0) {
 
 		fd = open("/dev/urandom", O_RDONLY | O_NONBLOCK);
+#ifndef NVMUTIL_UNVEIL
 		if (fd < 0) /* older openbsd */
 			fd = open("/dev/arandom", O_RDONLY | O_NONBLOCK);
+#endif
 		if (fd < 0) /* super old unix (could block) */
 			fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
 
-- 
cgit v1.2.1