From e5d7c3e3a26dc0334e447c7b3e54b3915eaccb0b Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Mon, 2 Mar 2026 16:34:59 +0000
Subject: util/nvmutil: split unveil handling

urandom in main. this is because i'm going to further
harden the use of pledge and unveil in a future patch,
and this is a prerequisite.

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 util/nvmutil/nvmutil.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'util')

diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 735dda2c..6384bc43 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -89,6 +89,7 @@ main(int argc, char *argv[])
 	checkdir("/dev/urandom");
 	checkdir(fname);
 #ifdef __OpenBSD__
+	err_if(unveil("/dev/urandom", "r") == -1);
 	block_unveil();
 #endif
 	openFiles(fname);
@@ -446,8 +447,6 @@ swap(int partnum)
 void
 block_unveil(void)
 {
-	err_if(unveil("/dev/urandom", "r") == -1);
-
 	if (flags == O_RDONLY) {
 		err_if(unveil(fname, "r") == -1);
 		err_if(unveil(NULL, NULL) == -1);
-- 
cgit v1.2.1