Hi, /etc/ssl/cert.pem is loaded into memory with tls_load_file(3) in the local function priv_constraint_child(), which is called before we reach the code below, therefore we don't need to unveil(2) it nor have "rpath" in the pledge(2) promises.
Comments? OK? Index: ntpd.c =================================================================== RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v retrieving revision 1.129 diff -u -p -u -r1.129 ntpd.c --- ntpd.c 12 Feb 2020 19:14:56 -0000 1.129 +++ ntpd.c 8 Jul 2021 07:35:51 -0000 @@ -283,11 +283,9 @@ main(int argc, char *argv[]) * Constraint processes are forked with certificates in memory, * then privdrop into chroot before speaking to the outside world. */ - if (unveil(tls_default_ca_cert_file(), "r") == -1) - err(1, "unveil"); if (unveil("/usr/sbin/ntpd", "x") == -1) err(1, "unveil"); - if (pledge("stdio rpath inet settime proc exec id", NULL) == -1) + if (pledge("stdio inet settime proc exec id", NULL) == -1) err(1, "pledge"); while (quit == 0) {
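Review bot: dropping the unveil(tls_default_ca_cert_file(), "r") call and "rpath" from the pledge(2) string is only sound if nothing that runs after this pledge opens a file; the cover text states that /etc/ssl/cert.pem is already in memory via tls_load_file(3) in priv_constraint_child(), so please also confirm that the tls code does not lazily re-read the CA file later (a violation at that point kills the process with SIGABRT rather than failing the open), and consider recording that precondition in the commit message, since the surrounding comment only says the certificates are in memory. Also, the diff is against revision 1.129 dated 12 Feb 2020 while the patch itself is dated 8 Jul 2021; worth regenerating against the current tree before committing.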