Instead of using BYPASSUNVEIL at NDINIT time, use KERNELPATH to indicate

we want to skip all userland-related checks.  Discussed with beck and
semarie, tested by stsp.

1 files changed, 8 insertions, 5 deletions

diff --git a/sys/dev/firmload.c b/sys/dev/firmload.c
index 9c258d9d80f..e8ade9e3ece 100644
--- a/sys/dev/firmload.c
+++ b/sys/dev/firmload.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: firmload.c,v 1.15 2018/08/05 23:19:49 deraadt Exp $	*/
+/*	$OpenBSD: firmload.c,v 1.16 2018/08/13 23:12:39 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2004 Theo de Raadt <deraadt@openbsd.org>
@@ -25,6 +25,7 @@
 #include <sys/malloc.h>
 #include <sys/proc.h>
 #include <sys/device.h>
+#include <sys/pledge.h>
 
 int
 loadfirmware(const char *name, u_char **bufp, size_t *buflen)
@@ -50,8 +51,9 @@ loadfirmware(const char *name, u_char **bufp, size_t *buflen)
 		goto err;
 	}
 
-	NDINIT(&nid, LOOKUP, NOFOLLOW|LOCKLEAF, UIO_SYSSPACE, path, p);
-	nid.ni_cnd.cn_flags |= BYPASSUNVEIL;
+	NDINIT(&nid, LOOKUP, NOFOLLOW|LOCKLEAF|KERNELPATH,
+	    UIO_SYSSPACE, path, p);
+	nid.ni_pledge = PLEDGE_RPATH;
 	error = namei(&nid);
 #ifdef RAMDISK_HOOKS
 	/* try again with mounted disk */
@@ -62,8 +64,9 @@ loadfirmware(const char *name, u_char **bufp, size_t *buflen)
 			goto err;
 		}
 
-		NDINIT(&nid, LOOKUP, NOFOLLOW|LOCKLEAF, UIO_SYSSPACE, path, p);
-		nid.ni_cnd.cn_flags |= BYPASSUNVEIL;
+		NDINIT(&nid, LOOKUP, NOFOLLOW|LOCKLEAF|KERNELPATH,
+		    UIO_SYSSPACE, path, p);
+		nid.ni_pledge = PLEDGE_RPATH;
 		error = namei(&nid);
 	}
 #endif