From 3941274074d310b8b1682b43c2c4bfd513f88199 Mon Sep 17 00:00:00 2001
From: Roy Marples <roy@marples.name>
Date: Fri, 10 Nov 2023 12:02:19 +0000
Subject: [PATCH] privsep: Note that unveil(2) is not needed

As we are in a chroot.
https://www.mail-archive.com/misc@openbsd.org/msg171664.html
---
 src/privsep.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/privsep.c b/src/privsep.c
index 03f4be91..c3aeab8d 100644
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -622,6 +622,9 @@ ps_entersandbox(const char *_pledge, const char **sandbox)
 #elif defined(HAVE_PLEDGE)
 	if (sandbox != NULL)
 		*sandbox = "pledge";
+	// There is no need to use unveil(2) because we are in an empty chroot
+	// This is encouraged by Theo de Raadt himself:
+	// https://www.mail-archive.com/misc@openbsd.org/msg171655.html
 	return pledge(_pledge, NULL);
 #elif defined(HAVE_SECCOMP)
 	if (sandbox != NULL)