nfsd unveil error
That's good. Another implicit "rw" open of "/dev/null". nfsd is one
of those programs that relies upon unveil() alone because it cannot
use pledge().
Alexander Bluhm <bluhm@openbsd.org> wrote:
> Hi,
>
> nfsd(8) complains about unveil(2) violations in accounting.
> It happens during daemon(3) in the child process.
>
> 54336 nfsd RET fork 0
> 54336 nfsd CALL setsid()
> 54336 nfsd RET setsid 54336/0xd440
> 54336 nfsd CALL chdir(0x40886de80d8)
> 54336 nfsd NAMI "/"
> 54336 nfsd RET chdir -1 errno 2 No such file or directory
> 54336 nfsd CALL __pledge_open(0x40886deb837,0x2<O_RDWR>)
> 54336 nfsd NAMI "/dev/null"
> 54336 nfsd RET __pledge_open -1 errno 2 No such file or directory
>
> Instead of unveiling / and /dev/null, move unveil(2) after daemon(3).
>
> ok?
>
> bluhm
>
> Index: sbin/nfsd/nfsd.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sbin/nfsd/nfsd.c,v
> diff -u -p -r1.47 nfsd.c
> --- sbin/nfsd/nfsd.c 30 Nov 2025 23:07:17 -0000 1.47
> +++ sbin/nfsd/nfsd.c 27 Mar 2026 18:24:44 -0000
> @@ -113,15 +113,6 @@ main(int argc, char *argv[])
> /* Start by writing to both console and log. */
> openlog("nfsd", LOG_PID | LOG_PERROR, LOG_DAEMON);
>
> - if (unveil("/", "") == -1) {
> - syslog(LOG_ERR, "unveil /: %s", strerror(errno));
> - return (1);
> - }
> - if (unveil(NULL, NULL) == -1) {
> - syslog(LOG_ERR, "unveil: %s", strerror(errno));
> - return (1);
> - }
> -
> while ((ch = getopt(argc, argv, "n:rtu")) != -1)
> switch (ch) {
> case 'n':
> @@ -171,6 +162,15 @@ main(int argc, char *argv[])
> (void)signal(SIGSYS, nonfs);
> }
> (void)signal(SIGCHLD, reapchild);
> +
> + if (unveil("/", "") == -1) {
> + syslog(LOG_ERR, "unveil /: %s", strerror(errno));
> + return (1);
> + }
> + if (unveil(NULL, NULL) == -1) {
> + syslog(LOG_ERR, "unveil: %s", strerror(errno));
> + return (1);
> + }
>
> if (reregister) {
> if (udpflag &&
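Review bot: The relocated unveil block after `(void)signal(SIGCHLD, reapchild);` has no comment saying why it must sit this late in main(). A later cleanup could therefore hoist it back to the top and bring back the ENOENT on chdir("/") and on the O_RDWR open of "/dev/null" shown in the trace. I would add above it `/* unveil only after daemon(3), which must still chdir("/") and open /dev/null */`. The daemon(3) call is not in the visible hunks, so its position relative to this block is taken from the description and should be confirmed; main() continues before and after the hunk. Because nfsd relies on unveil() alone, it is also worth confirming that nothing between the old and new positions touches a caller-supplied path, since that stretch now runs with the filesystem fully visible.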
>