From ad461ab28a2cbe087d31c8300749b3783dc8849f Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 18 Feb 2026 15:25:01 +0000
Subject: [PATCH] Instead of pledge "tmppath rpath", setup a "rwc" unveil on "/tmp", a "r" unveil on "/", and then pledge "rpath wpath cpath". ok semarie and others
---
 usr.bin/diff/diff.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/usr.bin/diff/diff.c b/usr.bin/diff/diff.c
index 2add825a7b7..f7ae5fa2182 100644
--- a/usr.bin/diff/diff.c
+++ b/usr.bin/diff/diff.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: diff.c,v 1.68 2023/01/05 00:00:44 millert Exp $ */
+/* $OpenBSD: diff.c,v 1.69 2026/02/18 15:25:01 deraadt Exp $ */
 /*
  * Copyright (c) 2003 Todd C. Miller
@@ -211,7 +211,11 @@ main(int argc, char **argv)
 argc -= optind;
 argv += optind;
- if (pledge("stdio rpath tmppath", NULL) == -1)
+ if (unveil("/tmp", "rwc") == -1)
+ err(2, "unveil /tmp");
+ if (unveil("/", "r") == -1)
+ err(2, "unveil /");
+ if (pledge("stdio rpath wpath cpath", NULL) == -1)
 err(2, "pledge");
 /*
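Review bot: The new `pledge("stdio rpath wpath cpath", NULL)` grants write and create rights to the whole process, so confining them to /tmp now rests entirely on the two `unveil()` calls above it and on this pledge omitting the "unveil" promise, which blocks later unveil calls; nothing in the hunk records that dependency. A short comment before the first unveil would keep a later edit from widening it by accident, for example `/* wpath/cpath are for temp files only: unveil limits them to /tmp, and pledge without "unveil" locks the list */`. If the temp-file code elsewhere in diff builds its path from `_PATH_TMP`, using the same macro here would keep the two in step; that code is not visible in this hunk. main() begins and continues outside the hunk.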