From b9b707e00d98453741d6da3391ce1b5ce5316dac Mon Sep 17 00:00:00 2001
From: bluhm <bluhm@openbsd.org>
Date: Fri, 27 Mar 2026 19:19:41 +0000
Subject: [PATCH] Fix unveil in NFS daemon.

With process accouting, nfsd(8) complains about unveil(2) violations.
It happens during daemon(3) in the child process.  Instead of
unveiling / and /dev/null, move unveil(2) after daemon(3).

OK deraadt@
---
 sbin/nfsd/nfsd.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/sbin/nfsd/nfsd.c b/sbin/nfsd/nfsd.c
index c492f3b55a7..a5806a59850 100644
--- a/sbin/nfsd/nfsd.c
+++ b/sbin/nfsd/nfsd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: nfsd.c,v 1.47 2025/11/30 23:07:17 jsg Exp $	*/
+/*	$OpenBSD: nfsd.c,v 1.48 2026/03/27 19:19:41 bluhm Exp $	*/
 /*	$NetBSD: nfsd.c,v 1.19 1996/02/18 23:18:56 mycroft Exp $	*/
 
 /*
@@ -113,15 +113,6 @@ main(int argc, char *argv[])
 	/* Start by writing to both console and log. */
 	openlog("nfsd", LOG_PID | LOG_PERROR, LOG_DAEMON);
 
-	if (unveil("/", "") == -1) {
-		syslog(LOG_ERR, "unveil /: %s", strerror(errno));
-		return (1);
-	}
-	if (unveil(NULL, NULL) == -1) {
-		syslog(LOG_ERR, "unveil: %s", strerror(errno));
-		return (1);
-	}
-
 	while ((ch = getopt(argc, argv, "n:rtu")) != -1)
 		switch (ch) {
 		case 'n':
@@ -172,6 +163,15 @@ main(int argc, char *argv[])
 	}
 	(void)signal(SIGCHLD, reapchild);
 
+	if (unveil("/", "") == -1) {
+		syslog(LOG_ERR, "unveil /: %s", strerror(errno));
+		return (1);
+	}
+	if (unveil(NULL, NULL) == -1) {
+		syslog(LOG_ERR, "unveil: %s", strerror(errno));
+		return (1);
+	}
+
 	if (reregister) {
 		if (udpflag &&
 		    (!pmap_set(RPCPROG_NFS, 2, IPPROTO_UDP, NFS_PORT) ||