Use __pledge_open(2) for files that libc urgently needs even in lower

promise levels.  You must be running a kernel at least 4 days old.
Soon, another commit will happen that breaks compatibility even further,
and you'll need new static binaries and new libc.so, along with a new
kernel.  This removes an old pledge design decision which is weak.
Long discussions with david leadbeater and beck

2 files changed, 29 insertions, 10 deletions

diff --git a/src/lib/libc/net/getprotoent.c b/src/lib/libc/net/getprotoent.c
index a218863d07..88de656fca 100644
--- a/src/lib/libc/net/getprotoent.c
+++ b/src/lib/libc/net/getprotoent.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: getprotoent.c,v 1.13 2015/09/14 07:38:38 guenther Exp $ */
+/*      $OpenBSD: getprotoent.c,v 1.14 2026/03/10 00:06:39 deraadt Exp $ */
 /*
  * Copyright (c) 1983, 1993
  *      The Regents of the University of California.  All rights reserved.
@@ -37,13 +37,19 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
 
 void
 setprotoent_r(int f, struct protoent_data *pd)
 {
-        if (pd->fp == NULL)
-                pd->fp = fopen(_PATH_PROTOCOLS, "re" );
-        else
+        if (pd->fp == NULL) {
+                int fd = __pledge_open(_PATH_PROTOCOLS, O_RDONLY|O_CLOEXEC);
+                if (fd != -1)
+                        pd->fp = fdopen(fd, "r" );
+                if (pd->fp == NULL)
+                        close(fd);
+        } else
                 rewind(pd->fp);
         pd->stayopen |= f;
 }
diff --git a/src/lib/libc/net/getservent.c b/src/lib/libc/net/getservent.c
index 220a5851ce..4d0172a2d1 100644
--- a/src/lib/libc/net/getservent.c
+++ b/src/lib/libc/net/getservent.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: getservent.c,v 1.15 2015/09/14 07:38:38 guenther Exp $ */
+/*      $OpenBSD: getservent.c,v 1.16 2026/03/10 00:06:39 deraadt Exp $ */
 /*
  * Copyright (c) 1983, 1993
  *      The Regents of the University of California.  All rights reserved.
@@ -37,13 +37,19 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
 
 void
 setservent_r(int f, struct servent_data *sd)
 {
-        if (sd->fp == NULL)
-                sd->fp = fopen(_PATH_SERVICES, "re" );
-        else
+        if (sd->fp == NULL) {
+                int fd = __pledge_open(_PATH_SERVICES, O_RDONLY|O_CLOEXEC);
+                if (fd != -1)
+                        sd->fp = fdopen(fd, "r" );
+                if (sd->fp == NULL)
+                        close(fd);
+        } else
                 rewind(sd->fp);
         sd->stayopen |= f;
 }
@@ -73,8 +79,15 @@ getservent_r(struct servent *se, struct servent_data *sd)
         long l;
         int serrno;
 
-        if (sd->fp == NULL && (sd->fp = fopen(_PATH_SERVICES, "re" )) == NULL)
-                return (-1);
+        if (sd->fp == NULL) {
+                int fd = __pledge_open(_PATH_SERVICES, O_RDONLY|O_CLOEXEC);
+                if (fd == -1)
+                        return (-1);
+                if ((sd->fp = fdopen(fd, "r" )) == NULL) {
+                        close(fd);
+                        return (-1);
+                }
+        }
 again:
         if ((p = fgetln(sd->fp, &len)) == NULL)
                 return (-1);