ccardenas@openbsdJan 4, 2019
Bryan Steele 

 

"beck@ modified sys: Fix a collection of covering unveil bugs that prevent unveil's of upper level directories from working when you don't traverse into them starting from /. Most found by brynet@ and a few others. ok brynet@ deraadt@"

https://marc.info/?l=openbsd-cvs&m=154655236614423&w=2

With this change, unveil(2) can become an even more powerful tool that can be used to protect your applications, especially in cases where pledge(2) cannot be used.

#OpenBSD

'CVS: cvs.openbsd.org: src' - MARC

Jan 3, 2019 at 11:30pmWeb
Show threadBryan Steele Jan 3, 2019
If you know in advance that you'll only ever call functions that have read only effects on the filesystem, you can unveil("/", "r") to restrict all write, create operations, and also effectively disable execv*.
Show threadzalandocalrissianJan 3, 2019
@brynet
I don't know much about OpenBSD, but to me that commit message sounds like if it was written by a Markov chain
Show threadBryan Steele Jan 3, 2019
@zalandocalrissian