Luke Small <lukensm...@gmail.com> wrote:

> I'm not sure that I wasn't ambiguous. I want to be able to set up all necessary unveil
> promises then from that point on, be able to only reduce unveil permissions. I don't
> know the mechanism by which unveil works, but perhaps it could be an unveil command
> similar to unveil(NULL, NULL) instead of a pledge command? It apparently knows if it is
> an increase in permissions, can't it be set to only permit them?
> 
> On Thu, Aug 16, 2018 at 2:00 PM Luke Small <lukensm...@gmail.com> wrote:
> 
>  Ok. Thanks.
>  On Thu, Aug 16, 2018 at 1:59 PM Theo de Raadt <dera...@openbsd.org> wrote:
> 
>  Luke Small <lukensm...@gmail.com> wrote:
>  > Could you have a promise for unveil reductions only?
> 
>  That won't actually help much, and people will fall into some
>  pretty significant traps.
> 
>  Sorry it would require a really long explanation.

Cannot be done.

Will not work how you expect it to.

Will result in only providing a subset of the security boundary unveil
users expect, unexpectedly, when they least expect it files or dirs
will be exposed.

symbolic links.

Not going to explain further.  You want something magic which cannot
exist.
