Chris Rawnsley <chris@puny.agency> wrote:
> On Wed, 4 Dec 2019, at 14:08, Theo de Raadt wrote:
> > unveil("/", "");
> > unveil(NULL, NULL);
>
> Thank you. I didn't realise that was possible.
>
> I tried to write an update to the man page for unveil(2). Is this
> accurate? Should I send it along to tech@?
>
> Index: lib/libc/sys/unveil.2
> ===================================================================
> RCS file: /cvs/src/lib/libc/sys/unveil.2,v
> retrieving revision 1.19
> diff -u -p -u -r1.19 unveil.2
> --- lib/libc/sys/unveil.2 25 Jul 2019 13:47:40 -0000 1.19
> +++ lib/libc/sys/unveil.2 4 Dec 2019 17:38:58 -0000
> @@ -95,6 +95,12 @@ promise
> .Qq cpath .
> .El
> .Pp
> +If
> +.Fa permissions
> +is an empty string then all operations for
> +.Fa path
> +are denied.
> +.Pp
> A
> .Fa path
> that is a directory will enable all filesystem access underneath
I think it is implied, if no permissions are listed. Maybe a tweak
like
The permissions argument points to a string consisting of zero or more
of the following characters:
But I don't know, I feel it is is not neccessary.
