Ted Unangst <t...@tedunangst.com> wrote:
> Bryan Steele wrote:
> > It is not possible to unveil(2) all arguments passed to file(1), as this
> > would require walking *argv. Instead, we can unveil("/", "r") to permit
> > readonly access to the entire filesystem, while restricting all execute,
> > write, and create operations.
>
> Why not? Because of the limit? We can still try unveil up to a certain
> limit.
Absolutely not. Unveiled paths are held vnodes. When you allow processes to have a gigantic pile of them, and allow many processes a gigantic pile of such vnodes, system performance *will* be impacted. The design of unveil is supposed to encourage developers to narrowly define their usage, but at the same time to unveil all argv[] before opening them because then you are hogging resources. So I think your advice here is misguided.
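The two strategies the thread compares, written out as an added C example (not code from file(1) or from anyone in the thread): restrict_readonly_fs() is the single unveil("/", "r") approach, and unveil_each_argv() is the per-argument loop, where every successful call pins one vnode for the life of the process. The #ifndef stub and the constructed argv in demo_argv_count() are assumptions added so the file builds and runs on systems without unveil(2); on OpenBSD the real libc unveil(2) is used.

```c
#include <stdio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-in (assumption, not part of the technique) so the example
 * builds on systems without unveil(2); OpenBSD declares the real
 * call in <unistd.h>. */
static int unveil(const char *path, const char *permissions)
{
    (void)path; (void)permissions;
    return 0;
}
#endif

/* Whole-filesystem read-only view: a single unveiled path, so one
 * held vnode, and no execute, write or create permission anywhere.
 * Returns 0 on success, -1 on failure. */
int restrict_readonly_fs(void)
{
    if (unveil("/", "r") == -1)
        return -1;
    /* Lock the policy: no further unveil() calls are permitted. */
    return unveil(NULL, NULL);
}

/* Per-argument approach: unveil each operand read-only. Returns the
 * number of paths unveiled, or -1 on error. Each success holds a
 * vnode until the process exits, which is the cost discussed above;
 * the kernel also stops accepting paths past its per-process limit. */
int unveil_each_argv(int argc, char **argv)
{
    int n = 0;
    for (int i = 1; i < argc; i++) {
        if (unveil(argv[i], "r") == -1)
            return -1;
        n++;
    }
    if (unveil(NULL, NULL) == -1)
        return -1;
    return n;
}

/* Constructed argv for demonstration: two operands after argv[0]. */
int demo_argv_count(void)
{
    char *args[] = { "file", "/etc/hosts", "/tmp", NULL };
    return unveil_each_argv(3, args);
}

int main(void)
{
    if (restrict_readonly_fs() == -1) {
        perror("unveil");
        return 1;
    }
    printf("filesystem is now read-only for this process\n");
    return 0;
}
```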