On Wed, 4 Dec 2019, at 14:08, Theo de Raadt wrote:
> unveil("/", "");
> unveil(NULL, NULL);
Thank you. I didn't realise that was possible.
I tried to write an update to the man page for unveil(2). Is this
accurate? Should I send it along to tech@?
Index: lib/libc/sys/unveil.2
===================================================================
RCS file: /cvs/src/lib/libc/sys/unveil.2,v
retrieving revision 1.19
diff -u -p -u -r1.19 unveil.2
--- lib/libc/sys/unveil.2 25 Jul 2019 13:47:40 -0000 1.19
+++ lib/libc/sys/unveil.2 4 Dec 2019 17:38:58 -0000
@@ -95,6 +95,12 @@ promise
.Qq cpath .
.El
.Pp
+If
+.Fa permissions
+is an empty string then all operations for
+.Fa path
+are denied.
+.Pp
A
.Fa path
that is a directory will enable all filesystem access underneath
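Review bot: The added paragraph ("If permissions is an empty string then all operations for path are denied.") does not say how far the denial reaches when path is a directory, and it sits directly above the paragraph that begins "A path that is a directory will enable all filesystem access underneath", so the two can read as conflicting for a call such as unveil("/", "") from this thread. Consider stating explicitly whether an empty permissions string on a directory also covers everything beneath it, or moving the new sentence after the directory paragraph so it reads as a qualification of that rule. A comma after "is an empty string" would also make the sentence easier to read.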