On 2026/03/12 11:14, Theo de Raadt wrote:
>
> > Unveil config would be easier to work with if the file contents were
> > _in addition_ to a compiled-in default. i.e. the binary already has what
> > it knows is needed and you can open up some additional files/dirs if
> > necessary.
>
> What do you mean "if" and "_in addition_".
>
> Because that is exactly how unveil works. More refined paths always create
> enclaves inside enclaves, with the new permissions. If the paths as
> previously specified paths, it replaces the previously specified path.
>
> I really don't see any reason to have these files user visible or editable.
There are files/paths which are required by the software itself (which
can be compiled-in), and those required by the user or user's sysadmin.
The person compiling the package can't know that the user might need to
use a browser to attach files in /some/nfsserver/docs via webmail, for
example.
No comments:
Post a Comment