On Wed, 4 Dec 2019, at 14:08, Theo de Raadt wrote:
> unveil("/", "");
> unveil(NULL, NULL);

Thank you. I didn't realise that was possible.

I tried to write an update to the man page for unveil(2). Is this
accurate? Should I send it along to tech@?

Index: lib/libc/sys/unveil.2
===================================================================
RCS file: /cvs/src/lib/libc/sys/unveil.2,v
retrieving revision 1.19
diff -u -p -u -r1.19 unveil.2
--- lib/libc/sys/unveil.2       25 Jul 2019 13:47:40 -0000      1.19
+++ lib/libc/sys/unveil.2       4 Dec 2019 17:38:58 -0000
@@ -95,6 +95,12 @@ promise
 .Qq cpath .
 .El
 .Pp
+If
+.Fa permissions
+is an empty string then all operations for
+.Fa path
+are denied.
+.Pp
 A
 .Fa path
 that is a directory will enable all filesystem access underneath
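
Review bot: The added paragraph says operations for path are denied but does not say whether that covers everything underneath when path is a directory, and the unchanged paragraph right after it states that a directory path "will enable all filesystem access underneath". With an empty permissions string the two sentences read as contradictory. Since the case from the thread is unveil("/", ""), the directory behaviour is the one readers will look for. If the denial is meant to apply to the whole subtree, say so in the new text (for example "are denied, including everything underneath path if it is a directory"), or move the new paragraph after the directory paragraph and reword that one so it describes applying the permissions rather than enabling access. Minor wording point: a comma after "empty string" would read better.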
