On Tue, Dec 10, 2019 at 03:20:15PM +0000, Reyk Floeter wrote:
> On Tue, Dec 10, 2019 at 02:39:20PM +0000, Stuart Henderson wrote:
> > On 2019/12/10 13:57, Reyk Floeter wrote:
> > > +# U2F/FIDO keys
> > > +/dev/uhid0 rw
> > > +/dev/uhid1 rw
> > > +/dev/uhid2 rw
> > > +/dev/uhid3 rw
> > > +/dev/uhid4 rw
> > > +/dev/uhid5 rw
> > > +/dev/uhid6 rw
> > > +/dev/uhid7 rw
> > > +/dev/uhid8 rw
> > > +/dev/uhid9 rw
> >
> > BTW there are several entries in dmesglog with uhid18 (Microsoft Surface
> > Type Cover) and one with uhid40 (headset + docking station + others).
> > The 40 seems excessive but it might be worth going up to, say, 20.
> > (Alternatively it could be dropped to 7 to align with the number of
> > device nodes created by MAKEDEV by default ..)
> >
>
> I feared that, OK. Let's go for 20 in this case?
>
> My authenticator-rs code initially scanned the /dev directory for uhid
> devices but I changed it to probe the first 100 uhid devices to work
> under unveil(2) (I didn't want to make /dev rx and there's no
> unveil(2) way to "read the directory contents without allowing access
> to its files").
>
> > > +This currently only works with pledge.main = disable.
> >
> > Another option would be to do this, and remove some lines from the
> > pkg-readme...
> >
>
> Hehe, good point and I wouldn't mind. But even if pledge(2) is
> enabled with all of its classes, it still limits ioctls and the scope
> of other syscalls. I don't know, what do people think about this?
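Review bot: the `/dev/uhid0 rw` through `/dev/uhid9 rw` hunk hard-codes an upper bound of ten nodes with no comment explaining where that number comes from, while the thread itself cites uhid18 and uhid40 on real machines and MAKEDEV creating only uhid0 to uhid7 by default. Whichever bound is settled on (20 is proposed downthread), put it in the `# U2F/FIDO keys` comment, e.g. `# U2F/FIDO keys (uhid0-19; raise if your dmesg shows higher uhid numbers)`, so a user whose key lands on a higher node knows why it is not reachable instead of assuming the unveil setup is broken.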
Well, I managed to have a 'video' pledge class, so you can probably get an
'uhidioctl' class :)

Landry
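The probe-by-index approach Reyk describes above (try uhid0, uhid1, ... up to a fixed bound rather than reading /dev, because unveil(2) cannot grant "list the directory" without also granting its files) can be written in a few dozen lines. The following is an added example, not code from authenticator-rs or from the thread: `uhid_path`, `unveil_uhid_nodes` and `probe_uhid` are names chosen here, the bound of 20 follows the number proposed in the thread, and the `unveil` FFI declaration matches the OpenBSD libc signature `int unveil(const char *path, const char *permissions)` and is compiled only on OpenBSD. Passing the base directory as a parameter (instead of hard-coding `/dev`) is an assumption made so the logic can be exercised against a scratch directory on any system.

```rust
use std::fs::OpenOptions;
use std::io::ErrorKind;
use std::path::{Path, PathBuf};

/// Outcome of probing one candidate device node by index.
#[derive(Debug, PartialEq)]
pub enum Probe {
    /// The node exists and opened read/write: a candidate authenticator.
    Usable(PathBuf),
    /// The node exists but the open was refused (wrong owner/mode, or a
    /// node that is not unveiled "rw"). Reported rather than skipped so a
    /// misconfigured unveil list is visible instead of silent.
    Denied(PathBuf),
}

/// Build the fixed-index path (e.g. <base>/uhid7). Hypothetical helper.
pub fn uhid_path(base: &Path, index: u32) -> PathBuf {
    base.join(format!("uhid{}", index))
}

/// OpenBSD only: unveil each fixed-index node "rw" and then lock the
/// unveil list. This is what lets the program avoid "rx" on /dev itself.
#[cfg(target_os = "openbsd")]
pub fn unveil_uhid_nodes(base: &Path, count: u32) -> std::io::Result<()> {
    use std::ffi::CString;
    use std::os::raw::{c_char, c_int};
    extern "C" {
        fn unveil(path: *const c_char, permissions: *const c_char) -> c_int;
    }
    let perms = CString::new("rw").unwrap();
    for i in 0..count {
        let node = uhid_path(base, i).to_string_lossy().into_owned();
        let cpath = CString::new(node).unwrap();
        // A node that is not present yet is not an error for our purposes;
        // the probe below simply skips it.
        if unsafe { unveil(cpath.as_ptr(), perms.as_ptr()) } != 0 {
            let err = std::io::Error::last_os_error();
            if err.kind() != ErrorKind::NotFound {
                return Err(err);
            }
        }
    }
    // unveil(NULL, NULL) forbids any further unveil calls.
    unsafe { unveil(std::ptr::null(), std::ptr::null()) };
    Ok(())
}

/// Portable no-op so the example builds and runs on non-OpenBSD hosts
/// (assumption: the caller tolerates running without unveil there).
#[cfg(not(target_os = "openbsd"))]
pub fn unveil_uhid_nodes(_base: &Path, _count: u32) -> std::io::Result<()> {
    Ok(())
}

/// Probe uhid0 .. uhid{count-1} by index. No directory listing is needed,
/// so it works with only the individual nodes unveiled.
pub fn probe_uhid(base: &Path, count: u32) -> Vec<Probe> {
    let mut found = Vec::new();
    for i in 0..count {
        let path = uhid_path(base, i);
        match OpenOptions::new().read(true).write(true).open(&path) {
            Ok(_handle) => found.push(Probe::Usable(path)),
            // Absent node, or a path outside the unveil set (unveil reports
            // those as ENOENT too): nothing to do for this index.
            Err(e) if e.kind() == ErrorKind::NotFound => continue,
            Err(e) if e.kind() == ErrorKind::PermissionDenied => {
                found.push(Probe::Denied(path))
            }
            // Busy, wrong device type, etc.: not usable, move on.
            Err(_) => continue,
        }
    }
    found
}

fn main() {
    let base = Path::new("/dev");
    let count = 20; // bound proposed in the thread
    if let Err(e) = unveil_uhid_nodes(base, count) {
        eprintln!("unveil: {}", e);
    }
    for probe in probe_uhid(base, count) {
        println!("{:?}", probe);
    }
}
```

The distinction between `NotFound` and `PermissionDenied` is the part worth keeping: once the unveil list is locked, a path that was never unveiled looks exactly like a missing file, so a key on uhid25 with a bound of 20 produces no error at all. That is the silent failure the thread's discussion about 10 versus 20 versus 40 is really about, and it is why the chosen bound should be stated next to the unveil list.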