CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/04/17 11:27:35
Modified files:
usr.bin/mandoc : main.c
Log message:
Refine unveil(2) usage.
* Process man.conf(5) early before unveil(2) because it needs realpath(3).
* Rather than unveiling the whole file system for reading and execution,
only reveal the manpaths actually needed for reading, and /usr/share/locale/
if needed, and only reveal the pager binary for execution.
* Only reveal the whole file system for reading if input file names
are listed individually on the command line.
* Rather than unveiling /tmp unconditionally, only do so when it is
actually needed for the pager.
* When -O outfilename or -O tagfilename is specified, rather than
unveiling the current working directory for writing, only unveil
the specific filenames needed.
Using some feedback from deraadt@, in particular reducing the number
of vnodes that are held, and avoiding use of the "unveil" pledge(2).
