On Mon, Jul 30, 2018 at 11:26:16AM +0200, Alexandre Ratchov wrote:
>
> The other sndiod process has neither of rpath, wpath, cpath, or exec,
> so it doesn't need unveil, right?

I am just replying to this aspect of unveil/pledge.

Yes, if the process doesn't have such promises, calling unveil(2) is unnecessary.

In fact, if you called unveil(2) previously, when you call pledge(2), the kernel code will check if you need your unveil configuration or not, and free it if it isn't the case.

-- 
Sebastien Marie
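
The rule discussed in this message, as an added example that is not part of the original mail or of sndiod: a check that decides from the pledge promise string whether an unveil(2) call is worth making. The promise list is the four names given in this thread, not taken from the kernel source, and `promises_need_unveil` and `sandbox` are hypothetical helper names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>   /* pledge(2), unveil(2) */
#endif

/*
 * Return true if the space-separated promise string contains rpath,
 * wpath, cpath or exec as a whole word. Matching is per token, so a
 * promise such as "prot_exec" is not mistaken for "exec".
 */
bool promises_need_unveil(const char *promises)
{
    static const char *const fs[] = { "rpath", "wpath", "cpath", "exec" };
    const char *p = promises;

    while (*p != '\0') {
        size_t len;

        p += strspn(p, " ");        /* skip separators */
        len = strcspn(p, " ");      /* length of the next token */
        for (size_t i = 0; len > 0 && i < sizeof(fs) / sizeof(fs[0]); i++)
            if (strlen(fs[i]) == len && strncmp(p, fs[i], len) == 0)
                return true;
        p += len;
    }
    return false;
}

/*
 * Hypothetical helper: unveil one path only when the promises make it
 * meaningful, then pledge. Returns 0 on success, -1 on failure.
 * On systems other than OpenBSD it does nothing and returns 0.
 */
int sandbox(const char *promises, const char *path, const char *perms)
{
#ifdef __OpenBSD__
    if (promises_need_unveil(promises) && unveil(path, perms) == -1)
        return -1;
    return pledge(promises, NULL);
#else
    (void)promises; (void)path; (void)perms;
    return 0;
#endif
}
```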
