It is not possible to unveil(2) all arguments passed to file(1), as this would require walking *argv. Instead, we can unveil("/", "r") to permit read-only access to the entire filesystem, while restricting all execute, write, and create operations.
This only provides some additional early protection for the parent, as the privsep magic(5) parser is already pledged tightly. It might be possible to use pledge instead, but since this process doesn't do much more than opening files and passing descriptors, unveil alone should be enough. Needs the recent unveil(2) commit in -current by Bob Beck. ok?

Index: file.c =================================================================== RCS file: /cvs/src/usr.bin/file/file.c,v retrieving revision 1.66 diff -u -p -u -r1.66 file.c --- usr.bin/file/file.c 15 Jan 2018 19:45:51 -0000 1.66 +++ usr.bin/file/file.c 3 Jan 2019 23:07:41 -0000 @@ -168,6 +168,11 @@ main(int argc, char **argv) } else if (argc == 0) usage(); + if (unveil("/", "r") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + magicfp = NULL; if (geteuid() != 0 && !issetugid()) { home = getenv("HOME");
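Review bot: the rationale for the broad unveil("/", "r") lives only in the mail, not in the code; a one-line comment above the first unveil call saying that argv cannot be walked, so the whole filesystem is exposed read-only and every other permission is dropped, would help the next reader who wonders why it is not per-path. Since unveil(NULL, NULL) locks the view before the ~/.magic lookup that follows (home = getenv("HOME")) and before the system magic file is opened, it is worth confirming in the commit message that every later path-based operation in the parent is read-only, which is what makes "r" sufficient; the err(1, "unveil") failure handling on both calls is fine.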