On Tue, Jun 15, 2021 at 11:21:03AM +0000, [email protected] wrote:
> > "Theo de Raadt" <[email protected]> wrote:
> > Have you found anything which implies that unveil persists?
> I haven't found anything which implies that unveil doesn't persist either.
> Do you think that the documentation should keep developers guessing?
> 
> > unveil and pledge exist for a process to *PROTECT AGAINST ITS OWN
> > MISBEHAVIOUR*.
> > 
> > If you use "exec", you have intentionally and visibly opened an escape
> > hatch to run other programs, which are EXPECTED to self-protect against
> > their own misbehaviour.
> Yet, the documentation doesn't warn about it. It's an easy mistake to make.
> Let's say that I want to write a program that is unable to write to the
> filesystem, so I put this in main():
>       unveil("/", "rx");
>       unveil(NULL, NULL);
> Obviously, an attacker could easily bypass this with exec. How was I
> supposed to know that, if not from the docs?

Why did you add "rx" for a read-only program?
Also you should use unveil together with pledge and then you need to have
the proc and exec pledge to fork and execute a new process.

The unveil docs are a bit vague about behaviour on fork and exec. This is
somewhat on purpose since unveil behaviour is not fully set in stone yet.
Initially the goal was to keep unveils on exec but it turned out that it
is not feasible. Maybe we can now document the exec behaviour since we
will probably not change it again.

-- 
:wq Claudio
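
The hardening pattern discussed in the thread, written out as an added example (not code from the thread or from OpenBSD itself): unveil is paired with pledge, the pledge promises omit "proc" and "exec" so the exec escape hatch is closed, and a read-only program asks for "r" rather than "rx". The stubs for non-OpenBSD systems exist only so the file compiles elsewhere and give no protection there; `sandbox_readonly` and `promises_allow_exec` are hypothetical helper names.

```c
/* Added example: sandbox a read-only program on OpenBSD.
 * unveil(2) restrictions do not survive exec(2), so they are combined with
 * pledge(2), whose promise set deliberately lacks "proc" and "exec": any
 * fork/exec attempt then kills the process instead of escaping the sandbox. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* declares pledge(2) and unveil(2) on OpenBSD */

#ifndef __OpenBSD__
/* Stubs so the file compiles on other systems; they enforce nothing. */
static int unveil(const char *p, const char *perm) { (void)p; (void)perm; return 0; }
static int pledge(const char *pr, const char *ex)  { (void)pr; (void)ex;  return 0; }
#endif

/* Audit helper (hypothetical): 1 if a promise string re-opens the escape
 * hatch by granting fork ("proc") or exec ("exec"), 0 otherwise. */
int promises_allow_exec(const char *promises)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", promises);
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " "))
        if (strcmp(tok, "proc") == 0 || strcmp(tok, "exec") == 0)
            return 1;
    return 0;
}

/* Restrict the process to reading files under root; returns 0 on success. */
int sandbox_readonly(const char *root)
{
    const char *promises = "stdio rpath";       /* no "proc", no "exec" */

    if (promises_allow_exec(promises))          /* guard against a later edit */
        return -1;
    if (unveil(root, "r") == -1)                /* "r", not "rx": read only */
        return -1;
    if (unveil(NULL, NULL) == -1)               /* lock the unveil view */
        return -1;
    if (pledge(promises, NULL) == -1)           /* exec now aborts the process */
        return -1;
    return 0;
}

int main(void)
{
    if (sandbox_readonly("/") == -1) {
        perror("sandbox_readonly");
        return 1;
    }
    puts("sandboxed: read-only, no fork/exec");
    return 0;
}
```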
