dz...@disroot.org wrote:

> > If you use "exec", you have intentionally and visibly opened an escape
> > hatch to run other programs, which are EXPECTED to self-protect against
> > their own misbehaviour.
> Yet, the documentation doesn't warn about it. It's an easy mistake to make.
> Let's say that I want to write a program that is unable to write to the
> filesystem, so I put this in main():
>       unveil("/", "rx");
>       unveil(NULL, NULL);
> Obviously, an attacker could easily bypass this with exec. How was I
> supposed to know that, if not from the docs?

your example is so incredibly vague.

you have a program which does these unveils, and allows exec of any
binary in the system.

"attacker"?

Seems to be working as intended.  You are letting someone run all binaries.

Or is it your expectation that all binaries should crash when they
cannot start ld.so or load libc?

I'd say the problem is whoever wrote this unrealistic 2-liner code
example, oh wait, that is you.
