
OpenBSD – unveil(2) usage in base - aomix
https://marc.info/?l=openbsd-tech&m=153262228632102&w=2
======
aomix
OpenBSD's filesystem restriction utility is starting to be implemented in the
base system. This first large commit from Theo de Raadt is intended to give an
example of the intended usage of unveil(2).

~~~
gigatexal
For a noob like me, how does this compare to setting a permission or
ownership bit on a folder?

~~~
aomix
Unveil is programmatic, so the developer can restrict the software to only
perform expected behaviors, like the earlier pledge(2) call OpenBSD introduced
a few versions ago. A piece of software may have far more access to the
filesystem than is needed, so it can be restricted to the handful of
directories or files that it actually needs during execution. And it can
progressively relinquish access as it runs and end up in a state where it
can't access the filesystem at all.
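The pattern described above, as an added example (not code from the thread or from OpenBSD's base system): at startup the program unveils only a config file and a data directory, locks the view so nothing further can be exposed, and after setup drops filesystem access altogether with pledge(2). The paths are hypothetical placeholders; on non-OpenBSD systems a counting stub stands in for the two syscalls so the file compiles but restricts nothing.

```c
#include <stdio.h>
#include <unistd.h>   /* declares unveil(2) and pledge(2) on OpenBSD */

#ifndef __OpenBSD__
/* Stand-in for other systems: same signatures, only counts calls,
 * never restricts anything. On OpenBSD the real syscalls are used. */
static int stub_calls;
static int unveil(const char *path, const char *perms)
{
    (void)path; (void)perms; stub_calls++; return 0;
}
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises; return 0;
}
#endif

/* Stage 1: before touching the filesystem, expose only what is needed.
 * conf and datadir are hypothetical paths supplied by the caller.
 * Returns 0 on success, -1 if any unveil(2) call fails. */
int restrict_fs(const char *conf, const char *datadir)
{
    if (unveil(conf, "r") == -1)       /* config file: read only          */
        return -1;
    if (unveil(datadir, "rwc") == -1)  /* data dir: read, write, create   */
        return -1;
    if (unveil(NULL, NULL) == -1)      /* lock: no further unveil() calls */
        return -1;
    return 0;
}

/* Stage 2: once setup is done, keep only stdio. With no rpath/wpath/cpath
 * promise the process can no longer open anything on the filesystem. */
int drop_fs(void)
{
    return pledge("stdio", NULL);
}

int main(void)
{
    if (restrict_fs("/etc/example.conf", "/var/example") == -1)
        return 1;
    /* ... read config, open data files here ... */
    if (drop_fs() == -1)
        return 1;
    puts("filesystem access relinquished");
    return 0;
}
```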

