pledge/unveil for harec?
On 2024/07/18 05:27, Theo de Raadt wrote:
> This is not right.
>
> Only a maximum number of unveil's are allowed, before it starts returning
> E2BIG. That amount is not a public #define, to discourage what you are
> doing.
>
> You are trying to shove an unbounded number of them into the kernel, based
> upon getenv and argv.
>
> When you run out, and will exit with error. That's not very nice is it?
>
I think the place where unveil really gives the most benefit is for
software which needs both network and filesystem access in the same
process. Much of the protection that Lorenz is looking for would come
from pledge without needing to consider unveil.

The set of library functions used is pretty small, so it should be easy
enough to reason about adding pledge.

$ nm -s /usr/local/bin/harec | awk '/^ *U / { print $2 }' | column
__assert2     atexit    fseek    memset          strerror
__errno       bsearch   fstat    open_memstream  strlen
__isinf       calloc    getenv   optarg          strncmp
__isinff      exit      getline  optind          strtod
__isinfl      fclose    getopt   perror          strtoul
__isnan       feof      isalnum  qsort           strtoumax
__isnanf      fgetc     isalpha  realloc         vfprintf
__isnanl      fileno    isatty   snprintf        vsnprintf
__isthreaded  fmemopen  isdigit  stat
__sF          fopen     isprint  strchr
_csu_finish   fread     memcmp   strcmp
abort         free      memcpy   strdup