
From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: www/ungoogled-chromium: configurable cdm pledges
To: Renato Aguiar <renato@renatoaguiar.net>, ports@openbsd.org, Robert Nagy <robert@openbsd.org>
Date: Thu, 12 Mar 2026 17:49:29 +0000

On 2026/03/12 11:14, Theo de Raadt wrote:
>  
> > Unveil config would be easier to work with if the file contents were
> > _in addition_ to a compiled-in default. i.e. the binary already has what
> > it knows is needed and you can open up some additional files/dirs if
> > necessary.
> 
> What do you mean "if" and "_in addition_".
> 
> Because that is exactly how unveil works.  More refined paths always create
> enclaves inside enclaves, with the new permissions.  If the paths are
> previously specified paths, it replaces the previously specified path.
> 
> I really don't see any reason to have these files user visible or editable.

There are files/paths which are required by the software itself (which
can be compiled-in), and those required by the user or user's sysadmin.

The person compiling the package can't know that the user might need to
use a browser to attach files in /some/nfsserver/docs via webmail, for
example.
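
Added example, not part of the original message or of the port's code: a small user-space model of the layering discussed in this thread, with compiled-in entries applied first and site additions afterwards. It does not call unveil(2); the names `model_unveil`, `model_lookup` and `load_policy` and every path except the one quoted in the message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RULES 16
static struct rule { const char *path, *perms; } rules[MAX_RULES];
static int nrules;

/* Model of the layering described in the thread (not a call to unveil(2)):
 * repeating a path replaces its permissions, a new path gets its own entry. */
static int model_unveil(const char *path, const char *perms)
{
    for (int i = 0; i < nrules; i++)
        if (strcmp(rules[i].path, path) == 0) { rules[i].perms = perms; return 0; }
    if (nrules == MAX_RULES)
        return -1;
    rules[nrules++] = (struct rule){ path, perms };
    return 0;
}

/* The most specific entry covering the file decides; NULL means not visible. */
static const char *model_lookup(const char *file)
{
    const char *best = NULL;
    size_t bestlen = 0;
    for (int i = 0; i < nrules; i++) {
        size_t n = strlen(rules[i].path);
        if (strncmp(file, rules[i].path, n) != 0 || (file[n] != '\0' && file[n] != '/'))
            continue;   /* not under this entry, or only a partial component match */
        if (best == NULL || n > bestlen) { best = rules[i].perms; bestlen = n; }
    }
    return best;
}

/* Compiled-in defaults first, then site additions; every path here is constructed. */
static void load_policy(void)
{
    nrules = 0;
    model_unveil("/usr/local/lib", "r");                /* built-in default */
    model_unveil("/home/user/Downloads", "rwc");        /* built-in default */
    model_unveil("/some/nfsserver/docs", "r");          /* added by the sysadmin */
    model_unveil("/home/user/Downloads/incoming", "r"); /* enclave inside enclave */
}

int main(void)
{
    load_policy();
    const char *p = model_lookup("/some/nfsserver/docs/report.pdf");
    printf("%s\n", p ? p : "(hidden)");
}
```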