Lacking a proper problem description, here is a simpler program to
demonstrate the following issue:
I want the entire tree read-only, except for one file being writable
as well.
No matter in which order / and the exceptional file are unveiled, any
attempt to access files or directories in the same directory as the
writable file will fail.
Here /dev/null is used as an example of the read-writable file, while
an attempt is made to open /dev/zero for reading.
Calling `unveil("/dev/null", "rw")' before `unveil("/", "r")' does not
change the outcome.
$ cat poc.c
#include <err.h>
#include <fcntl.h>
#include <unistd.h>
int
main(void)
{
	int fd;

	/* whole tree read-only, one file read-write */
	if (unveil("/", "r") == -1 ||
	    unveil("/dev/null", "rw") == -1 ||
	    unveil(NULL, NULL) == -1)
		err(1, "unveil");
	/* read-only access to a sibling of the rw file */
	if ((fd = open("/dev/zero", O_RDONLY)) == -1)
		err(1, "open");
	return close(fd);
}
$ cc poc.c
$ ./a.out
a.out: open: No such file or directory