Hi,
I have a program with an unexpected unveil violation.
I put the whole / read-only, and then a few programs executable (the
purpose is to restrict the executable files to only a small set).
The directory containing the executable is not visible anymore.
$ cat test.c
#include <sys/stat.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
	struct stat sb;

	if (unveil("/", "r") == -1)
		err(EXIT_FAILURE, "unveil: /");
	if (unveil("/usr/bin/id", "rx") == -1)
		err(EXIT_FAILURE, "unveil: /usr/bin/id");
	if (unveil(NULL, NULL) == -1)
		err(EXIT_FAILURE, "unveil");
	if (stat("/usr/bin", &sb) == -1)
		err(EXIT_FAILURE, "stat: /usr/bin");
	return EXIT_SUCCESS;
}
$ cc -Wall test.c
$ ./a.out
a.out: stat: /usr/bin: No such file or directory
If I explicitly add `unveil("/usr/bin", "r")`, it is working as expected.
The order of unveil("/") and unveil("/usr/bin/id") doesn't change the
problem. unveil(NULL, NULL) isn't required for reproducing.
Thanks.
--
Sebastien Marie