On Tue, Jun 26, 2018 at 7:05 PM Edgar Pettijohn III <ed...@pettijohn-web.com> wrote:
>
> On 06/26/18 13:50, Raul Miller wrote:
> > Personally, I can't totally figure out what this policy would be.
> >
> > My current best approximation is: there's a period of time when
> > pkg_add and syspatch are running and that is a time when writes are
> > allowed, other than that, not.
> >
> > I could maybe rig up something more complicated using inherited
> > cryptographic tokens but the potential special cases wind up with
> > approximately the same effect.
> >
>
> You could mount everything ro and have a wrapper script around pkg_add
> that remounts it rw and when it's done remount it ro. Of course other
> processes would then be able to write as well. Seems like you would need
> a new system call or some such mechanism to truly accomplish what you want.
>

http://man.openbsd.org/unveil.2 🎉

--
Knowing is not enough; we must apply. Willing is not enough; we must do
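
The wrapper approach quoted above, sketched as an added example that is not code from anyone in this thread: it remounts the listed filesystems read-write, runs pkg_add, and always remounts read-only afterwards, including when pkg_add fails or is interrupted. The function names and the `FILESYSTEMS` and `DRY_RUN` variables are assumptions made for this sketch; the window in which other processes can also write, as noted in the quoted reply, remains.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: FILESYSTEMS, DRY_RUN,
# run, remount, guarded_pkg_add. Uses OpenBSD mount(8) flags -u (update),
# -w (read-write) and -r (read-only).

FILESYSTEMS="${FILESYSTEMS:-/usr/local}"   # space-separated mount points (assumed)
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# remount w|r : switch every listed filesystem to read-write or read-only.
remount() {
    for fs in $FILESYSTEMS; do
        run mount "-u$1" "$fs" || return 1
    done
}

guarded_pkg_add() {
    status=0
    # Re-lock the filesystems even if the install is interrupted.
    trap 'remount r; exit 130' INT TERM
    remount w || status=$?
    if [ "$status" -eq 0 ]; then
        run pkg_add "$@" || status=$?
    fi
    # Always attempt the read-only remount; this can fail if another
    # process still holds a file open for writing.
    remount r || status=$?
    trap - INT TERM
    return "$status"
}

# Act as a wrapper only when arguments are given.
if [ "$#" -gt 0 ]; then
    guarded_pkg_add "$@"
fi
```

Run with `DRY_RUN=0` as root to apply the remounts; the default only prints the commands it would execute.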