>> I am considering replacing all chroot use with unveil in my processes even
>> where no filesystem access is required.
>
> I am discouraging this.
>
> unveil is a complicated mechanism, and we may still discover a bug in
> it.
>
> Almost all the chroot in the tree are to empty unwriteable directories,
> in which case chroot is very secure and a very simple mechanism.

I shall do the same then, thank you for the guidance.
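
An added example, not part of the thread and not code from the tree it refers to: a C check that a directory has the property described above (empty, with no write permission bits) before it is used as a chroot target. The function name `chroot_dir_ok` and its `owner` parameter are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical helper: return 1 if `path` is a directory (not a symlink),
 * owned by `owner`, with no write bit set for anyone, and empty.
 * Return 0 otherwise, including on any error.
 */
int
chroot_dir_ok(const char *path, uid_t owner)
{
	struct stat st;
	struct dirent *de;
	DIR *d;
	int fd, empty = 1;

	/* Open once and inspect the descriptor, so that the object checked
	 * is the object listed; O_NOFOLLOW rejects a symlink at `path`. */
	fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
	if (fd == -1)
		return 0;
	if (fstat(fd, &st) == -1 || st.st_uid != owner ||
	    (st.st_mode & (S_IWUSR | S_IWGRP | S_IWOTH)) != 0) {
		close(fd);
		return 0;
	}
	if ((d = fdopendir(fd)) == NULL) {
		close(fd);
		return 0;
	}
	while ((de = readdir(d)) != NULL) {
		/* Any entry besides "." and ".." stays reachable after chroot. */
		if (strcmp(de->d_name, ".") != 0 &&
		    strcmp(de->d_name, "..") != 0) {
			empty = 0;
			break;
		}
	}
	closedir(d);	/* also closes fd */
	return empty;
}
```

A privileged daemon would call this with `owner` set to 0 just before `chroot(path)` and `chdir("/")`, and refuse to start if it returns 0.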