On 2026/03/12 11:14, Theo de Raadt wrote: > > > Unveil config would be easier to work with if the file contents were > > _in addition_ to a compiled-in default. i.e. the binary already has what > > it knows is needed and you can open up some additional files/dirs if > > necessary. > > What do you mean "if" and "_in addition_". > > Because that is exactly how unveil works. More refined paths always create > enclaves inside enclaves, with the new permissions. If the paths as > previously specified paths, it replaces the previously specified path. > > I really don't see any reason to have these files user visible or editable.
There are files/paths which are required by the software itself (which can be compiled-in), and those required by the user or user's sysadmin. The person compiling the package can't know that the user might need to use a browser to attach files in /some/nfsserver/docs via webmail, for example.
