Hi, xserver's priv proc is responsible for opening devices in O_RDWR mode and send their fds over to the parent proc. Knowing this then we already have a list of all possible devices that might be opened in the future and we can unveil(2) them by traversing allowed_devices and yes it's a long list, but we won't hit the limit defined by UNVEIL_MAX_VNODES (currently set to 128). But yes, this change might be disputable due to a limitation of vnodes available.
Additionally, by this point we already fork(2)ed so we can drop "proc" promise from pledge(2) and I didn't run into any troubles with both these changes. Comments on either unveil or pledge? OK? Index: privsep.c =================================================================== RCS file: /cvs/xenocara/xserver/os/privsep.c,v retrieving revision 1.29 diff -u -p -u -r1.29 privsep.c --- privsep.c 6 Aug 2018 20:11:34 -0000 1.29 +++ privsep.c 16 Oct 2018 10:51:10 -0000 @@ -274,7 +274,11 @@ priv_init(uid_t uid, gid_t gid) setproctitle("[priv]"); close(socks[1]); - if (pledge("stdio rpath wpath sendfd proc", NULL) == -1) + for (dev = allowed_devices; dev->name != NULL; dev++) { + if (unveil(dev->name, "rw") == -1) + err(1, "unveil"); + } + if (pledge("stdio rpath wpath sendfd", NULL) == -1) err(1, "pledge"); while (1) {