Remi Locherer <[email protected]> wrote:

> On Fri, Oct 26, 2018 at 10:19:01AM -0600, Theo de Raadt wrote:
> > Remi Locherer <[email protected]> wrote:
> > 
> > > On Fri, Oct 26, 2018 at 06:01:40PM +0200, Florian Obser wrote:
> > > > This breaks usage of the "include" keyword. Something that all the 
> > > > parse.y daemons support.
> > > > 
> > > 
> > > Oh, of course!
> > > 
> > > I guess this is similar to unveil files based on a list of command line 
> > > args.
> > 
> > correct.
> > 
> > Now that unveil is used in the tree, there are 3 types of programs
> > 
> >   1) they use unveil
> >   2) they use pledge, heading close towards "stdio" without a "*path"
> >   3) they access arbitrary files based upon argv
> > 
> > this is (3), except not argv, it's nested inside the config file
> > 
> > Well there are maybe 20 programs beyond that which aren't converted yet,
> > but things are looking pretty good.
> > 
> 
> Since ospfd is not supposed to write or execute files we could make the
> file system read only (with the exception of the control socket).

Indeed -- isn't unveil a funny system?
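The sequence Remi proposes, as an added example that is not ospfd's own code: the whole tree becomes read-only (so config "include" files need no per-file rules), only the control socket stays writable and creatable, and the final unveil(NULL, NULL) locks the view. The socket path is a placeholder, and calling this before the socket is bound is an assumption; on non-OpenBSD systems the calls are only recorded so the ordering can be inspected.

```c
/* Added example, not ospfd's code. Real unveil(2) on OpenBSD; elsewhere
 * the rules are only recorded so the order can be checked offline. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_RULES 8
struct rule { const char *path; const char *perms; };
static struct rule applied[MAX_RULES];
static int napplied;

/* Record the rule, then enforce it where the kernel supports unveil(2). */
static int add_unveil(const char *path, const char *perms)
{
    if (napplied >= MAX_RULES)
        return -1;
    applied[napplied].path = path;
    applied[napplied].perms = perms;
    napplied++;
#ifdef __OpenBSD__
    return unveil(path, perms);
#else
    return 0;               /* portability stub: no enforcement here */
#endif
}

/* Read-only view of "/", read/write/create on the control socket only,
 * then lock so no later unveil() can widen access. Returns 0 or -1. */
int restrict_fs(const char *sockpath)
{
    napplied = 0;
    if (add_unveil("/", "r") == -1)
        return -1;
    if (add_unveil(sockpath, "rwc") == -1)
        return -1;
    return add_unveil(NULL, NULL);   /* lock: no further unveil() allowed */
}

int main(void)
{
    /* placeholder socket path, not ospfd's real one */
    if (restrict_fs("/var/run/example.sock") == -1)
        return 1;
    for (int i = 0; i < napplied; i++)
        printf("unveil(%s, %s)\n",
            applied[i].path ? applied[i].path : "NULL",
            applied[i].perms ? applied[i].perms : "NULL");
    return 0;
}
```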
