[email protected] wrote:
> Currently, if an unveiled process execs another program, it doesn't
> inherit the unveil paths. This means that if the unveiled process
> hasn't pledged itself out of the exec syscall and it has a suitable
> binary inside of its paths, it can trivially bypass unveil. Here's a
> short PoC: https://gist.github.com/dzwdz/d65917e52cbf68262fc7216b9f963a91
>
> It isn't mentioned in the man pages; the only mention of that behavior
> is in an obscure comment deep in kern_exec.c. I wasn't able to find any
> rationale behind the decision to make it this way either. Is there one?
>
> If there isn't - what about changing the kernel so unveiled paths persist
> between execs? That would allow very easy container-like sandboxing.
If it is a shared executable, you would need to encode access to ld.so and all the library environment, and additional strange things used during libc initialization for various subsystems. That would require hard-coding a large number of additional paths into the caller. How would that actually work in practice?
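The defensive pattern the report relies on, pledging the process out of exec once unveil has been locked, as an added C example that is not part of this thread. It is OpenBSD-only (unveil(2) and pledge(2) exist only there; on other systems the sandbox calls are compiled out and the function just reports ENOSYS), and the paths /tmp and /tmp/helper are constructed placeholders.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Promise set without "exec". The "error" promise makes a violation return
 * ENOSYS instead of killing the process, so the caller can observe it. */
#define PROMISES_NO_EXEC "stdio rpath error"

/* Pure string check, usable anywhere: does this promise string contain the
 * whole word "exec" (so execve() would be permitted after pledge())? */
int promises_allow_exec(const char *promises)
{
    const char *p = promises;
    while ((p = strstr(p, "exec")) != NULL) {
        int start_ok = (p == promises) || (p[-1] == ' ');
        int end_ok = (p[4] == '\0') || (p[4] == ' ');
        if (start_ok && end_ok)
            return 1;
        p += 4;
    }
    return 0;
}

/* Restrict the filesystem view to `dir`, lock the unveil list, drop the exec
 * promise, then try to run `prog`. Returns the errno of the failing step; on
 * OpenBSD that is ENOSYS from execve(), because pledge rejects the syscall
 * before any path lookup, so a binary inside the unveiled tree can never be
 * started with a fresh, unrestricted view. */
int sandbox_then_exec(const char *dir, const char *prog)
{
#ifdef __OpenBSD__
    if (unveil(dir, "r") == -1)
        return errno;
    if (unveil(NULL, NULL) == -1)          /* no further unveil() calls */
        return errno;
    if (pledge(PROMISES_NO_EXEC, NULL) == -1)
        return errno;
    execl(prog, prog, (char *)NULL);       /* denied: no "exec" promise */
    return errno;
#else
    (void)dir; (void)prog;
    return ENOSYS;                         /* unveil/pledge unavailable */
#endif
}

int main(void)
{
    int err = sandbox_then_exec("/tmp", "/tmp/helper"); /* constructed */
    printf("exec after dropping the exec promise: %s\n", strerror(err));
    return 0;
}
```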
