Move the ssh-agent socket from /tmp to $HOME/.ssh/
Theo de Raadt wrote:
> Are we missing a pledge behaviour that would block opening of
> AF_UNIX sockets?
>
> Or is gaining access to other AF_UNIX sockets the main reason why
> the browsers are accessing /tmp?
>
> And of course, the problem with such a pledge is that it would affect
> everywhere in the filesystem. But maybe there is some restriction we can
> impose which blocks this.

I was curious about this and tried adjusting unveil settings for /tmp. Sure enough, Firefox won't start.

This might be a huge pain, but what comes to mind is an "exclusive" mode for unveil that would limit access to files created by the process and its subprocesses. I imagine this would require some kind of filesystem metadata about which process wrote the file, to control access from there. This would work best for temporary cache situations, perhaps like Firefox's shm issue.

Another option might be a remapping feature, where unveil would expose, say, ~/.tmp.firefox.pid as /tmp to the process. I have no idea what that would entail.

Of course, if Firefox could play nicely and just store its cache in, say, ~/.cache/firefox, that would be easier than either of these ideas.

-Henrich