
From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: Jay Acuna <mysidia@gmail.com>, Ted Unangst <tedu@tedunangst.com>, Theo de Raadt <deraadt@openbsd.org>, Jesper Wallin <jesper@ifconfig.se>, tech@openbsd.org
Date: Wed, 30 Apr 2025 14:43:44 +0100

On 2025/04/30 06:22, Crystal Kolipe wrote:
> On Wed, Apr 30, 2025 at 09:33:11AM +0100, Stuart Henderson wrote:
> > as described in unveil(2), the first call to unveil hides all filesystem
> > access apart from the listed file or directory subtree.
> > 
> > subsequent calls open up ("unveil") access to other files/dirs, this is
> > repeated until all wanted dirs are "unveiled", the list is then locked.
> > 
> > the mechanism doesn't allow "permit /foo but deny /foo/bar".
> 
> Regarding unveil, (rather than the specific application to firefox and
> ssh-agent sockets), surely you can achieve what you are saying by applying
> stricter permissions to /foo/bar after having unveiled /foo?

hmm, ok it does look like that's the case.

it doesn't reliably help with ssh-agent sockets though, because the
path of those is random.
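
Added example, not part of the original message and not OpenBSD code: a small user-space C model of the matching rule this exchange settles on, assuming the deepest unveiled ancestor of a path decides its permissions. The `rule` struct, `covering()`, `allowed()` and every path are constructed for illustration; it shows a narrower `/foo/bar` entry overriding `/foo`, and a randomly named socket directory staying covered by an unveiled `/tmp` because no rule can name it ahead of time.

```c
/* Simplified user-space model of unveil(2) path matching: NOT kernel code.
 * Assumption: the deepest unveiled ancestor of a path decides its permissions. */
#include <stdio.h>
#include <string.h>

struct rule { const char *path; const char *perms; };

/* Return the rule whose path is the longest component-wise prefix of p. */
static const struct rule *covering(const struct rule *r, size_t n, const char *p)
{
    const struct rule *best = NULL;
    size_t bestlen = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(r[i].path);
        /* prefix must end at a component boundary: "/foo" must not cover "/foobar" */
        if (strncmp(p, r[i].path, len) != 0 ||
            (len > 1 && p[len] != '\0' && p[len] != '/'))
            continue;
        if (len >= bestlen) {
            best = &r[i];
            bestlen = len;
        }
    }
    return best;
}

/* 1 if operation op ('r', 'w', 'x' or 'c') is permitted on p, else 0. */
int allowed(const struct rule *r, size_t n, const char *p, char op)
{
    const struct rule *m = covering(r, n, p);
    return m != NULL && strchr(m->perms, op) != NULL;
}

/* Constructed policy, in the order of the unveil() calls discussed in the thread. */
static const struct rule policy[] = {
    { "/foo",     "r"   },  /* unveil("/foo", "r")                     */
    { "/foo/bar", ""    },  /* unveil("/foo/bar", ""): stricter subdir */
    { "/tmp",     "rwc" },  /* unveil("/tmp", "rwc")                   */
};
#define NPOLICY (sizeof(policy) / sizeof(policy[0]))

int main(void)
{
    const char *paths[] = { "/foo/a", "/foo/bar/secret", "/foobar", /* constructed */
                            "/tmp/ssh-XXXXXXXXXX/agent.1234" };
    for (size_t i = 0; i < 4; i++)
        printf("%-32s read=%d\n", paths[i], allowed(policy, NPOLICY, paths[i], 'r'));
    return 0;
}
```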