Move the ssh-agent socket from /tmp to $HOME/.ssh/
Stuart Henderson <stu@spacehopper.org> wrote:
> On 2025/04/30 06:22, Crystal Kolipe wrote:
> > On Wed, Apr 30, 2025 at 09:33:11AM +0100, Stuart Henderson wrote:
> > > as described in unveil(2), the first call to unveil hides all filesystem
> > > access apart from the listed file or directory subtree.
> > >
> > > subsequent calls open up ("unveil") access to other files/dirs, this is
> > > repeated until all wanted dirs are "unveiled", the list is then locked.
> > >
> > > the mechanism doesn't allow "permit /foo but deny /foo/bar".
> >
> > Regarding unveil, (rather than the specific application to firefox and
> > ssh-agent sockets), surely you can achieve what you are saying by applying
> > stricter permissions to /foo/bar after having unveiled /foo?
>
> hmm, ok it does look like that's the case.
>
> it doesn't reliably help with ssh-agent sockets though, because the
> path of those is random.
This is increasingly silly.
It's like the idea being proposed is to walk the area of the filesystem,
find all the ones of concern, then block them. Really amazing.