Stuart Henderson <stu@spacehopper.org> wrote:

> On 2026/03/16 10:45, Theo de Raadt wrote:
> > I doubt you need "rx".
> > 
> > Does "x" not work?
> 
> it does, but / is already unveiled 'r' so using just 'x' for those
> doesn't seem any better?

Whoa, I am hearing a big misunderstanding.

Unveil creates a series of nested enclaves.

The permissions from a higher level are IRRELEVANT in a nested enclave.

If you do

   unveil("/", "r");
   unveil("/bin/ksh", "x);

That does not allow you read /bin/ksh.