fix calendar -a
On 2026/03/16 11:01, Theo de Raadt wrote:
> Stuart Henderson <stu@spacehopper.org> wrote:
>
> > On 2026/03/16 10:45, Theo de Raadt wrote:
> > > I doubt you need "rx".
> > >
> > > Does "x" not work?
> >
> > it does, but / is already unveiled 'r' so using just 'x' for those
> > doesn't seem any better?
>
> Whoa, I am hearing a big misunderstanding.
>
> Unveil creates a series of nested enclaves.
>
> The permissions from a higher level are IRRELEVANT in a nested enclave.
>
> If you do
>
> unveil("/", "r");
> unveil("/bin/ksh", "x");
>
> That does not allow you to read /bin/ksh.
>
Index: calendar.c
===================================================================
RCS file: /cvs/src/usr.bin/calendar/calendar.c,v
diff -u -p -r1.41 calendar.c
--- calendar.c 16 Mar 2026 16:58:03 -0000 1.41
+++ calendar.c 16 Mar 2026 17:05:49 -0000
@@ -130,12 +130,12 @@ main(int argc, char *argv[])
err(1, "unveil /tmp");
if (unveil("/dev/null", "rw") == -1)
err(1, "unveil /dev/null");
- if (unveil(_PATH_SENDMAIL, "rx") == -1)
- err(1, "unveil " _PATH_SENDMAIL);
- if (unveil(_PATH_CPP, "rx") == -1)
- err(1, "unveil " _PATH_CPP);
if (unveil("/", "r") == -1)
err(1, "unveil /");
+ if (unveil(_PATH_SENDMAIL, "x") == -1)
+ err(1, "unveil " _PATH_SENDMAIL);
+ if (unveil(_PATH_CPP, "x") == -1)
+ err(1, "unveil " _PATH_CPP);
if (pledge("stdio rpath wpath cpath fattr getpw id proc exec",
NULL) == -1)
err(1, "pledge");
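Review bot: the hunk changes two things at once, the permission string for _PATH_SENDMAIL and _PATH_CPP ("rx" to "x") and the position of those two unveil calls, which now come after unveil("/", "r") instead of before it, but the quoted discussion only motivates the first. Either say in the commit text why the calls had to move below the "/" unveil, or leave them where they were and change only the string, e.g. keep `if (unveil(_PATH_SENDMAIL, "x") == -1)` on the line where the "rx" version was, so the diff is the minimal fix.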
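To make the quoted point about nested enclaves concrete, here is an added example that is not code from this thread or from OpenBSD: a small C model of the unveil(2) lookup rule, with `struct veil`, `covers()` and `veil_allows()` as assumed names, evaluated on the two calls Theo gives. It reports 0 for reading /bin/ksh but 1 for executing it, and 1 for reading a sibling such as /bin/ls that only the "/" entry covers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the unveil(2) lookup rule (not OpenBSD kernel
 * code): each unveiled path is an enclave; a lookup consults only the
 * most specific unveiled path covering the target and does not inherit
 * permissions from enclosing paths such as "/". */
struct veil { const char *path; const char *perms; };	/* perms: subset of "rwxc" */

/* 1 if prefix covers path on a component boundary, else 0. */
static int
covers(const char *prefix, const char *path)
{
	size_t n = strlen(prefix);
	if (strcmp(prefix, "/") == 0)
		return path[0] == '/';
	if (strncmp(prefix, path, n) != 0)
		return 0;
	return path[n] == '\0' || path[n] == '/';
}

/* 1 if 'want' (one of r, w, x, c) on path is permitted by the unveil
 * set v[0..nv-1]; 0 if denied or if nothing covers path at all. */
int
veil_allows(const struct veil *v, size_t nv, const char *path, char want)
{
	const struct veil *best = NULL;

	for (size_t i = 0; i < nv; i++)
		if (covers(v[i].path, path) &&
		    (best == NULL || strlen(v[i].path) > strlen(best->path)))
			best = &v[i];
	if (best == NULL)
		return 0;
	return strchr(best->perms, want) != NULL;
}

/* The two calls from the quoted message, as a constructed table. */
const struct veil thread_veils[] = { { "/", "r" }, { "/bin/ksh", "x" } };
const size_t n_thread_veils = sizeof(thread_veils) / sizeof(thread_veils[0]);

int
main(void)
{
	const char *f = "/bin/ksh";
	printf("read %s: %d\n", f, veil_allows(thread_veils, n_thread_veils, f, 'r'));
	printf("exec %s: %d\n", f, veil_allows(thread_veils, n_thread_veils, f, 'x'));
	return 0;
}
```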