From: Crystal Kolipe
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: Jay Acuna, Ted Unangst, Theo de Raadt, Jesper Wallin, tech@openbsd.org
Date: Wed, 30 Apr 2025 06:22:31 -0300

On Wed, Apr 30, 2025 at 09:33:11AM +0100, Stuart Henderson wrote:
> as described in unveil(2), the first call to unveil hides all filesystem
> access apart from the listed file or directory subtree.
>
> subsequent calls open up ("unveil") access to other files/dirs, this is
> repeated until all wanted dirs are "unveiled", the list is then locked.
>
> the mechanism doesn't allow "permit /foo but deny /foo/bar".

Regarding unveil (rather than the specific application to firefox and ssh-agent
sockets), surely you can achieve what you are saying by applying stricter
permissions to /foo/bar after having unveiled /foo? Or is this not what you
are trying to do?

#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

int main(void)
{
        int fd;
        int res;

        /* Set up a directory tree with one file at each level. */
        mkdir("foo", 0755);
        mkdir("foo/bar", 0755);

        fd = open("foo/test_1", O_RDWR | O_CREAT, 0644);
        write(fd, "DATA", 4);
        close(fd);

        fd = open("foo/bar/test_1", O_RDWR | O_CREAT, 0644);
        write(fd, "DATA", 4);
        close(fd);

        /* Unveil foo with read/write/create, then foo/bar with no permissions. */
        res = unveil("foo", "rwc");
        printf("%d\n", res);
        res = unveil("foo/bar", "");
        printf("%d\n", res);

        /* Try to create a new file at each level. */
        fd = open("foo/test_2", O_RDWR | O_CREAT, 0644);
        write(fd, "DATA", 4);
        close(fd);

        fd = open("foo/bar/test_2", O_RDWR | O_CREAT, 0644);
        write(fd, "DATA", 4);
        close(fd);

        /* Try to open existing files for reading; -1 means the open was denied. */
        fd = open("foo/test_1", O_RDONLY);
        printf("%d\n", fd);
        close(fd);

        fd = open("foo/bar/test_2", O_RDONLY);
        printf("%d\n", fd);
        close(fd);

        return 0;
}