From: Stuart Henderson
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: Jay Acuna, Ted Unangst, Theo de Raadt, Jesper Wallin, tech@openbsd.org
Date: Wed, 30 Apr 2025 14:43:44 +0100

On 2025/04/30 06:22, Crystal Kolipe wrote:
> On Wed, Apr 30, 2025 at 09:33:11AM +0100, Stuart Henderson wrote:
> > as described in unveil(2), the first call to unveil hides all filesystem
> > access apart from the listed file or directory subtree.
> >
> > subsequent calls open up ("unveil") access to other files/dirs, this is
> > repeated until all wanted dirs are "unveiled", the list is then locked.
> >
> > the mechanism doesn't allow "permit /foo but deny /foo/bar".
>
> Regarding unveil, (rather than the specific application to firefox and
> ssh-agent sockets), surely you can achieve what you are saying by applying
> stricter permissions to /foo/bar after having unveiled /foo?

hmm, ok it does look like that's the case. it doesn't reliably help with
ssh-agent sockets though, because the path of those is random.
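
Added example, not part of the thread: a C program for OpenBSD that exercises the behaviour discussed above, reading "stricter permissions" as a second unveil(2) call on the subdirectory with an empty permission string (an assumption about what was meant). The temporary directory and file names are constructed, and `unveil_demo` and `HAVE_UNVEIL` are names made up for this example; on systems without unveil(2) the function only reports ENOSYS.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifdef __OpenBSD__
#define HAVE_UNVEIL 1

/* Return 1 if path can be opened read-only, 0 otherwise. */
static int can_read(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return 0;
    close(fd);
    return 1;
}

/* Create an empty file; 0 on success, -1 on failure. */
static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    return fd == -1 ? -1 : close(fd);
}
#else
#define HAVE_UNVEIL 0
#endif

/* 0: observed access matches the thread; 1: it does not; -1: setup error. */
int unveil_demo(void)
{
#if HAVE_UNVEIL
    char foo[] = "/tmp/unveil-demo.XXXXXX";   /* stands in for /foo */
    char ok[64], bar[64], hidden[64];
    if (mkdtemp(foo) == NULL) return -1;
    snprintf(ok, sizeof ok, "%s/ok", foo);
    snprintf(bar, sizeof bar, "%s/bar", foo); /* stands in for /foo/bar */
    snprintf(hidden, sizeof hidden, "%s/bar/hidden", foo);
    if (mkdir(bar, 0700) || touch(ok) || touch(hidden)) return -1;
    if (unveil(foo, "r") == -1) return -1;    /* first call hides everything else */
    if (unveil(bar, "") == -1) return -1;     /* narrower entry, no permissions */
    if (unveil(NULL, NULL) == -1) return -1;  /* lock the list */
    return (can_read(ok) && !can_read(hidden) && !can_read("/etc/passwd")) ? 0 : 1;
#else
    errno = ENOSYS;                           /* no unveil(2) on this system */
    return -1;
#endif
}
```

The narrower entry has to name its path when unveil(2) is called, which is why the reply notes it does not reliably cover an ssh-agent socket whose path is random.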