From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: watch(1) - periodically execute a command and display its output
Cc: Job Snijders <job@openbsd.org>, tech@cvs.openbsd.org
Date: Mon, 19 May 2025 19:04:16 -0600

Theo de Raadt <deraadt@openbsd.org> wrote:

> This use of pledge "unveil" and unveil() is very ineffective.
> 
> There is no point in doing
> 
> fork + unveil + execve
>               ^
>               |
>   apparently a patch access bug happens here?

                 (path)
 
> Implausible.  These unveils are either too late, or not serving any purpose.
> 
> I believe cmdv[0] and _PATH_BSHELL are known a very long time earlier in
> the program, and that is where unveil would get called.
>