On Sun, Sep 08, 2019 at 11:30:52AM -0500, joshua stein wrote:
> While fixing pledge for Firefox, I looked at adding unveil support 
> to limit those big rpath/wpath/cpath pledges that each process still 
> has.
> 
> I also learned that the GPU process never got a pledge because 
> Firefox doesn't do their internal sandboxing for it on any 
> non-Windows platform.  This adds a pledge for that process as well, 
> though it's not as small as one might hope.
>
Hi,

Thanks for working on this,

imho, it would be great if the unveil paths could obey
the XDG_{CACHE,CONFIG,DATA}_HOME variables.

On machines with NFS shared /home, I use those to keep the crap
in XDG_CACHE_HOME out of NFS and on some machines to keep a
separate configuration.

-- 
Matthieu Herrb
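
An added example, not part of this thread or of the Firefox patch: one way to resolve the XDG_{CACHE,CONFIG,DATA}_HOME directories before passing them to unveil(2). The function names and the "rwc" permissions are assumptions for illustration; outside OpenBSD the unveil call is replaced by a print so the resolution logic can be run anywhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>
#endif

/*
 * Resolve an XDG base directory into buf (hypothetical helper).
 * The XDG Base Directory spec requires an absolute path: an unset,
 * empty or relative value is ignored and $HOME/<fallback> is used.
 * Returns 0 on success, -1 if no usable path exists or buf is too small.
 */
int
xdg_dir(const char *var, const char *fallback, char *buf, size_t len)
{
	const char *v = getenv(var);
	const char *home = getenv("HOME");
	int n;

	if (v != NULL && v[0] == '/')
		n = snprintf(buf, len, "%s", v);
	else if (home != NULL && home[0] == '/')
		n = snprintf(buf, len, "%s/%s", home, fallback);
	else
		return -1;
	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Unveil the three XDG trees; the permission strings are illustrative. */
int
unveil_xdg(void)
{
	static const char *dirs[][2] = {
		{ "XDG_CACHE_HOME",  ".cache" },
		{ "XDG_CONFIG_HOME", ".config" },
		{ "XDG_DATA_HOME",   ".local/share" },
	};
	char path[1024];
	size_t i;

	for (i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
		if (xdg_dir(dirs[i][0], dirs[i][1], path, sizeof(path)) == -1)
			return -1;
#ifdef __OpenBSD__
		if (unveil(path, "rwc") == -1)	/* ENOENT if a parent dir is missing */
			return -1;
#else
		printf("unveil(\"%s\", \"rwc\")\n", path);
#endif
	}
	return 0;
}
```

Ignoring relative values matters here because a relative path handed to unveil would be resolved against the current working directory rather than a fixed location.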
