Matthieu Herrb <matth...@openbsd.org> wrote:
> On Sun, Sep 08, 2019 at 11:30:52AM -0500, joshua stein wrote:
> > While fixing pledge for Firefox, I looked at adding unveil support
> > to limit those big rpath/wpath/cpath pledges that each process still
> > has.
> >
> > I also learned that the GPU process never got a pledge because
> > Firefox doesn't do their internal sandboxing for it on any
> > non-Windows platform. This adds a pledge for that process as well,
> > though it's not as small as one might hope.
> >
>
> Hi,
>
> Thanks for working on this,
>
> imho, it would be great if the unveil paths could obey
> the XDG_{CACHE,CONFIG,DATA}_HOME variables.
>
> On machines with NFS shared /home, I use those to keep the crap
> in XDG_CACHE_HOME out of NFS and on some machines to keep a
> separate configuration.

Do be careful, I believe you are getting close to the number of vnodes unveil will hold. We could always increase it a little bit. Also take note, I think pre-execve vnodes can also be loaded and will stick around.... that might be a concern.
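
The request quoted above, as an added example that is not part of the thread or of the Firefox port: a hypothetical helper `xdg_dir()` resolves each XDG base directory before it is unveiled, falling back to the XDG defaults under `$HOME`. The permission strings and the fixed three-entry table are assumptions made for illustration; the unveil(2) calls compile only on OpenBSD.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __OpenBSD__
#include <err.h>
#include <unistd.h>
#endif

/* Use the variable's value when it is an absolute path, else $HOME/<fallback>.
 * Returns 0 on success, -1 if there is no usable path or it would not fit. */
int
xdg_dir(const char *envval, const char *home, const char *fallback,
    char *out, size_t outlen)
{
	int n;

	if (envval != NULL && envval[0] == '/')
		n = snprintf(out, outlen, "%s", envval);
	else if (home != NULL && home[0] == '/')
		n = snprintf(out, outlen, "%s/%s", home, fallback);
	else
		return -1;
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int
main(void)
{
	/* Hypothetical permission sets, constructed for this example. */
	static const struct { const char *var, *fallback, *perms; } dirs[] = {
		{ "XDG_CACHE_HOME",  ".cache",       "rwc" },
		{ "XDG_CONFIG_HOME", ".config",      "r"   },
		{ "XDG_DATA_HOME",   ".local/share", "rwc" },
	};
	char path[1024];
	size_t i;

	for (i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
		if (xdg_dir(getenv(dirs[i].var), getenv("HOME"),
		    dirs[i].fallback, path, sizeof(path)) == -1)
			continue;	/* no usable path: leave it veiled */
		printf("unveil %s %s\n", path, dirs[i].perms);
#ifdef __OpenBSD__
		/* Counts against the per-process limit the reply warns about. */
		if (unveil(path, dirs[i].perms) == -1)
			err(1, "unveil %s", path);
#endif
	}
	return 0;
}
```

A real sandbox would follow the loop with `unveil(NULL, NULL)` so that no further paths can be added.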