Sebastien Marie wrote:
> On Thu, Sep 17, 2020 at 06:51:51PM +0200, Stefan Hagen wrote:
> > Sebastien Marie wrote:
> > > The following diff is a backport of
> > > https://github.com/luakit/luakit/commit/4b22c18d5eb5594136091b7b615dc8f9ded0e32f
> > > commit in order to avoid using rm(1) process to remove a file, but use
> > > os.remove() lua function.
> > >
> > > It permits me to remove a spawn call whereas I am looking to
> > > properly unveil(2) luakit process.
> > >
> > > Comments or OK ?
> >
> > Looks good. OK from my side.
> > Do you have an unveiled version already?
>
> yes :-)
>
> I am using/experimenting with the following (see attached files):
>
> - unveil.lua : it unveils the luakit process.
>   currently, it is mostly used for removing execve(2) capability.
>
> - unveil_wm.lua : it unveils the WebKitProcess (content process)
>   the filesystem is readonly except drm devices and /tmp
>
>   with lariza (another webkit based browser), WebKitProcess needs to
>   execve(2) "lpr" to print. here, I haven't tested it for now so it
>   is still commented.
>
> - openbsd.c : lua module for unveil(2) (and pledge(2)) binding

I like this. Especially that it's an extension that can be loaded at
will. Feel free to send it upstream once it's properly tested.

All we would need in the port then is a little sed that puts the
require "unveil" in place. Or some uname check in lua...

Thank you!
Stefan
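
The kind of policy described for the content process (read-only filesystem, writable drm devices and /tmp, no execve(2)) can be expressed directly against unveil(2). The following is an added example, not the attached unveil_wm.lua or openbsd.c; the paths, permission strings, `apply_policy` and `uv_record` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef __OpenBSD__
#include <unistd.h>                     /* unveil(2) */
#endif

/* One unveil(2) rule: a path and its permission string (r, w, x, c). */
struct uv_rule { const char *path; const char *perms; };
typedef int (*uv_fn)(const char *, const char *);

/* Constructed policy: read-only tree, writable only for drm devices and
 * /tmp. Paths and permission strings are assumptions, not unveil_wm.lua.
 * No rule carries "x", so execve(2) has nothing it may execute. */
const struct uv_rule content_policy[] = {
    { "/",        "r"   },
    { "/dev/dri", "rw"  },
    { "/tmp",     "rwc" },
};
#define N_RULES (sizeof(content_policy) / sizeof(content_policy[0]))

/* Apply each rule, then lock with unveil(NULL, NULL). Returns the number of
 * rules applied, or -1 at the first failure; the lock is not taken then, so
 * the caller should exit instead of running partly confined. */
int apply_policy(const struct uv_rule *rules, size_t n, uv_fn uv)
{
    for (size_t i = 0; i < n; i++)
        if (uv(rules[i].path, rules[i].perms) == -1)
            return -1;
    return uv(NULL, NULL) == -1 ? -1 : (int)n;
}

/* Stand-in for systems without unveil(2): counts calls, notes the lock,
 * and rejects an empty path so the failure branch can be exercised. */
int uv_calls, uv_locked;
int uv_record(const char *path, const char *perms)
{
    uv_calls++;
    if (path == NULL && perms == NULL) { uv_locked = 1; return 0; }
    return (path == NULL || path[0] == '\0') ? -1 : 0;
}

int main(void)
{
#ifdef __OpenBSD__
    return apply_policy(content_policy, N_RULES, unveil) == -1;
#else
    return apply_policy(content_policy, N_RULES, uv_record) == -1;
#endif
}
```

The final `unveil(NULL, NULL)` call is what prevents later code in the process from widening the view; without it the rules can still be extended.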