From b7996f0bbcaa0720d74f718d16fef7312006fea3 Mon Sep 17 00:00:00 2001 From: beck Date: Mon, 30 Jul 2018 00:30:15 +0000 Subject: [PATCH] document the current limitation (we don't yet find an above covering unveil for relative operations) that I am working on in BUGS --- lib/libc/sys/unveil.2 | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/lib/libc/sys/unveil.2 b/lib/libc/sys/unveil.2 index 4c3a9b0ff8e..69dbd327dbf 100644 --- a/lib/libc/sys/unveil.2 +++ b/lib/libc/sys/unveil.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: unveil.2,v 1.6 2018/07/28 18:06:30 deraadt Exp $ +.\" $OpenBSD: unveil.2,v 1.7 2018/07/30 00:30:15 beck Exp $ .\" .\" Copyright (c) 2018 Bob Beck .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: July 28 2018 $ +.Dd $Mdocdate: July 30 2018 $ .Dt UNVEIL 2 .Os .Sh NAME @@ -155,6 +155,16 @@ was not accessible, or .Nm was called after it was locked. .El +.Sh BUGS +Filesystem lookups work today when they cross an +.Fn unveil +during +.Xr namei 9 lookup in the kernel. A program that +does relative operations below a higher +.Fn unveil +may currently not see the parts of the filesystem +underneath the high level unveil. This is actively +being worked on. .Sh HISTORY The .Fn unveil -- 2.20.1
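Review bot: In the BUGS hunk the limitation is stated less precisely than the commit subject, which says the kernel does not yet find an above covering unveil for relative operations; the section should name that case explicitly, e.g. "A program that performs relative operations (such as via a directory descriptor) below a higher unveil ..." so readers can tell which calls are affected rather than inferring it from "lookups work today when they cross an unveil". Two mdoc style points in the same hunk: ".Xr namei 9 lookup in the kernel. A program that" puts a new sentence on a macro line, so "A program that" should start its own line per the one-sentence-per-line convention, and the text switches between "higher unveil" and "high level unveil"; pick one term. Finally, "This is actively being worked on." is a status line that will go stale in a manual page; either drop it or replace it with a description of the intended behaviour once the fix lands.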