authorBob Beck <beck@cvs.openbsd.org>2018-07-13 09:25:24 +0000
committerBob Beck <beck@cvs.openbsd.org>2018-07-13 09:25:24 +0000
commit5ae3d2136868f3e0274124a0467ebb1f56f89951 (patch)
treeb75fb5fa23ac39f232d55ab135db8731dec32862 /lib/libc
parent7157ce8a948f56a0f822b769acdce3c61a31737b (diff)
Unveiling unveil(2).
This brings unveil into the tree, disabled by default: currently it will return EPERM on all attempts to use it until we are fully certain it is ready for people to start using, but it now allows others to do more tweaking and experimentation. It still needs to send the unveils across forks and execs before being fully enabled. Many thanks to robert@ and deraadt@ for extensive testing. ok deraadt@
Diffstat (limited to 'lib/libc')
-rw-r--r--lib/libc/Symbols.list2
-rw-r--r--lib/libc/hidden/unistd.h3
-rw-r--r--lib/libc/sys/Makefile.inc6
-rw-r--r--lib/libc/sys/pledge.28
-rw-r--r--lib/libc/sys/unveil.2158
5 files changed, 171 insertions, 6 deletions
diff --git a/lib/libc/Symbols.list b/lib/libc/Symbols.list
index 63420faebdd..55500aea43d 100644
--- a/lib/libc/Symbols.list
+++ b/lib/libc/Symbols.list
@@ -231,6 +231,7 @@ _thread_sys_umask
_thread_sys_unlink
_thread_sys_unlinkat
_thread_sys_unmount
+_thread_sys_unveil
_thread_sys_utimensat
_thread_sys_utimes
_thread_sys_utrace
@@ -434,6 +435,7 @@ umask
unlink
unlinkat
unmount
+unveil
utimensat
utimes
utrace
diff --git a/lib/libc/hidden/unistd.h b/lib/libc/hidden/unistd.h
index bfa424fe795..692951637c8 100644
--- a/lib/libc/hidden/unistd.h
+++ b/lib/libc/hidden/unistd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: unistd.h,v 1.10 2016/09/12 19:36:26 guenther Exp $ */
+/* $OpenBSD: unistd.h,v 1.11 2018/07/13 09:25:22 beck Exp $ */
/*
* Copyright (c) 2015 Philip Guenther <guenther@openbsd.org>
*
@@ -161,6 +161,7 @@ PROTO_NORMAL(ttyname_r);
PROTO_DEPRECATED(ualarm);
PROTO_NORMAL(unlink);
PROTO_NORMAL(unlinkat);
+PROTO_NORMAL(unveil);
PROTO_DEPRECATED(usleep);
PROTO_WRAP(vfork);
PROTO_CANCEL(write);
diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc
index 6823d7472a8..e7792063ae9 100644
--- a/lib/libc/sys/Makefile.inc
+++ b/lib/libc/sys/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.154 2018/01/12 04:36:12 deraadt Exp $
+# $OpenBSD: Makefile.inc,v 1.155 2018/07/13 09:25:22 beck Exp $
# $NetBSD: Makefile.inc,v 1.35 1995/10/16 23:49:07 jtc Exp $
# @(#)Makefile.inc 8.1 (Berkeley) 6/17/93
@@ -73,7 +73,7 @@ ASM= __semctl.o __syscall.o __thrsigdivert.o \
shmget.o shutdown.o sigaltstack.o socket.o \
socketpair.o stat.o statfs.o swapctl.o symlink.o symlinkat.o \
sysarch.o sysctl.o thrkill.o unlink.o unlinkat.o \
- unmount.o utimensat.o utimes.o utrace.o
+ unmount.o unveil.o utimensat.o utimes.o utrace.o
SRCS+= ${SRCS_${MACHINE_CPU}}
.for i in ${SRCS_${MACHINE_CPU}}
@@ -195,4 +195,4 @@ MAN+= __get_tcb.2 __thrsigdivert.2 __thrsleep.2 _exit.2 accept.2 \
sigprocmask.2 sigreturn.2 sigsuspend.2 socket.2 \
socketpair.2 stat.2 statfs.2 swapctl.2 symlink.2 \
sync.2 sysarch.2 syscall.2 sysctl.2 thrkill.2 truncate.2 \
- umask.2 unlink.2 utimes.2 utrace.2 vfork.2 wait.2 write.2
+ umask.2 unlink.2 unveil.2 utimes.2 utrace.2 vfork.2 wait.2 write.2
diff --git a/lib/libc/sys/pledge.2 b/lib/libc/sys/pledge.2
index ab606be7960..3c32586c478 100644
--- a/lib/libc/sys/pledge.2
+++ b/lib/libc/sys/pledge.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pledge.2,v 1.52 2018/03/16 07:11:03 jmc Exp $
+.\" $OpenBSD: pledge.2,v 1.53 2018/07/13 09:25:22 beck Exp $
.\"
.\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: March 16 2018 $
+.Dd $Mdocdate: July 13 2018 $
.Dt PLEDGE 2
.Os
.Sh NAME
@@ -553,6 +553,10 @@ Allow
operation for statistics collection from a
.Xr bpf 4
device.
+.It Va unveil
+Allow
+.Xr unveil 2
+to be called.
.It Va error
Rather than killing the process upon violation, indicate error with
.Er ENOSYS .
diff --git a/lib/libc/sys/unveil.2 b/lib/libc/sys/unveil.2
new file mode 100644
index 00000000000..d98515dd6a2
--- /dev/null
+++ b/lib/libc/sys/unveil.2
@@ -0,0 +1,158 @@
+.\" $OpenBSD: unveil.2,v 1.1 2018/07/13 09:25:22 beck Exp $
+.\"
+.\" Copyright (c) 2018 Bob Beck <beck@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 13 2018 $
+.Dt UNVEIL 2
+.Os
+.Sh NAME
+.Nm unveil
+.Nd unveil parts of a restricted filesystem view
+.Sh SYNOPSIS
+.In unistd.h
+.Ft int
+.Fn unveil "const char *path" "const char *flags"
+.Sh DESCRIPTION
+The first call to
+.Nm
+removes visibility of the envire filesystem from all other
+filesystem-related system calls (
+.Xr open 2 ,
+.Xr chmod 2 ,
+.Xe rename 2,
+etc).
+except for the specified
+.Ar path.
+Subequent calls to
+.Nm
+expose additional views of the filesystem.
+.Pp
+The
+.Nm
+call is treated specially and can continue to see the filesystem for
+subsequent calls.
+.Nm
+can be locked,
+preventing further filesytem exposure by calling
+.Nm
+with two
+.Ar NULL
+arguments.
+.Xr pledge 2
+may alternatively be used
+to remove the "unveil" permission.
+.Pp
+The
+.Fa flags
+argument points to a string consisting of the following characters.
+.Pp
+.Bl -tag -width c -offset indent -compact
+.It Dv r
+.Ar path
+hould be made be available for read operations corresponding to
+.Xr pledge 2
+promise
+.Ar rpath .
+.It Dv w
+.Ar path
+should be available for write operations corresponding to
+.Xr pledge 2
+promise
+.Ar wpath .
+.It Dv x
+.Ar path
+should be available for execute operations corresponding to
+.Xr pledge 2
+promise
+.Ar wpath .
+.It Dv c
+.Ar path
+should be allowed to be created and removed, corresponding to
+.Xr pledge 2
+promise
+.Ar cpath .
+.El
+.Pp
+A
+.Ar path
+that is a directory will enable all filesystem access underneath
+.Ar path
+using
+.Ar flags
+if and only if no more specific matching
+.Fn unveil
+exists at a lower level.
+.Pp
+Attempts to access paths not allowed by
+.Nm
+will result in an error of
+.Ar EACCES
+when the
+.Ar flags
+argument does not match the attempted operation.
+.Ar ENOENT
+is returned for paths for which no
+.Nm
+flags are present.
+.Pp
+As with
+.Xr pledge 2 ,
+the use of
+.Fn unveil
+in an application will require lots of study and understanding
+of the interfaces called.
+In most cases it is best practice to unveil the directories
+in which an application makes use of files.
+It is important to consider that directory results are remembered at
+the time of a call to
+.Fn unveil .
+This means that a directory that is removed and recreated after a call to
+.Fn unveil
+will appear to not exist.
+Non directories are remembered by name within their containing directory,
+and so may be created, removed, or re-created after a call to
+.Fn unveil
+and still appear to exist.
+.Sh RETURN VALUES
+.Fn unveil
+returns 0 on success or -1 on failure.
+.Sh ERRORS
+.Bl -tag -width Er
+.It E2BIG
+The addition of
+.Ar path
+would exceed the per-process limit for pledged paths.
+.It ENOENT
+A directory in
+.Ar path
+did not exist.
+.It EINVAL
+An invalid value of
+.Ar flags
+was used.
+.It EPERM
+An attempt to add permission to
+.Ar flags
+was made, or
+.Ar path
+was not accessible, or
+.Nm
+was called after it was locked
+.El
+.Sh HISTORY
+The
+.Fn unveil
+system call first appeared in
+.Ox 6.4 .