.\" $OpenBSD: unveil.2,v 1.17 2019/03/24 19:55:31 jmc Exp $ .\" .\" Copyright (c) 2018 Bob Beck .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .Dd $Mdocdate: March 24 2019 $ .Dt UNVEIL 2 .Os .Sh NAME .Nm unveil .Nd unveil parts of a restricted filesystem view .Sh SYNOPSIS .In unistd.h .Ft int .Fn unveil "const char *path" "const char *permissions" .Sh DESCRIPTION The first call to .Nm removes visibility of the entire filesystem from all other filesystem-related system calls (such as .Xr open 2 , .Xr chmod 2 and .Xr rename 2 ) , except for the specified .Ar path and .Ar permissions . .Pp The .Nm system call remains capable of traversing to any .Ar path in the filesystem, so additional calls can set permissions at other points in the filesystem hierarchy. .Pp After establishing a collection of .Ar path and .Ar permissions rules, future calls to .Nm can be disabled by passing two .Ar NULL arguments. Alternatively, .Xr pledge 2 may be used to remove the .Va unveil promise. .Pp The .Fa permissions argument points to a string consisting of the following characters: .Pp .Bl -tag -width "XXXX" -offset indent -compact .It Dv r Make .Ar path available for read operations, corresponding to the .Xr pledge 2 promise .Ar rpath . .It Dv w Make .Ar path available for write operations, corresponding to the .Xr pledge 2 promise .Ar wpath . .It Dv x Make .Ar path available for execute operations, corresponding to the .Xr pledge 2 promise .Ar exec . .It Dv c Allow .Ar path to be created and removed, corresponding to the .Xr pledge 2 promise .Ar cpath . .El .Pp A .Ar path that is a directory will enable all filesystem access underneath .Ar path using .Ar permissions if and only if no more specific matching .Fn unveil exists at a lower level. Directories are remembered at the time of a call to .Fn unveil . This means that a directory that is removed and recreated after a call to .Fn unveil will appear to not exist. .Pp Non-directory paths are remembered by name within their containing directory, and so may be created, removed, or re-created after a call to .Fn unveil and still appear to exist. .Pp Attempts to access paths not allowed by .Nm will result in an error of .Ar EACCES when the .Ar permissions argument does not match the attempted operation. .Ar ENOENT is returned for paths for which no .Nm permissions qualify. .Pp .Fn unveil use can be tricky because programs misbehave badly when their files unexpectedly disappear. In many cases it is easier to unveil the directories in which an application makes use of files. .Sh RETURN VALUES .Rv -std .Sh ERRORS .Bl -tag -width Er .It E2BIG The addition of .Ar path would exceed the per-process limit for unveiled paths. .It ENOENT A directory in .Ar path did not exist. .It EINVAL An invalid value of .Ar permissions was used. .It EPERM An attempt to increase permissions was made, or the .Ar path was not accessible, or .Nm was called after locking. .El .Sh HISTORY The .Fn unveil system call first appeared in .Ox 6.4 . .Sh BUGS .Xr readlink 2 partially bypasses .Nm restrictions required by .Xr realpath 3 . Future changes intend to repair this problem.