One of the key aspects of hardening the user-space side of an operating system is to provide mechanisms for restricting which parts of the filesystem hierarchy a given process can access. Linux has a number of mechanisms of varying capability and complexity for this purpose, but other kernels have taken a different approach. Over the last few months, OpenBSD has inaugurated a new system call named unveil() for this type of hardening that differs significantly from the mechanisms found in Linux.
2018-10-12 OpenBSD
Just to try and summarize what this is: the actual unveil() call takes two arguments, a path and a permission string. The first time an application uses it, it loses access to everything except that path and everything underneath it. You can call it again to add more paths, and you can call it with both arguments NULL to lock it down so nothing further can be added. You can also give more specific permissions by passing the path of a subdirectory after its parent directory. Like this:
That would allow reading and writing to anything in my home directory except the .ssh folder – and nothing outside it.
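As an added illustration (not code from the post or from OpenBSD itself), the program below mirrors the rules just described in a small user-space model: `my_unveil()` records the unveil table and, when built on OpenBSD, also calls the real unveil(2), while `allowed()` applies the most-specific-path-wins rule so that a "" entry for `.ssh` hides it even though its parent was granted "rw". The `/home/user` paths, the `my_unveil`/`allowed` names and the table model are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Toy user-space model of the kernel's unveil table so the rules described
 * above can be exercised anywhere; on OpenBSD the real unveil(2) is invoked
 * too, so the same program genuinely restricts itself. */
#define MAX_RULES 16
static struct { char path[256]; char perms[8]; } rules[MAX_RULES];
static int nrules, locked;
/* Mirrors unveil(path, perms); unveil(NULL, NULL) locks the table. */
int my_unveil(const char *path, const char *perms) {
#ifdef __OpenBSD__
    if (unveil(path, perms) == -1) return -1;
#endif
    if (path == NULL && perms == NULL) { locked = 1; return 0; }
    if (locked || path == NULL || perms == NULL || nrules == MAX_RULES) return -1;
    snprintf(rules[nrules].path, sizeof rules[nrules].path, "%s", path);
    snprintf(rules[nrules].perms, sizeof rules[nrules].perms, "%s", perms);
    nrules++;
    return 0;
}

/* True when path is dir itself or lies somewhere beneath it. */
static int under(const char *dir, const char *path) {
    size_t n = strlen(dir);
    if (n == 1 && dir[0] == '/') return path[0] == '/';
    return strncmp(dir, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* 1 if path may be used with permission want ('r', 'w', 'x' or 'c'). Nothing
 * is hidden until the first unveil(); afterwards the most specific (longest)
 * unveiled prefix decides, so "" on .ssh hides it although its parent is "rw". */
int allowed(const char *path, char want) {
    int best = -1; size_t bestlen = 0;
    if (nrules == 0) return 1;
    for (int i = 0; i < nrules; i++) {
        size_t n = strlen(rules[i].path);
        if (under(rules[i].path, path) && n >= bestlen) { best = i; bestlen = n; }
    }
    return best >= 0 && strchr(rules[best].perms, want) != NULL;
}

int main(void) {
    my_unveil("/home/user", "rw");     /* placeholder home directory (assumed) */
    my_unveil("/home/user/.ssh", "");  /* hide the .ssh subtree */
    my_unveil(NULL, NULL);             /* lock: no further unveil() accepted */
    printf("notes.txt w=%d  .ssh/key r=%d  /etc/passwd r=%d\n", allowed("/home/user/notes.txt", 'w'),
           allowed("/home/user/.ssh/id_ed25519", 'r'), allowed("/etc/passwd", 'r'));
    return 0;
}
```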
Edited 2018-10-13 09:33 UTC