unveil is like pledge, but for files: it allows the developer of an application to provide a whitelist of allowed paths, and to mask the rest of the filesystem. But contrary to pledge, it won’t abort the process in case of a violation; it will simply tell it that the path doesn’t exist, so that the application can gracefully handle the error and continue its execution.
It’s currently not widely used in OpenBSD’s ports; the only big piece of software using it is Chrome, but apparently the number is steadily increasing:
As of OpenBSD 6.6, released in October 2019, unveil(2) is now used in 77 userland programs to redact filesystem access.
This is a really nice mitigation in my opinion, preventing random compromised software from accessing private parts of the filesystem to grab encryption keys or family pictures: another example of attack-surface reduction.
It’s a bit similar to what AppArmor provides on Linux, except that the rules are directly integrated in the program itself, allowing for more granularity, and likely fewer surprise breakages.
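
The path-masking behaviour described above, as an added C example (not from the original post or from OpenBSD's source): it unveils /etc read-only, locks the list, and reports what open(2) returns for an allowed read, a disallowed write and a hidden path. The paths are illustrative assumptions, and the no-op unveil stand-in for non-OpenBSD systems is there only so the file builds elsewhere.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption, portability only: unveil(2) exists only on OpenBSD. This no-op
 * stand-in lets the file build elsewhere; it restricts nothing. */
static int unveil(const char *path, const char *perms)
{ (void)path; (void)perms; return 0; }
#endif

/* Open path with flags; return 0 on success, else the errno reported. */
static int try_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd == -1)
        return errno;
    close(fd);
    return 0;
}

/* Expose only dir, read-only, then lock the list against later changes. */
static int restrict_to(const char *dir)
{
    if (unveil(dir, "r") == -1)
        return -1;
    return unveil(NULL, NULL);
}

int main(void)
{
    if (restrict_to("/etc") == -1) {
        perror("unveil");
        return 1;
    }
    /* Per unveil(2) on OpenBSD: inside the unveiled tree reads succeed,
     * a write there fails with EACCES, and any other path gives ENOENT. */
    int r = try_open("/etc", O_RDONLY);
    int w = try_open("/etc/passwd", O_WRONLY);
    int h = try_open("/home", O_RDONLY);
    printf("read  /etc:        %s\n", r ? strerror(r) : "ok");
    printf("write /etc/passwd: %s\n", w ? strerror(w) : "ok");
    printf("read  /home:       %s\n", h ? strerror(h) : "ok");
    return 0;
}
```

Because the process sees ENOENT rather than being killed, the error path is the ordinary "file not found" handling the program already has.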