commit 4dffd8d6f49cc4e67a2e4685a648461673ce5f75
parent 343d8bbbaa30c9acf9862d231103ef65b5840ee6
Author: Chris Bracken <chris@bracken.jp>
Date: Mon, 17 Nov 2025 18:37:26 +0900
Add locking unveil call
unveil(NULL, NULL) must be called to lock in the restrictions. This adds
that call.
Diffstat:
1 file changed, 5 insertions(+), 0 deletions(-)
diff --git a/security.c b/security.c
@@ -33,6 +33,11 @@ void restrict_filesystem_access(const char* readonly_paths[],
err(1, "unveil: %s", path);
}
}
+
+ // Lock in the filesystem restrictions.
+ if (unveil(NULL, NULL) == -1) {
+ err(1, "unveil: failed to lock");
+ }
}
void restrict_system_operations(RestrictionType type) {
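Review bot: The lock added at the end of restrict_filesystem_access makes the function call-once, and nothing in the visible lines says so. After `unveil(NULL, NULL)` any later unveil() in the process fails with EPERM, so a second call would exit through the `err(1, "unveil: %s", path)` in the loop above. I would extend the comment to `// Lock in the filesystem restrictions; later unveil() calls fail with EPERM, so call this once, after all paths are known.` Separately, if the path lists passed in can be empty, no path is ever unveiled and, as far as I know from unveil(2), the filesystem then stays fully visible with only future unveil calls disabled. The start of the function is outside the hunk, so confirm whether that case is rejected or handled there.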