Hacker News new | past | comments | ask | show | jobs | submit login

I'm curious. To me, unveil means reveal information, while the intended purpose for this tool is to hide it. Why do you think it's such a descriptive name?



While it implicitely hides everything on the first call, it unveils the arguments. Reads really natural. I imagine typical usage would be:

    fork();
    unveil("/home/jakob/", "w");
    unveil("/etc/some_config_file", "r");
    unveil(0,0);
    exec();


> While it implicitely hides everything on the first call

I think that's the really weird bit, I guess they didn't want multiple functions but it would make more sense to veil() (hide everything), unveil(path, mode) (show that path) and lockveil(), something along those lines. Or maybe use some sort of mode constants e.g. veil(VEIL_INIT), veil(VEIL_REVEAL, path, mode), veil(VEIL_LOCK).


What benefit would requiring veil() before unveil() have? There is no point in calling unveil() if the file system isn't hidden. Making the hiding implicit reduces the number of possible mistakes people can make when using the API.


You could be more sure that something else didn't already unveil things you want hidden in your current invocation.


The end game might be that everything is veiled by default, so if you have no unveil calls then your process can't read anything


That would work just as well with a better API. The initial call would just become a no-op at that point.


what do the 0,0 mean here?


Disallows further use of unveil()


It is stated in the 2nd line of the Description in the manual that this will reveal things with subsequent calls. It’s just the initial call that hides everything.


Tbh, to me the title "Unveil parts of a restricted filesystem view" read like it was about a hack.


Yeah, that was my thought too. This is more like “veil_except”.

That said, “unveil” is good enough.


Why not "restrict"?


Here be dragons! "restrict" is a keyword in C.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: