*** UNIX MANUAL PAGE BROWSER ***

A Nergahak database for man pages research.

Navigation

Location: Home > OpenBSD > Section 2 > unveil
Quick Actions: [Home] [Up]

Directory Browser

1Browse 4.4BSD4.4BSD
1Browse Digital UNIXDigital UNIX 4.0e
1Browse FreeBSDFreeBSD 14.3
1Browse MINIXMINIX 3.4.0rc6-d5e4fc0
1Browse NetBSDNetBSD 10.1
1Browse OpenBSDOpenBSD 7.7
1Browse UNIX v7Version 7 UNIX
1Browse UNIX v10Version 10 UNIX

Manual Page Search

Manual Page Result

0 Command: unveil | Section: 2 | Source: OpenBSD | File: unveil.2
UNVEIL(2) FreeBSD System Calls Manual UNVEIL(2) NAME unveil - unveil parts of a restricted filesystem view SYNOPSIS #include <unistd.h> int unveil(const char *path, const char *permissions); DESCRIPTION The first call to unveil() that specifies a path removes visibility of the entire filesystem from all other filesystem-related system calls (such as open(2), chmod(2) and rename(2)), except for the specified path and permissions. The unveil() system call remains capable of traversing to any path in the filesystem, so additional calls can set permissions at other points in the filesystem hierarchy. After establishing a collection of path and permissions rules, future calls to unveil() can be disabled by passing two NULL arguments. Alternatively, pledge(2) may be used to remove the "unveil" promise. The permissions argument points to a string consisting of zero or more of the following characters: r Make path available for read operations, corresponding to the pledge(2) promise "rpath". w Make path available for write operations, corresponding to the pledge(2) promise "wpath". x Make path available for execute operations, corresponding to the pledge(2) promise "exec". c Allow path to be created and removed, corresponding to the pledge(2) promise "cpath". A path that is a directory will enable all filesystem access underneath path using permissions if and only if no more specific matching unveil() exists at a lower level. Directories are remembered at the time of a call to unveil(). This means that a directory that is removed and recreated after a call to unveil() will appear to not exist. Non-directory paths are remembered by name within their containing directory, and so may be created, removed, or re-created after a call to unveil() and still appear to exist. Attempts to access paths not allowed by unveil() will result in an error of EACCES when the permissions argument does not match the attempted operation. ENOENT is returned for paths for which no unveil() permissions qualify. After a process has terminated, lastcomm(1) will mark it with the `U' flag if file access was prevented by unveil(). unveil() use can be tricky because programs misbehave badly when their files unexpectedly disappear. In many cases it is easier to unveil the directories in which an application makes use of files. RETURN VALUES Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error. ERRORS [E2BIG] The addition of path would exceed the per-process limit for unveiled paths. [EFAULT] path or permissions points outside the process's allocated address space. [ENOENT] A directory in path did not exist. [EINVAL] An invalid value of permissions was used. [EPERM] An attempt to increase permissions was made, or the path was not accessible, or unveil() was called after locking. HISTORY The unveil() system call first appeared in OpenBSD 6.4. FreeBSD 14.1-RELEASE-p8 September 6, 2021 FreeBSD 14.1-RELEASE-p8

Navigation Options

Actions: [Home] [Back] [New Search]
Browse: [Browse OpenBSD] [Section 2]
Print/Export: [Print] [Raw Text]
Date: 2025-08-18 Time: 19:30:59 SAST |
Page generated in 0.0214 seconds
Nergahak ManpageViewer v1.4
[Back to Top]