On 2023/01/02 18:59:21 +0100, Omar Polo <op@omarpolo.com> wrote:
> On 2022/12/30 19:18:55 +0000, Klemens Nanni <kn@openbsd.org> wrote:
> > Why not simply do the stub unveil here:
> > 
> > 		unveil("/", "");
> > 
> > Then you can leave the promises unchanged, since pleding without
> > "unveil" immediately after your last unveil is equivalent to
> > unveil(NULL, NULL), no?
> 
> (sorry for the late reply)
> 
> Yes, it is, and I'd agree it's cleaner.
> 
> However, in other parts of got you'd find this "pattern" of doing
> pledge("... unveil") and then apply_unveil() to lock it.  (see
> got/got.c and tog/tog.c for example), so this is consistent with the
> rest of the codebase.

ah, and this also ensures that unveil is used even in PROFILE builds
(that disable pledge().)  Not a great deal tho, those builds are just
for profiling and not regular use.