sftp-server: add a flag to call unveil on starting directory

Theo de Raadt deraadt at openbsd.org
Thu Jan 29 10:46:31 AEDT 2026


Jochen Bern <Jochen.Bern at binect.de> wrote:

> If so, and if unveil() is sufficiently similar to chroot(), this new
> option would effectively hand every user a means to deny the sysadmins
> a log of his activities: Just unveil() to a subtree of your choice
> where no /dev/log is available.

On OpenBSD, where unveil comes from, the use of syslog doesn't require
ANY filesystem access -- sending a syslog message always works in all
security-configurations, whether that is chroot, or unveil, or pledge
without paths.  The guts of syslog were entirely reconstructed to avoid
concerns about program misbehaviour during file descriptor exhaustion,
using a sendsyslog(2) system call which tunnels the messages through the
kernel to the syslog daemon.  After a couple more similar libc / kernel
interface changes it got me thinking and the pledge(2) mechanism was
created.  We tried to incorporate pathname access control into pledge
but it limited us to simple solutions, so we eventually developed
unveil(2) as a separate mechanism that works nicely in parallel to
pledge.  Anyways, I'm just saying that losing syslog messages on an
operating system with unveil is not a real concern.
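The point above can be checked directly: a process that has been confined with unveil(2) and pledge(2) on OpenBSD can still deliver a syslog message, because syslog(3) goes through sendsyslog(2) rather than through a /dev/log path. The program below is an added example written for this archive page; it is not code from the thread, from OpenSSH or from OpenBSD. It assumes an OpenBSD host for the real confinement; on other systems unveil and pledge do not exist, so the file supplies stand-ins that return ENOSYS purely so it still compiles, and the result code says which case applied. The directory /var/empty used in main() and the "unveil-demo" ident are assumptions for the demo.

```c
/* Added example (not from the message, OpenSSH or OpenBSD): confine a
 * process with unveil(2) + pledge(2), then show syslog(3) still works.
 * On OpenBSD the calls are real; elsewhere the stand-ins below return
 * ENOSYS so the file compiles and the control flow can be followed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-ins for non-OpenBSD builds (assumption: only used so the demo
 * compiles; they report "unsupported" and confine nothing). */
static int unveil(const char *path, const char *permissions)
{
    (void)path; (void)permissions;
    errno = ENOSYS;
    return -1;
}
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    errno = ENOSYS;
    return -1;
}
#endif

enum confine_result {
    CONFINE_APPLIED = 0,     /* unveil + pledge in force, syslog called   */
    CONFINE_UNAVAILABLE = 1, /* not OpenBSD: syslog called unconfined    */
    CONFINE_FAILED = -1      /* a sandbox call failed for a real reason  */
};

/* Restrict the filesystem view to `dir` (read-only), lock the unveil
 * list, drop to the "stdio rpath" promise set, then emit one syslog
 * line. "stdio" is the pledge promise that covers sendsyslog(2), so the
 * message is delivered even though no /dev/log is reachable any more. */
enum confine_result confine_and_log(const char *dir, const char *msg)
{
    enum confine_result rc = CONFINE_APPLIED;

    /* Expose only `dir` for reading, then seal the view so no further
     * unveil() calls can widen it. A missing `dir` is a real failure. */
    if (unveil(dir, "r") == -1 || unveil(NULL, NULL) == -1) {
        if (errno != ENOSYS)
            return CONFINE_FAILED;
        rc = CONFINE_UNAVAILABLE;
    }
    if (pledge("stdio rpath", NULL) == -1) {
        if (errno != ENOSYS)
            return CONFINE_FAILED;
        rc = CONFINE_UNAVAILABLE;
    }

    /* No path is opened here: on OpenBSD this is sendsyslog(2). */
    openlog("unveil-demo", LOG_PID, LOG_USER);
    syslog(LOG_INFO, "%s (confinement=%s)", msg,
           rc == CONFINE_APPLIED ? "unveil+pledge" : "none");
    closelog();
    return rc;
}

int main(void)
{
    /* Constructed demo: /var/empty exists on OpenBSD (assumption on other
     * systems). After confinement /dev/log is gone from the process's
     * view, yet the syslog line above still reaches syslogd. */
    enum confine_result rc = confine_and_log("/var/empty",
                                             "unveil demo message");
    printf("confinement=%d, /dev/log visible: %s\n", (int)rc,
           access("/dev/log", F_OK) == 0 ? "yes" : "no");
    return rc == CONFINE_FAILED ? 1 : 0;
}
```

On an OpenBSD host, run it and then check /var/log/messages (or wherever syslog.conf routes LOG_USER) for the "unveil-demo" line; the printed "/dev/log visible: no" alongside a delivered message is the observable form of the claim in the reply. Unveiling a directory that does not exist makes the function return CONFINE_FAILED, which is the one outcome an administrator would want surfaced rather than silently ignored.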


More information about the openssh-unix-dev mailing list