From: Yang Zhong <yzhong@freebsdfoundation.org>
Subject: FreeBSD - Progress on applying Capsicum to got
To: gameoftrees@openbsd.org
Date: Tue, 24 Nov 2020 12:13:05 -0800

Hello,

I'm the intern working on applying Capsicum to got. I have adapted the
init and checkout commands to use Capsicum, as a proof of concept. The
changes need polish for things like the names of variables and the order
of include directives, and there are some very minor unresolved issues,
but it's enough to get a good idea of what is necessary. Almost all of the
changes are for checkout, so I'll be discussing that.

The first of the following diffs contains all the relevant Capsicum changes.
The second contains the FreeBSD compatibility changes on top of which I
worked.
https://people.freebsd.org/~emaste/got/got_cap_poc.diff
https://people.freebsd.org/~emaste/got/freebsd-0.43.diff

Most changes involve turning open()-style functions into openat()-style
ones, and many functions now take fds to support this. The got_repo
and got_worktree structs also now store fds corresponding to their paths.
In general, the program now passes around fds for the root worktree and
repo directories, and operates on paths relative to those fds.

As a consequence of this, got_worktree_open now takes in the fd of its
associated repository, as Capsicum's capability mode needs the directory
to be pre-opened. For checkout this works since we call got_repo_open
beforehand anyway, which requires the same fd. However, future commands
will need a function that grabs the repository path from a worktree
directory, or similar, to run before entering capability mode.

Another consequence: got_repo_open no longer loops through progressively
higher directories to find the repo's root, as this must be done before
entering capability mode. The new function got_repo_find_git_path does
the looping, and we call it early on.

The rest of the changes are self-contained: got_privsep_wait_for_child
replaces wait4 with kqueue, as the former is forbidden in capability
mode. Similarly, got_privsep_exec_child uses fexecve instead of execl.
Since some of these aren't suitable for upstream, I'd appreciate your
thoughts on how these areas could be abstracted going forward.

A note: these changes affect the signatures of many common functions
(got_repo_open, got_worktree_open, got_ref_open, etc). I've filled
them with dummy parameters in places where they aren't being
called, and have added printed warnings before them for my reference.
This means that commands other than init and checkout will not work.

I've lightly tested my work, and checkout works with both got- and
git-style repositories. All the flags work in simple cases as well.

Is the direction of these changes agreeable? I believe that changes in
this style will suffice to Capsicumize almost all of got. I'd greatly
appreciate any feedback on how suitable these changes are. If these
changes are agreeable, we'll apply them to the rest of got and submit
them as logically-separated patches.

Yang Zhong
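The pattern the message describes, walking up the directory tree to find the repository root before entering capability mode and then doing all I/O through openat()-style calls relative to that pre-opened fd, as an added C example. This is not code from got or from the poster's diff: the function names find_repo_dirfd, enter_capability_mode, read_file_at and make_fixture are illustrative, the repository layout is a constructed fixture under /tmp, and cap_enter() is only called on FreeBSD (on other hosts the sandbox step is a no-op so the rest still runs).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Walk upward from `start` until a directory containing `marker` (".git" or
 * ".got") is found; return an O_DIRECTORY fd for it, or -1 with errno set.
 * This must run before cap_enter(): in capability mode open() of a path
 * fails with ECAPMODE and only *at() calls relative to open fds are allowed. */
int find_repo_dirfd(const char *start, const char *marker)
{
    int dirfd = open(start, O_RDONLY | O_DIRECTORY);
    if (dirfd == -1) return -1;
    for (;;) {
        struct stat st, cur, parent;
        if (fstatat(dirfd, marker, &st, 0) == 0)
            return dirfd;                           /* found the root */
        if (errno != ENOENT)
            break;
        int pfd = openat(dirfd, "..", O_RDONLY | O_DIRECTORY);
        if (pfd == -1) break;
        if (fstat(dirfd, &cur) == -1 || fstat(pfd, &parent) == -1) {
            close(pfd);
            break;
        }
        close(dirfd);
        dirfd = pfd;
        /* ".." of the filesystem root is the root itself: stop there. */
        if (cur.st_dev == parent.st_dev && cur.st_ino == parent.st_ino) {
            errno = ENOENT;
            break;
        }
    }
    close(dirfd);
    return -1;
}

/* cap_enter() on FreeBSD; a no-op elsewhere so the example stays portable
 * (an assumption of this example: on those hosts nothing is sandboxed). */
int enter_capability_mode(void)
{
#ifdef __FreeBSD__
    return cap_enter();
#else
    return 0;
#endif
}

/* openat()-style replacement for open()+read(): the path is relative to the
 * pre-opened directory fd, which is what capability mode permits. */
ssize_t read_file_at(int dirfd, const char *relpath, char *buf, size_t len)
{
    int fd = openat(dirfd, relpath, O_RDONLY);
    if (fd == -1) return -1;
    ssize_t n = read(fd, buf, len);
    close(fd);
    return n;
}

/* Constructed fixture: <tmp>/repo/.git/HEAD plus <tmp>/repo/sub/dir as the
 * directory to start the upward walk from (written into `start`). */
int make_fixture(char *start, size_t len)
{
    char root[] = "/tmp/gotcapXXXXXX", path[512];
    const char *dirs[] = { "repo", "repo/.git", "repo/sub", "repo/sub/dir" };
    if (mkdtemp(root) == NULL) return -1;
    for (size_t i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", root, dirs[i]);
        if (mkdir(path, 0700) == -1) return -1;
    }
    snprintf(path, sizeof path, "%s/repo/.git/HEAD", root);
    FILE *f = fopen(path, "w");
    if (f == NULL || fputs("ref: refs/heads/main\n", f) == EOF || fclose(f) == EOF)
        return -1;
    snprintf(start, len, "%s/repo/sub/dir", root);
    return 0;
}

int main(void)
{
    char start[512], buf[64];
    if (make_fixture(start, sizeof start) == -1) { perror("fixture"); return 1; }
    int repofd = find_repo_dirfd(start, ".git");   /* 1. walk with full namespace */
    if (repofd == -1) { perror("find_repo_dirfd"); return 1; }
    if (enter_capability_mode() == -1) { perror("cap_enter"); return 1; }  /* 2. */
    ssize_t n = read_file_at(repofd, ".git/HEAD", buf, sizeof buf);  /* 3. still ok */
    if (n > 0) printf("HEAD via openat(): %.*s", (int)n, buf);
    /* A fresh open() by path is refused in capability mode (FreeBSD: ECAPMODE). */
    if (open(start, O_RDONLY) == -1)
        printf("open() by path refused: %s\n", strerror(errno));
    else
        printf("open() by path allowed (host is not in capability mode)\n");
    return 0;
}
```

On FreeBSD the last open() fails with ECAPMODE once cap_enter() has succeeded, while the openat() read through the fd obtained beforehand still works; that is the whole reason the repository-root search has to be split out and run first, as the message describes for got_repo_find_git_path. The other two changes mentioned (wait4 replaced by kqueue, execl replaced by fexecve on a pre-opened executable fd) follow the same rule and are not shown here.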