FreeBSD - Progress on applying Capsicum to got
On Tue, 24 Nov 2020 at 16:16, Stefan Sperling <stsp@stsp.name> wrote:
>
> The changes are larger than I expected, in my ignorance of capsicum.
> I did not expect capsicum to require this many changes to existing code.

Thanks for looking at the patch, Stefan. One of our goals in starting this now is to see how things can be made Capsicum-sandbox friendly; it is indeed much easier to apply Capsicum sandboxing during design than adding it to an existing, complete program.

In a nutshell the idea of a Capsicum sandbox is that there is no access to global namespaces or ambient authority, so all resources need to be explicitly passed to the sandbox. Some of the functionality that exists in FreeBSD comes as a natural consequence of that - e.g. mkostempsat is needed when there's no concept of "/" in the sandbox. Similarly AT_FDCWD isn't usable in the sandbox. It seems that in general passing fds (and directory fds) around cleans up some things and avoids races etc., in addition to being friendly to (Capsicum) sandboxing.

I'm happy if we can submit those changes, and keep the Capsicum-specific changes ourselves for now. The primary goal with this patch was to provide a proof of concept to demonstrate the sorts of change necessary, and serve to guide the discussion. We can rebase (on an ongoing basis) the changes, keeping them in three sets:

- individual upstreamable changes, such as rename to renameat
- rebased version of naddy's FreeBSD porting changes
- WIP and Capsicum-specific changes

By default we'd probably just end up hosting these in a GitHub repo, but if it's convenient for you I'd be happy to have you host it. Collaborating with naddy@ on the FreeBSD changes in a shared repo also makes sense.

I'm not quite sure this is ready to rise to the level of being a -portable just yet, but seems like a step on that path.

Best,
Ed