FreeBSD - Progress on applying Capsicum to got

From:: "Todd C. Miller" <Todd.Miller@sudo.ws>
Subject:: Re: FreeBSD - Progress on applying Capsicum to got
To:: Ed Maste <emaste@freebsd.org>
Cc:: stsp@stsp.name, Yang Zhong <yzhong@freebsdfoundation.org>, gameoftrees@openbsd.org
Date:: Wed, 25 Nov 2020 13:39:41 -0700

Download raw body.

Thread

2020-11-24 21:16 Stefan Sperling:
FreeBSD - Progress on applying Capsicum to got
- 2020-11-25 19:05 Ed Maste:
  FreeBSD - Progress on applying Capsicum to got
- - 2020-11-25 20:39 Todd C. Miller:
    FreeBSD - Progress on applying Capsicum to got

On Wed, 25 Nov 2020 14:05:28 -0500, Ed Maste wrote:

> One of our goals in starting this now is to see how things can be made
> Capsicum-sandbox friendly; it is indeed much easier to apply Capsicum
> sandboxing during design than adding it to an existing, complete
> program. In a nutshell the idea of a Capsicum sandbox is that there is
> no access to global namespaces or ambient authority, so all resources
> need to be explicitly passed to the sandbox. Some of the functionality
> that exists in FreeBSD comes as a natural consequence of that - e.g.
> mkostempsat is needed when there's no concept of "/" in the sandbox.
> Similarly AT_FDCWD isn't usable in the sandbox.

FWIW, adding mkostempsat(3) to OpenBSD is trivial to do.  I have
no objection to adding it...

 - todd

2020-11-24 21:16 Stefan Sperling:
FreeBSD - Progress on applying Capsicum to got
- 2020-11-25 19:05 Ed Maste:
  FreeBSD - Progress on applying Capsicum to got
- - 2020-11-25 20:39 Todd C. Miller:
    FreeBSD - Progress on applying Capsicum to got