
From: Stefan Sperling <stsp@stsp.name>
Subject: Re: change got_worktree_init, open_worktree to use fds
To: Ed Maste <emaste@freebsd.org>
Cc: Yang Zhong <yzhong@freebsdfoundation.org>, gameoftrees@openbsd.org
Date: Fri, 4 Dec 2020 16:15:49 +0100

On Fri, Dec 04, 2020 at 09:52:22AM -0500, Ed Maste wrote:
> On Tue, 1 Dec 2020 at 18:11, Stefan Sperling <stsp@stsp.name> wrote:
> >
> > Couldn't you apply capsicum to open file descriptors provided via newly
> > initialized struct got_worktree and struct got_repository, and enter the
> > sandbox before the main operation logic of the got command starts executing?
> 
> Yes, this is likely the approach to take; once the root directories of
> the repository and of the working tree have been located we can enter
> the sandbox and no longer rely on ambient authority or access to
> global namespaces.

Great! I am glad that this approach can work.

Apart from fds for work tree and repository, you will also need an fd
for the /tmp directory, correct? As far as I recall, those are generally
the only three directories which Got operations require.

Since /tmp is a global directory, I suppose a global variable would work?

If so I'd propose to make the /tmp fd a global variable in opentemp.c.
It could be initialized to -1 at compile-time, and it could be changed
to a valid fd for /tmp before entering the sandbox. Code which creates a
file in /tmp could then use mkostempat(2) with this fd if it isn't -1,
and fall back on mkstemp(2) otherwise.

Via include/got_opentemp.h you could expose the fd like this:

	/* If not -1, this is an open file descriptor to the /tmp directory. */
	extern int got_tempdir_fd;

This avoids having to pass an fd for /tmp around all over the place.

And you would close this fd again during application teardown.
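The scheme sketched in this mail (a global /tmp fd that starts out as -1, is filled in before the sandbox is entered, is used for fd-relative temp file creation, and is closed at teardown, with a mkstemp(2) fallback when no fd is available), written out as an added example. This is illustration code, not Got's opentemp.c or any patch from this thread. The helper names got_tempdir_open, got_tempdir_close, got_opentemp_named and got_opentemp_remove are assumed, as is the hardcoded GOT_TMPDIR of /tmp. Since mkostempat(2) as named above is not available on the Linux systems this compiles on, a small openat(2)-based stand-in, mkostempat_compat, is used in its place; it relies on O_EXCL for uniqueness in the same way.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* If not -1, this is an open file descriptor to the /tmp directory. */
int got_tempdir_fd = -1;

/* Assumed location of the temp directory for the mkstemp(2) fallback. */
#define GOT_TMPDIR "/tmp"

/* Hypothetical helper: obtain the /tmp fd before entering the sandbox. */
int
got_tempdir_open(void)
{
	int fd = open(GOT_TMPDIR, O_RDONLY | O_DIRECTORY | O_CLOEXEC);

	if (fd == -1)
		return -1;
	got_tempdir_fd = fd;
	return 0;
}

/* Hypothetical helper: close the fd again during application teardown. */
void
got_tempdir_close(void)
{
	if (got_tempdir_fd != -1) {
		close(got_tempdir_fd);
		got_tempdir_fd = -1;
	}
}

/*
 * Stand-in for mkostempat(2): create a unique file relative to dirfd.
 * The trailing "XXXXXX" of template is overwritten in place. Uniqueness
 * comes from O_EXCL; the random() name only keeps retries rare.
 */
static int
mkostempat_compat(int dirfd, char *template, int oflags)
{
	static const char alnum[] =
	    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
	static int seeded;
	size_t len = strlen(template);
	char *x;
	int fd, tries;

	if (len < 6 || strcmp(template + len - 6, "XXXXXX") != 0) {
		errno = EINVAL;
		return -1;
	}
	if (!seeded) {
		srandom((unsigned)time(NULL) ^ (unsigned)getpid());
		seeded = 1;
	}
	x = template + len - 6;
	for (tries = 0; tries < 100; tries++) {
		for (int i = 0; i < 6; i++)
			x[i] = alnum[random() % (sizeof(alnum) - 1)];
		fd = openat(dirfd, template,
		    O_RDWR | O_CREAT | O_EXCL | oflags, 0600);
		if (fd != -1 || errno != EEXIST)
			return fd;
	}
	errno = EEXIST;
	return -1;
}

/*
 * Create "<prefix>.XXXXXX": relative to got_tempdir_fd when it is open,
 * otherwise via mkstemp(2) on a full GOT_TMPDIR path. Returns the fd and
 * stores the malloc'd name in *name (relative in the fd case, absolute
 * in the fallback case); the caller frees it.
 */
int
got_opentemp_named(char **name, const char *prefix)
{
	char *tmpl;
	size_t n;
	int fd;

	if (got_tempdir_fd != -1) {
		n = strlen(prefix) + sizeof(".XXXXXX");
		if ((tmpl = malloc(n)) == NULL)
			return -1;
		snprintf(tmpl, n, "%s.XXXXXX", prefix);
		fd = mkostempat_compat(got_tempdir_fd, tmpl, O_CLOEXEC);
	} else {
		n = strlen(GOT_TMPDIR) + 1 + strlen(prefix) + sizeof(".XXXXXX");
		if ((tmpl = malloc(n)) == NULL)
			return -1;
		snprintf(tmpl, n, "%s/%s.XXXXXX", GOT_TMPDIR, prefix);
		fd = mkstemp(tmpl);
	}
	if (fd == -1) {
		free(tmpl);
		*name = NULL;
		return -1;
	}
	*name = tmpl;
	return fd;
}

/* Remove a file created by got_opentemp_named(), again without a path. */
int
got_opentemp_remove(const char *name)
{
	int dirfd = got_tempdir_fd != -1 ? got_tempdir_fd : AT_FDCWD;

	return unlinkat(dirfd, name, 0);
}
```

The point to check in a real port is that, once got_tempdir_fd is set, no code path touches a global pathname for temp files any more: both creation and removal go through the directory fd, so they keep working after the sandbox has cut off access to the global namespace. The fallback path exists only for the case where the fd was never opened.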