
From: Yang Zhong <yzhong@freebsdfoundation.org>
Subject: Re: change got_worktree_init, open_worktree to use fds
To: Ed Maste <emaste@freebsd.org>, Yang Zhong <yzhong@freebsdfoundation.org>, gameoftrees@openbsd.org
Date: Fri, 4 Dec 2020 07:33:46 -0800

Yes, I've done something similar to that in my proof-of-concept.
Instead of an extern, I made a function that opens /tmp and
saves the fd.

Speaking of mkostempsat: I've been poking around my changes
and it seems like many of them depend on mkostempsat, since
I often change absolute paths to ones relative to fds. Right now
I've written a stand-in opentemp function that (I think) does
something equivalent, but it's certainly not something that I
can actually commit.

On Fri, Dec 4, 2020 at 7:15 AM Stefan Sperling <stsp@stsp.name> wrote:
>
> On Fri, Dec 04, 2020 at 09:52:22AM -0500, Ed Maste wrote:
> > On Tue, 1 Dec 2020 at 18:11, Stefan Sperling <stsp@stsp.name> wrote:
> > >
> > > Couldn't you apply capsicum to open file descriptors provided via newly
> > > initialized struct got_worktree and struct got_repository, and enter the
> > > sandbox before the main operation logic of the got command starts executing?
> >
> > Yes, this is likely the approach to take; once the root directories of
> > the repository and of the working tree have been located we can enter
> > the sandbox and no longer rely on ambient authority or access to
> > global namespaces.
>
> Great! I am glad that this approach can work.
>
> Apart from fds for work tree and repository, you will also need an fd
> for the /tmp directory, correct? As far as I recall, those are generally
> the only three directories which Got operations require.
>
> Since /tmp is a global directory, I suppose a global variable would work?
>
> If so I'd propose to make the /tmp fd a global variable in opentemp.c.
> It could be initialized to -1 at compile-time, and it could be changed
> to a valid fd for /tmp before entering the sandbox. Code which creates a
> file in /tmp could then use mkostempat(2) with this fd if it isn't -1,
> and fall back on mkstemp(2) otherwise.
>
> Via include/got_opentemp.h you could expose the fd like this:
>
>         /* If not -1, this is an open file descriptor to the /tmp directory. */
>         extern int got_tempdir_fd;
>
> This avoids having to pass an fd for /tmp around all over the place.
>
> And you would close this fd again during application teardown.
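The design sketched in the thread, as an added example (this is not Got's code and not the proof-of-concept Yang describes): a global `got_tempdir_fd` initialised to -1, filled in before the sandbox is entered, consulted by the temp-file routine and closed at teardown. The function names `opentemp_init`, `opentemp_fini`, `opentemp_in_tmpdir` and `demo_both_paths` are mine, as is `mkstemp_at`, a portable stand-in for mkostempsat(3) built on openat(2) with O_EXCL so the example also builds where that function is missing. The only assumption is that /tmp exists and is writable.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* If not -1, an open fd to the /tmp directory: set before the sandbox, closed at teardown. */
int got_tempdir_fd = -1;

/* Open the temp directory and keep its fd. Must run before entering the sandbox. */
int opentemp_init(const char *dir)
{
	got_tempdir_fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	return got_tempdir_fd == -1 ? -1 : 0;
}

/* Application teardown: drop the directory fd again. */
void opentemp_fini(void)
{
	if (got_tempdir_fd != -1) close(got_tempdir_fd);
	got_tempdir_fd = -1;
}

/* Stand-in for mkostempsat(3) (hypothetical, not Got's): fill the trailing "XXXXXX"
 * with random characters and create the file relative to dirfd. O_EXCL plus the
 * retry loop makes it race-free; names only need to be unique, so modulo bias is fine. */
static int mkstemp_at(int dirfd, char *tmpl)
{
	static const char alnum[] =
	    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
	unsigned char rnd[32 * 6];	/* one 6-byte draw per attempt */
	size_t len = strlen(tmpl), tries, i;
	int rfd, fd = -1;
	if (len < 6 || strcmp(tmpl + len - 6, "XXXXXX") != 0) {
		errno = EINVAL;
		return -1;
	}
	if ((rfd = open("/dev/urandom", O_RDONLY | O_CLOEXEC)) == -1)
		return -1;
	if (read(rfd, rnd, sizeof(rnd)) != (ssize_t)sizeof(rnd)) {
		close(rfd);
		errno = EIO;
		return -1;
	}
	close(rfd);
	for (tries = 0; tries < sizeof(rnd) / 6; tries++) {
		for (i = 0; i < 6; i++)
			tmpl[len - 6 + i] = alnum[rnd[tries * 6 + i] % (sizeof(alnum) - 1)];
		fd = openat(dirfd, tmpl, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
		if (fd != -1 || errno != EEXIST)
			break;
	}
	return fd;	/* -1 with errno EEXIST if every attempt collided */
}

/* Create "got.XXXXXX" in the temp directory: relative to the fd when we have one
 * (works after the global namespace is gone), else mkstemp(3) on an absolute path. */
int opentemp_in_tmpdir(char **namep)
{
	int have_fd = got_tempdir_fd != -1, fd;
	char *name = strdup(have_fd ? "got.XXXXXX" : "/tmp/got.XXXXXX");
	if (name == NULL)
		return -1;
	fd = have_fd ? mkstemp_at(got_tempdir_fd, name) : mkstemp(name);
	if (fd == -1)
		free(name);
	else
		*namep = name;	/* caller frees; relative name when created via the fd */
	return fd;
}

/* Exercise both paths; compare inodes to prove the fd-relative file is really in /tmp. */
int demo_both_paths(void)
{
	char *apath = NULL, *rpath = NULL;
	struct stat sb_fd, sb_dir;
	int fd, fd_rel = -1, ret = -1;
	/* Before init: ambient authority, absolute path via mkstemp(3). */
	if ((fd = opentemp_in_tmpdir(&apath)) == -1 || apath[0] != '/')
		goto done;
	close(fd);
	unlink(apath);
	/* After init: only the directory fd and a relative name are used. */
	if (opentemp_init("/tmp") == -1 ||
	    (fd_rel = opentemp_in_tmpdir(&rpath)) == -1 || strchr(rpath, '/'))
		goto done;
	if (fstat(fd_rel, &sb_fd) == -1 || fstatat(got_tempdir_fd, rpath, &sb_dir, 0) == -1 ||
	    sb_fd.st_dev != sb_dir.st_dev || sb_fd.st_ino != sb_dir.st_ino)
		goto done;
	/* Cleanup also goes through the fd, never through an absolute path. */
	ret = unlinkat(got_tempdir_fd, rpath, 0);
done:
	if (fd_rel != -1)
		close(fd_rel);
	free(apath);
	free(rpath);
	opentemp_fini();
	return ret;
}
```

The fallback branch still relies on ambient authority, so it is only safe to reach before the sandbox is entered; once `got_tempdir_fd` is set, every later operation on the temp file (stat, unlink) has to go through that fd and the relative name, which is why the check above uses fstatat(2) and unlinkat(2) rather than building a path. On a system that has mkostempsat(3), its body replaces `mkstemp_at` and nothing else changes.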