
From: Yang Zhong <yzhong@freebsdfoundation.org>
Subject: Re: capsicum work: mkostempsat() question
To: Yang Zhong <yzhong@freebsdfoundation.org>, gameoftrees@openbsd.org
Date: Wed, 16 Dec 2020 16:58:02 -0800

On Wed, Dec 16, 2020 at 4:20 PM Stefan Sperling <stsp@stsp.name> wrote:
> By the way, your proof of concept does not seem to cover any of the helper
> programs in libexec/, even though those programs are the primary consumers
> of untrusted data. On OpenBSD, these programs run with pledge("stdio recvfd").
> Capsicum support should perhaps focus on sandboxing these helpers before
> a lot more additional effort is spent on the main process. Sandboxing only
> the main process does not make a lot of sense, since it is only exposed
> to data which has already been parsed and marshalled across inter-process
> communication pipes. Any malicious repository data will hit code in the
> libexec/ directory first.

Fork + exec'd programs automatically start in Capability mode.
They appear to still work with Capsicum so I don't think there's an
issue here, unless I'm missing something. In my changes, I know
that the code calls quite a few of the helpers without issue, but not
all.

> > Also, if mkostempsat does get added, I imagine that it'll go into
> > the next OpenBSD release. So, if I add changes to got that depend
> > on mkostempsat, got won't be compatible with this and earlier
> > versions of OpenBSD, I imagine. Is this a problem?
>
> No, it is not.
> The 'main' branch of Got only needs to compile on OpenBSD -current.
> It is convenient if the branch can be built on the most recent -stable
> OpenBSD release, but that is not a strict requirement.

OK, that's good to know.