
From:
Stefan Sperling <stsp@stsp.name>
Subject:
Re: split up pack_create.c
To:
Omar Polo <op@omarpolo.com>
Cc:
gameoftrees@openbsd.org
Date:
Sun, 16 Oct 2022 13:48:05 +0200

On Sun, Oct 16, 2022 at 12:43:55PM +0200, Omar Polo wrote:
> to be fair i'm not sure i'm 100% happy about having different
> implementations of the same function in different parts, i fear that
> some code may end up relying on implementations details of one version
> and fail with the others, but it's also not too bad and seems the
> easiest way (at least for now.)

An alternative would be to make gotd's parent run libexec helpers
on demand, when requested by repo_read/repo_write. This is what I
had in mind originally. But that approach would be both slower
and more complicated than using direct function calls.

And there would be little security benefit on OpenBSD, and it
would be _worse_ for security in -portable.

The libexec helpers are pledged "stdio recvfd", but only on OpenBSD.
In -portable they run either wide open, or optionally under landlock/capsicum.

repo_read is currently pledged "stdio rpath sendfd recvfd" and runs
inside a chroot (which works on any system -portable runs on).
chroot restricts filesystem access to the repository directory.
This is effectively as good as "stdio recvfd", given that we pass
any object files from the repository to the libexec helpers anyway.
And the remaining files aren't sensitive, so it is not a huge problem
to give a hypothetical rogue repo_read process access to those files.

So I believe running this code inside repo_read under chroot is better
for -portable, and also better for OpenBSD because we need repo_read
to run as fast as possible while creating pack files.
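The arrangement described above rests on one mechanism: the libexec helper never opens a path itself, it only receives already-open object files over a socket, which is why "stdio recvfd" is enough for it. The following is an added illustration of that mechanism, written for this page; it is not code from got or gotd. The parent process stands in for repo_read (it can open files), the forked child stands in for a helper (it applies the helper's pledge set on OpenBSD and only reads the descriptor it is handed), and the file content is a constructed sample, not a real object file. The function names send_fd, recv_fd and demo_fd_passing and the /tmp template are assumptions of this example.

```c
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pass one open descriptor over an AF_UNIX socket with SCM_RIGHTS. */
static int
send_fd(int sock, int fd)
{
	char byte = 'F';
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg;
	struct cmsghdr *cm;

	memset(&u, 0, sizeof(u));
	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = u.buf;
	msg.msg_controllen = sizeof(u.buf);
	cm = CMSG_FIRSTHDR(&msg);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; reject anything that is not exactly one SCM_RIGHTS fd. */
static int
recv_fd(int sock)
{
	char byte;
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg;
	struct cmsghdr *cm;
	int fd;

	memset(&u, 0, sizeof(u));
	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = u.buf;
	msg.msg_controllen = sizeof(u.buf);
	if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
		return -1;
	cm = CMSG_FIRSTHDR(&msg);
	if (cm == NULL || cm->cmsg_level != SOL_SOCKET ||
	    cm->cmsg_type != SCM_RIGHTS || cm->cmsg_len != CMSG_LEN(sizeof(int)))
		return -1;
	memcpy(&fd, CMSG_DATA(cm), sizeof(int));
	return fd;
}

/*
 * Parent (the repo_read role) opens a constructed "object file" and hands the
 * descriptor to a forked helper. The helper never names a path: it reads only
 * what it was given and relays the bytes back over the socket. Returns the
 * number of bytes relayed into out (NUL-terminated), or -1 on any failure,
 * including the helper being killed by SIGPIPE because out was too small.
 */
static ssize_t
demo_fd_passing(const char *content, char *out, size_t outlen)
{
	char tmpl[] = "/tmp/got-helper-demo-XXXXXX"; /* assumed writable */
	int sv[2], filefd = -1, status;
	size_t len = strlen(content), total = 0;
	ssize_t n;
	pid_t pid;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		char buf[4096];
		int fd;
		close(sv[0]);
#ifdef __OpenBSD__
		if (pledge("stdio recvfd", NULL) == -1) /* the helpers' promise set */
			_exit(1);
#endif
		if ((fd = recv_fd(sv[1])) == -1)
			_exit(1);
		while ((n = read(fd, buf, sizeof(buf))) > 0)
			if (write(sv[1], buf, (size_t)n) != n)
				_exit(1);
		_exit(n == 0 ? 0 : 1);
	}
	close(sv[1]);
	if ((filefd = mkstemp(tmpl)) == -1)
		goto fail;
	unlink(tmpl); /* constructed sample input; name no longer needed */
	if (write(filefd, content, len) != (ssize_t)len ||
	    lseek(filefd, 0, SEEK_SET) == -1 || send_fd(sv[0], filefd) == -1)
		goto fail;
	close(filefd); /* the helper now holds its own reference */
	while (total + 1 < outlen &&
	    (n = read(sv[0], out + total, outlen - total - 1)) > 0)
		total += (size_t)n;
	out[total] = '\0';
	close(sv[0]);
	if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
	    WEXITSTATUS(status) != 0)
		return -1;
	return (ssize_t)total;
fail:
	if (filefd != -1)
		close(filefd);
	close(sv[0]); /* EOF makes the helper exit rather than wait forever */
	waitpid(pid, &status, 0);
	return -1;
}
```

Calling demo_fd_passing("hello from repo_read\n", buf, sizeof(buf)) returns 21 and leaves the same text in buf. The point of interest is in the child: after the pledge it has no way to open anything under the repository or elsewhere, yet it still gets at the file because the privileged side chose which descriptor to hand over. A chrooted repo_read doing the same work directly reads the same files, which is the equivalence the message argues for.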