got-portable: sandboxing got-notify-*

From:: Thomas Adam <thomas@xteddy.org>
Subject:: Re: got-portable: sandboxing got-notify-*
To:: Omar Polo <op@omarpolo.com>
Cc:: gameoftrees@openbsd.org
Date:: Fri, 26 Apr 2024 12:33:39 +0100

Download raw body.

Thread

2024-04-09 07:26 Omar Polo:
got-portable: sandboxing got-notify-*
- 2024-04-26 11:02 Omar Polo:
  got-portable: sandboxing got-notify-*
- - 2024-04-26 11:33 Thomas Adam:
    got-portable: sandboxing got-notify-*
  - - 2024-04-26 11:43 Omar Polo:
      got-portable: sandboxing got-notify-*

Hi,

On Fri, 26 Apr 2024 at 12:03, Omar Polo <op@omarpolo.com> wrote:
>
> On 2024/04/09 09:26:18 +0200, Omar Polo <op@omarpolo.com> wrote:
> > similarly to what we do for the other libexecs.  When we
> > pledge("stdio"), we're in an environment where we can enter capsicum on
> > FreeBSD or remove all the filesystem access on linux.
> >
> > so far only tested on freebsd by manually calling got-notify-http and
> > regress/gotd/http-server to verify the output.  I have destroyed my
> > linux vm accidentally so can't test there atm but don't expect
> > surprises.
> >
> > ok?
>
> ping.  I've tested on linux with landlock enabled too (with a
> self-signed certificate and TLS validation disabled.)

I've also given this some testing -- looks good to me.

Kindly,
Thomas

2024-04-09 07:26 Omar Polo:
got-portable: sandboxing got-notify-*
- 2024-04-26 11:02 Omar Polo:
  got-portable: sandboxing got-notify-*
- - 2024-04-26 11:33 Thomas Adam:
    got-portable: sandboxing got-notify-*
  - - 2024-04-26 11:43 Omar Polo:
      got-portable: sandboxing got-notify-*