From: Yang Zhong
Subject: FreeBSD - Progress on applying Capsicum to got
To: gameoftrees@openbsd.org
Date: Tue, 24 Nov 2020 12:13:05 -0800

Hello,

I'm the intern working on applying Capsicum to got. I have adapted the init and checkout commands to use Capsicum, as a proof of concept. The changes need polish for things like the names of variables and the order of include directives, and there are some very minor unresolved issues, but it's enough to get a good idea of what is necessary. Almost all of the changes are for checkout, so I'll be discussing that.

The first of the following diffs contains all the relevant Capsicum changes. The second contains the FreeBSD compatibility changes on top of which I worked.

https://people.freebsd.org/~emaste/got/got_cap_poc.diff
https://people.freebsd.org/~emaste/got/freebsd-0.43.diff

Most changes involve turning open()-style functions into openat()-style ones, and many functions now take in fds to support this. The got_repo and got_worktree structs also now store fds corresponding to their paths. In general, the program now passes around fds for the root worktree and repo directories, and operates on paths relative to those fds.

As a consequence of this, got_worktree_open now takes in the fd of its associated repository, as Capsicum's capability mode needs the directory to be pre-opened. For checkout this works since we call got_repo_open beforehand anyway, which requires the same fd. However, future commands will need a function that grabs the repository path from a worktree directory, or similar, to run before entering capability mode.

Another consequence: got_repo_open no longer loops through progressively higher directories to find the repo's root, as this must be done before entering capability mode. The new function got_repo_find_git_path does the looping, and we call it early on.

The rest of the changes are self-contained: got_privsep_wait_for_child replaces wait4 with kqueue, as the former is forbidden in capability mode. Similarly, got_privsep_exec_child uses fexecve instead of execl. Since some of these aren't suitable for upstream, I'd appreciate your thoughts on how these areas could be abstracted going forward.

A note: these changes affect the signatures of many common functions (got_repo_open, got_worktree_open, got_ref_open, etc.). I've filled them with dummy parameters in places where they aren't being called, and have added printed warnings before them for my reference. This means that commands other than init and checkout will not work.

I've lightly tested my work, and checkout works with both got- and git-style repositories. All the flags work in simple cases as well.

Is the direction of these changes agreeable? I believe that changes in this style will suffice to Capsicumize almost all of got. I'd greatly appreciate any feedback on how suitable these changes are. If these changes are agreeable, we'll apply them to the rest of got and submit them as logically-separated patches.

Yang Zhong
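The pattern the message describes, carried end to end as an added C example: locate the repository root by name while path lookups are still allowed, pre-open the directory and the helper executable, enter capability mode, and from then on use only openat() against the root fd, a kqueue NOTE_EXIT event in place of wait4, and fexecve() in place of execl. This is illustration written for this page, not code from got or from the linked diffs; the function names (find_root_by_marker, read_in_root, wait_child_exit, run_fd_and_get_exit, build_sample_tree), the ".git" marker, the sample tree it builds under /tmp, and the choice to treat cap_enter() as a no-op on hosts without Capsicum are all assumptions of the example. On FreeBSD the kqueue and cap_enter() branches compile in; elsewhere waitpid() stands in so the fd-relative logic can still be run.

```c
#define _GNU_SOURCE
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <sys/event.h>
#endif
#ifndef O_EXEC
#define O_EXEC O_RDONLY /* Linux has no O_EXEC; a readable fd is enough for fexecve() */
#endif
extern char **environ;

/* Walk upward from 'start' until a directory containing 'marker' (".git") is found and
 * return an O_DIRECTORY fd for it. Runs before cap_enter(), like got_repo_find_git_path. */
int find_root_by_marker(const char *start, const char *marker)
{
	char path[PATH_MAX];
	if (realpath(start, path) == NULL) return -1;
	for (;;) {
		int dfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
		if (dfd == -1) return -1;
		if (faccessat(dfd, marker, F_OK, 0) == 0) return dfd; /* caller owns the root fd */
		close(dfd);
		if (strcmp(path, "/") == 0) return -1;              /* reached "/" with no marker */
		char *slash = strrchr(path, '/');
		*(slash == path ? slash + 1 : slash) = '\0';        /* parent of "/x" is "/" */
	}
}
/* Enter capability mode; assumed (for this example) to be a no-op without Capsicum. */
int enter_capability_mode(void)
{
#ifdef __FreeBSD__
	return cap_enter();
#else
	return 0;
#endif
}
/* open() turned into openat(): read a small file relative to the pre-opened root fd into
 * buf (NUL-terminated). Absolute paths are refused up front; in capability mode the
 * kernel would reject them with ECAPMODE anyway. Returns the byte count, or -1. */
ssize_t read_in_root(int rootfd, const char *relpath, char *buf, size_t len)
{
	if (relpath[0] == '/') { errno = EINVAL; return -1; }
	int fd = openat(rootfd, relpath, O_RDONLY | O_CLOEXEC);
	if (fd == -1) return -1;
	ssize_t n = read(fd, buf, len - 1);
	close(fd);
	if (n >= 0) buf[n] = '\0';
	return n;
}
/* Wait for a child via a kqueue EVFILT_PROC/NOTE_EXIT event on FreeBSD, the substitute
 * the message describes for got_privsep_wait_for_child; waitpid() elsewhere. */
int wait_child_exit(pid_t pid, int *status)
{
#ifdef __FreeBSD__
	struct kevent ev;
	int kq = kqueue();
	if (kq == -1) return -1;
	EV_SET(&ev, pid, EVFILT_PROC, EV_ADD | EV_ONESHOT, NOTE_EXIT, 0, NULL);
	if (kevent(kq, &ev, 1, &ev, 1, NULL) != 1) { close(kq); return -1; }
	close(kq);
	*status = (int)ev.data;                   /* NOTE_EXIT carries the wait status */
	return 0;
#else
	return waitpid(pid, status, 0) == -1 ? -1 : 0;
#endif
}
/* fork() + fexecve() on a pre-opened executable fd, the execl() replacement the message
 * names for got_privsep_exec_child; returns the child's exit code, or -1. */
int run_fd_and_get_exit(int execfd, char *const argv[])
{
	int status = 0;
	pid_t pid = fork();
	if (pid == -1) return -1;
	if (pid == 0) { fexecve(execfd, argv, environ); _exit(127); }
	if (wait_child_exit(pid, &status) == -1 || !WIFEXITED(status)) return -1;
	return WEXITSTATUS(status);
}
/* Constructed sample tree: <root>/.git/, <root>/sub/dir/ and <root>/sub/file.txt holding
 * "hello". Writes the root path into 'out'; returns 0 on success. */
int build_sample_tree(char *out, size_t len)
{
	char p[PATH_MAX];
	const char *dirs[] = { ".git", "sub", "sub/dir" };
	snprintf(out, len, "/tmp/capex.XXXXXX");
	if (mkdtemp(out) == NULL) return -1;
	for (size_t i = 0; i < 3; i++) {
		snprintf(p, sizeof p, "%s/%s", out, dirs[i]);
		if (mkdir(p, 0700) == -1) return -1;
	}
	snprintf(p, sizeof p, "%s/sub/file.txt", out);
	FILE *f = fopen(p, "w");
	return (f != NULL && fputs("hello", f) >= 0 && fclose(f) == 0) ? 0 : -1;
}
```

The order of calls is the point: find_root_by_marker() and the open() of the helper binary both need path-name lookups, so they must complete before enter_capability_mode(); after that, read_in_root() only ever hands the kernel a root fd plus a relative path. On FreeBSD a quick check that the sandbox is live is to attempt an open() by absolute path after cap_enter() and confirm it fails with ECAPMODE; the helper binary should be opened with O_EXEC there so the descriptor carries the right needed by fexecve().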