From: "Todd C. Miller"
Subject: Re: FreeBSD - Progress on applying Capsicum to got
To: Ed Maste
Cc: stsp@stsp.name, Yang Zhong, gameoftrees@openbsd.org
Date: Wed, 25 Nov 2020 13:39:41 -0700

On Wed, 25 Nov 2020 14:05:28 -0500, Ed Maste wrote:

> One of our goals in starting this now is to see how things can be made
> Capsicum-sandbox friendly; it is indeed much easier to apply Capsicum
> sandboxing during design than adding it to an existing, complete
> program. In a nutshell the idea of a Capsicum sandbox is that there is
> no access to global namespaces or ambient authority, so all resources
> need to be explicitly passed to the sandbox. Some of the functionality
> that exists in FreeBSD comes as a natural consequence of that - e.g.
> mkostempsat is needed when there's no concept of "/" in the sandbox.
> Similarly AT_FDCWD isn't usable in the sandbox.

FWIW, adding mkostempsat(3) to OpenBSD is trivial to do. I have no
objection to adding it...

 - todd
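The discipline Ed describes, as an added example that is not code from this thread, from got, or from FreeBSD: a directory is opened while the process still has ambient authority, a worker is forked, and the worker enters the sandbox holding only that directory fd plus a pipe to report back. Everything it does is relative to the fd (openat, unlinkat, an fd-relative mkstemp), so it never needs "/" or AT_FDCWD. On FreeBSD the real cap_enter(2) and mkostempsat(3) are called; on other hosts the wrappers enter_sandbox() and tmpfile_at() fall back to a no-op and an openat(2)-based substitute so the same code runs. The function names, the /tmp scratch directory and the payload string are all assumptions made for this example.

```c
/* Added example: Capsicum-style "pass the fd, not the path" discipline.
 * Not from the got project; on non-FreeBSD hosts cap_enter/mkostempsat
 * are replaced by stand-ins (assumption, labelled below). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* mkostempsat(3) on FreeBSD; elsewhere a portable fd-relative mkstemp
 * built on openat(2) with O_EXCL (assumption: demo fallback only). */
static int
tmpfile_at(int dirfd, char *tmpl)
{
#ifdef __FreeBSD__
	return mkostempsat(dirfd, tmpl, 0, 0);
#else
	static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
	size_t len = strlen(tmpl);

	if (len < 6 || strcmp(tmpl + len - 6, "XXXXXX") != 0) {
		errno = EINVAL;
		return -1;
	}
	srandom((unsigned)(getpid() ^ time(NULL)));
	for (int attempt = 0; attempt < 100; attempt++) {
		for (size_t i = len - 6; i < len; i++)
			tmpl[i] = alphabet[random() % (sizeof(alphabet) - 1)];
		int fd = openat(dirfd, tmpl, O_RDWR | O_CREAT | O_EXCL, 0600);
		if (fd >= 0 || errno != EEXIST)
			return fd;
	}
	errno = EEXIST;
	return -1;
#endif
}

/* cap_enter(2) on FreeBSD; a no-op elsewhere (assumption: the fd-relative
 * discipline is what this example exercises, not the kernel enforcement). */
static int
enter_sandbox(void)
{
#ifdef __FreeBSD__
	return cap_enter();
#else
	return 0;
#endif
}

/* Sandboxed worker: receives a directory fd and a name template, never an
 * absolute path. Creates a temp file relative to dirfd and writes payload. */
static int
worker(int dirfd, char *tmpl, const char *payload)
{
	int fd = tmpfile_at(dirfd, tmpl);
	if (fd < 0)
		return -1;
	ssize_t n = write(fd, payload, strlen(payload));
	close(fd);
	return n == (ssize_t)strlen(payload) ? 0 : -1;
}

/* Open dir with ambient authority, fork, sandbox the child, then read the
 * child's file back relative to dirfd. Returns bytes read or -1. */
long
sandbox_demo(const char *dir)
{
	const char payload[] = "hello from the sandbox\n";	/* constructed */
	char name[64] = "scratch.XXXXXX";
	int pfd[2], status;
	int dirfd = open(dir, O_RDONLY | O_DIRECTORY);	/* before the sandbox */

	if (dirfd < 0 || pipe(pfd) != 0)
		return -1;
	pid_t pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {		/* child: only dirfd and pfd[1] are needed */
		close(pfd[0]);
		if (enter_sandbox() != 0 || worker(dirfd, name, payload) != 0)
			_exit(1);
		if (write(pfd[1], name, strlen(name) + 1) < 0)	/* report name */
			_exit(1);
		_exit(0);
	}
	close(pfd[1]);
	ssize_t got = read(pfd[0], name, sizeof name - 1);
	close(pfd[0]);
	waitpid(pid, &status, 0);
	if (got <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		close(dirfd);
		return -1;
	}
	name[got] = '\0';
	char buf[128];
	int fd = openat(dirfd, name, O_RDONLY);	/* still fd-relative */
	ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf);
	if (fd >= 0)
		close(fd);
	unlinkat(dirfd, name, 0);
	close(dirfd);
	return n;
}

/* Run the demo in a fresh mkdtemp(3) directory; returns bytes read back
 * (23 for the payload above). */
long
sandbox_demo_in_tmpdir(void)
{
	char dir[] = "/tmp/capdemo.XXXXXX";	/* constructed scratch location */
	if (mkdtemp(dir) == NULL)
		return -1;
	long n = sandbox_demo(dir);
	rmdir(dir);
	return n;
}

int
main(void)
{
	long n = sandbox_demo_in_tmpdir();
	printf("read back %ld bytes from the sandboxed worker's file\n", n);
	return n == 23 ? 0 : 1;
}
```

The point to notice is where the absolute path appears: exactly once, in the parent, before fork. Inside the child everything is a capability (dirfd, pfd[1]) that was handed over deliberately; on FreeBSD, any open("/...") or AT_FDCWD use after cap_enter() would fail with ECAPMODE, which is the property that makes mkostempsat necessary in the first place.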