From: Stefan Sperling
Subject: Re: change got_worktree_init, open_worktree to use fds
To: Ed Maste
Cc: Yang Zhong, gameoftrees@openbsd.org
Date: Fri, 4 Dec 2020 16:15:49 +0100

On Fri, Dec 04, 2020 at 09:52:22AM -0500, Ed Maste wrote:
> On Tue, 1 Dec 2020 at 18:11, Stefan Sperling wrote:
> >
> > Couldn't you apply capsicum to open file descriptors provided via newly
> > initialized struct got_worktree and struct got_repository, and enter the
> > sandbox before the main operation logic of the got command starts executing?
>
> Yes, this is likely the approach to take; once the root directories of
> the repository and of the working tree have been located we can enter
> the sandbox and no longer rely on ambient authority or access to
> global namespaces.

Great! I am glad that this approach can work.

Apart from fds for work tree and repository, you will also need an fd
for the /tmp directory, correct? As far as I recall, those are generally
the only three directories which Got operations require.

Since /tmp is a global directory, I suppose a global variable would work?
If so I'd propose to make the /tmp fd a global variable in opentemp.c.
It could be initialized to -1 at compile-time, and it could be changed to
a valid fd for /tmp before entering the sandbox. Code which creates a file
in /tmp could then use mkostempat(2) with this fd if it isn't -1, and fall
back on mkstemp(2) otherwise.

Via include/got_opentemp.h you could expose the fd like this:

/* If not -1, this is an open file descriptor to the /tmp directory. */
extern int got_tempdir_fd;

This avoids having to pass an fd for /tmp around all over the place.
And you would close this fd again during application teardown.
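The /tmp fd pattern proposed above, written out as an added example (not Got's own opentemp.c): got_tempdir_fd as in the proposed header, a helper that creates a file relative to it, and got_opentemp() falling back on mkstemp(3) while the fd is still -1. FreeBSD's mkostempsat(3) is the natural fit for the relative case; the helper here substitutes a portable openat(2)/O_EXCL loop so it also builds on Linux, and got_opentemp and mkstemp_at are names assumed for the example.

```c
#define _GNU_SOURCE	/* glibc: declare getentropy(3) in <unistd.h> */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* If not -1, this is an open file descriptor to the /tmp directory. */
int got_tempdir_fd = -1;
/*
 * Create a unique file from a template ending in "XXXXXX", relative to dirfd.
 * FreeBSD offers mkostempsat(3) for this; this stand-in uses openat(2) with
 * O_EXCL so it also builds on Linux. Returns an open fd, or -1 with errno set.
 */
static int
mkstemp_at(int dirfd, char *tmpl)
{
	/* 32 symbols, so one random byte masked with 31 selects without bias. */
	static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz234567";
	size_t len = strlen(tmpl);
	unsigned char rnd[6];
	if (len < 6 || strcmp(tmpl + len - 6, "XXXXXX") != 0) {
		errno = EINVAL;
		return -1;
	}
	for (int attempt = 0; attempt < 100; attempt++) {
		if (getentropy(rnd, sizeof(rnd)) == -1)
			return -1;
		for (size_t i = 0; i < sizeof(rnd); i++)
			tmpl[len - 6 + i] = alphabet[rnd[i] & 31];
		int fd = openat(dirfd, tmpl, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600);
		if (fd != -1 || errno != EEXIST)
			return fd;	/* success, or a failure other than a name clash */
	}
	errno = EEXIST;
	return -1;
}

/* Open a temp file relative to got_tempdir_fd if set, else via mkstemp(3) in /tmp. */
int
got_opentemp(char *path, size_t pathlen)
{
	if (got_tempdir_fd != -1) {
		snprintf(path, pathlen, "got.XXXXXX");
		return mkstemp_at(got_tempdir_fd, path);
	}
	snprintf(path, pathlen, "/tmp/got.XXXXXX");
	return mkstemp(path);
}
```

Before entering the sandbox the caller opens /tmp with O_DIRECTORY and stores the result in got_tempdir_fd; after that every temporary file is created through that descriptor and no absolute path is needed.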