From: Yang Zhong
Subject: Re: change got_worktree_init, open_worktree to use fds
To: Ed Maste, Yang Zhong, gameoftrees@openbsd.org
Date: Fri, 4 Dec 2020 07:33:46 -0800

Yes, I've done something similar to that in my proof-of-concept. Instead of an extern, I made a function that opens /tmp and saves the fd.

Speaking of mkostempsat: I've been poking around my changes and it seems like many of them depend on mkostempsat, since I often change absolute paths to ones relative to fds. Right now I've written a stand-in opentemp function that (I think) does something equivalent, but it's certainly not something that I can actually commit.

On Fri, Dec 4, 2020 at 7:15 AM Stefan Sperling wrote:
>
> On Fri, Dec 04, 2020 at 09:52:22AM -0500, Ed Maste wrote:
> > On Tue, 1 Dec 2020 at 18:11, Stefan Sperling wrote:
> > >
> > > Couldn't you apply capsicum to open file descriptors provided via newly
> > > initialized struct got_worktree and struct got_repository, and enter the
> > > sandbox before the main operation logic of the got command starts executing?
> >
> > Yes, this is likely the approach to take; once the root directories of
> > the repository and of the working tree have been located we can enter
> > the sandbox and no longer rely on ambient authority or access to
> > global namespaces.
>
> Great! I am glad that this approach can work.
>
> Apart from fds for work tree and repository, you will also need an fd
> for the /tmp directory, correct? As far as I recall, those are generally
> the only three directories which Got operations require.
>
> Since /tmp is a global directory, I suppose a global variable would work?
>
> If so I'd propose to make the /tmp fd a global variable in opentemp.c.
> It could be initialized to -1 at compile-time, and it could be changed
> to a valid fd for /tmp before entering the sandbox. Code which creates a
> file in /tmp could then use mkostempat(2) with this fd if it isn't -1,
> and fall back on mkstemp(2) otherwise.
>
> Via include/got_opentemp.h you could expose the fd like this:
>
> /* If not -1, this is an open file descriptor to the /tmp directory. */
> extern int got_tempdir_fd;
>
> This avoids having to pass an fd for /tmp around all over the place.
>
> And you would close this fd again during application teardown.
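The scheme sketched in the quoted proposal (a global got_tempdir_fd that starts at -1, an *at()-style temp-file call through it once it is set, mkstemp otherwise, and entering the sandbox before the main logic runs), together with the stand-in opentemp function Yang mentions, as an added example in C. This is not code from the Got project or from either author; only the name got_tempdir_fd comes from the thread, while got_tempdir_open, got_unlinktemp, got_opentemp_named, got_enter_sandbox and fill_suffix are names assumed here. Because mkostempsat(3) exists only on FreeBSD, the sandboxed path is emulated with openat(2) plus O_EXCL, which is what a portable stand-in has to do; the Capsicum calls are compiled only on FreeBSD and become a no-op elsewhere so the example still builds.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/random.h>	/* getentropy(2) on glibc */
#endif
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* If not -1, an open file descriptor to the /tmp directory (the global from
 * the thread); it is set before the sandbox is entered. */
int got_tempdir_fd = -1;

/* Open /tmp once and remember the descriptor (hypothetical helper name). */
int
got_tempdir_open(void)
{
	if (got_tempdir_fd == -1)
		got_tempdir_fd = open("/tmp", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	return got_tempdir_fd == -1 ? -1 : 0;
}

/* Remove a file made by got_opentemp_named() via the same descriptor. */
int
got_unlinktemp(const char *name)
{
	if (got_tempdir_fd != -1)
		return unlinkat(got_tempdir_fd, name, 0);
	return unlink(name);
}

/* Random alphanumeric suffix; getentropy(2) is a plain system call and keeps
 * working after cap_enter(2). The small modulo bias is harmless for a name. */
static int
fill_suffix(char *s, size_t n)
{
	static const char alphabet[] =
	    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
	unsigned char rnd[16];
	if (n > sizeof(rnd) || getentropy(rnd, n) == -1)
		return -1;
	for (size_t i = 0; i < n; i++)
		s[i] = alphabet[rnd[i] % (sizeof(alphabet) - 1)];
	return 0;
}

/* Create and open a fresh temporary file. With got_tempdir_fd set this stands
 * in for mkostempsat(3): openat(2) resolves the name relative to the directory
 * descriptor, never through the global namespace, so it works in capability
 * mode. Otherwise fall back to mkstemp(3) on an absolute path. Returns the fd
 * or -1; *name_out gets the name (relative or absolute accordingly). */
int
got_opentemp_named(char **name_out)
{
	char name[32];
	int fd = -1;
	*name_out = NULL;
	if (got_tempdir_fd == -1) {
		strcpy(name, "/tmp/got.XXXXXX");
		fd = mkstemp(name);
	} else {
		for (int tries = 0; tries < 100 && fd == -1; tries++) {
			strcpy(name, "got.XXXXXX");
			if (fill_suffix(name + 4, 6) == -1)
				return -1;
			fd = openat(got_tempdir_fd, name,
			    O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
			if (fd == -1 && errno != EEXIST)
				return -1;
		}
	}
	if (fd == -1)
		return -1;
	if ((*name_out = strdup(name)) == NULL) {
		got_unlinktemp(name);
		close(fd);
		return -1;
	}
	return fd;
}

/* Limit the directory descriptors Got holds (repository, work tree, /tmp) to
 * file operations, then enter capability mode. A no-op without Capsicum. */
int
got_enter_sandbox(const int *dirfds, size_t ndirfds)
{
#ifdef __FreeBSD__
	cap_rights_t rights;
	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_SEEK, CAP_FSTAT,
	    CAP_FCNTL, CAP_LOOKUP, CAP_CREATE, CAP_FTRUNCATE, CAP_UNLINKAT);
	for (size_t i = 0; i < ndirfds; i++)
		if (dirfds[i] != -1 && cap_rights_limit(dirfds[i], &rights) == -1)
			return -1;
	if (cap_enter() == -1 && errno != ENOSYS)
		return -1;
#else
	(void)dirfds;
	(void)ndirfds;
#endif
	return 0;
}
```

Teardown is a close() of got_tempdir_fd followed by resetting it to -1, as the proposal says. One caveat worth keeping in mind: once cap_enter has been called, the mkstemp fallback can no longer work, because an absolute path is a lookup in the global namespace. The /tmp descriptor therefore has to be opened successfully before the sandbox is entered, and in a sandboxed build a -1 there is better treated as an error than as a reason to fall back.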