From: Yang Zhong
Subject: Re: capsicum work: mkostempsat() question
To: Yang Zhong, gameoftrees@openbsd.org
Date: Wed, 16 Dec 2020 16:58:02 -0800

On Wed, Dec 16, 2020 at 4:20 PM Stefan Sperling wrote:
> By the way, your proof of concept does not seem to cover any of the helper
> programs in libexec/, even though those programs are the primary consumers
> of untrusted data. On OpenBSD, these programs run with pledge("stdio recvfd").
> Capsicum support should perhaps focus on sandboxing these helpers before
> a lot more additional effort is spent on the main process. Sandboxing only
> the main process does not make a lot of sense, since it is only exposed
> to data which has already been parsed and marshalled across inter-process
> communication pipes. Any malicious repository data will hit code in the
> libexec/ directory first.

Fork + exec'd programs automatically start in capability mode. They appear to
still work with Capsicum, so I don't think there's an issue here, unless I'm
missing something. In my changes, I know that the code calls quite a few of the
helpers without issue, but not all.

> > Also, if mkostempsat does get added, I imagine that it'll go into
> > the next OpenBSD release. So, if I add changes to got that depend
> > on mkostempsat, got won't be compatible with this and earlier
> > versions of OpenBSD, I imagine. Is this a problem?
>
> No, it is not.
> The 'main' branch of Got only needs to compile on OpenBSD -current.
> It is convenient if the branch can be built on the most recent -stable
> OpenBSD release, but that is not a strict requirement.

OK, that's good to know.