From: Stefan Sperling Subject: Re: capsicum work: mkostempsat() question To: Yang Zhong Cc: gameoftrees@openbsd.org Date: Thu, 17 Dec 2020 03:46:11 +0100 On Wed, Dec 16, 2020 at 04:59:03PM -0800, Yang Zhong wrote: > On Wed, Dec 16, 2020 at 4:58 PM Yang Zhong wrote: > > > Fork + exec'd programs automatically start in Capability mode. > > They appear to still work with Capsicum so I don't think there's an > > issue here, unless I'm missing something. In my changes, I know > > that the code calls quite a few of the helpers without issue, but not > > all. > *as in, there are some that the code doesn't call; all the ones that it > does all work. OK, that sounds good then. I wasn't aware that cap_enter is implicitly inherited to child processes. All helpers operate on file descriptors which are opened by the parent. If the ones involved in 'got checkout' are working, then most, if not all, helpers should be ok. Maybe 'got-fetch-pack' needs special attention since it operates on sockets in addition to plain files, if that makes any difference.