From: Stefan Sperling
Subject: Re: split up pack_create.c
To: Omar Polo
Cc: gameoftrees@openbsd.org
Date: Sun, 16 Oct 2022 13:48:05 +0200

On Sun, Oct 16, 2022 at 12:43:55PM +0200, Omar Polo wrote:
> to be fair i'm not sure i'm 100% happy about having different
> implementations of the same function in different parts, i fear that
> some code may end up relying on implementation details of one version
> and fail with the others, but it's also not too bad and seems the
> easiest way (at least for now.)

An alternative would be to make gotd's parent run libexec helpers on
demand, when requested by repo_read/repo_write. This is what I had in
mind originally. But that approach would be both slower and more
complicated than using direct function calls. And there would be little
security benefit on OpenBSD, and it would be _worse_ for security in
-portable.

The libexec helpers are pledged "stdio recvfd", but only on OpenBSD.
In -portable they run either wide open, or optionally under
landlock/capsicum.

repo_read is currently pledged "stdio rpath sendfd recvfd" and runs
inside a chroot (which works on any system -portable runs on).
chroot restricts filesystem access to the repository directory.
This is effectively as good as "stdio recvfd", given that we pass any
object files from the repository to the libexec helpers anyway.
And the remaining files aren't sensitive, so it is not a huge problem
to give a hypothetical rogue repo_read process access to those files.

So I believe running this code inside repo_read under chroot is better
for -portable, and also better for OpenBSD because we need repo_read
to run as fast as possible while creating pack files.
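The descriptor passing and confinement the message describes, as an added example that is not part of this thread or of gotd's code: a parent confines itself the way the message describes repo_read (chroot only when it has root, pledge only on OpenBSD) and hands a descriptor over a socketpair to a forked child pledged "stdio recvfd", which never opens a path itself. Everything here is hypothetical: the function names (send_fd, recv_fd, confine_reader, pass_to_helper, self_check) are made up, the sample text is constructed, and a pipe stands in for a repository object file. gotd's real helpers are separate libexec programs started by the parent, not a fork of the reader.

```c
/* Added example, not gotd's code: SCM_RIGHTS fd passing (what the "sendfd" and
 * "recvfd" pledge promises gate) arranged as the message describes: a helper
 * pledged "stdio recvfd" fed by a chrooted reader. All names here are made up. */
#define _DEFAULT_SOURCE
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <string.h>
#include <unistd.h>

union fdbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Send one descriptor over a UNIX socket. Returns 0 or -1. */
int send_fd(int sock, int fd)
{
	union fdbuf u;
	char c = 'F';
	struct iovec iov = { .iov_base = &c, .iov_len = 1 };
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
	    .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
	struct cmsghdr *cmsg;
	memset(&u, 0, sizeof(u));
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. Returns the new fd or -1. */
int recv_fd(int sock)
{
	union fdbuf u;
	char c;
	struct iovec iov = { .iov_base = &c, .iov_len = 1 };
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
	    .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
	struct cmsghdr *cmsg;
	int fd = -1;
	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg))
		if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS)
			memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}

/* Reader side: chroot into the repository (root only; skipped otherwise), then pledge on OpenBSD. */
int confine_reader(const char *repo)
{
	if (geteuid() == 0 && (chroot(repo) == -1 || chdir("/") == -1))
		return -1;
#ifdef __OpenBSD__
	if (pledge("stdio rpath sendfd recvfd", NULL) == -1)
		return -1;
#endif
	return 0;
}

/* Run `text` through the split: a pipe's read end (standing in for an object
 * file) goes to a child pledged "stdio recvfd", which echoes the bytes back over
 * the socket; a non-NULL `repo` confines the parent first. Returns bytes echoed. */
ssize_t pass_to_helper(const char *repo, const char *text, char *out, size_t outlen)
{
	int p[2], sv[2], fd;
	ssize_t n, total = 0, len = strlen(text);
	pid_t pid;
	if (pipe(p) == -1 || write(p[1], text, len) != len || close(p[1]) == -1 ||
	    socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1)
		return -1;
	if (pid == 0) {		/* helper side: never opens a path itself */
		close(sv[0]); close(p[0]);
#ifdef __OpenBSD__
		if (pledge("stdio recvfd", NULL) == -1) _exit(1);
#endif
		if ((fd = recv_fd(sv[1])) == -1) _exit(1);
		while ((n = read(fd, out, outlen)) > 0)	/* `out` is the child's own copy */
			if (write(sv[1], out, n) != n) _exit(1);
		_exit(0);
	}
	close(sv[1]);		/* reader side: holds the file, hands over only the fd */
	if ((repo != NULL && confine_reader(repo) == -1) || send_fd(sv[0], p[0]) == -1)
		return -1;
	close(p[0]);
	while (total < (ssize_t)outlen && (n = read(sv[0], out + total, outlen - total)) > 0)
		total += n;
	close(sv[0]);
	waitpid(pid, NULL, 0);
	return total;
}

/* Self-check on a constructed string: 1 if the helper echoed it back intact. */
int self_check(void)
{
	char out[64];
	ssize_t n = pass_to_helper(NULL, "hello from the repo\n", out, sizeof(out));
	return n == 20 && memcmp(out, "hello from the repo\n", 20) == 0;
}
```

pass_to_helper(NULL, ...) is the non-root, non-OpenBSD path: nothing is actually restricted, which is the message's point about -portable without landlock/capsicum. With a repository path and root, the parent is chrooted before it sends the descriptor, so the child's only route to repository data is the descriptor it was handed. The fork happens before the parent pledges because "stdio rpath sendfd recvfd" does not include the "proc" promise that fork needs on OpenBSD; gotd avoids this by having the parent start the helpers.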