From: Omar Polo <op@omarpolo.com>
Subject: Re: got-portable: sandboxing got-notify-*
To: Thomas Adam <thomas@xteddy.org>
Cc: gameoftrees@openbsd.org
Date: Fri, 26 Apr 2024 13:43:23 +0200

On 2024/04/26 12:33:39 +0100, Thomas Adam <thomas@xteddy.org> wrote:
> Hi,
> 
> On Fri, 26 Apr 2024 at 12:03, Omar Polo <op@omarpolo.com> wrote:
> >
> > On 2024/04/09 09:26:18 +0200, Omar Polo <op@omarpolo.com> wrote:
> > > similarly to what we do for the other libexecs.  When we
> > > pledge("stdio"), we're in an environment where we can enter capsicum on
> > > FreeBSD or remove all the filesystem access on linux.
> > >
> > > so far only tested on freebsd by manually calling got-notify-http and
> > > regress/gotd/http-server to verify the output.  I have destroyed my
> > > linux vm accidentally so can't test there atm but don't expect
> > > surprises.
> > >
> > > ok?
> >
> > ping.  I've tested on linux with landlock enabled too (with a
> > self-signed certificate and TLS validation disabled.)
> 
> I've also given this some testing -- looks good to me.

i've committed it then, thanks!

> Kindly,
> Thomas