Make Capsicum obligatory.
Needs RevisionPublic
Actions

Authored by oshogbo on May 17 2017, 6:08 PM.

Details

Reviewers

bapt
emaste
rwatson
allanjude
bz
manu

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

oshogbo created this revision.May 17 2017, 6:08 PM

Herald added a reviewer: jhibbits. · View Herald TranscriptMay 17 2017, 6:08 PM

Herald added a subscriber: andrew. · View Herald Transcript

oshogbo removed a reviewer: jhibbits.May 17 2017, 6:08 PM

I like the idea of having it mandatory!

This revision is now accepted and ready to land.May 17 2017, 7:09 PM

I like this. Before it goes in I'd like to have some sense of the kernel (.text) size difference with Capsicum included/excluded.

% size GENERIC-NODEBUG-NOCAPSICUM/kernel GENERIC-NODEBUG/kernel
      text      data       bss        dec         hex   filename
  21849813   1326228   5010208   28186249   0x1ae1689   GENERIC-NODEBUG-NOCAPSICUM/kernel
  21854636   1326409   5010208   28191253   0x1ae2a15   GENERIC-NODEBUG/kernel

with GENERIC-NODEBUG-NOCAPSICUM containing:

include GENERIC-NODEBUG

ident   GENERIC-NODEBUG-NOCAPSICUM

nooptions       CAPABILITY_MODE
nooptions       CAPABILITIES

rwatson added a reviewer: bz.May 18 2017, 3:24 PM

I really don't like the idea of losing the #ifdefs.
There are people how are trying to figure out the costs of these things (like me, possibly for CAPSICUM) and having the ifdef really helps.

Also I see no real justification as to "why?" given on the review. Can someone provide this information as it would have to go into a possible commit message anyway.

This revision now requires changes to proceed.May 18 2017, 4:37 PM

In D10776#223734, @bz wrote:

I really don't like the idea of losing the #ifdefs.
There are people how are trying to figure out the costs of these things (like me, possibly for CAPSICUM) and having the ifdef really helps.

I'll grant you the ability to build with/without Capsicum has value, including the basic size comparison I did above.

Also I see no real justification as to "why?" given on the review. Can someone provide this information as it would have to go into a possible commit message anyway.

One reason for doing this is the expectation it sets about the operating system -- i.e., is a system built without Capsicum FreeBSD? Is it acceptable if some binaries fail?

Is it acceptable if some binaries fail?

This has become a real issue - @sbruno found wc did not work on ERL, fixed in rS341140. This is somewhat independent of whether we have the #ifdefs or not though.

Herald added a reviewer: manu. · View Herald TranscriptNov 28 2018, 6:41 PM

Herald added subscribers: jonathan, jhibbits. · View Herald Transcript

In D10776#390549, @emaste wrote:

Is it acceptable if some binaries fail?

This has become a real issue - @sbruno found wc did not work on ERL, fixed in rS341140. This is somewhat independent of whether we have the #ifdefs or not though.

So, if Capsicum is made default/mandatory/whatever, the qemu-user mode code will break as it doesn't support any Capsicum syscalls. I'm not saying "don't do it" but understand that this will definitely cause ... um ... drama. qemu-user mode is how we cross compile mips32, mips64 and armv6/7 packages today for our tier-2 architectures. I suspect the armv6/7 will be replaced by some compat32 and assorted glue on ARM64.

https://github.com/seanbruno/qemu-bsd-user/issues/30

If folks have time to implement the syscalls and do all the endian/size changes needed I'm more than happy to integrate and accept pull requests.

markj mentioned this in D43257: file: Use the right fd in fgetvp_lookup().Dec 31 2023, 9:44 PM