s/revers/reverse/ (here and below)
also these shouldn't begin with "the"
It's not clear what "those specific structures" means.
Are we only allowing specific addresses to be looked up? Why does the signature take a pointer to a single sockaddr? Are we supposed to call this multiple times, one for each allowed address?
(same applies to other similar functions)
Yes, there is nothing about that.
Multiple calls to .Fn cap_net_limit_addr2name_family, .Fn cap_net_limit_addr2name, .Fn cap_net_limit_name2addr_family, .Fn cap_net_limit_name2addr, .Fn cap_net_limit_connect, and .Fn cap_net_limit_bind are supported; each call extends the previous capabilities.
"small number of the network namespace" doesn't quite make sense - you might say "small portion of the network namespace" or similar.
However, I'd also be happy enough to just do a pass over the man page for these once it's in the tree.
need a space before the .
Should we have a cap_enter() in the example to clearly distinguish what runs in the sandbox vs what sets up the service?
I don't quite understand why cap_dns is merged into this service. Aren't they mostly orthogonal?
Style: opening brace should be on its own line, there should be newlines between functions.
Why are they obsolete?
We should avoid adding "All rights reserved" to new copyrights.
If addrinfo_unpack() returns NULL, we don't return EAI_MEMORY here.
If prevai == NULL then it must be true that firstai == NULL, so the condition is redundant.
Mixing GAI error values with errno values.
Why do we dup the socket?
IMO it would be a bit cleaner to handle salimits == NULL in net_allowed_bsaddr_impl().
Shouldn't it be an errno value? Ditto above.
I think we should start defining constants for the command strings. Otherwise the compiler can't catch typos.
This file is inconsistent in the way that it braces single-line statements. net_command(), below, does not have any.
Maybe add /* Capability functions. */ to complement /* Limit functions. */ below.
Hmm, I guess this ensures that we don't trigger error handling in the caller? We could provide a static non-NULL pointer instead, like (void *)(uintptr_t)0x1.
cap_sysctl has the same problem.
Mariusz replied on IRC, this just reflects the fact that getaddrinfo() and getnameinfo() are preferred over gethost*() per the man page for these functions.
That's a good question, I'm not sure.
There is caph_enter_casper, which is cap_enter that checks if casper is built in.
I added space.
We don't have to; we can just take it from the nvlist.
We can't do that. Here, if the capdnscache is NULL we return ENOTCAPABLE, but in the case of net_allowed_bsaddr, which is used much more often, if the rights are not defined it means that we allow all bsaddr.
Not really sure what to do with that ;(
That's a good idea. I started with the limits name for now.
The flags are from development. Neither CASPER_SERVICE_FD nor CASPER_SERVICE_STDIO is needed.
Yes. We also ensure we are working with the proper descriptor. For example, in fileargs we are doing many more checks.