
cut(1), rev(1): add Capsicum sandboxing
Accepted, Public

Authored by nick_spun.io on Tue, May 26, 5:03 PM.
Tags: None

Details

Reviewers: oshogbo
Group Reviewers: capsicum
Summary

Open file arguments through Casper's cap_fileargs service and enter capability mode after limiting stdio rights, so cut(1) and rev(1) run sandboxed.

cut(1) is a bootstrap tool, so the Makefile drops the Casper libraries and -DWITH_CASPER while BOOTSTRAPPING; <casper/cap_fileargs.h> then resolves fileargs_*() to plain fopen(3), matching wc(1)/head(1).
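The pattern the summary describes, as an added example that is not the code under review and not taken from cut(1), rev(1) or head(1): a minimal rev(1)-style filter that asks the cap_fileargs service for its file arguments, limits stdio with caph_limit_stdio(), enters capability mode with caph_enter_casper(), and afterwards opens files only through fileargs_fopen(). The FreeBSD API names (fileargs_init/fileargs_fopen/fileargs_free from cap_fileargs(3), caph_limit_stdio/caph_enter_casper from capsicum_helpers(3), cap_rights_init from capsicum(4)) are real; the rights set CAP_READ/CAP_FSTAT/CAP_FCNTL, the helper names reverse_line, reverse_stream and enter_sandbox, and the no-Casper stand-ins that stand in for the BOOTSTRAPPING fallback are assumptions made for this example.

```c
/* Added example (not this review's code): a rev(1)-style filter sandboxed the
 * way the summary describes. -DWITH_CASPER uses FreeBSD's real API; otherwise
 * the stand-ins below mirror the BOOTSTRAPPING build, where fileargs_*() is
 * plain fopen(3), so the file also builds and runs on other POSIX systems. */
#if !defined(__FreeBSD__) && !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200809L /* getline(3) on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#ifdef WITH_CASPER
#include <sys/capsicum.h>
#include <capsicum_helpers.h>
#include <libcasper.h>
#include <casper/cap_fileargs.h>
#else /* constructed stand-ins for a build without Casper (example only) */
typedef struct { int unused; } cap_rights_t, fileargs_t;
enum { CAP_READ, CAP_FSTAT, CAP_FCNTL, FA_OPEN };
#define cap_rights_init(r, ...) ((void)(r))
static fileargs_t fa_nocasper;
static fileargs_t *fileargs_init(int ac, char **av, int fl, mode_t md, cap_rights_t *rt, int op)
{
	(void)ac; (void)av; (void)fl; (void)md; (void)rt; (void)op;
	return &fa_nocasper;
}
static FILE *fileargs_fopen(fileargs_t *fa, const char *n, const char *m)
{ (void)fa; return fopen(n, m); }
static void fileargs_free(fileargs_t *fa) { (void)fa; }
static int caph_limit_stdio(void) { return 0; }
static int caph_enter_casper(void) { return 0; }
#endif

/* Reverse one line in place, keeping a trailing newline where it is;
 * returns the number of characters reversed. */
size_t reverse_line(char *line, size_t len)
{
	size_t n = (len > 0 && line[len - 1] == '\n') ? len - 1 : len;

	for (size_t i = 0, j = n; i + 1 < j; i++, j--) {
		char t = line[i];
		line[i] = line[j - 1];
		line[j - 1] = t;
	}
	return n;
}

/* Copy in to out, reversing each line; returns the line count, -1 on error. */
long reverse_stream(FILE *in, FILE *out)
{
	char *line = NULL;
	size_t cap = 0;
	ssize_t len;
	long lines = 0;

	while ((len = getline(&line, &cap, in)) != -1) {
		reverse_line(line, (size_t)len);
		if (fwrite(line, 1, (size_t)len, out) != (size_t)len) {
			free(line);
			return -1;
		}
		lines++;
	}
	free(line);
	return ferror(in) ? -1 : lines;
}

/* Start the file-argument service, restrict stdio and enter capability mode.
 * Afterwards the process can open only the names in argv, read-only, through fa. */
fileargs_t *enter_sandbox(int argc, char **argv)
{
	cap_rights_t rights;
	fileargs_t *fa;

	/* Assumed rights set: a read-only filter needs read, fstat and fcntl. */
	cap_rights_init(&rights, CAP_READ, CAP_FSTAT, CAP_FCNTL);
	fa = fileargs_init(argc, argv, O_RDONLY, 0, &rights, FA_OPEN);
	if (fa != NULL && (caph_limit_stdio() < 0 || caph_enter_casper() < 0)) {
		fileargs_free(fa);
		fa = NULL;
	}
	return fa;
}

int main(int argc, char **argv)
{
	fileargs_t *fa = enter_sandbox(argc - 1, argv + 1);
	int rv = 0;

	if (fa == NULL) {
		perror("unable to enter capability mode");
		return 1;
	}
	if (argc == 1) /* no file arguments: filter stdin to stdout */
		rv = reverse_stream(stdin, stdout) < 0;
	for (int i = 1; i < argc; i++) {
		FILE *fp = fileargs_fopen(fa, argv[i], "r");
		if (fp == NULL || reverse_stream(fp, stdout) < 0) {
			perror(argv[i]);
			rv = 1;
		}
		if (fp != NULL)
			fclose(fp);
	}
	fileargs_free(fa);
	return rv;
}
```

The order matters: fileargs_init() must run before caph_enter_casper(), because once the process is in capability mode it can no longer open paths itself and every file comes from the service, which was handed the argv[] list up front and will open nothing else. The stdin-only branch never touches a file argument, which is the case the review thread singles out when discussing how often the sandboxing path is exercised. When the stand-ins are compiled in, nothing is sandboxed at all; that is exactly the state the summary describes for the BOOTSTRAPPING build, so the WITH_CASPER binary is the one to check (on FreeBSD, cap_getmode(2) reports whether the process actually entered capability mode).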

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Passed
Unit: No Test Coverage
Build Status: Buildable 73453; Build 70336: arc lint + arc unit

Event Timeline

nick_spun.io held this revision as a draft.

yo, is this ready for review?

This revision is now accepted and ready to land. (Mon, Jun 1, 3:53 PM)

I'm doing a universe build with this right now; I'll land it if/when it finishes.

I've emailed -arch about this; there's been some feedback / concern about the performance implications of starting a Casper service each time these tools are called.

So let's hold off and dig into this a bit more.

We have a handful of similarly-positioned tools in base that do the same; this implementation was mostly lifted from head(1). It should only fork when called with argv[] and should not fork when used with stdin/stdout, so I think the sandboxing path should be relatively rare.

Might be worth collecting some metrics here, as well as perhaps revisiting some of our other similar implementations depending on what we do with this; probably should try to remain consistent one way or the other.