HomeFreeBSD
Diffusion FreeBSD ports repository f0180f270779

devel/got: use Capsicum
f0180f270779
Actions

Description

devel/got: use Capsicum

Thanks to the design of Got, the libexec helpers don't need any resource
(in fact they run under pledge "stdio recvfd" on OpenBSD) and so using
cap_enter(2) on FreeBSD is dead-easy.

While the main process can't be sandboxed on FreeBSD (needs to exec the
helpers), all the tough work is done by these small libexec helpers
which is also the biggest attack surface.

Obstained from: Omar Polo

Details

Provenance
naddyAuthored on Jul 2 2022, 7:45 PM
Parents
R11:fd19387d6ccb: net/traefik: Update to upstream release 2.8.0
Branches
Unknown
Tags
Unknown

Changes (13)

PathSize
devel/
got/
files/

R11:f0180f270779

View Options

devel/got/Makefile

Loading...
View Options

devel/got/files/patch-libexec_got-fetch-pack_got-fetch-pack.c

Loading...
View Options

devel/got/files/patch-libexec_got-index-pack_got-index-pack.c

Loading...
View Options

devel/got/files/patch-libexec_got-read-blob_got-read-blob.c

Loading...
View Options

devel/got/files/patch-libexec_got-read-commit_got-read-commit.c

Loading...
View Options

devel/got/files/patch-libexec_got-read-gitconfig_got-read-gitconfig.c

Loading...
View Options

devel/got/files/patch-libexec_got-read-gotconfig_got-read-gotconfig.c

Loading...
View Options

devel/got/files/patch-libexec_got-read-object_got-read-object.c

Loading...
View Options

devel/got/files/patch-libexec_got-read-pack_got-read-pack.c

Loading...
View Options

devel/got/files/patch-libexec_got-read-patch_got-read-patch.c

Loading...
View Options

devel/got/files/patch-libexec_got-read-tag_got-read-tag.c

Loading...
View Options

devel/got/files/patch-libexec_got-read-tree_got-read-tree.c

Loading...
View Options

devel/got/files/patch-libexec_got-send-pack_got-send-pack.c

Loading...