I said you could get them from a cooperating uncapsicumed process. But, it's not... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

toast0 on Sept 15, 2021 | parent | context | favorite | on: OpenBSD's Pledge and Unveil from Python

I said you could get them from a cooperating uncapsicumed process. But, it's not simple, and what are you going to write that loophole process in, and why does it get access to the filesystem if it only needed sockets, etc.

Capsicum is simply not flexible in this way. Maybe if there was a way to open a new socket with a capability you setup earlier, that would be flexible enough.

trasz on Sept 15, 2021 [–]

It is pretty simple - implementing that for irssi(1) took a dozen or two lines of C, IIRC. Sure, it could be simpler, and hopefully libcasper(3) will make it happen, but it's not much of a difference.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact