Re: [capsicum] Should accept(cap_fd,...) give a capability?
On 5 Feb 2014, at 10:58, David Drysdale <drysdale at google.com> wrote:

> But it doesn't really matter, because the real conclusion here is,
> I think, we should use Casper for that, where we can have filesystem
> service, which can provide more fine-grained access to file system
> objects.

Right. But we still need to decide what the sensible behaviour is
(especially since we would like to limit even Casper as much as we
can...).

For the time being in the Linux port, I've gone for making accept(2) like the current behaviour of openat(2), just inheriting the rights of the parent file descriptor as-is -- let me know if you want/implement something different in FreeBSD.

The main merit of the current approach is that it is simple and easy to understand, even if we don't like all of its consequences. When combining the properties of a capability system with a conventional UNIX OS design, that's about as good as it gets. We pondered for quite a while how to deal with "descriptors inherited from descriptors" and most of the variations aren't much fun, as they require additional rights masks and hence increase the potential for developer confusion leading to security surprises. I'm happy to keep having the conversation as I also agree that the current API isn't great, though.

Robert
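The inheritance rule discussed above, as an added example (not code from the Capsicum project, the Linux port, or anyone in this thread): a small userland model of an fd table in which accept() yields a descriptor carrying exactly the listening descriptor's rights mask, the same way openat() inherits from its directory descriptor. The rights bits, the fd table, the function names, and the ENOTCAPABLE value (FreeBSD's 93, defined here only because Linux libc has no such errno) are all assumptions made for the model. It shows the practical consequence of the rule: a listener limited to what a listener itself needs produces connection descriptors that cannot be read or written, so the rights the connections need must be granted on the listener, where they also linger on every accepted socket.

```c
/* Added example: userland model of Capsicum-style rights inheritance on
 * accept(). Not the kernel's code; names, bit values and table are assumed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93   /* FreeBSD's value; assumed here, Linux has none */
#endif

#define MODEL_MAX_FDS 16

/* Rights bits named after a subset of CAP_*; the values are assumptions. */
#define R_READ    (UINT64_C(1) << 0)
#define R_WRITE   (UINT64_C(1) << 1)
#define R_ACCEPT  (UINT64_C(1) << 2)
#define R_LISTEN  (UINT64_C(1) << 3)
#define R_LOOKUP  (UINT64_C(1) << 4)
#define R_ALL     (R_READ | R_WRITE | R_ACCEPT | R_LISTEN | R_LOOKUP)

static struct {
    int      used;
    uint64_t rights;
} fdtab[MODEL_MAX_FDS];

/* Allocate the lowest free slot with the given rights, like the kernel. */
static int model_alloc(uint64_t rights) {
    for (int fd = 0; fd < MODEL_MAX_FDS; fd++) {
        if (!fdtab[fd].used) {
            fdtab[fd].used = 1;
            fdtab[fd].rights = rights;
            return fd;
        }
    }
    errno = EMFILE;
    return -1;
}

/* Reset the model between scenarios. */
void model_reset(void) { memset(fdtab, 0, sizeof fdtab); }

/* A fresh socket carries all rights until something limits it. */
int model_socket(void) { return model_alloc(R_ALL); }

/* Check an operation against a descriptor's rights: 0 if permitted,
 * -1 with errno = ENOTCAPABLE if any needed right is missing. */
int model_check(int fd, uint64_t needed) {
    if (fd < 0 || fd >= MODEL_MAX_FDS || !fdtab[fd].used) {
        errno = EBADF;
        return -1;
    }
    if ((fdtab[fd].rights & needed) != needed) {
        errno = ENOTCAPABLE;
        return -1;
    }
    return 0;
}

/* cap_rights_limit(2)-like: rights may only be narrowed, never widened. */
int model_rights_limit(int fd, uint64_t rights) {
    if (model_check(fd, rights) != 0)   /* asking for a right we lack */
        return -1;
    fdtab[fd].rights = rights;
    return 0;
}

/* The rule under discussion: the accepted descriptor inherits the
 * listener's rights mask unchanged, no more and no less. */
int model_accept(int listen_fd) {
    if (model_check(listen_fd, R_ACCEPT) != 0)
        return -1;
    return model_alloc(fdtab[listen_fd].rights);
}

uint64_t model_rights_of(int fd) { return fdtab[fd].rights; }

int main(void) {
    /* Scenario 1: limit the listener to what a listener itself needs. */
    model_reset();
    int lfd = model_socket();
    model_rights_limit(lfd, R_ACCEPT | R_LISTEN);
    int cfd = model_accept(lfd);
    printf("listener ACCEPT|LISTEN -> accepted fd %d: read %s\n", cfd,
           model_check(cfd, R_READ) == 0 ? "permitted" : "ENOTCAPABLE");

    /* Scenario 2: grant the connections' rights on the listener instead. */
    model_reset();
    lfd = model_socket();
    model_rights_limit(lfd, R_ACCEPT | R_LISTEN | R_READ | R_WRITE);
    cfd = model_accept(lfd);
    printf("listener +READ|WRITE -> accepted fd %d: read %s, still holds ACCEPT: %s\n",
           cfd, model_check(cfd, R_READ) == 0 ? "permitted" : "ENOTCAPABLE",
           model_check(cfd, R_ACCEPT) == 0 ? "yes" : "no");
    return 0;
}
```

The second scenario is the one the thread is uneasy about: because rights only flow down unchanged, the only way to give accepted sockets CAP_READ and CAP_WRITE is to leave those rights on the listening socket, and every accepted socket also keeps CAP_ACCEPT and CAP_LISTEN it will never use. Any finer policy would need a second mask describing what derived descriptors get, which is the extra complexity the message argues against.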
