Date: Tue, 7 Oct 2025 12:25:40 -0300
From: Vinícius dos Santos Oliveira <vini.ipsmaker@gmail.com>
To: freebsd-hackers@freebsd.org
Subject: Capsicum revocable (proxy) file descriptors
Message-ID: <CAK9RveLzVt=c-9Y18_A79KbNtopiJtjZHBjdjXLBvH-bBwht2w@mail.gmail.com>
I was wondering what design choices other developers would have when designing a new file descriptor type for access revocation purposes in a capability system.

The standard practice to revoke capabilities is to create a new capability in a domain the user has control over and can revoke at any later time [1]. For Capsicum, we can't quite do that.

If a new file descriptor type were to be designed just to forward requests (which the creator could revoke later), what design concerns should be taken into consideration?

[1] http://wiki.erights.org/wiki/Walnut/Secure_Distributed_Computing/Capability_Patterns#Revocable_Capabilities
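Editor's added example, not part of the message above and not FreeBSD or Capsicum code: the revocable-forwarder (caretaker) pattern the poster refers to, written as a user-space proxy around an ordinary file descriptor. The holder is handed only the proxy, every request is forwarded to the wrapped fd, and the creator can revoke at any later time; the names `struct revocable_fd` and `rfd_*` are hypothetical, and the pipe used as the protected resource is constructed test input.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical user-space revocable forwarder around a file descriptor.
 * The holder must only ever see the proxy; `target` is the creator's. */
struct revocable_fd {
    int  target;    /* underlying fd, never exposed to the holder */
    bool revoked;   /* set once by the creator; no way to un-revoke */
};

/* Wrap fd `target`. Returns 0 on success, -1 with errno set otherwise. */
int rfd_init(struct revocable_fd *r, int target)
{
    if (r == NULL || target < 0) { errno = EINVAL; return -1; }
    r->target = target;
    r->revoked = false;
    return 0;
}

/* Revoke: every later request through the proxy fails. The wrapped fd
 * stays open for the creator. Idempotent. */
void rfd_revoke(struct revocable_fd *r)
{
    if (r != NULL) r->revoked = true;
}

/* Gate that every forwarded operation passes through. */
static int rfd_check(const struct revocable_fd *r)
{
    if (r == NULL || r->revoked) { errno = EBADF; return -1; }
    return 0;
}

/* Forwarded operations: identical to the raw call once the gate passes. */
ssize_t rfd_write(struct revocable_fd *r, const void *buf, size_t n)
{
    if (rfd_check(r) < 0) return -1;
    return write(r->target, buf, n);
}

ssize_t rfd_read(struct revocable_fd *r, void *buf, size_t n)
{
    if (rfd_check(r) < 0) return -1;
    return read(r->target, buf, n);
}

/* Demo on a constructed pipe: forwards before revocation, refuses with
 * EBADF after it, while the creator's raw fd keeps working. Returns 0
 * when every step behaves as described, a negative step number otherwise. */
int rfd_demo(void)
{
    int p[2];
    struct revocable_fd proxy;
    char got[16] = {0};

    if (pipe(p) < 0) return -1;
    if (rfd_init(&proxy, p[1]) < 0) return -2;

    /* Holder writes through the proxy; the data reaches the pipe. */
    if (rfd_write(&proxy, "hello", 5) != 5) return -3;
    if (read(p[0], got, sizeof got) != 5 || memcmp(got, "hello", 5) != 0) return -4;

    /* Creator revokes; the holder's next request is refused. */
    rfd_revoke(&proxy);
    errno = 0;
    if (rfd_write(&proxy, "late", 4) != -1 || errno != EBADF) return -5;

    /* The creator still owns the underlying fd. */
    if (write(p[1], "own", 3) != 3) return -6;
    if (read(p[0], got, sizeof got) != 3 || memcmp(got, "own", 3) != 0) return -7;

    close(p[0]);
    close(p[1]);
    return 0;
}
```

The pattern holds only while the holder cannot reach `target`. A file descriptor is a handle to a kernel object, and a process that has the raw fd can `dup()` it or pass it to another process with `SCM_RIGHTS`, after which nothing in user space can take it back; that is why a revocable fd for Capsicum has to be a kernel-level forwarding descriptor type rather than a library wrapper like this one.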
