Date: Tue, 7 Oct 2025 19:56:03 +0300
From: Vadim Goncharov
To: Vinícius dos Santos Oliveira
Cc: freebsd-hackers@freebsd.org
Subject: Re: Capsicum revocable (proxy) file descriptors
Message-ID: <20251007195603.27701cb4@nuclight.lan>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Tue, 7 Oct 2025 12:25:40 -0300 Vinícius dos Santos Oliveira wrote:

> I was wondering what design choices other developers would have when
> designing a new file descriptor type for access revocation purposes in
> a capability system.

As I understand, that was done due to the ability to send a file descriptor over a Unix socket, also supported in libnv (also a very bad choice compared to CBOR, but we stuck with it).

> The standard practice to revoke capabilities is to create a new
> capability in a domain the user has control over and can revoke at any
> later time[1]. For Capsicum, we can't quite do that.
>
> If a new file descriptor type were to be designed just to forward
> requests (which the creator could revoke later), what design concerns
> should be taken into consideration?
>
> [1] http://wiki.erights.org/wiki/Walnut/Secure_Distributed_Computing/Capability_Patterns#Revocable_Capabilities

-- 
WBR, @nuclight
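The "forward requests, revoke later" design the thread discusses is the caretaker pattern from the cited erights page. The following is an added userspace sketch of it (not code from the thread, from Capsicum or from FreeBSD): the holder gets a `struct fwd` and never sees the real descriptor, every request is checked and forwarded, and the creator's revoke closes the real fd so later requests fail with EBADF. All names are assumed for illustration.

```c
/* Added example: userspace model of a revocable forwarding descriptor.
 * The holder only ever touches struct fwd; the real fd stays with the creator. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <unistd.h>

struct fwd {
    int target;    /* real descriptor, owned by the creator */
    bool revoked;  /* flipped by the creator, checked on every request */
};

/* Creator side: wrap an fd; ownership of fd moves into the forwarder. */
static void fwd_init(struct fwd *f, int fd) { f->target = fd; f->revoked = false; }

/* Creator side: revoke. Closing the target means nothing can be recovered
 * from the forwarder afterwards, not even the fd number. */
static void fwd_revoke(struct fwd *f) {
    if (!f->revoked) { close(f->target); f->target = -1; f->revoked = true; }
}

/* Holder side: each request is checked, then forwarded to the real fd. */
static ssize_t fwd_write(struct fwd *f, const void *buf, size_t len) {
    if (f->revoked) { errno = EBADF; return -1; }
    return write(f->target, buf, len);
}
static ssize_t fwd_read(struct fwd *f, void *buf, size_t len) {
    if (f->revoked) { errno = EBADF; return -1; }
    return read(f->target, buf, len);
}

/* Demo on a constructed pipe: the holder writes through the proxy, the
 * creator revokes, the holder's next write is refused. Returns 0 on success. */
int demo_revocation(void) {
    int p[2];
    char buf[8] = {0};
    if (pipe(p) != 0) return -1;
    struct fwd wr; fwd_init(&wr, p[1]);            /* proxy handed to the holder */
    if (fwd_write(&wr, "hello", 5) != 5) return -2;
    if (read(p[0], buf, sizeof buf) != 5 || memcmp(buf, "hello", 5) != 0) return -3;
    fwd_revoke(&wr);                                /* creator revokes */
    if (fwd_write(&wr, "again", 5) != -1 || errno != EBADF) return -4;
    if (fwd_read(&wr, buf, sizeof buf) != -1 || errno != EBADF) return -5;
    close(p[0]);
    return 0;
}

int main(void) { return demo_revocation() == 0 ? 0 : 1; }
```

The kernel-level design question in the thread is what this check-and-forward step should look like when the proxy is itself a file descriptor type rather than a struct in the creator's address space.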