Date: Wed, 8 Oct 2025 21:39:08 +0300
From: Gleb Popov <arrowd@freebsd.org>
To: Vinícius dos Santos Oliveira <vini.ipsmaker@gmail.com>
Cc: freebsd-hackers <freebsd-hackers@freebsd.org>
Subject: Re: Capsicum revocable (proxy) file descriptors
Message-ID: <CALH631nEsS_r2zFX5Ab+6YTMHymaGYQbTDGHCWM7NU-SRLkHNA@mail.gmail.com>
In-Reply-To: <CAK9Rve+6hDMibMsE1=hU4ADssQxgiW5T3F09L90P4i95HyOaaQ@mail.gmail.com>
References: <CAK9RveLzVt=c-9Y18_A79KbNtopiJtjZHBjdjXLBvH-bBwht2w@mail.gmail.com> <A1E5388B-684B-49E8-BCF0-CFC9926DEA54@FreeBSD.org> <CAK9RveJX_Am05TaT0uxyi=dT7DhrfTtNWhPJg_T8e1_x6UGQKQ@mail.gmail.com> <CALH631nDJN6bgDq56ZagZNCHoT-DhEdTM5hEEzn_4JCYme=c=Q@mail.gmail.com> <CAK9RveKAcC-RaDTFLHcz6cwaAenWWO6=Cuk8-HTb59LQZZi61g@mail.gmail.com> <CALH631k_bYhJwdQfFWQmbhpCcDv7zhn9TbbaN+4BhUxHyQDWZA@mail.gmail.com> <CAK9Rve+6hDMibMsE1=hU4ADssQxgiW5T3F09L90P4i95HyOaaQ@mail.gmail.com>
On Wed, Oct 8, 2025 at 8:42 PM Vinícius dos Santos Oliveira <vini.ipsmaker@gmail.com> wrote:
>
> In the Firefox FlatPak portal example, the thing implementing the file
> dialog and the D-Bus API would open the file for write, call
> revokfd_create() to get a new (proxy) fd for the actual file,
> probably use cap_rights_limit() to forbid openat() and mmap(), and
> pass that to the Firefox process. Once the user wants to shut down the
> file dialog server process, it'll call revokfd_revoke on all revoker
> fds to block Firefox (and/or others) from having write access to user
> dirs.

What I'm saying is that instead of inventing all this revoking machinery, the portal might just open a temporary file and pass its descriptor to the browser. Then the browser just writes into it and when done the portal copies it to the final destination.

This proxy/revoking scheme will come in handy if we want to share some precious descriptor with an untrusted app, but IMO it is better to find a way to not share such fds at all.
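The temp-file flow Gleb sketches (portal opens a scratch file, the app writes only through that descriptor, the portal copies the result to the real destination), as an added C example that is not code from the thread or from FreeBSD. It assumes a forked child stands in for the browser, constructed /tmp paths, and a cap_rights_limit() step that is compiled only on FreeBSD.

```c
/* Added example, not from the thread or FreeBSD: the flow Gleb proposes. The
 * portal opens a temp file, the untrusted app (a forked child) writes through
 * a dup'ed, rights-limited descriptor, and the portal copies the result to
 * the destination with its own unshared fd, so nothing ever needs revoking. */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Limit the app's copy to write/fstat/ftruncate: no CAP_LOOKUP (openat),
 * no CAP_MMAP. Returns -1 on failure; a no-op on non-Capsicum systems. */
static int limit_for_app(int fd)
{
#ifdef __FreeBSD__
    cap_rights_t r;
    return cap_rights_limit(fd, cap_rights_init(&r, CAP_WRITE, CAP_FSTAT, CAP_FTRUNCATE));
#else
    return fd < 0 ? -1 : 0;
#endif
}

/* Portal flow: returns bytes delivered to final_path, or -1 on any failure. */
static long portal_save(const char *final_path, const char *app_payload)
{
    char tmp[] = "/tmp/portal-XXXXXX", buf[4096];   /* constructed temp path */
    int fd = mkstemp(tmp), app_fd = dup(fd), st, out;
    long total = -1; ssize_t n; pid_t pid;
    if (fd < 0 || limit_for_app(app_fd) < 0 || (pid = fork()) < 0) goto done;
    if (pid == 0) {                        /* the "browser": holds only app_fd */
        size_t len = strlen(app_payload);
        _exit(write(app_fd, app_payload, len) == (ssize_t)len ? 0 : 1);
    }
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st) || WEXITSTATUS(st)) goto done;
    /* Copy temp -> destination using the portal's full-rights fd, never shared. */
    if (lseek(fd, 0, SEEK_SET) < 0 ||
        (out = open(final_path, O_WRONLY | O_CREAT | O_TRUNC, 0644)) < 0) goto done;
    for (total = 0; (n = read(fd, buf, sizeof buf)) > 0; total += n)
        if (write(out, buf, (size_t)n) != n) { total = -1; break; }
    if (n < 0) total = -1;
    close(out);
done:
    if (app_fd >= 0) close(app_fd);
    if (fd >= 0) { close(fd); unlink(tmp); }   /* scratch file never outlives the call */
    return total;
}
```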
