Re: Capsicum revocable (proxy) file descriptors

From: Vadim Goncharov <vadimnuclight_at_gmail.com>
Date: Tue, 07 Oct 2025 16:56:03 UTC
On Tue, 7 Oct 2025 12:25:40 -0300
Vinícius dos Santos Oliveira <vini.ipsmaker@gmail.com> wrote:

> I was wondering what design choices other developers would have when
> designing a new file descriptor type for access revocation purposes in
> a capability system.

As I understand, that was done due to the ability to send a file descriptor over
a Unix socket, also supported in libnv (also a very bad choice compared to CBOR,
but we stuck with it).

> The standard practice to revoke capabilities is to create a new
> capability in a domain the user has control over and can revoke at any
> later time[1]. For Capsicum, we can't quite do that.
> 
> If a new file descriptor type were to be designed just to forward
> requests (which the creator could revoke later), what design concerns
> should be taken into consideration?
> 
> [1] http://wiki.erights.org/wiki/Walnut/Secure_Distributed_Computing/Capability_Patterns#Revocable_Capabilities
> 
-- 
WBR, @nuclight
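As an added illustration of the revocable (forwarding) capability pattern the quoted question refers to, and not code from this thread or from Capsicum, here is a small Python model in which the creator keeps the revoke handle and hands out only the forwarder; the names RevocableForwarder, make_revocable and demo, and the io.BytesIO target, are assumptions of this example.

```python
import io

# Added example (not from the thread): the "caretaker"/forwarder pattern for
# revocable capabilities. The forwarder holds the real resource, forwards a
# fixed set of operations, and is the only thing the holder ever receives.


class Revoked(Exception):
    """Raised when a forwarder is used after its creator revoked it."""


class RevocableForwarder:
    # Only these operations are forwarded. fileno() is deliberately absent:
    # handing out the raw descriptor number would let the holder reach the
    # target directly (e.g. os.read on that fd) and defeat revocation, which
    # is the same problem as passing a real fd over a Unix socket.
    FORWARDED = ("read", "write")

    def __init__(self, target):
        self._target = target  # private; never returned to the holder

    def _forward(self, op, *args):
        if self._target is None:
            raise Revoked(op)
        if op not in self.FORWARDED:
            raise PermissionError(f"operation {op!r} is not delegated")
        return getattr(self._target, op)(*args)

    def read(self, n=-1):
        return self._forward("read", n)

    def write(self, data):
        return self._forward("write", data)


def make_revocable(target):
    """Return (forwarder, revoke): give away the forwarder, keep revoke()."""
    fwd = RevocableForwarder(target)

    def revoke():
        fwd._target = None  # drop the only path from forwarder to target

    return fwd, revoke


def demo():
    """Constructed walk-through: use the forwarder, revoke it, use it again."""
    fwd, revoke = make_revocable(io.BytesIO(b"hello"))  # constructed target
    before = fwd.read(5)
    revoke()
    try:
        fwd.read(1)
        after = "still readable"
    except Revoked:
        after = "revoked"
    return before, after
```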