Re: Capsicum revocable (proxy) file descriptors
- Reply: Gleb Popov : "Re: Capsicum revocable (proxy) file descriptors"
Date: Wed, 08 Oct 2025 16:38:11 UTC
On Wed, 8 Oct 2025 at 08:08, Gleb Popov <arrowd@freebsd.org> wrote:
> [...] provide a fd pointing to some temporary file and copy it
> to the intended destination once Firefox side is done with it.

You just described the implementation of a proxy, but it's inefficient (more context switches, more writes on disk, etc.) and it only works for files (e.g. it won't work for sockets).

I'm asking what an OS primitive would look like if the kernel had it. What would be the design constraints?

File descriptors already model capabilities to a great extent (especially on FreeBSD). Proxies with an extra channel to stop their work are the standard way to revoke delegated capabilities.
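The user-space pattern the message refers to, a proxy plus an extra channel that stops it, as an added example that is not part of the original thread and not FreeBSD or Capsicum code. The owner keeps the real fd and hands the delegatee one end of a socketpair; a pump copies the delegatee's writes into the real fd until a byte arrives on a control pipe, after which the delegatee's end is closed and its next write fails with EPIPE. All function and struct names (revocable_proxy_*) are this example's own; the forwarding copies and poll round trips are exactly the overhead the message calls inefficient.

```c
/* Added example, not code from the original thread or from FreeBSD: a
 * user-space revocable proxy fd, i.e. a proxy plus an extra channel that
 * stops it.  The delegatee holds one end of a socketpair; the owner pumps
 * bytes from the other end into the real fd until a byte arrives on the
 * control pipe, then cuts the delegatee off.  All names here are this
 * example's own, not a Capsicum or kernel API. */
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

struct revocable_proxy {
    int backing_fd; /* the real resource, never handed out */
    int proxy_fd;   /* owner's end of the socketpair */
    int ctl_rd;     /* control channel; one byte here revokes */
    int ctl_wr;
    int revoked;
};

/* Returns the fd to hand to the delegatee, or -1 on error. */
int revocable_proxy_create(struct revocable_proxy *p, int backing_fd)
{
    int sv[2], ctl[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    if (pipe(ctl) == -1) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    p->backing_fd = backing_fd; p->proxy_fd = sv[0];
    p->ctl_rd = ctl[0]; p->ctl_wr = ctl[1]; p->revoked = 0;
    return sv[1];
}

/* Owner revokes by signalling on the control channel. */
int revocable_proxy_revoke(struct revocable_proxy *p)
{
    char b = 'R';
    return write(p->ctl_wr, &b, 1) == 1 ? 0 : -1;
}

/* One pump step.  Returns 1 if a chunk was forwarded to backing_fd, 0 if
 * nothing happened within timeout_ms, -1 once revoked (the delegatee's end
 * is closed, so its next write fails with EPIPE).  The control channel is
 * checked first, so data still queued at revocation time is dropped. */
int revocable_proxy_pump(struct revocable_proxy *p, int timeout_ms)
{
    if (p->revoked)
        return -1;
    struct pollfd pfd[2] = {
        { .fd = p->ctl_rd, .events = POLLIN },
        { .fd = p->proxy_fd, .events = POLLIN },
    };
    if (poll(pfd, 2, timeout_ms) <= 0)
        return 0;
    if (pfd[0].revents & POLLIN) {
        char b;
        (void)read(p->ctl_rd, &b, 1);
        close(p->proxy_fd);
        p->proxy_fd = -1;
        p->revoked = 1;
        return -1;
    }
    if (pfd[1].revents & (POLLIN | POLLHUP)) {
        char buf[4096];
        ssize_t r = read(p->proxy_fd, buf, sizeof buf), off = 0;
        if (r <= 0)
            return 0;
        while (off < r) {
            ssize_t w = write(p->backing_fd, buf + off, (size_t)(r - off));
            if (w <= 0)
                return 0;
            off += w;
        }
        return 1;
    }
    return 0;
}

/* Walks through delegate, forward, revoke, and the post-revocation failure.
 * Returns 0 on success, otherwise the number of the step that failed.
 * The "file" is a constructed pipe so the example runs offline. */
int revocable_proxy_demo(void)
{
    int backing[2], client;
    struct revocable_proxy p;
    char buf[16];
    if (pipe(backing) == -1) return 1;
    if ((client = revocable_proxy_create(&p, backing[1])) == -1) return 2;
    if (send(client, "hello", 5, MSG_NOSIGNAL) != 5) return 3;
    if (revocable_proxy_pump(&p, 1000) != 1) return 4;
    if (read(backing[0], buf, sizeof buf) != 5 || memcmp(buf, "hello", 5) != 0) return 5;
    if (revocable_proxy_revoke(&p) != 0 || revocable_proxy_pump(&p, 1000) != -1) return 6;
    /* The delegatee's fd is now dead: EPIPE, and nothing more reaches the real fd. */
    if (send(client, "again", 5, MSG_NOSIGNAL) != -1 || errno != EPIPE) return 7;
    struct pollfd chk = { .fd = backing[0], .events = POLLIN };
    if (poll(&chk, 1, 0) != 0) return 8;
    close(client); close(backing[0]); close(backing[1]); close(p.ctl_rd); close(p.ctl_wr);
    return 0;
}

int main(void)
{
    return revocable_proxy_demo();
}
```

Because the control channel is polled before the data channel, a revoke that races with a pending write wins and the queued bytes never reach the real fd; a kernel primitive would have to make the same choice about in-flight data, which is one of the design constraints the message asks about.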