Re: Capsicum revocable (proxy) file descriptors
Date: Wed, 08 Oct 2025 17:12:08 UTC
On Wed, Oct 8, 2025 at 7:38 PM Vinícius dos Santos Oliveira <vini.ipsmaker@gmail.com> wrote:
>
> You just described the implementation of a proxy, but it's inefficient
> (more context switches, more writes on disk, etc.) and it only works
> for files (e.g. it won't work for sockets). I'm asking what an OS
> primitive would look like if the kernel had it. What would be the
> design constraints? File descriptors already model capabilities to a
> great extent (especially on FreeBSD). Proxies with an extra channel to
> stop their work are the standard way to revoke delegated capabilities.

I'm now even more confused. File descriptor passing is already a kernel
feature; XDP/DBus merely use it. And this kernel mechanism allows for
passing various types of descriptors, not only file ones. It is still
unclear to me where the need for proxy descriptors comes from. Do you
have some high-level use-case example?
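For readers following the thread, here is a userspace sketch of the two mechanisms being contrasted: kernel descriptor passing (SCM_RIGHTS over a UNIX socket) and a proxy with a separate revocation channel, which is what Vinícius calls the standard way to revoke a delegated capability. This is an added example written for this page, not code from either correspondent and not a Capsicum primitive; it runs on Linux or FreeBSD, uses a pipe as the stand-in for the real resource, forks the proxy as its own process, and all function names (send_fd, recv_fd, proxy_loop, run_demo) are hypothetical. What crosses the trust boundary is the socket end; the delegate never holds the real descriptor, so the owner can cut it off at any time.

```c
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Kernel fd passing: move one descriptor across a UNIX-domain socket with SCM_RIGHTS. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* The proxy: holds the real descriptor, forwards the delegate's writes to it, and stops
 * as soon as the owner signals on ctl (any byte or hangup). Revocation wins over pending
 * delegate traffic. Returns bytes forwarded; closes the real fd on the way out. */
static long proxy_loop(int delegate_end, int real_fd, int ctl)
{
    struct pollfd pfd[2] = { { .fd = ctl, .events = POLLIN }, { .fd = delegate_end, .events = POLLIN } };
    long forwarded = 0;
    char buf[256];
    for (;;) {
        if (poll(pfd, 2, -1) < 0) { if (errno == EINTR) continue; break; }
        if (pfd[0].revents != 0) break;                 /* revoked by the owner */
        if (!(pfd[1].revents & POLLIN)) break;          /* delegate hung up or errored */
        ssize_t n = read(delegate_end, buf, sizeof buf);
        if (n <= 0) break;
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(real_fd, buf + off, (size_t)(n - off));
            if (w < 0) goto out;
            off += w;
        }
        forwarded += n;
    }
out:
    close(real_fd);
    close(delegate_end);
    return forwarded;
}

struct demo_result {
    long forwarded;        /* bytes the proxy forwarded before revocation */
    ssize_t after_revoke;  /* write through the proxy descriptor after revocation (-1 expected) */
    int after_errno;       /* errno of that write (EPIPE expected) */
    ssize_t eof_read;      /* read on the real resource afterwards (0 = EOF, real fd is gone) */
};
static struct demo_result g_last;

/* Owner and delegate both live in the parent here; in a real deployment they are separate
 * processes and only the socket end is ever passed to the delegate. */
static int run_demo(void)
{
    int real[2], sp[2], ctl[2], pass[2];
    char buf[64];
    signal(SIGPIPE, SIG_IGN);
    if (pipe(real) < 0 || pipe(ctl) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, pass) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {   /* proxy process: keeps only real[1], sp[1] and the ctl read end */
        close(real[0]); close(sp[0]); close(ctl[1]); close(pass[0]); close(pass[1]);
        _exit((int)(proxy_loop(sp[1], real[1], ctl[0]) & 0x7f));
    }
    close(real[1]); close(sp[1]); close(ctl[0]);
    if (send_fd(pass[0], sp[0]) < 0) return -1;        /* delegate receives the proxy end only */
    int proxy_fd = recv_fd(pass[1]);
    if (proxy_fd < 0) return -1;
    close(sp[0]); close(pass[0]); close(pass[1]);
    if (write(proxy_fd, "hello", 5) != 5) return -1;   /* delegate uses the capability */
    if (read(real[0], buf, sizeof buf) != 5) return -1; /* owner sees it arrive on the real pipe */
    if (write(ctl[1], "R", 1) != 1) return -1;          /* owner revokes */
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    g_last.forwarded = WEXITSTATUS(st);
    g_last.after_revoke = write(proxy_fd, "again", 5);
    g_last.after_errno = g_last.after_revoke < 0 ? errno : 0;
    g_last.eof_read = read(real[0], buf, sizeof buf);
    close(proxy_fd); close(ctl[1]); close(real[0]);
    return 0;
}

int main(void)
{
    if (run_demo() != 0) { perror("run_demo"); return 1; }
    printf("forwarded=%ld after_revoke=%zd errno=%d eof=%zd\n",
           g_last.forwarded, g_last.after_revoke, g_last.after_errno, g_last.eof_read);
    return 0;
}
```

The cost Vinícius objects to is visible in the shape of the code: every byte the delegate writes is read, written and scheduled twice, and a kernel-side revocable descriptor would let the delegate call write(2) on the real object directly while the owner still held a kill switch. Note also that the proxy only revokes what it mediates; a descriptor dup'ed out of the proxy process, or the real fd leaked to the delegate by mistake, is outside its reach.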