Re: Capsicum revocable (proxy) file descriptors
- In reply to: Vinícius_dos_Santos_Oliveira : "Re: Capsicum revocable (proxy) file descriptors"
Date: Wed, 08 Oct 2025 18:39:08 UTC
On Wed, Oct 8, 2025 at 8:42 PM Vinícius dos Santos Oliveira <vini.ipsmaker@gmail.com> wrote:

> In the Firefox FlatPak portal example, the thing implementing the file
> dialog and the D-Bus API would open the file for write, call
> revokfd_create() to get a new (proxy) fd for the actual file,
> probably use cap_rights_limit() to forbid openat() and mmap(), and
> pass that to the Firefox process. Once the user wants to shut down the
> file dialog server process, it'll call revokfd_revoke on all revoker
> fds to block Firefox (and/or others) from having write access to user
> dirs.

What I'm saying is that instead of inventing all this revoking machinery, the portal might just open a temporary file and pass its descriptor to the browser. Then the browser just writes into it and when done the portal copies it to the final destination.

This proxy/revoking scheme will come in handy if we want to share some precious descriptor with an untrusted app, but IMO it is better to find a way to not share such fds at all.
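The staging-file handoff proposed in the reply above, written out as an added example (it is not code from the thread or from any portal implementation). The portal keeps its own full-rights descriptor to an unlinked temporary file, hands the untrusted app a dup'd copy that, on FreeBSD, is narrowed with cap_rights_limit() to CAP_WRITE and CAP_FSTAT, and only after the app is done does the portal validate the staged bytes against an assumed size policy and copy them to the destination the user chose. Names such as portal_create_staging, portal_fd_for_app, portal_commit and the max_bytes limit are assumptions for the example; everything except the Capsicum block under #ifdef __FreeBSD__ is plain POSIX so it runs anywhere.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Portal side: create an unlinked staging file and return the portal's own,
 * unrestricted fd. The untrusted app never learns the user's destination path. */
int portal_create_staging(void)
{
    char tmpl[] = "/tmp/portal-stage-XXXXXX";   /* constructed template */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);   /* only open descriptors now refer to the file */
    return fd;
}

/* Portal side: produce the descriptor that is actually handed to the app.
 * Rights are per-descriptor, so limiting the dup leaves the portal's fd intact. */
int portal_fd_for_app(int portal_fd)
{
    int app_fd = dup(portal_fd);
    if (app_fd < 0)
        return -1;
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT);   /* no openat, mmap, read */
    if (cap_rights_limit(app_fd, &rights) < 0) {
        close(app_fd);
        return -1;
    }
#endif
    return app_fd;
}

/* Untrusted side (stand-in for the browser): write through the fd it was given. */
int app_write_document(int fd, const char *data, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0)
            return -1;
        data += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Portal side, once the app says it is done: enforce the (assumed) size policy,
 * then copy the staged bytes to the destination the user chose. Returns the
 * number of bytes committed, or -1 if the policy is violated or I/O fails. */
long portal_commit(int staging_fd, const char *dest_path, off_t max_bytes)
{
    struct stat st;
    if (fstat(staging_fd, &st) < 0 || st.st_size > max_bytes)
        return -1;   /* refuse: nothing reaches the destination */

    int dst = open(dest_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (dst < 0)
        return -1;

    char buf[4096];
    off_t off = 0;
    for (;;) {
        ssize_t n = pread(staging_fd, buf, sizeof buf, off);  /* independent of app's offset */
        if (n < 0 || (n > 0 && app_write_document(dst, buf, (size_t)n) < 0)) {
            close(dst);
            return -1;
        }
        if (n == 0)
            break;
        off += n;
    }
    close(dst);
    return (long)off;
}

/* Helper for checking the result: read a file back into buf. */
long read_back(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return (long)n;
}

int main(void)
{
    int pfd = portal_create_staging();
    int afd = portal_fd_for_app(pfd);
    app_write_document(afd, "hello, portal", 13);   /* the app's output */
    close(afd);                                     /* app is done */
    long n = portal_commit(pfd, "/tmp/portal-example-dest.txt", 1 << 20);
    printf("committed %ld bytes\n", n);
    close(pfd);
    return n < 0;
}
```

The point of the split between portal_create_staging and portal_fd_for_app is that nothing ever has to be revoked: the app's descriptor refers only to a nameless scratch file, and the portal's later decision to copy (or not) is the only step that touches the user's directory.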