[2nd opinion pls] Re: Shall I make an OpenBSD port of F3? (f3write, f3read)

Sat, 29 Oct 2022 02:25:03 -0700 



Am 22.10.22 um 13:54 schrieb Alexander A. Klimov:



Am 18.10.22 um 11:57 schrieb Stuart Henderson:

On 2022/10/16 14:51, Alexander A. Klimov wrote:

Hello OpenBSD devs!
Hello Michel!

I'd like OpenBSD to have a package of Michel's software "F3".

https://github.com/AltraMayor/f3


Today I checked out the snapshot ports tree, but didn't find F3 even 
there,

nor anything in the ports@ archive.

Is anyone of you (going to) porting it in the near future?

If no, I'm gonna give it a try.

I'm looking forward to hear from you.

Best,
A/K



I've attached a skeleton port for it, but it needs more work, OpenBSD
doesn't have posix_fadvise() or clock_nanosleep().

There is some code to emulate posix_fadvise for MacOS but it uses various
fcntl(2) commands that we don't have.


As you already mentioned, F3 includes MacOS support which emulates 
missing stuff present on other *nixes. I've submitted patches which do 
the same for OpenBSD:


https://github.com/AltraMayor/f3/pull/186


Ideally Michel accepts them and I'll continue with the Security 
Recommendations of the Porting Guide.



Both of these are done. Well, almost done. Before considering
https://github.com/AltraMayor/f3/pull/187/files
ready to merge I'd like to get a second opinion.


Those hardenings (on top of the already merged basic OpenBSD support) in 
a nutshell:


  first of all in main() parse args
  then briefly introduce the program to the caller
+ the program needs exactly one dir at runtime, chroot(2) to it
+   (if allowed)
+ unveil(2) only that dir
+ pledge(2), stdio and *path
  do actual F3 things

I'm not 100% sure whether I shall not include "error" in pledge(2).

I guess it may ease debugging, especially if there's no kdump (despite 
ktrace!), but on the other hand for debugging one has gdb which btw. 
works, i.e. properly shows what exactly violates pledge(2):


Program received signal SIGABRT, Aborted.
chroot () at /tmp/-:3

And as far as I get pledge(2) the philosophy is:
Permit as less as possible.

(Well, no "error" in pledge(2) IS possible, as well as btw. 
execpromises="".)



Oh, and: What's better? (The already present) Explicit unveil(NULL, 
NULL) or only (the already present) pledge(2) forbidding unveil(2)?
























					Reply via email to