FreeBSD support #38

jdm · 2017-10-02T12:59:35Z

   Compiling gaol v0.0.1 (https://github.com/servo/gaol#227ff0ba)
error[E0432]: unresolved import `platform::process`
  --> /path/to/servo/.cargo/git/checkouts/gaol-c3a1e33941376f84/227ff0b/sandbox.rs:13:25
   |
13 | use platform::process::{self, Process};
   |                         ^^^^ no `process` in `platform`

error[E0432]: unresolved import `platform::process`
  --> /path/to/servo/.cargo/git/checkouts/gaol-c3a1e33941376f84/227ff0b/sandbox.rs:13:15
   |
13 | use platform::process::{self, Process};
   |               ^^^^^^^ Could not find `process` in `platform`

error[E0432]: unresolved import `platform::ChildSandbox`
  --> /path/to/servo/.cargo/git/checkouts/gaol-c3a1e33941376f84/227ff0b/sandbox.rs:22:20
   |
22 | pub use platform::{ChildSandbox, Sandbox};
   |                    ^^^^^^^^^^^^ no `ChildSandbox` in `platform`

error[E0432]: unresolved import `platform::Sandbox`
  --> /path/to/servo/.cargo/git/checkouts/gaol-c3a1e33941376f84/227ff0b/sandbox.rs:22:34
   |
22 | pub use platform::{ChildSandbox, Sandbox};
   |                                  ^^^^^^^ no `Sandbox` in `platform`

error[E0412]: cannot find type `Operation` in module `platform`
  --> /path/to/servo/.cargo/git/checkouts/gaol-c3a1e33941376f84/227ff0b/profile.rs:99:32
   |
99 |     PlatformSpecific(platform::Operation),
   |                                ^^^^^^^^^ not found in `platform`
   |
help: possible candidate is found in another module, you can import it into scope
   |
13 | use profile::Operation;
   |

error[E0599]: no method named `support` found for type `&profile::Operation` in the current scope
   --> /path/to/servo/.cargo/git/checkouts/gaol-c3a1e33941376f84/227ff0b/profile.rs:132:29
    |
132 |             match operation.support() {
    |                             ^^^^^^^
    |
    = help: items from traits can only be used if the trait is implemented and in scope
    = note: the following trait defines an item `support`, perhaps you need to implement it:
            candidate #1: `profile::OperationSupport`

error: aborting due to 6 previous errors

error: Could not compile `gaol`.

The text was updated successfully, but these errors were encountered:

valpackett · 2017-10-02T13:01:19Z

(I was just writing this in servo/servo#11625 … :D)

Gaol is designed around a syscall filtering model like seccomp/pledge, not an object-capability model like Capsicum. (I made a little crate that's better suited for Capsicum — including the awesome openat trick.)

I can add a Capsicum backend for Gaol that disallows everything :) but Servo would have to pass all the descriptors from a privileged process or open them beforehand.

Looks like the content process sandbox only needs /dev/urandom and a resources directory! So it should be possible to open these things before starting the sandbox, and use the openat crate to open the resources under the directory.

valpackett · 2017-10-02T13:20:13Z

Actually /dev/urandom might not even be necessary. If Servo uses the rand crate (I haven't checked), it uses sysctl kern.arandom :)

Add FreeBSD Capsicum support Fixes #38.

jdm mentioned this issue Oct 2, 2017

Servo to compile and run on FreeBSD servo/servo#11625

Open

valpackett mentioned this issue Oct 2, 2017

Add FreeBSD Capsicum support #39

Merged

bors-servo pushed a commit that referenced this issue Dec 2, 2018

Auto merge of #39 - myfreeweb:capsicum, r=jdm

3882c7f

Add FreeBSD Capsicum support Fixes #38.

bors-servo closed this as completed in #39 Dec 2, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

FreeBSD support #38

FreeBSD support #38

jdm commented Oct 2, 2017

valpackett commented Oct 2, 2017

Uh oh!

valpackett commented Oct 2, 2017

Uh oh!

FreeBSD support #38

FreeBSD support #38

Comments

jdm commented Oct 2, 2017

valpackett commented Oct 2, 2017

Uh oh!

valpackett commented Oct 2, 2017

Uh oh!