[cap-talk] Piping capability communication, data vs. descriptor capability strengths
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Fri Feb 27 09:42:02 EST 2009
lists at notatla.org.uk wrote:
> Jed Donnelley <capability at webstart.com> writes
>
>> Even in Unix I've heard that open file descriptors can be sent
>> through a pipe. If that's so, what's the syntax (e.g. as above) look
>> like? How are the descriptors sent and received specified (by the
>> sender on sending and by the OS on receiving to the receiver)?
>
> You can send descriptors as seen in
> "Advanced Programming in the Unix Environment" section 15.3,
> which uses ioctl() with I_SENDFD.
> http://opengroup.org/onlinepubs/007908799/xsh/ioctl.html
>
> The sender already has the descriptor it's sending and refers to it
> by number (small integer) and ioctl() produces from that a value
> related to kernel tables that will be meaningful to an ioctl() with
> I_RECVFD in the receiving program.
>
> I've never done that - normally when I set up one pipe between a pair
> of processes I can set up two. You'd rarely pass a descriptor to a
> program you call directly and I don't think there's any shell pipeline
> syntax to do so.

We use that in libassuan to send I/O pipes over a Unix domain socket to a
long-running server process, because in this case the number of needed file
descriptors is unbounded.

A shell syntax is not needed, as a shell invocation is written before the
program executes, so you can simply set up the FD table as desired
("3>/tmp/out 4</tmp/in").

It could be useful in a shell that remains interactive while the executed
program is running. For libassuan, we have a program gpg-connect-agent
that acts as such an interactive shell and supports such operations.

Thanks,
Marcus
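
The descriptor passing described in the reply above (a client handing a pipe to a server process over a Unix domain socket), as an added example that is not part of the original message and is not libassuan's code. It assumes Linux and the `sendmsg()`/`recvmsg()` `SCM_RIGHTS` control message, which the message does not name; `send_fd`, `recv_fd` and `demo` are hypothetical names.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not libassuan code; Linux SCM_RIGHTS assumed): send fd over a Unix socket. */
int send_fd(int sock, int fd) {
    char byte = 0;                      /* the control message rides on one data byte */
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u = { .buf = {0} };
    u.hdr.cmsg_level = SOL_SOCKET; u.hdr.cmsg_type = SCM_RIGHTS;
    u.hdr.cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(&u.hdr), &fd, sizeof fd);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive exactly one descriptor; returns the receiver's own fd number, or -1. */
int recv_fd(int sock) {
    int fd; char byte;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,   /* room for one fd only */
                          .msg_control = u.buf, .msg_controllen = CMSG_LEN(sizeof fd) };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof fd)) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    if (msg.msg_flags & MSG_CTRUNC) { close(fd); return -1; }  /* sender passed extras */
    return fd;
}

/* Client creates a pipe after the fork and sends its write end; returns 0 if the server wrote to it. */
int demo(void) {
    int sv[2], p[2] = { -1, -1 }, st = 1, rc = -1; char got[3] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv)) return -1;
    pid_t pid = fork();
    if (pid == 0) {                     /* server: has the socket, never had the pipe */
        close(sv[0]);
        _exit(write(recv_fd(sv[1]), "ok", 2) == 2 ? 0 : 1);
    }
    if (pid > 0 && pipe(p) == 0) rc = send_fd(sv[0], p[1]);
    close(sv[0]); close(sv[1]); close(p[1]);   /* client keeps only the read end */
    if (pid > 0) waitpid(pid, &st, 0);
    if (rc == 0 && (st != 0 || read(p[0], got, 2) != 2)) rc = -1;
    close(p[0]);
    return (rc == 0 && strcmp(got, "ok") == 0) ? 0 : -1;
}
```

The number returned by `recv_fd` is chosen by the receiver's kernel descriptor table and need not match the sender's number; only the underlying open file is shared.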