From 40ae8f5fa67cb7ec529f9fea5816fb8804c9bba8 Mon Sep 17 00:00:00 2001
From: Edward Tomasz Napierala <trasz@FreeBSD.org>
Date: Sat, 7 Oct 2017 03:28:02 +0100
Subject: [PATCH] Limit capsicum rights to stdio.

This requires FreeBSD fix (https://reviews.freebsd.org/D12622)
to work properly.
---
 src/core/capsicum.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/core/capsicum.c b/src/core/capsicum.c
index 3b0708cb..1c5c59da 100644
--- a/src/core/capsicum.c
+++ b/src/core/capsicum.c
@@ -37,6 +37,7 @@
 #include <sys/nv.h>
 #include <sys/procdesc.h>
 #include <sys/socket.h>
+#include <capsicum_helpers.h>
 #include <string.h>
 
 #define	OPCODE_CONNECT		1
@@ -410,6 +411,13 @@ static void cmd_capsicum_enter(void)
 	 */
 	signal(SIGCHLD, SIG_IGN);
 
+	error = caph_limit_stdio();
+	if (error != 0) {
+		g_warning("caph_limit_stdio(3) failed: %s", strerror(errno));
+		signal_emit("capability mode failed", 1, strerror(errno));
+		return;
+	}
+
 	error = cap_enter();
 	if (error != 0) {
 		signal_emit("capability mode failed", 1, strerror(errno));