Limit capsicum rights to stdio.

This requires FreeBSD fix (https://reviews.freebsd.org/D12622) to work properly.
2024-12-04 14:46:39 -05:00 · 2017-10-07 03:28:02 +01:00 · 2017-10-07 03:28:02 +01:00 · 40ae8f5fa6
commit 40ae8f5fa6
parent 92dbb1895b
1 changed files with 8 additions and 0 deletions
--- a/src/core/capsicum.c
+++ b/src/core/capsicum.c
@ -37,6 +37,7 @@
 #include <sys/nv.h>
 #include <sys/procdesc.h>
 #include <sys/socket.h>
+#include <capsicum_helpers.h>
 #include <string.h>

 #define	OPCODE_CONNECT		1
@ -410,6 +411,13 @@ static void cmd_capsicum_enter(void)
 	 */
 	signal(SIGCHLD, SIG_IGN);

+	error = caph_limit_stdio();
+	if (error != 0) {
+		g_warning("caph_limit_stdio(3) failed: %s", strerror(errno));
+		signal_emit("capability mode failed", 1, strerror(errno));
+		return;
+	}
+
 	error = cap_enter();
 	if (error != 0) {
 		signal_emit("capability mode failed", 1, strerror(errno));