Date:      Tue, 9 Jul 2013 07:15:59 GMT
From:      dpl@FreeBSD.org
To:        svn-soc-all@FreeBSD.org
Subject:   socsvn commit: r254452 - soc2013/dpl/head/contrib/xz/src/xz
Message-ID:  <201307090715.r697FxxE030319@socsvn.freebsd.org>

Author: dpl
Date: Tue Jul  9 07:15:59 2013
New Revision: 254452
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=254452

Log:
  Added functions to enter capability mode (cap_init) and to limit file descriptor rights (limitfd).
  

Modified:
  soc2013/dpl/head/contrib/xz/src/xz/file_io.c

Modified: soc2013/dpl/head/contrib/xz/src/xz/file_io.c
==============================================================================
--- soc2013/dpl/head/contrib/xz/src/xz/file_io.c	Tue Jul  9 07:13:20 2013	(r254451)
+++ soc2013/dpl/head/contrib/xz/src/xz/file_io.c	Tue Jul  9 07:15:59 2013	(r254452)
@@ -604,6 +604,7 @@
 			free(pair->dest_name);
 			return true;
 		}
+		limitfd(pair);
 	}
 
 	// If this really fails... well, we have a safe fallback.
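Review bot: The added `limitfd(pair);` call is unconditional, while the definition of limitfd later in this commit sits inside `#if defined(CAPSICUM)`, so a build without CAPSICUM defined would presumably fail at this call unless a no-op stub is declared somewhere outside this diff. Guard the call the same way as the definition: `#if defined(CAPSICUM)`, `limitfd(pair);`, `#endif`. The enclosing function starts and ends outside the hunk.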
@@ -956,14 +957,49 @@
 	return io_write_buf(pair, buf->u8, size);
 }
 
-#if CAPSICUM
+#if defined(CAPSICUM)
 extern void
-limitfd(struct file_pair *pair)
+limitfd(file_pair *pair)
 {
 	cap_rights_t rights = 0;
 
-	
+	rights |= CAP_READ;
+	if (cap_rights_limit(pair->src_fd, rights) < 0 && errno != ENOSYS){
+		message_error("%s: %s", pair->src_name, strerror(errno));
+		exit(E_ERROR);
+	}
 
+	rights |= CAP_WRITE|CAP_FSTAT|CAP_FCHOWN;
+	rights |= CAP_FCHMOD|CAP_FUTIMES;
+	if (cap_rights_limit(pair->dest_fd, rights) < 0 && errno != ENOSYS){
+		message_error("%s: %s", pair->dest_name, strerror(errno));
+		exit(E_ERROR);
+	}
 	return;
 }
-#endif
\ No newline at end of file
+
+extern void
+cap_init(void)
+{
+	if (cap_rights_limit(STDIN_FILENO, CAP_READ) < 0 && errno != ENOSYS){
+		message_error("%d: %s", STDIN_FILENO, strerror(errno));
+		exit(E_ERROR);
+	}
+
+	if (cap_rights_limit(STDOUT_FILENO, CAP_WRITE) < 0 && errno != ENOSYS){
+		message_error("%d: %s", STDOUT_FILENO, strerror(errno));
+		exit(E_ERROR);
+	}
+
+	if (cap_rights_limit(STDERR_FILENO, CAP_WRITE) < 0 && errno != ENOSYS){
+		message_error("%d: %s", STDERR_FILENO, strerror(errno));
+		exit(E_ERROR);
+	}
+
+	if (cap_enter() < 0 && errno != ENOSYS){
+		message_error("cap_enter: %s", strerror(errno));
+		exit(E_ERROR);
+	}
+	return;
+}
+#endif
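Review bot: In limitfd, `rights` is never reset between the two cap_rights_limit() calls, so the `|=` lines leave CAP_READ set and the destination descriptor keeps read access in addition to the write and attribute rights. If the output file only needs to be written, assign instead of accumulating: `rights = CAP_WRITE|CAP_FSTAT|CAP_FCHOWN|CAP_FCHMOD|CAP_FUTIMES;`. Separately, every check in limitfd and cap_init treats ENOSYS as success, so on a kernel without Capsicum support the process continues unsandboxed with no diagnostic. A comment such as `/* ENOSYS: kernel lacks Capsicum; continue without the sandbox */` at the first check would make that fail-open choice explicit to the next reader.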


