git: 2ea65afbd11d - main - md5: extend capabilites

From: Mariusz Zaborski <oshogbo_at_FreeBSD.org>
Date: Mon, 07 Aug 2023 12:19:13 UTC
The branch main has been updated by oshogbo:

URL: https://cgit.FreeBSD.org/src/commit/?id=2ea65afbd11d40df9ada460d6503cf5fc5fbbf9d

commit 2ea65afbd11d40df9ada460d6503cf5fc5fbbf9d
Author:     Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2023-08-07 12:16:03 +0000
Commit:     Mariusz Zaborski <oshogbo@FreeBSD.org>
CommitDate: 2023-08-07 12:19:26 +0000

    md5: extend capabilites
    
    In 4849767cb16a4, we did a large refactor of the md5(1) source code.
    One of them is that instead of reading data using read(2) syscall, we
    are using binary stream input (fread(3)).
    
    fread(3) requires additional Capsicum capabilities:
    sha256 CAP operation requires CAP_FSTAT, descriptor holds CAP_READ
    sha256 RET fstat -1 errno 93 Capabilities insufficient
    
    Reviewed by:    des
    Differential Revision:  https://reviews.freebsd.org/D41348
---
 sbin/md5/md5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sbin/md5/md5.c b/sbin/md5/md5.c
index 459d364f8ca7..abc542ced82c 100644
--- a/sbin/md5/md5.c
+++ b/sbin/md5/md5.c
@@ -621,7 +621,7 @@ main(int argc, char *argv[])
 			 */
 			if (*(argv + 1) == NULL) {
 #ifdef HAVE_CAPSICUM
-				cap_rights_init(&rights, CAP_READ);
+				cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
 				if (caph_rights_limit(fileno(f), &rights) < 0 ||
 				    caph_enter() < 0)
 					err(1, "capsicum");