git: dfd52321b7be - main - nl(1): Capsicumise the utility

From: Mariusz Zaborski <oshogbo_at_FreeBSD.org>
Date: Thu, 12 Dec 2024 08:27:05 UTC
The branch main has been updated by oshogbo:

URL: https://cgit.FreeBSD.org/src/commit/?id=dfd52321b7beba716fa2bdd4f54e57e9ac806e96

commit dfd52321b7beba716fa2bdd4f54e57e9ac806e96
Author:     Faraz Vahedi <kfv@kfv.io>
AuthorDate: 2024-10-13 20:03:25 +0000
Commit:     Mariusz Zaborski <oshogbo@FreeBSD.org>
CommitDate: 2024-12-12 08:24:31 +0000

    nl(1): Capsicumise the utility
    
    Signed-off-by: Faraz Vahedi <kfv@kfv.io>
    Reviewed by:    markj, oshogbo
    MFC after:      1 week
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/1465
---
 usr.bin/nl/nl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/usr.bin/nl/nl.c b/usr.bin/nl/nl.c
index a6a14239f582..573e03e4ad0d 100644
--- a/usr.bin/nl/nl.c
+++ b/usr.bin/nl/nl.c
@@ -42,6 +42,8 @@
 #include <unistd.h>
 #include <wchar.h>
 
+#include <capsicum_helpers.h>
+
 typedef enum {
 	number_all,		/* number all lines */
 	number_nonempty,	/* number non-empty lines */
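Review bot: The new `#include <capsicum_helpers.h>` is appended as its own group after `<wchar.h>` instead of being sorted into the existing block of system headers, which in the visible lines runs alphabetically (`<unistd.h>`, `<wchar.h>`). Unless the separate group is deliberate, moving it into alphabetical position within that block would keep the include list consistent.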
@@ -244,6 +246,11 @@ main(int argc, char *argv[])
 		/* NOTREACHED */
 	}
 
+	/* Limit standard descriptors and enter capability mode */
+	caph_cache_catpages();
+	if (caph_limit_stdio() < 0 || caph_enter() < 0)
+		err(EXIT_FAILURE, "capsicum");
+
 	/* Generate the delimiter sequence */
 	memcpy(delim, delim1, delim1len);
 	memcpy(delim + delim1len, delim2, delim2len);
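Review bot: The combined check `if (caph_limit_stdio() < 0 || caph_enter() < 0)` reports either failure with the bare message "capsicum", so the err() output cannot tell a failed descriptor limit from a failed entry into capability mode; two checks with distinct messages would make a failure diagnosable. The comment above it also covers only two of the three calls: a few words on `caph_cache_catpages()` (it preloads the NLS catalog data that localized err(3) and strerror(3) output needs, which can no longer be opened by path once sandboxed) would explain why it has to come first. Since the sandbox is entered right after the operand-handling switch and before the delimiter setup, it is also worth stating in the comment or the commit message that everything needing the global namespace, in particular opening the input file, has already happened by this point; the visible context does not show that.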