socsvn commit: r254452 - soc2013/dpl/head/contrib/xz/src/xz

dpl at FreeBSD.org dpl at FreeBSD.org
Tue Jul 9 07:15:59 UTC 2013 

Author: dpl
Date: Tue Jul  9 07:15:59 2013
New Revision: 254452
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=254452

Log:
  Added functions to enter capability mode, and limitfds.
  

Modified:
  soc2013/dpl/head/contrib/xz/src/xz/file_io.c

Modified: soc2013/dpl/head/contrib/xz/src/xz/file_io.c
==============================================================================
--- soc2013/dpl/head/contrib/xz/src/xz/file_io.c	Tue Jul  9 07:13:20 2013	(r254451)
+++ soc2013/dpl/head/contrib/xz/src/xz/file_io.c	Tue Jul  9 07:15:59 2013	(r254452)
@@ -604,6 +604,7 @@
 			free(pair->dest_name);
 			return true;
 		}
+		limitfd(pair);
 	}
 
 	// If this really fails... well, we have a safe fallback.
@@ -956,14 +957,49 @@
 	return io_write_buf(pair, buf->u8, size);
 }
 
-#if CAPSICUM
+#if defined(CAPSICUM)
 extern void
-limitfd(struct file_pair *pair)
+limitfd(file_pair *pair)
 {
 	cap_rights_t rights = 0;
 
-	
+	rights |= CAP_READ;
+	if (cap_rights_limit(pair->src_fd, rights) < 0 && errno != ENOSYS){
+		message_error("%s: %s", pair->src_name, strerror(errno));
+		exit(E_ERROR);
+	}
 
+	rights |= CAP_WRITE|CAP_FSTAT|CAP_FCHOWN;
+	rights |= CAP_FCHMOD|CAP_FUTIMES;
+	if (cap_rights_limit(pair->dest_fd, rights) < 0 && errno != ENOSYS){
+		message_error("%s: %s", pair->dest_name, strerror(errno));
+		exit(E_ERROR);
+	}
 	return;
 }
-#endif
\ No newline at end of file
+
+extern void
+cap_init(void)
+{
+	if (cap_rights_limit(STDIN_FILENO, CAP_READ) < 0 && errno != ENOSYS){
+		message_error("%d: %s", STDIN_FILENO, strerror(errno));
+		exit(E_ERROR);
+	}
+
+	if (cap_rights_limit(STDOUT_FILENO, CAP_WRITE) < 0 && errno != ENOSYS){
+		message_error("%d: %s", STDOUT_FILENO, strerror(errno));
+		exit(E_ERROR);
+	}
+
+	if (cap_rights_limit(STDERR_FILENO, CAP_WRITE) < 0 && errno != ENOSYS){
+		message_error("%d: %s", STDERR_FILENO, strerror(errno));
+		exit(E_ERROR);
+	}
+
+	if (cap_enter() < 0 && errno != ENOSYS){
+		message_error("cap_enter: %s", strerror(errno));
+		exit(E_ERROR);
+	}
+	return;
+}
+#endif

More information about the svn-soc-all mailing list