svn commit: r317165 - head/usr.bin/pom
Emmanuel Vadot
manu at FreeBSD.org
Wed Apr 19 20:27:50 UTC 2017
Author: manu
Date: Wed Apr 19 20:27:48 2017
New Revision: 317165
URL: https://svnweb.freebsd.org/changeset/base/317165
Log:
Capsicumize pom
Since pom is the only binary that can save lives, capsicumize it to be
sure that it's safe to run it.
Reviewed by: bapt
Modified:
head/usr.bin/pom/pom.c
Modified: head/usr.bin/pom/pom.c
==============================================================================
--- head/usr.bin/pom/pom.c Wed Apr 19 20:27:13 2017 (r317164)
+++ head/usr.bin/pom/pom.c Wed Apr 19 20:27:48 2017 (r317165)
@@ -53,6 +53,11 @@ __FBSDID("$FreeBSD$");
*
*/
+#include <sys/capsicum.h>
+#include <capsicum_helpers.h>
+
+#include <err.h>
+#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <math.h>
@@ -81,6 +86,7 @@ static void usage(char *progname);
int
main(int argc, char **argv)
{
+ cap_rights_t rights;
time_t tt;
struct tm GMT, tmd;
double days, today, tomorrow;
@@ -88,6 +94,14 @@ main(int argc, char **argv)
char *odate = NULL, *otime = NULL;
char *progname = argv[0];
+ if (caph_limit_stdio() < 0)
+ err(1, "unable to limit capabitilities for stdio");
+ cap_rights_init(&rights, CAP_WRITE);
+
+ caph_cache_catpages();
+ if (cap_enter() < 0 && errno != ENOSYS)
+ err(1, "unable to enter capability mode");
+
while ((ch = getopt(argc, argv, "d:pt:")) != -1)
switch (ch) {
case 'd':
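Review bot: `cap_rights_init(&rights, CAP_WRITE);` fills in `rights`, but nothing in the visible hunks passes it to `cap_rights_limit()`, so it restricts no descriptor while reading as if a limit were applied. Since `caph_limit_stdio()` already covers stdin, stdout and stderr, I would drop this line together with the `cap_rights_t rights;` declaration added in the previous hunk. The `err()` string has a typo and should read `"unable to limit capabilities for stdio"`. The rest of `main` lies outside the hunk, but the `struct tm` locals suggest local-time conversion happens after `cap_enter()`. If so, the timezone database can no longer be opened at that point, and a `caph_cache_tzdata();` call next to `caph_cache_catpages();` would be needed so that `-d`/`-t` handling does not silently fall back to UTC.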