svn commit: r347036 - stable/11/usr.sbin/bhyve
John Baldwin
jhb at FreeBSD.org
Fri May 3 00:20:04 UTC 2019
Author: jhb
Date: Fri May 3 00:20:02 2019
New Revision: 347036
URL: https://svnweb.freebsd.org/changeset/base/347036
Log:
MFC 325727:
bhyve: avoid applying capsicum capabilities to file that was not opened
When the -l option targets a file that can't be opened (i.e. the nmdm module
is not loaded and /dev/nmdm* is specified), bhyve tries to apply Capsicum
capability limits to a file that was not opened.
Enclose that code in an if statement and only run it on correctly opened
descriptor also providing meaningful message in case of an error.
Modified:
stable/11/usr.sbin/bhyve/uart_emul.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/usr.sbin/bhyve/uart_emul.c
==============================================================================
--- stable/11/usr.sbin/bhyve/uart_emul.c Fri May 3 00:02:07 2019 (r347035)
+++ stable/11/usr.sbin/bhyve/uart_emul.c Fri May 3 00:20:02 2019 (r347036)
@@ -680,25 +680,35 @@ uart_set_backend(struct uart_softc *sc, const char *op
if (retval == 0)
retval = fcntl(sc->tty.fd, F_SETFL, O_NONBLOCK);
+ if (retval == 0) {
#ifndef WITHOUT_CAPSICUM
- cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE);
- if (cap_rights_limit(sc->tty.fd, &rights) == -1 && errno != ENOSYS)
- errx(EX_OSERR, "Unable to apply rights for sandbox");
- if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS)
- errx(EX_OSERR, "Unable to apply rights for sandbox");
- if (!uart_stdio) {
- cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT, CAP_IOCTL, CAP_READ);
- if (cap_rights_limit(STDIN_FILENO, &rights) == -1 && errno != ENOSYS)
+ cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ,
+ CAP_WRITE);
+ if (cap_rights_limit(sc->tty.fd, &rights) == -1 &&
+ errno != ENOSYS)
errx(EX_OSERR, "Unable to apply rights for sandbox");
- if (cap_ioctls_limit(STDIN_FILENO, sicmds, nitems(sicmds)) == -1 && errno != ENOSYS)
+ if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 &&
+ errno != ENOSYS)
errx(EX_OSERR, "Unable to apply rights for sandbox");
- if (cap_fcntls_limit(STDIN_FILENO, CAP_FCNTL_GETFL) == -1 && errno != ENOSYS)
- errx(EX_OSERR, "Unable to apply rights for sandbox");
- }
+ if (!uart_stdio) {
+ cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT,
+ CAP_IOCTL, CAP_READ);
+ if (cap_rights_limit(STDIN_FILENO, &rights) == -1 &&
+ errno != ENOSYS)
+ errx(EX_OSERR,
+ "Unable to apply rights for sandbox");
+ if (cap_ioctls_limit(STDIN_FILENO, sicmds,
+ nitems(sicmds)) == -1 && errno != ENOSYS)
+ errx(EX_OSERR,
+ "Unable to apply rights for sandbox");
+ if (cap_fcntls_limit(STDIN_FILENO, CAP_FCNTL_GETFL) ==
+ -1 && errno != ENOSYS)
+ errx(EX_OSERR,
+ "Unable to apply rights for sandbox");
+ }
#endif
-
- if (retval == 0)
uart_opentty(sc);
+ }
return (retval);
}
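Review bot: The STDIN_FILENO limits in the `if (!uart_stdio)` branch do not use sc->tty.fd, yet they now sit inside the new `if (retval == 0)` guard and are skipped whenever the backend fails to open. Whether stdin can then stay unrestricted depends on how the caller handles a non-zero return, which is outside this hunk (uart_set_backend begins above it). If the process can keep running after a failure, that branch should stay outside the guard; otherwise a comment such as `/* stdin limits are skipped on failure; the caller treats it as fatal */` would record why this is safe. Separately, the log mentions a meaningful error message, but all five failure paths visible here still call errx() with the same text, which drops errno. Using `err(EX_OSERR, "cap_ioctls_limit(tty)")`, with a distinct string per call, would show which limit failed and why.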