xz: Add a comment to Capsicum sandbox setup.

This comment is repeated in xzdec.c to help remind us why all the capabilities are removed from stdin in certain situations.
2024-04-04 12:36:23 +02:00 · 2023-12-21 16:39:53 +08:00 · 2023-12-21 16:39:53 +08:00 · 710cbc186c
commit 710cbc186c
parent 4e1c695676
1 changed files with 1 additions and 0 deletions
--- a/src/xz/file_io.c
+++ b/src/xz/file_io.c
@ -226,6 +226,7 @@ io_sandbox_enter(int src_fd)
 			CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
 		goto error;

+	// If not reading from stdin, remove all capabilities from it.
 	if (src_fd != STDIN_FILENO && cap_rights_limit(
 			STDIN_FILENO, cap_rights_clear(&rights)))
 		goto error;