revi-archive/xz-archive
1
0
Fork 0
mirror of https://git.tukaani.org/xz.git synced 2024-04-04 12:36:23 +02:00
Code Activity

xz: Reorder cap_enter() to beginning of capsicum sandbox code.

Browse source 
cap_enter() puts the process into the sandbox. If later calls to
cap_rights_limit() fail, then the process can still have some extra
protections.
This commit is contained in:
Jia Tan 2023-03-06 21:08:26 +08:00
parent f1ab1f6b33
commit f070722b57
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/xz/file_io.c
View file

@ -192,6 +192,9 @@ io_sandbox_enter(int src_fd)
// Capsicum needs FreeBSD 10.0 or later.
cap_rights_t rights;
if (cap_enter())
goto error;
if (cap_rights_limit(src_fd, cap_rights_init(&rights,
CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
goto error;
@ -209,9 +212,6 @@ io_sandbox_enter(int src_fd)
CAP_WRITE)))
goto error;
if (cap_enter())
goto error;
#elif defined(HAVE_PLEDGE)
// pledge() was introduced in OpenBSD 5.9.
//