Author: cem
Date: Fri Dec 16 02:03:40 2016
New Revision: 310143
URL: https://svnweb.freebsd.org/changeset/base/310143

Log:
  hexdump(1): First cut capsicumification
  
  For now, only enter the sandbox for the last file processed (including
  stdin for zero-argument mode).
  
  Sandboxing all inputs will require a little restructuring of the
  program.
  
  Feedback by:  emaste@ (earlier versions)
  Sponsored by: Dell EMC Isilon
  Differential Revision:        https://reviews.freebsd.org/D7915

Modified:
  head/usr.bin/hexdump/display.c
  head/usr.bin/hexdump/hexdump.c

Modified: head/usr.bin/hexdump/display.c
==============================================================================
--- head/usr.bin/hexdump/display.c      Fri Dec 16 01:59:28 2016        
(r310142)
+++ head/usr.bin/hexdump/display.c      Fri Dec 16 02:03:40 2016        
(r310143)
@@ -36,10 +36,13 @@ static char sccsid[] = "@(#)display.c       8.
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#include <sys/capsicum.h>
 #include <sys/stat.h>
 
+#include <capsicum_helpers.h>
 #include <ctype.h>
 #include <err.h>
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -355,6 +358,19 @@ next(char **argv)
                                return(0);
                        statok = 0;
                }
+
+               if (caph_limit_stream(fileno(stdin), CAPH_READ) < 0)
+                       err(1, "unable to restrict %s",
+                           statok ? _argv[-1] : "stdin");
+
+               /*
+                * We've opened our last input file; enter capsicum sandbox.
+                */
+               if (*_argv == NULL) {
+                       if (cap_enter() < 0 && errno != ENOSYS)
+                               err(1, "unable to enter capability mode");
+               }
+
                if (skip)
                        doskip(statok ? *_argv : "stdin", statok);
                if (*_argv)
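Review bot: The `if (*_argv == NULL)` test guarding `cap_enter()` appears to be true only in the zero-argument (stdin) case, so when file arguments are given the sandbox looks like it is never entered, not even for the last file. Judging by the context lines that follow (`doskip(statok ? *_argv : "stdin", statok)` and the trailing `if (*_argv)`), `_argv` still points at the file just opened and is advanced only afterwards. A check that matches the log message would be `if (statok == 0 || _argv[1] == NULL) {`. For the same reason the `err()` after `caph_limit_stream()` should name the current file, `statok ? *_argv : "stdin"`, since `_argv[-1]` is the preceding argument at this point. next() starts and ends outside the hunk, so the position of the increment is inferred from the context lines.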

Modified: head/usr.bin/hexdump/hexdump.c
==============================================================================
--- head/usr.bin/hexdump/hexdump.c      Fri Dec 16 01:59:28 2016        
(r310142)
+++ head/usr.bin/hexdump/hexdump.c      Fri Dec 16 02:03:40 2016        
(r310143)
@@ -42,6 +42,9 @@ static char sccsid[] = "@(#)hexdump.c 8.
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
+#include <sys/capsicum.h>
+#include <capsicum_helpers.h>
+#include <err.h>
 #include <locale.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -76,6 +79,14 @@ main(int argc, char *argv[])
        for (tfs = fshead; tfs; tfs = tfs->nextfs)
                rewrite(tfs);
 
+       /*
+        * Cache NLS data, for strerror, for err(3), before entering capability
+        * mode.
+        */
+       caph_cache_catpages();
+       if (caph_limit_stdio() < 0)
+               err(1, "capsicum");
+
        (void)next(argv);
        display();
        exit(exitval);
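Review bot: The `err(1, "capsicum")` after `caph_limit_stdio()` tells whoever reads the failure nothing about which step failed. The display.c part of this commit uses the form "unable to restrict %s", so `err(1, "unable to limit stdio");` would be consistent and easier to triage. The comment above `caph_cache_catpages()` covers only the NLS caching; a short line such as `/* Restrict stdin/stdout/stderr before any input is processed. */` ahead of the `caph_limit_stdio()` call would document the second step. main() starts outside the hunk.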