Attachment #2405 for bug #2140




		fatal("can't limit stderr: %m");

	cap_rights_init(&rights, CAP_READ, CAP_WRITE);
	if (cap_rights_limit(box->monitor->m_recvfd, &rights) < 0 &&
	    errno != ENOSYS)
		fatal("%s: failed to limit the network socket", __func__);
	cap_rights_init(&rights, CAP_WRITE);
	if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) < 0 &&
	    errno != ENOSYS)
		fatal("%s: failed to limit the logging socket", __func__);
	if (cap_enter() < 0 && errno != ENOSYS)
		fatal("%s: failed to enter capability mode", __func__);

Return to bug 2140

Lines 94-103 ssh_sandbox_child(struct ssh_sandbox *box) Link Here

(-)a/sandbox-capsicum.c (-2 / +4 lines)
94	fatal("can't limit stderr: %m");	94	fatal("can't limit stderr: %m");
95		95
96	cap_rights_init(&rights, CAP_READ, CAP_WRITE);	96	cap_rights_init(&rights, CAP_READ, CAP_WRITE);
97	if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)	97	if (cap_rights_limit(box->monitor->m_recvfd, &rights) < 0 &&
		98	errno != ENOSYS)
98	fatal("%s: failed to limit the network socket", __func__);	99	fatal("%s: failed to limit the network socket", __func__);
99	cap_rights_init(&rights, CAP_WRITE);	100	cap_rights_init(&rights, CAP_WRITE);
100	if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)	101	if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) < 0 &&
		102	errno != ENOSYS)
101	fatal("%s: failed to limit the logging socket", __func__);	103	fatal("%s: failed to limit the logging socket", __func__);
102	if (cap_enter() < 0 && errno != ENOSYS)	104	if (cap_enter() < 0 && errno != ENOSYS)
103	fatal("%s: failed to enter capability mode", __func__);	105	fatal("%s: failed to enter capability mode", __func__);