xz: Add a comment to Capsicum sandbox setup.

This comment is repeated in xzdec.c to help remind us why all the
capabilities are removed from stdin in certain situations.
Jia Tan 2023-12-21 16:39:53 +08:00
parent 8191720eac
commit 9e96ca8c48
1 changed files with 1 additions and 0 deletions


@ -199,6 +199,7 @@ io_sandbox_enter(int src_fd)
CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK))) CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
goto error; goto error;
// If not reading from stdin, remove all capabilities from it.
if (src_fd != STDIN_FILENO && cap_rights_limit( if (src_fd != STDIN_FILENO && cap_rights_limit(
STDIN_FILENO, cap_rights_clear(&rights))) STDIN_FILENO, cap_rights_clear(&rights)))
goto error; goto error;
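Review bot: The new comment above the `src_fd != STDIN_FILENO` check says all capabilities are removed from stdin, but `cap_rights_clear(&rights)` is called with no rights listed, on a `rights` set that the preceding `cap_rights_init()` has just filled. As I read the Capsicum API, it clears only the rights it is given, so please confirm that stdin really ends up with an empty set. If it does not, `cap_rights_init(&rights)` with no rights listed would match what the comment claims. The comment also states what is done rather than why, which is what the commit message promises; if this is the intent, something like `// stdin is not the input here, so leave the sandboxed process no rights on the inherited descriptor.` would record the reason. io_sandbox_enter() starts and ends outside the hunk.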