xz: Make Capsicum sandbox more strict with stdin and stdout.

Lasse Collin 2023-03-07 19:59:23 +02:00 committed by Jia Tan
parent 916448d624
commit a0eecc235d
1 changed files with 8 additions and 0 deletions


@ -199,11 +199,19 @@ io_sandbox_enter(int src_fd)
CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK))) CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
goto capsicum_error; goto capsicum_error;
if (src_fd != STDIN_FILENO && cap_rights_limit(
STDIN_FILENO, cap_rights_clear(&rights)))
goto capsicum_error;
if (cap_rights_limit(STDOUT_FILENO, cap_rights_init(&rights, if (cap_rights_limit(STDOUT_FILENO, cap_rights_init(&rights,
CAP_EVENT, CAP_FCNTL, CAP_FSTAT, CAP_LOOKUP, CAP_EVENT, CAP_FCNTL, CAP_FSTAT, CAP_LOOKUP,
CAP_WRITE, CAP_SEEK))) CAP_WRITE, CAP_SEEK)))
goto capsicum_error; goto capsicum_error;
if (cap_rights_limit(STDERR_FILENO, cap_rights_init(&rights,
CAP_WRITE)))
goto capsicum_error;
if (cap_rights_limit(user_abort_pipe[0], cap_rights_init(&rights, if (cap_rights_limit(user_abort_pipe[0], cap_rights_init(&rights,
CAP_EVENT))) CAP_EVENT)))
goto capsicum_error; goto capsicum_error;