Date: Tue, 29 Jul 2025 15:16:48 GMT From: Ed Maste <emaste@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 5aaaa1a61024 - stable/14 - beep: Capsicumize Message-ID: <202507291516.56TFGme3018087@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/14 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=5aaaa1a61024bb13aafef1716a4fb10f31147b6b commit 5aaaa1a61024bb13aafef1716a4fb10f31147b6b Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2025-06-05 23:44:05 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2025-07-29 14:19:49 +0000 beep: Capsicumize While it's unlikely that beep(1) will be used in a context where a sandbox is particularly valuable, it does offer a simple demonstration of entering a capability sandbox after opening required fds, and is trivial to do. Reviewed by: christos Event: Kitchener-Waterloo Hackathon 202506 Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D50709 (cherry picked from commit 54eda43cc1e6b1d73804b6c397a15002e3519555) --- usr.bin/beep/beep.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr.bin/beep/beep.c b/usr.bin/beep/beep.c index 0bdfe2cf97a7..9d274770ad75 100644 --- a/usr.bin/beep/beep.c +++ b/usr.bin/beep/beep.c @@ -25,6 +25,7 @@ #include <sys/soundcard.h> +#include <capsicum_helpers.h> #include <err.h> #include <errno.h> #include <fcntl.h> @@ -204,6 +205,9 @@ main(int argc, char **argv) if (f < 0) err(1, "Failed to open '%s'", oss_dev); + if (caph_enter() == -1) + err(1, "Failed to enter capability mode"); + c = 1; /* mono */ if (ioctl(f, SOUND_PCM_WRITE_CHANNELS, &c) != 0) errx(1, "ioctl SOUND_PCM_WRITE_CHANNELS(1) failed");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202507291516.56TFGme3018087>