Date: Wed, 12 Dec 2018 02:33:01 +0000 (UTC) From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r341837 - head/sbin/ping Message-ID: <201812120233.wBC2X1pP066614@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Wed Dec 12 02:33:01 2018 New Revision: 341837 URL: https://svnweb.freebsd.org/changeset/base/341837 Log: Use Capsicum helpers in ping(8). Also use caph_cache_catpages() to ensure that strerror() works when run with kern.trap_enotcap=1. Reviewed by: oshogbo MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D18514 Modified: head/sbin/ping/ping.c Modified: head/sbin/ping/ping.c ============================================================================== --- head/sbin/ping/ping.c Tue Dec 11 22:14:37 2018 (r341836) +++ head/sbin/ping/ping.c Wed Dec 12 02:33:01 2018 (r341837) @@ -85,6 +85,7 @@ __FBSDID("$FreeBSD$"); #include <netipsec/ipsec.h> #endif /*IPSEC*/ +#include <capsicum_helpers.h> #include <ctype.h> #include <err.h> #include <errno.h> @@ -258,7 +259,6 @@ main(int argc, char *const *argv) policy_in = policy_out = NULL; #endif cap_rights_t rights; - bool cansandbox; /* * Do the stuff that we need root priv's for *first*, and @@ -702,27 +702,20 @@ main(int argc, char *const *argv) ip->ip_dst = to->sin_addr; } - if (options & F_NUMERIC) - cansandbox = true; - else if (capdns != NULL) - cansandbox = CASPER_SUPPORT; - else - cansandbox = false; - /* * Here we enter capability mode. Further down access to global * namespaces (e.g filesystem) is restricted (see capsicum(4)). * We must connect(2) our socket before this point. */ - if (cansandbox && cap_enter() < 0 && errno != ENOSYS) + caph_cache_catpages(); + if (caph_enter() < 0) err(1, "cap_enter"); cap_rights_init(&rights, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT); - if (cap_rights_limit(srecv, &rights) < 0 && errno != ENOSYS) + if (caph_rights_limit(srecv, &rights) < 0) err(1, "cap_rights_limit srecv"); - cap_rights_init(&rights, CAP_SEND, CAP_SETSOCKOPT); - if (cap_rights_limit(ssend, &rights) < 0 && errno != ENOSYS) + if (caph_rights_limit(ssend, &rights) < 0) err(1, "cap_rights_limit ssend"); /* record route option */ @@ -807,14 +800,14 @@ main(int argc, char *const *argv) sizeof(hold)); /* CAP_SETSOCKOPT removed */ cap_rights_init(&rights, CAP_RECV, CAP_EVENT); - if (cap_rights_limit(srecv, &rights) < 0 && errno != ENOSYS) + if (caph_rights_limit(srecv, &rights) < 0) err(1, "cap_rights_limit srecv setsockopt"); if (uid == 0) (void)setsockopt(ssend, SOL_SOCKET, SO_SNDBUF, (char *)&hold, sizeof(hold)); /* CAP_SETSOCKOPT removed */ cap_rights_init(&rights, CAP_SEND); - if (cap_rights_limit(ssend, &rights) < 0 && errno != ENOSYS) + if (caph_rights_limit(ssend, &rights) < 0) err(1, "cap_rights_limit ssend setsockopt"); if (to->sin_family == AF_INET) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812120233.wBC2X1pP066614>