Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 19 Dec 2018 17:48:38 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r342222 - stable/12/sbin/ping
Message-ID:  <201812191748.wBJHmclf089171@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: markj
Date: Wed Dec 19 17:48:37 2018
New Revision: 342222
URL: https://svnweb.freebsd.org/changeset/base/342222

Log:
  Revert r342219.
  
  It depends on a Capsicum helper not present in stable/12.

Modified:
  stable/12/sbin/ping/ping.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sbin/ping/ping.c
==============================================================================
--- stable/12/sbin/ping/ping.c	Wed Dec 19 17:45:16 2018	(r342221)
+++ stable/12/sbin/ping/ping.c	Wed Dec 19 17:48:37 2018	(r342222)
@@ -85,7 +85,6 @@ __FBSDID("$FreeBSD$");
 #include <netipsec/ipsec.h>
 #endif /*IPSEC*/
 
-#include <capsicum_helpers.h>
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
@@ -259,6 +258,7 @@ main(int argc, char *const *argv)
 	policy_in = policy_out = NULL;
 #endif
 	cap_rights_t rights;
+	bool cansandbox;
 
 	/*
 	 * Do the stuff that we need root priv's for *first*, and
@@ -709,20 +709,27 @@ main(int argc, char *const *argv)
 		ip->ip_dst = to->sin_addr;
         }
 
+	if (options & F_NUMERIC)
+		cansandbox = true;
+	else if (capdns != NULL)
+		cansandbox = CASPER_SUPPORT;
+	else
+		cansandbox = false;
+
 	/*
 	 * Here we enter capability mode. Further down access to global
 	 * namespaces (e.g filesystem) is restricted (see capsicum(4)).
 	 * We must connect(2) our socket before this point.
 	 */
-	caph_cache_catpages();
-	if (caph_enter_casper() < 0)
+	if (cansandbox && cap_enter() < 0 && errno != ENOSYS)
 		err(1, "cap_enter");
 
 	cap_rights_init(&rights, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT);
-	if (caph_rights_limit(srecv, &rights) < 0)
+	if (cap_rights_limit(srecv, &rights) < 0 && errno != ENOSYS)
 		err(1, "cap_rights_limit srecv");
+
 	cap_rights_init(&rights, CAP_SEND, CAP_SETSOCKOPT);
-	if (caph_rights_limit(ssend, &rights) < 0)
+	if (cap_rights_limit(ssend, &rights) < 0 && errno != ENOSYS)
 		err(1, "cap_rights_limit ssend");
 
 	/* record route option */
@@ -807,14 +814,14 @@ main(int argc, char *const *argv)
 	    sizeof(hold));
 	/* CAP_SETSOCKOPT removed */
 	cap_rights_init(&rights, CAP_RECV, CAP_EVENT);
-	if (caph_rights_limit(srecv, &rights) < 0)
+	if (cap_rights_limit(srecv, &rights) < 0 && errno != ENOSYS)
 		err(1, "cap_rights_limit srecv setsockopt");
 	if (uid == 0)
 		(void)setsockopt(ssend, SOL_SOCKET, SO_SNDBUF, (char *)&hold,
 		    sizeof(hold));
 	/* CAP_SETSOCKOPT removed */
 	cap_rights_init(&rights, CAP_SEND);
-	if (caph_rights_limit(ssend, &rights) < 0)
+	if (cap_rights_limit(ssend, &rights) < 0 && errno != ENOSYS)
 		err(1, "cap_rights_limit ssend setsockopt");
 
 	if (to->sin_family == AF_INET) {

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812191748.wBJHmclf089171>