PERFORCE change 164703 for review
Robert Watson
rwatson at FreeBSD.org
Fri Jun 19 12:31:16 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=164703
Change 164703 by rwatson at rwatson_freebsd_capabilities on 2009/06/19 12:30:24
Make it easy to grant stdout access to a sandbox.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#23 edit
.. //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#20 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#23 (text+ko) ====
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#22 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability.h#23 $
*/
#ifndef _LIBCAPABILITY_H_
@@ -78,6 +78,7 @@
* Flags to lch_start_flags:
*/
#define LCH_PERMIT_STDERR 0x00000001
+#define LCH_PERMIT_STDOUT 0x00000002
/*
* Interfaces to query state about capability mode sandboxs.
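Review bot: `LCH_PERMIT_STDOUT` is added to the flag list with no comment on what it grants, and the block comment above it only says these are flags to lch_start_flags. Since the flag widens what a sandbox can reach, I would document it where callers will read it, e.g. `/* Give the sandbox the host's stdout, limited to CAP_SEEK | CAP_WRITE, instead of /dev/null. */`, with a matching line for `LCH_PERMIT_STDERR`. It is also worth stating that with the flag clear the sandbox's stdout stays on /dev/null, as the libcapability_host.c hunk shows.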
==== //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#20 (text+ko) ====
@@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#19 $
+ * $P4: //depot/projects/trustedbsd/capabilities/src/lib/libcapability/libcapability_host.c#20 $
*/
#include <sys/param.h>
@@ -178,7 +178,12 @@
return;
fd_array[0] = fd_devnull;
- fd_array[1] = fd_devnull;
+ if (flags & LCH_PERMIT_STDOUT) {
+ if (lc_limitfd(STDOUT_FILENO, CAP_SEEK | CAP_WRITE) < 0)
+ return;
+ fd_array[1] = STDOUT_FILENO;
+ } else
+ fd_array[1] = fd_devnull;
if (flags & LCH_PERMIT_STDERR) {
if (lc_limitfd(STDERR_FILENO, CAP_SEEK | CAP_WRITE) < 0)
return;
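Review bot: In the new `LCH_PERMIT_STDOUT` branch the sandbox receives the host's own stdout with `CAP_SEEK` as well as `CAP_WRITE`, so if stdout is a regular file and the offset is shared (presumably it is, since the same descriptor is passed on), the sandbox can reposition it over output the host has already written. If plain write() works under `CAP_WRITE` alone in this tree, use `lc_limitfd(STDOUT_FILENO, CAP_WRITE)`; otherwise add a comment such as `/* CAP_SEEK is required for write(); the stream is shared with the host and can be repositioned by the sandbox. */`. The stderr branch below already carries the same rights and would get the same treatment. The bare `return;` on lc_limitfd failure reports nothing, and what the caller does afterwards is outside the hunk, so confirm this path cannot go on to run the sandbox with unrestricted descriptors. The enclosing function starts and ends outside the hunk.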