git: 5aaaa1a61024 - stable/14 - beep: Capsicumize
Date: Tue, 29 Jul 2025 15:16:48 UTC
The branch stable/14 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=5aaaa1a61024bb13aafef1716a4fb10f31147b6b
commit 5aaaa1a61024bb13aafef1716a4fb10f31147b6b
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2025-06-05 23:44:05 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-07-29 14:19:49 +0000
beep: Capsicumize
While it's unlikely that beep(1) will be used in a context where a
sandbox is particularly valuable, it does offer a simple demonstration
of entering a capability sandbox after opening required fds, and is
trivial to do.
Reviewed by: christos
Event: Kitchener-Waterloo Hackathon 202506
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50709
(cherry picked from commit 54eda43cc1e6b1d73804b6c397a15002e3519555)
---
usr.bin/beep/beep.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/usr.bin/beep/beep.c b/usr.bin/beep/beep.c
index 0bdfe2cf97a7..9d274770ad75 100644
--- a/usr.bin/beep/beep.c
+++ b/usr.bin/beep/beep.c
@@ -25,6 +25,7 @@
#include <sys/soundcard.h>
+#include <capsicum_helpers.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
@@ -204,6 +205,9 @@ main(int argc, char **argv)
if (f < 0)
err(1, "Failed to open '%s'", oss_dev);
+ if (caph_enter() == -1)
+ err(1, "Failed to enter capability mode");
+
c = 1; /* mono */
if (ioctl(f, SOUND_PCM_WRITE_CHANNELS, &c) != 0)
errx(1, "ioctl SOUND_PCM_WRITE_CHANNELS(1) failed");
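Review bot: In main(), f is carried into capability mode with every right it had when it was opened, because the only call added between the open check and the first ioctl is caph_enter(). Capability mode removes access to global namespaces, but it does not narrow what can be done through descriptors that are already open. Consider restricting f before caph_enter(): caph_rights_limit() down to the rights the rest of main() needs (CAP_IOCTL at least, given the SOUND_PCM_WRITE_CHANNELS call that follows), and caph_ioctls_limit() with the list of ioctl commands the program actually issues. A caph_limit_stdio() call would do the same for stdin, stdout and stderr while leaving the err()/errx() paths working. If this is deliberately left out to keep the demonstration minimal, a short comment above caph_enter() saying so would help readers who copy the pattern.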