svn commit: r325727 - head/usr.sbin/bhyve

Bartek Rutkowski robak at FreeBSD.org
Sat Nov 11 22:50:15 UTC 2017 

Author: robak (ports committer)
Date: Sat Nov 11 22:50:14 2017
New Revision: 325727
URL: https://svnweb.freebsd.org/changeset/base/325727

Log:
  bhyve: avoid applying capsicum capabilities to file that was not opened
  
  When using -l option targeting file that can't be opened (ie. nmdm module
  is not loaded and /dev/nmdm* is specified) bhyve tries to apply capsicum
  capabilities to a file that was not opened.
  
  Enclose that code in an if statement and only run it on correctly opened
  descriptor also providing meaningful message in case of an error.
  
  Submitted by:	Pawel Biernacki <pawel.biernacki at gmail.com>
  Reviewed by:	grehan, emaste
  Sponsoied by:	Mysterious Code Ltd.
  Differential Revision:	D12985

Modified:
  head/usr.sbin/bhyve/uart_emul.c

Modified: head/usr.sbin/bhyve/uart_emul.c
==============================================================================
--- head/usr.sbin/bhyve/uart_emul.c	Sat Nov 11 22:39:33 2017	(r325726)
+++ head/usr.sbin/bhyve/uart_emul.c	Sat Nov 11 22:50:14 2017	(r325727)
@@ -678,20 +678,24 @@ uart_set_backend(struct uart_softc *sc, const char *op
 	if (retval == 0)
 		retval = fcntl(sc->tty.fd, F_SETFL, O_NONBLOCK);
 
+	if (retval == 0) {
 #ifndef WITHOUT_CAPSICUM
-	cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE);
-	if (cap_rights_limit(sc->tty.fd, &rights) == -1 && errno != ENOSYS)
-		errx(EX_OSERR, "Unable to apply rights for sandbox");
-	if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS)
-		errx(EX_OSERR, "Unable to apply rights for sandbox");
-	if (!uart_stdio) {
-		if (caph_limit_stdin() == -1 && errno != ENOSYS)
+		cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ,
+		    CAP_WRITE);
+		if (cap_rights_limit(sc->tty.fd, &rights) == -1 &&
+		    errno != ENOSYS)
 			errx(EX_OSERR, "Unable to apply rights for sandbox");
-	}
+		if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 &&
+		    errno != ENOSYS)
+			errx(EX_OSERR, "Unable to apply rights for sandbox");
+		if (!uart_stdio) {
+			if (caph_limit_stdin() == -1 && errno != ENOSYS)
+				errx(EX_OSERR,
+				    "Unable to apply rights for sandbox");
+		}
 #endif
-
-	if (retval == 0)
 		uart_opentty(sc);
+	}
 
 	return (retval);
 }

More information about the svn-src-all mailing list