svn commit: r341837 - head/sbin/ping

Mark Johnston markj at FreeBSD.org
Wed Dec 12 02:33:02 UTC 2018 

Author: markj
Date: Wed Dec 12 02:33:01 2018
New Revision: 341837
URL: https://svnweb.freebsd.org/changeset/base/341837

Log:
  Use Capsicum helpers in ping(8).
  
  Also use caph_cache_catpages() to ensure that strerror() works when
  run with kern.trap_enotcap=1.
  
  Reviewed by:	oshogbo
  MFC after:	1 week
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D18514

Modified:
  head/sbin/ping/ping.c

Modified: head/sbin/ping/ping.c
==============================================================================
--- head/sbin/ping/ping.c	Tue Dec 11 22:14:37 2018	(r341836)
+++ head/sbin/ping/ping.c	Wed Dec 12 02:33:01 2018	(r341837)
@@ -85,6 +85,7 @@ __FBSDID("$FreeBSD$");
 #include <netipsec/ipsec.h>
 #endif /*IPSEC*/
 
+#include <capsicum_helpers.h>
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
@@ -258,7 +259,6 @@ main(int argc, char *const *argv)
 	policy_in = policy_out = NULL;
 #endif
 	cap_rights_t rights;
-	bool cansandbox;
 
 	/*
 	 * Do the stuff that we need root priv's for *first*, and
@@ -702,27 +702,20 @@ main(int argc, char *const *argv)
 		ip->ip_dst = to->sin_addr;
         }
 
-	if (options & F_NUMERIC)
-		cansandbox = true;
-	else if (capdns != NULL)
-		cansandbox = CASPER_SUPPORT;
-	else
-		cansandbox = false;
-
 	/*
 	 * Here we enter capability mode. Further down access to global
 	 * namespaces (e.g filesystem) is restricted (see capsicum(4)).
 	 * We must connect(2) our socket before this point.
 	 */
-	if (cansandbox && cap_enter() < 0 && errno != ENOSYS)
+	caph_cache_catpages();
+	if (caph_enter() < 0)
 		err(1, "cap_enter");
 
 	cap_rights_init(&rights, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT);
-	if (cap_rights_limit(srecv, &rights) < 0 && errno != ENOSYS)
+	if (caph_rights_limit(srecv, &rights) < 0)
 		err(1, "cap_rights_limit srecv");
-
 	cap_rights_init(&rights, CAP_SEND, CAP_SETSOCKOPT);
-	if (cap_rights_limit(ssend, &rights) < 0 && errno != ENOSYS)
+	if (caph_rights_limit(ssend, &rights) < 0)
 		err(1, "cap_rights_limit ssend");
 
 	/* record route option */
@@ -807,14 +800,14 @@ main(int argc, char *const *argv)
 	    sizeof(hold));
 	/* CAP_SETSOCKOPT removed */
 	cap_rights_init(&rights, CAP_RECV, CAP_EVENT);
-	if (cap_rights_limit(srecv, &rights) < 0 && errno != ENOSYS)
+	if (caph_rights_limit(srecv, &rights) < 0)
 		err(1, "cap_rights_limit srecv setsockopt");
 	if (uid == 0)
 		(void)setsockopt(ssend, SOL_SOCKET, SO_SNDBUF, (char *)&hold,
 		    sizeof(hold));
 	/* CAP_SETSOCKOPT removed */
 	cap_rights_init(&rights, CAP_SEND);
-	if (cap_rights_limit(ssend, &rights) < 0 && errno != ENOSYS)
+	if (caph_rights_limit(ssend, &rights) < 0)
 		err(1, "cap_rights_limit ssend setsockopt");
 
 	if (to->sin_family == AF_INET) {

More information about the svn-src-all mailing list