about summary refs log tree commit diff
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2021-06-24 18:06:09 -0400
committerJune McEnroe <june@causal.agency>2021-06-25 11:50:14 -0400
commit1239ffa689964778425a75786116eb363c4961f1 (patch)
treef1a333a655bc5d1c989c7b2d09d948d60e46bc60
parentRemove explicit tls_handshake(3) from ircConnect (diff)
downloadcatgirl-1239ffa689964778425a75786116eb363c4961f1.tar.gz
catgirl-1239ffa689964778425a75786116eb363c4961f1.zip
FreeBSD: Limit rights on stdio and socket
Diffstat (limited to '')
-rw-r--r--chat.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/chat.c b/chat.c
index 873eed9..821d510 100644
--- a/chat.c
+++ b/chat.c
@@ -319,6 +319,18 @@ int main(int argc, char *argv[]) {
 #endif
 
 #ifdef __FreeBSD__
+	struct { cap_rights_t stdin, stdout, stderr, irc; } rights;
+	cap_rights_init(&rights.stdin, CAP_READ, CAP_EVENT);
+	cap_rights_init(&rights.stdout, CAP_WRITE, CAP_IOCTL);
+	cap_rights_init(&rights.stderr, CAP_WRITE);
+	cap_rights_init(&rights.irc, CAP_SEND, CAP_RECV, CAP_EVENT);
+	int error = 0
+		|| cap_rights_limit(STDIN_FILENO, &rights.stdin)
+		|| cap_rights_limit(STDOUT_FILENO, &rights.stdout)
+		|| cap_rights_limit(STDERR_FILENO, &rights.stderr)
+		|| cap_rights_limit(irc, &rights.irc);
+	if (error) err(EX_OSERR, "cap_rights_limit");
+
 	if (self.restricted) {
 		int error = cap_enter();
 		if (error) err(EX_OSERR, "cap_enter");