FreeBSD: Limit rights on stdio and socket

author: June McEnroe <june@causal.agency> 2021-06-24 18:06:09 -0400
committer: June McEnroe <june@causal.agency> 2021-06-25 11:50:14 -0400
commit: 1239ffa689964778425a75786116eb363c4961f1 (patch)
tree: f1a333a655bc5d1c989c7b2d09d948d60e46bc60 /chat.c
parent: Remove explicit tls_handshake(3) from ircConnect (diff)
download: catgirl-1239ffa689964778425a75786116eb363c4961f1.tar.gz
catgirl-1239ffa689964778425a75786116eb363c4961f1.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/chat.c b/chat.c
index 873eed9..821d510 100644
--- a/chat.c
+++ b/chat.c
@@ -319,6 +319,18 @@ int main(int argc, char *argv[]) {
 #endif
 
 #ifdef __FreeBSD__
+	struct { cap_rights_t stdin, stdout, stderr, irc; } rights;
+	cap_rights_init(&rights.stdin, CAP_READ, CAP_EVENT);
+	cap_rights_init(&rights.stdout, CAP_WRITE, CAP_IOCTL);
+	cap_rights_init(&rights.stderr, CAP_WRITE);
+	cap_rights_init(&rights.irc, CAP_SEND, CAP_RECV, CAP_EVENT);
+	int error = 0
+		|| cap_rights_limit(STDIN_FILENO, &rights.stdin)
+		|| cap_rights_limit(STDOUT_FILENO, &rights.stdout)
+		|| cap_rights_limit(STDERR_FILENO, &rights.stderr)
+		|| cap_rights_limit(irc, &rights.irc);
+	if (error) err(EX_OSERR, "cap_rights_limit");
+
 	if (self.restricted) {
 		int error = cap_enter();
 		if (error) err(EX_OSERR, "cap_enter");
author	June McEnroe <june@causal.agency>	2021-06-24 18:06:09 -0400
committer	June McEnroe <june@causal.agency>	2021-06-25 11:50:14 -0400
commit	1239ffa689964778425a75786116eb363c4961f1 (patch)
tree	f1a333a655bc5d1c989c7b2d09d948d60e46bc60 /chat.c
parent	Remove explicit tls_handshake(3) from ircConnect (diff)
download	catgirl-1239ffa689964778425a75786116eb363c4961f1.tar.gz catgirl-1239ffa689964778425a75786116eb363c4961f1.zip