FreeBSD: Limit rights on log directory

author: June McEnroe <june@causal.agency> 2021-06-24 18:17:52 -0400
committer: June McEnroe <june@causal.agency> 2021-06-25 12:19:11 -0400
commit: 56c31ae4429310e8af3864d2b78b930fe14126c4 (patch)
tree: 43f865b28cb53082ba0de417662952f397ade1ff /log.c
parent: FreeBSD: Limit rights on save file (diff)
download: catgirl-56c31ae4429310e8af3864d2b78b930fe14126c4.tar.gz
catgirl-56c31ae4429310e8af3864d2b78b930fe14126c4.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/log.c b/log.c
index 415e1dc..fab5a41 100644
--- a/log.c
+++ b/log.c
@@ -38,6 +38,10 @@
 #include <time.h>
 #include <unistd.h>
 
+#ifdef __FreeBSD__
+#include <sys/capsicum.h>
+#endif
+
 #include "chat.h"
 
 static int logDir = -1;
@@ -47,6 +51,16 @@ void logOpen(void) {
 	const char *path = dataMkdir("log");
 	logDir = open(path, O_RDONLY | O_CLOEXEC);
 	if (logDir < 0) err(EX_CANTCREAT, "%s", path);
+
+#ifdef __FreeBSD__
+	cap_rights_t rights;
+	cap_rights_init(
+		&rights, CAP_MKDIRAT, CAP_CREATE, CAP_WRITE,
+		/* for fdopen(3) */ CAP_FCNTL, CAP_FSTAT
+	);
+	int error = cap_rights_limit(logDir, &rights);
+	if (error) err(EX_OSERR, "cap_rights_limit");
+#endif
 }
 
 static void logMkdir(const char *path) {
author	June McEnroe <june@causal.agency>	2021-06-24 18:17:52 -0400
committer	June McEnroe <june@causal.agency>	2021-06-25 12:19:11 -0400
commit	56c31ae4429310e8af3864d2b78b930fe14126c4 (patch)
tree	43f865b28cb53082ba0de417662952f397ade1ff /log.c
parent	FreeBSD: Limit rights on save file (diff)
download	catgirl-56c31ae4429310e8af3864d2b78b930fe14126c4.tar.gz catgirl-56c31ae4429310e8af3864d2b78b930fe14126c4.zip