summary refs log tree commit diff
path: root/bounce.c
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2019-10-27 21:50:56 -0400
committerJune McEnroe <june@causal.agency>2019-11-01 01:01:17 -0400
commit0c667f1dc709c0104f244169983289ef1164f862 (patch)
treee229ab9daf6ed61a6a3dd3d3ad5521fe6c59ed97 /bounce.c
parentUse capsicum (diff)
downloadpounce-0c667f1dc709c0104f244169983289ef1164f862.tar.gz
pounce-0c667f1dc709c0104f244169983289ef1164f862.zip
Re-read cert and key from the same FILEs
Diffstat (limited to '')
-rw-r--r--bounce.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/bounce.c b/bounce.c
index bb4f902..a5b448a 100644
--- a/bounce.c
+++ b/bounce.c
@@ -194,6 +194,12 @@ int main(int argc, char *argv[]) {
 	ringAlloc(ring);
 	if (save) saveLoad(save);
 
+	FILE *cert = fopen(certPath, "r");
+	if (!cert) err(EX_NOINPUT, "%s", certPath);
+	FILE *priv = fopen(privPath, "r");
+	if (!priv) err(EX_NOINPUT, "%s", privPath);
+	listenConfig(cert, priv);
+
 	int bind[8];
 	listenConfig(certPath, privPath);
 	size_t binds = listenBind(bind, 8, bindHost, bindPort);
@@ -204,11 +210,14 @@ int main(int argc, char *argv[]) {
 	int error = cap_enter();
 	if (error) err(EX_OSERR, "cap_enter");
 
-	cap_rights_t sockRights, bindRights;
+	cap_rights_t fileRights, sockRights, bindRights;
+	cap_rights_init(&fileRights, CAP_FSTAT, CAP_PREAD);
 	cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT);
 	cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT);
 	cap_rights_merge(&bindRights, &sockRights);
 
+	cap_rights_limit(fileno(cert), &fileRights);
+	cap_rights_limit(fileno(priv), &fileRights);
 	for (size_t i = 0; i < binds; ++i) {
 		error = cap_rights_limit(bind[i], &bindRights);
 		if (error) err(EX_OSERR, "cap_rights_limit");
@@ -248,7 +257,7 @@ int main(int argc, char *argv[]) {
 			signals[SIGINFO] = 0;
 		}
 		if (signals[SIGUSR1]) {
-			listenConfig(certPath, privPath);
+			listenConfig(cert, priv);
 			signals[SIGUSR1] = 0;
 		}