From 0c667f1dc709c0104f244169983289ef1164f862 Mon Sep 17 00:00:00 2001
From: Curtis McEnroe <june@causal.agency>
Date: Sun, 27 Oct 2019 21:50:56 -0400
Subject: Re-read cert and key from the same FILEs

---
 bounce.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'bounce.c')

diff --git a/bounce.c b/bounce.c
index bb4f902..a5b448a 100644
--- a/bounce.c
+++ b/bounce.c
@@ -194,6 +194,12 @@ int main(int argc, char *argv[]) {
 	ringAlloc(ring);
 	if (save) saveLoad(save);
 
+	FILE *cert = fopen(certPath, "r");
+	if (!cert) err(EX_NOINPUT, "%s", certPath);
+	FILE *priv = fopen(privPath, "r");
+	if (!priv) err(EX_NOINPUT, "%s", privPath);
+	listenConfig(cert, priv);
+
 	int bind[8];
 	listenConfig(certPath, privPath);
 	size_t binds = listenBind(bind, 8, bindHost, bindPort);
@@ -204,11 +210,14 @@ int main(int argc, char *argv[]) {
 	int error = cap_enter();
 	if (error) err(EX_OSERR, "cap_enter");
 
-	cap_rights_t sockRights, bindRights;
+	cap_rights_t fileRights, sockRights, bindRights;
+	cap_rights_init(&fileRights, CAP_FSTAT, CAP_PREAD);
 	cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT);
 	cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT);
 	cap_rights_merge(&bindRights, &sockRights);
 
+	cap_rights_limit(fileno(cert), &fileRights);
+	cap_rights_limit(fileno(priv), &fileRights);
 	for (size_t i = 0; i < binds; ++i) {
 		error = cap_rights_limit(bind[i], &bindRights);
 		if (error) err(EX_OSERR, "cap_rights_limit");
@@ -248,7 +257,7 @@ int main(int argc, char *argv[]) {
 			signals[SIGINFO] = 0;
 		}
 		if (signals[SIGUSR1]) {
-			listenConfig(certPath, privPath);
+			listenConfig(cert, priv);
 			signals[SIGUSR1] = 0;
 		}
 
-- 
cgit 1.4.1