From 6a2fea48bf200372f75ba95b2defa9fddc0fe053 Mon Sep 17 00:00:00 2001
From: "C. McEnroe" <june@causal.agency>
Date: Sat, 2 Nov 2019 04:49:03 -0400
Subject: Apply capsicum to calico

---
 dispatch.c | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

(limited to 'dispatch.c')

diff --git a/dispatch.c b/dispatch.c
index f5a83c6..71f8fc7 100644
--- a/dispatch.c
+++ b/dispatch.c
@@ -28,6 +28,10 @@
 #include <sysexits.h>
 #include <unistd.h>
 
+#ifdef __FreeBSD__
+#include <sys/capsicum.h>
+#endif
+
 static struct {
 	struct pollfd *ptr;
 	size_t len, cap;
@@ -193,6 +197,25 @@ int main(int argc, char *argv[]) {
 	if (!binds) errx(EX_UNAVAILABLE, "could not bind any sockets");
 	freeaddrinfo(head);
 
+#ifdef __FreeBSD__
+	error = cap_enter();
+	if (error) err(EX_OSERR, "cap_enter");
+
+	cap_rights_t dirRights, sockRights, unixRights, bindRights;
+	cap_rights_init(&dirRights, CAP_CONNECTAT);
+	cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT);
+	cap_rights_init(&unixRights, CAP_CONNECT, CAP_SEND);
+	cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT);
+	cap_rights_merge(&bindRights, &sockRights);
+
+	error = cap_rights_limit(dir, &dirRights);
+	if (error) err(EX_OSERR, "cap_rights_limit");
+	for (size_t i = 0; i < binds; ++i) {
+		error = cap_rights_limit(event.ptr[i].fd, &bindRights);
+		if (error) err(EX_OSERR, "cap_rights_limit");
+	}
+#endif
+
 	for (size_t i = 0; i < binds; ++i) {
 		error = listen(event.ptr[i].fd, 1);
 		if (error) err(EX_IOERR, "listen");
@@ -249,12 +272,16 @@ int main(int argc, char *argv[]) {
 				continue;
 			}
 
+			struct sockaddr_un addr = { .sun_family = AF_UNIX };
+			strncpy(addr.sun_path, name, sizeof(addr.sun_path));
+
 			int sock = socket(PF_UNIX, SOCK_STREAM, 0);
 			if (sock < 0) err(EX_OSERR, "socket");
 
-			struct sockaddr_un addr = { .sun_family = AF_UNIX };
-			strncpy(addr.sun_path, name, sizeof(addr.sun_path));
 #ifdef __FreeBSD__
+			error = cap_rights_limit(sock, &unixRights);
+			if (error) err(EX_OSERR, "cap_rights_limit");
+
 			error = connectat(
 				dir, sock, (struct sockaddr *)&addr, SUN_LEN(&addr)
 			);
-- 
cgit 1.4.1