From ea28d34768912164db23baebc26c9773bcafe22b Mon Sep 17 00:00:00 2001
From: Curtis McEnroe <june@causal.agency>
Date: Fri, 4 Jan 2019 19:47:18 -0500
Subject: Add cap_rights_limit calls to client and server

---
 client.c |  5 +++++
 server.c | 14 ++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/client.c b/client.c
index c9800cf..8f7e901 100644
--- a/client.c
+++ b/client.c
@@ -707,6 +707,11 @@ int main(int argc, char *argv[]) {
 #ifdef __FreeBSD__
 	error = cap_enter();
 	if (error) err(EX_OSERR, "cap_enter");
+
+	cap_rights_t rights;
+	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT);
+	error = cap_rights_limit(client, &rights);
+	if (error) err(EX_OSERR, "cap_rights_limit");
 #endif
 
 	struct pollfd fds[2] = {
diff --git a/server.c b/server.c
index 356387f..a2e3578 100644
--- a/server.c
+++ b/server.c
@@ -410,7 +410,21 @@ int main(int argc, char *argv[]) {
 	error = cap_enter();
 	if (error) err(EX_OSERR, "cap_enter");
 
+	cap_rights_t rights;
+	cap_rights_init(
+		&rights,
+		CAP_LISTEN, CAP_ACCEPT, CAP_EVENT,
+		CAP_READ, CAP_WRITE, CAP_SETSOCKOPT
+	);
+	error = cap_rights_limit(server, &rights);
+	if (error) err(EX_OSERR, "cap_rights_limit");
+
 	if (pid) {
+		cap_rights_init(&rights, CAP_PWRITE, CAP_FSTAT, CAP_FTRUNCATE);
+		error = cap_rights_limit(pidfile_fileno(pid), &rights);
+		if (error) err(EX_OSERR, "cap_rights_limit");
+
+		// FIXME: daemon(3) can't chdir or open /dev/null in capability mode.
 		error = daemon(0, 0);
 		if (error) err(EX_OSERR, "daemon");
 		pidfile_write(pid);
-- 
cgit 1.4.1