diff options
author | Vitaliy Gusev <gusev.vitaliy@gmail.com> | 2023-03-06 11:36:40 +0000 |
---|---|---|
committer | Corvin Köhne <corvink@FreeBSD.org> | 2023-03-17 10:26:35 +0000 |
commit | 2193f12bf8db21ed1c99dbe02573bb0705a1466e (patch) | |
tree | fbbd23be908c77bab28dd08b97a32c78d5be346b | |
parent | c8b5f347317d1d0dca53acf2f40682314ad0b64e (diff) | |
download | src-2193f12bf8db21ed1c99dbe02573bb0705a1466e.tar.gz src-2193f12bf8db21ed1c99dbe02573bb0705a1466e.zip |
bhyve: add cap limits for ipc socket
Reviewed by: corvink, markj
MFC after: 1 week
Sponsored by: vStack
Differential Revision: https://reviews.freebsd.org/D38856
(cherry picked from commit 577ddca90877e377e5b40c8baa15fa5b7a3c9965)
-rw-r--r-- | usr.sbin/bhyve/snapshot.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/usr.sbin/bhyve/snapshot.c b/usr.sbin/bhyve/snapshot.c index 6143f6f3a489..37aba32a1929 100644 --- a/usr.sbin/bhyve/snapshot.c +++ b/usr.sbin/bhyve/snapshot.c @@ -1517,6 +1517,9 @@ init_checkpoint_thread(struct vmctx *ctx) int socket_fd; pthread_t checkpoint_pthread; int err; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; +#endif memset(&addr, 0, sizeof(addr)); @@ -1547,6 +1550,13 @@ init_checkpoint_thread(struct vmctx *ctx) goto fail; } +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_RECV, CAP_WRITE, + CAP_SEND, CAP_GETSOCKOPT); + + if (caph_rights_limit(socket_fd, &rights) == -1) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif checkpoint_info = calloc(1, sizeof(*checkpoint_info)); checkpoint_info->ctx = ctx; checkpoint_info->socket_fd = socket_fd; |