authorVitaliy Gusev <gusev.vitaliy@gmail.com>2023-03-06 11:36:40 +0000
committerCorvin Köhne <corvink@FreeBSD.org>2023-03-17 10:26:35 +0000
commit2193f12bf8db21ed1c99dbe02573bb0705a1466e (patch)
treefbbd23be908c77bab28dd08b97a32c78d5be346b
parentc8b5f347317d1d0dca53acf2f40682314ad0b64e (diff)
bhyve: add cap limits for ipc socket
Reviewed by: corvink, markj MFC after: 1 week Sponsored by: vStack Differential Revision: https://reviews.freebsd.org/D38856 (cherry picked from commit 577ddca90877e377e5b40c8baa15fa5b7a3c9965)
-rw-r--r--usr.sbin/bhyve/snapshot.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/usr.sbin/bhyve/snapshot.c b/usr.sbin/bhyve/snapshot.c
index 6143f6f3a489..37aba32a1929 100644
--- a/usr.sbin/bhyve/snapshot.c
+++ b/usr.sbin/bhyve/snapshot.c
@@ -1517,6 +1517,9 @@ init_checkpoint_thread(struct vmctx *ctx)
int socket_fd;
pthread_t checkpoint_pthread;
int err;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+#endif
memset(&addr, 0, sizeof(addr));
@@ -1547,6 +1550,13 @@ init_checkpoint_thread(struct vmctx *ctx)
goto fail;
}
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_RECV, CAP_WRITE,
+ CAP_SEND, CAP_GETSOCKOPT);
+
+ if (caph_rights_limit(socket_fd, &rights) == -1)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
checkpoint_info = calloc(1, sizeof(*checkpoint_info));
checkpoint_info->ctx = ctx;
checkpoint_info->socket_fd = socket_fd;
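Review bot: The rights set passed to `cap_rights_init()` is undocumented, and the hunk does not show why a socket limited to `CAP_ACCEPT` also needs read, write and `CAP_GETSOCKOPT`; presumably descriptors returned by accept(2) inherit these rights and the checkpoint thread uses them for the IPC exchange, but that code is outside the hunk. A short comment above the call, e.g. `/* Accepted connections inherit these rights; keep only what the IPC handler uses. */`, would let the next reader audit the list against least privilege. `CAP_RECV` and `CAP_SEND` are aliases of `CAP_READ` and `CAP_WRITE` in FreeBSD's `<sys/capsicum.h>`, so the list can be shortened without changing the resulting rights. Exiting when the limit cannot be applied is the right fail-closed choice, but `errx()` drops `errno`; `err(EX_OSERR, "Unable to apply rights for sandbox");` would record why the limit failed. `init_checkpoint_thread()` begins and ends outside this hunk.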