bhyve: add cap limits for ipc socket

Reviewed by:		corvink, markj
MFC after:		1 week
Sponsored by:		vStack
Differential Revision:	https://reviews.freebsd.org/D38856
Vitaliy Gusev 2023-03-06 12:36:40 +01:00 committed by Corvin Köhne
parent 5c0a031259
commit 577ddca908


@ -1517,6 +1517,9 @@ init_checkpoint_thread(struct vmctx *ctx)
int socket_fd;
pthread_t checkpoint_pthread;
int err;
#ifndef WITHOUT_CAPSICUM
cap_rights_t rights;
#endif
memset(&addr, 0, sizeof(addr));
@ -1547,6 +1550,13 @@ init_checkpoint_thread(struct vmctx *ctx)
goto fail;
}
#ifndef WITHOUT_CAPSICUM
cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_RECV, CAP_WRITE,
CAP_SEND, CAP_GETSOCKOPT);
if (caph_rights_limit(socket_fd, &rights) == -1)
errx(EX_OSERR, "Unable to apply rights for sandbox");
#endif
checkpoint_info = calloc(1, sizeof(*checkpoint_info));
checkpoint_info->ctx = ctx;
checkpoint_info->socket_fd = socket_fd;
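Review bot: The rights set on socket_fd at the cap_rights_init line deserves a comment explaining why a listening socket is granted CAP_READ/CAP_RECV/CAP_WRITE/CAP_SEND alongside CAP_ACCEPT: on FreeBSD a descriptor returned by accept() inherits the rights of the listening socket, so this list is also the per-connection policy the checkpoint thread ends up with, e.g. `/* Descriptors returned by accept() inherit these rights, so this is the per-connection policy as well. */`. The failure branch calls errx(EX_OSERR, ...) while the surrounding function reports errors through `goto fail` (visible just above), so a caph_rights_limit failure exits the process without taking the cleanup path; this appears to match how bhyve applies Capsicum rights elsewhere, but it is worth stating that the asymmetry is intentional. If the checkpoint thread waits on the socket with poll/kqueue, CAP_EVENT would also be required; that code is outside the hunk and should be checked. init_checkpoint_thread starts and ends outside the hunk.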