From de0b14f2db9371dfd7cf537a402e178f183145b6 Mon Sep 17 00:00:00 2001
From: Mariusz Zaborski
Date: Mon, 8 Apr 2019 14:23:52 +0000
Subject: [PATCH] In the unlinkat syscall, the operation is performed on the directory descriptor, not the file descriptor. The file descriptor is used only for verification so do not expect any additional capabilities on it.
Reported by: antoine
Tested by: antoine
Discussed with: kib, emaste, bapt
Sponsored by: Fudo Security
---
 sys/kern/vfs_syscalls.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 49db5b350cd3..5d9a59145d0e 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1809,13 +1809,11 @@ kern_funlinkat(struct thread *td, int dfd, const char *path, int fd,
 struct vnode *vp;
 struct nameidata nd;
 struct stat sb;
- cap_rights_t rights;
 int error;
 
 fp = NULL;
 if (fd != FD_NONE) {
- error = getvnode(td, fd, cap_rights_init(&rights, CAP_LOOKUP),
- &fp);
+ error = getvnode(td, fd, &cap_no_rights, &fp);
 if (error != 0)
 return (error);
 }
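Review bot: The new `getvnode(td, fd, &cap_no_rights, &fp)` call has no in-code explanation of why zero capability rights are acceptable on `fd`, so someone auditing Capsicum rights later could read it as a missing check and restore `CAP_LOOKUP`. The rationale exists only in the commit message; I would put it above the call, for example `/* fd only identifies the file being verified; the unlink is authorised through dfd, so no rights are required on fd. */`. The body of kern_funlinkat continues outside this hunk, so neither the later use of `fp` nor the rights enforced on `dfd` is visible here. The relaxation presumably holds only while `fp` is used for nothing beyond that identity comparison, and the comment should state that invariant.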