capsicum_helpers: Squash errors from closed fds

Squash EBADF from closed stdin, stdout, or stderr in caph_limit_stdio(). Any program used during special shell scripts may commonly be forked from a parent process with closed standard stream. Do the common sense thing for this common use. Reported by: Iblis Lin <iblis AT hs.ntnu.edu.tw> Reviewed by: oshogbo@ (earlier version) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D8657
2016-12-01 17:28:45 +00:00 · 2016-12-01 17:28:45 +00:00 · db70589489
commit db70589489
parent 93bd5b27d2
1 changed files with 4 additions and 4 deletions
--- a/lib/libcapsicum/capsicum_helpers.h
+++ b/lib/libcapsicum/capsicum_helpers.h
@ -94,12 +94,12 @@ caph_limit_stdout(void)
 static __inline int
 caph_limit_stdio(void)
 {
+	const int iebadf = CAPH_IGNORE_EBADF;

-	if (caph_limit_stdin() == -1 || caph_limit_stdout() == -1 ||
-	    caph_limit_stderr() == -1) {
+	if (caph_limit_stream(STDIN_FILENO, CAPH_READ | iebadf) == -1 ||
+	    caph_limit_stream(STDOUT_FILENO, CAPH_WRITE | iebadf) == -1 ||
+	    caph_limit_stream(STDERR_FILENO, CAPH_WRITE | iebadf) == -1)
 		return (-1);
-	}
-
 	return (0);
 }