From eee07d30a0b3ff6448ce3441b8808c5529a9505d Mon Sep 17 00:00:00 2001
From: Mark Johnston <markj@FreeBSD.org>
Date: Fri, 6 Dec 2019 23:39:38 +0000
Subject: [PATCH] Fix tail -f in capability mode.

We were not adding CAP_EVENT to input file capabilities, so kevent()
always failed with ENOTCAPABLE.  tail implements a fallback mode to
poll the file in this case, so the failure was not apparent.

Reviewed by:	emaste
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D22709
---
 usr.bin/tail/tail.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/usr.bin/tail/tail.c b/usr.bin/tail/tail.c
index 42bf547538f6..b52043c5e580 100644
--- a/usr.bin/tail/tail.c
+++ b/usr.bin/tail/tail.c
@@ -93,11 +93,6 @@ main(int argc, char *argv[])
 	char *p;
 	cap_rights_t rights;
 
-	cap_rights_init(&rights, CAP_FSTAT, CAP_FSTATFS, CAP_FCNTL, CAP_MMAP_RW);
-	if (caph_rights_limit(STDIN_FILENO, &rights) < 0 ||
-	    caph_limit_stderr() < 0 || caph_limit_stdout() < 0)
-		err(1, "can't limit stdio rights");
-
 	/*
 	 * Tail's options are weird.  First, -n10 is the same as -n-10, not
 	 * -n+10.  Second, the number options are 1 based and not offsets,
@@ -167,6 +162,14 @@ main(int argc, char *argv[])
 
 	no_files = argc ? argc : 1;
 
+	cap_rights_init(&rights, CAP_FSTAT, CAP_FSTATFS, CAP_FCNTL,
+	    CAP_MMAP_R);
+	if (fflag)
+		cap_rights_set(&rights, CAP_EVENT);
+	if (caph_rights_limit(STDIN_FILENO, &rights) < 0 ||
+	    caph_limit_stderr() < 0 || caph_limit_stdout() < 0)
+		err(1, "can't limit stdio rights");
+
 	fa = fileargs_init(argc, argv, O_RDONLY, 0, &rights, FA_OPEN);
 	if (fa == NULL)
 		err(1, "unable to init casper");