xz: Add a comment to Capsicum sandbox setup.

This comment is repeated in xzdec.c to help remind us why all the
capabilities are removed from stdin in certain situations.

diff --git a/src/xz/file_io.c b/src/xz/file_io.c
index 28280293ef3970033e8bb66b01377987f9c32dfb..78fbdf724eea1d4e19fdf744fe0d1b14c8979827 100644 (file)
--- a/src/xz/file_io.c
+++ b/src/xz/file_io.c
@@ -199,6 +199,7 @@ io_sandbox_enter(int src_fd)
                        CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
                goto error;
 
+       // If not reading from stdin, remove all capabilities from it.
        if (src_fd != STDIN_FILENO && cap_rights_limit(
                        STDIN_FILENO, cap_rights_clear(&rights)))
                goto error;