- (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by

   headers/libc but not supported by the kernel. Patch from Loganaden
   Velvindron @ AfriNIC

diff --git a/ChangeLog b/ChangeLog
index cccbfc7a454ff558981a6ade737090f0b72b3c27..df7312df8dda584452dc06539905be645a0f90d9 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20140205
+ - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
+   headers/libc but not supported by the kernel. Patch from Loganaden
+   Velvindron @ AfriNIC
+
 20140204
  - OpenBSD CVS Sync
    - markus@cvs.openbsd.org 2014/01/27 18:58:14

diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c
index ee2a7e79eafa5a6db58dfd72070cf4608760f95f..655f0d21788c308207acbf13d6646b6fecf456a5 100644 (file)
--- a/sandbox-capsicum.c
+++ b/sandbox-capsicum.c
@@ -94,10 +94,12 @@ ssh_sandbox_child(struct ssh_sandbox *box)
                fatal("can't limit stderr: %m");
 
        cap_rights_init(&rights, CAP_READ, CAP_WRITE);
-       if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
+       if (cap_rights_limit(box->monitor->m_recvfd, &rights) < 0 &&
+           errno != ENOSYS)
                fatal("%s: failed to limit the network socket", __func__);
        cap_rights_init(&rights, CAP_WRITE);
-       if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
+       if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) < 0 &&
+           errno != ENOSYS)
                fatal("%s: failed to limit the logging socket", __func__);
        if (cap_enter() < 0 && errno != ENOSYS)
                fatal("%s: failed to enter capability mode", __func__);