From: Damien Miller <djm@mindrot.org>
Date: Tue, 4 Feb 2014 23:33:45 +0000 (+1100)
Subject:  - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
X-Git-Tag: V_6_6_P1~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a0959da3680b4ce8cf911caf3293a6d90f88eeb7;p=thirdparty%2Fopenssh-portable.git

 - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
   headers/libc but not supported by the kernel. Patch from Loganaden
   Velvindron @ AfriNIC
---

diff --git a/ChangeLog b/ChangeLog
index cccbfc7a4..df7312df8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20140205
+ - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
+   headers/libc but not supported by the kernel. Patch from Loganaden
+   Velvindron @ AfriNIC
+
 20140204
  - OpenBSD CVS Sync
    - markus@cvs.openbsd.org 2014/01/27 18:58:14
diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c
index ee2a7e79e..655f0d217 100644
--- a/sandbox-capsicum.c
+++ b/sandbox-capsicum.c
@@ -94,10 +94,12 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 		fatal("can't limit stderr: %m");
 
 	cap_rights_init(&rights, CAP_READ, CAP_WRITE);
-	if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
+	if (cap_rights_limit(box->monitor->m_recvfd, &rights) < 0 &&
+	    errno != ENOSYS)
 		fatal("%s: failed to limit the network socket", __func__);
 	cap_rights_init(&rights, CAP_WRITE);
-	if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
+	if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) < 0 &&
+	    errno != ENOSYS)
 		fatal("%s: failed to limit the logging socket", __func__);
 	if (cap_enter() < 0 && errno != ENOSYS)
 		fatal("%s: failed to enter capability mode", __func__);