xz: Add a comment to Capsicum sandbox setup.

This comment is repeated in xzdec.c to help remind us why all the
capabilities are removed from stdin in certain situations.

diff --git a/src/xz/file_io.c b/src/xz/file_io.c
index 4a2c8392fa68f9387557076909b83a7644659d12..9b89434f9f8831563ca0eacfe74006346443f4e6 100644 (file)
--- a/src/xz/file_io.c
+++ b/src/xz/file_io.c
@@ -226,6 +226,7 @@ io_sandbox_enter(int src_fd)
                        CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
                goto error;
 
+       // If not reading from stdin, remove all capabilities from it.
        if (src_fd != STDIN_FILENO && cap_rights_limit(
                        STDIN_FILENO, cap_rights_clear(&rights)))
                goto error;