privsep: Apply what resource limits we can to capsicum
authorRoy Marples <roy@marples.name>
Wed, 10 Jun 2020 04:27:25 +0000 (05:27 +0100)
committerRoy Marples <roy@marples.name>
Wed, 10 Jun 2020 04:27:25 +0000 (05:27 +0100)
src/privsep.c

index d957946dd66595c356a97b1bea0c497e5fec2e92..c18968e88226a614bb958d9402a6257d5d169767 100644 (file)
@@ -129,9 +129,8 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
                return -1;
        }
 
-#if defined(HAVE_CAPSICUM) || defined(HAVE_PLEDGE)
-       /* These sandbox technologies do not work well with
-        * resource limits. */
+#if defined(HAVE_PLEDGE)
+       /* Pledge does not seem to work well with resource limits. */
 #else
        struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };
 
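Review bot: The `#if defined(HAVE_PLEDGE)` branch at the top of this hunk holds only a comment, and "does not seem to work well" does not say which limit conflicts with pledge or what the failure looks like. On pledge builds everything from `rzero` down to the matching `#endif` (outside this hunk) is compiled out, so none of these resource limits back up the sandbox there. I would record the specific limit and the observed failure in the comment and drop the empty branch, e.g. `#ifndef HAVE_PLEDGE /* <limit that fails under pledge, and how> */`. If only one limit is the problem, it could be excluded individually, as this commit does for Capsicum.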
@@ -167,11 +166,13 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
 #endif
        }
 
+#ifndef HAVE_CAPSICUM
        /* Prohibit large files */
        if (setrlimit(RLIMIT_FSIZE, &rzero) == -1) {
                logerr("setrlimit RLIMIT_FSIZE");
                return -1;
        }
+#endif
 
 #ifdef RLIMIT_NPROC
        /* Prohibit forks */
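Review bot: The new `#ifndef HAVE_CAPSICUM` guard around `setrlimit(RLIMIT_FSIZE, &rzero)` has no explanation, and the comment inside it still reads as if large files are always prohibited. On Capsicum builds this limit is now silently absent, so someone auditing the sandbox should be told that and why. A comment above the `#ifndef` would do, such as `/* Prohibit large files. Skipped under Capsicum: <reason the limit cannot be applied there>. */`. If writes on those builds are meant to be bounded by descriptor rights instead, the same comment should say so. ps_dropprivs begins and ends outside this hunk.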