From: Roy Marples <roy@marples.name>
Date: Wed, 10 Jun 2020 04:27:25 +0000 (+0100)
Subject: privsep: Apply what resource limits we can to capsicum
X-Git-Tag: v9.1.2~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e529ad867c62275ef60c7148ec0592544f26ce2;p=thirdparty%2Fdhcpcd.git

privsep: Apply what resource limits we can to capsicum
---

diff --git a/src/privsep.c b/src/privsep.c
index d957946d..c18968e8 100644
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -129,9 +129,8 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
 		return -1;
 	}
 
-#if defined(HAVE_CAPSICUM) || defined(HAVE_PLEDGE)
-	/* These sandbox technologies do not work well with
-	 * resource limits. */
+#if defined(HAVE_PLEDGE)
+	/* Pledge does not seem to work well with resource limits. */
 #else
 	struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };
 
@@ -167,11 +166,13 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
 #endif
 	}
 
+#ifndef HAVE_CAPSICUM
 	/* Prohibit large files */
 	if (setrlimit(RLIMIT_FSIZE, &rzero) == -1) {
 		logerr("setrlimit RLIMIT_FSIZE");
 		return -1;
 	}
+#endif
 
 #ifdef RLIMIT_NPROC
 	/* Prohibit forks */