From 8e529ad867c62275ef60c7148ec0592544f26ce2 Mon Sep 17 00:00:00 2001
From: Roy Marples
Date: Wed, 10 Jun 2020 05:27:25 +0100
Subject: [PATCH] privsep: Apply what resource limits we can to capsicum
---
 src/privsep.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/privsep.c b/src/privsep.c
index d957946d..c18968e8 100644
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -129,9 +129,8 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
 return -1;
 }
-#if defined(HAVE_CAPSICUM) || defined(HAVE_PLEDGE)
- /* These sandbox technologies do not work well with
- * resource limits. */
+#if defined(HAVE_PLEDGE)
+ /* Pledge does not seem to work well with resource limits. */
 #else
 struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };
@@ -167,11 +166,13 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
 #endif
 }
+#ifndef HAVE_CAPSICUM
 /* Prohibit large files */
 if (setrlimit(RLIMIT_FSIZE, &rzero) == -1) {
 logerr("setrlimit RLIMIT_FSIZE");
 return -1;
 }
+#endif
 #ifdef RLIMIT_NPROC
 /* Prohibit forks */
--
2.47.2
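Review bot: The new comment `/* Pledge does not seem to work well with resource limits. */` under `#if defined(HAVE_PLEDGE)` records an impression rather than the observed failure, yet it is now the only justification for a pledge build of ps_dropprivs skipping every rlimit in the `#else` branch. Naming the limit and the symptom would let the exemption be narrowed later, as this commit does for Capsicum, for example `/* pledge: setrlimit(<limit>) fails with <observed error>; rlimits are skipped and the pledge promises are the only restriction on this path. */` with the placeholders filled in from the actual test. The function starts and ends outside the hunk, so what the pledge path applies instead is not visible here.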
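Review bot: The `#ifndef HAVE_CAPSICUM` guard around `setrlimit(RLIMIT_FSIZE, &rzero)` removes the "Prohibit large files" limit on Capsicum builds without stating why, so a reader cannot tell a known incompatibility from an oversight. With the limit absent, the privilege-dropped process can presumably still grow any file it holds a writable descriptor for, and nothing in this hunk shows a compensating restriction on descriptor rights. A comment on the guard should give the reason and say what bounds writes instead, e.g. `/* Capsicum: RLIMIT_FSIZE of 0 breaks <reason>; writes are bounded by the rights on the descriptors kept open. */`, and the second half of that claim should be checked against the rest of the sandbox setup. The enclosing function continues past the end of the hunk.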