The branch stable/13 has been updated by corvink:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2193f12bf8db21ed1c99dbe02573bb0705a1466e

commit 2193f12bf8db21ed1c99dbe02573bb0705a1466e
Author:     Vitaliy Gusev <[email protected]>
AuthorDate: 2023-03-06 11:36:40 +0000
Commit:     Corvin Köhne <[email protected]>
CommitDate: 2023-03-17 10:26:35 +0000

    bhyve: add cap limits for ipc socket
    
    Reviewed by:            corvink, markj
    MFC after:              1 week
    Sponsored by:           vStack
    Differential Revision:  https://reviews.freebsd.org/D38856
    
    (cherry picked from commit 577ddca90877e377e5b40c8baa15fa5b7a3c9965)
---
 usr.sbin/bhyve/snapshot.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/usr.sbin/bhyve/snapshot.c b/usr.sbin/bhyve/snapshot.c
index 6143f6f3a489..37aba32a1929 100644
--- a/usr.sbin/bhyve/snapshot.c
+++ b/usr.sbin/bhyve/snapshot.c
@@ -1517,6 +1517,9 @@ init_checkpoint_thread(struct vmctx *ctx)
        int socket_fd;
        pthread_t checkpoint_pthread;
        int err;
+#ifndef WITHOUT_CAPSICUM
+       cap_rights_t rights;
+#endif
 
        memset(&addr, 0, sizeof(addr));
 
@@ -1547,6 +1550,13 @@ init_checkpoint_thread(struct vmctx *ctx)
                goto fail;
        }
 
+#ifndef WITHOUT_CAPSICUM
+       cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_RECV, CAP_WRITE,
+           CAP_SEND, CAP_GETSOCKOPT);
+
+       if (caph_rights_limit(socket_fd, &rights) == -1)
+               errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
        checkpoint_info = calloc(1, sizeof(*checkpoint_info));
        checkpoint_info->ctx = ctx;
        checkpoint_info->socket_fd = socket_fd;
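Review bot: The new failure branch at `errx(EX_OSERR, "Unable to apply rights for sandbox")` terminates the process, while the error handling visible just above it in init_checkpoint_thread returns through `goto fail`, so this is the one failure in the function that bypasses the `fail` cleanup path; if that mirrors the other caph_rights_limit() call sites in bhyve it is a deliberate convention, but it should be said in a comment so the next reader does not "fix" it. The choice of rights also deserves a line of explanation: a descriptor returned by accept() inherits the rights of the listening socket, so this set must cover everything the checkpoint thread later does on a connection, and any new operation added there will fail with ENOTCAPABLE unless this list is extended. Suggest placing above cap_rights_init: `/* Rights limited here are inherited by every fd accept() returns; keep the set in sync with what the checkpoint thread does on a connection. */`. The enclosing function starts and ends outside the hunk.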
