https://bugzilla.mindrot.org/show_bug.cgi?id=2140
--- Comment #1 from Damien Miller <[email protected]> ---
Comment on attachment 2326
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2326
openssh-capsicum

Looks good - a couple of small things.

>Index: sandbox-capsicum.c
>===================================================================
>RCS file: sandbox-capsicum.c
>diff -N sandbox-capsicum.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ sandbox-capsicum.c 7 Aug 2013 19:39:21 -0000
>@@ -0,0 +1,90 @@
>+

Please add a license block here.
http://www.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=1.3;content-type=text%2Fplain
is our preferred one.

>+/* Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
>+ * limits file descriptors on monitoring object,
>+ * and switches to capability mode
>+*/

Minor style nit. The first line of a multiline comment should be "/*" by
itself. The last line's '*' should be aligned to the previous line's (i.e. add
a space at the start of the line).

>+struct ssh_sandbox {
>+ struct monitor *monitor;

This isn't used and can be removed.

>+extern struct monitor *pmonitor;

This can go too.

>+ box->monitor = pmonitor;

and this.

>+ if (cap_rights_limit(box->monitor->m_recvfd, CAP_READ | CAP_WRITE) ==
>-1)
>+ fatal("%s: failed to limit the network socket", __func__);
>+ if (cap_rights_limit(box->monitor->m_log_sendfd, CAP_WRITE) == -1)
>+ fatal("%s: failed to limit the logging socket", __func__);

Are there any other fds open at this point? How about 0, 1 and 2 - could they
be limited?
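
Review bot: In the two cap_rights_limit() calls at the end of the hunk, every -1 return goes straight to fatal() and the message drops errno, so the log cannot distinguish a bad descriptor from a kernel that lacks Capsicum support (where the call fails with ENOSYS). Suggest appending strerror(errno) to both messages, for example fatal("%s: failed to limit the network socket: %s", __func__, strerror(errno)), and deciding explicitly whether ENOSYS should abort or be tolerated. The header comment says only that the sandbox "limits file descriptors on monitoring object"; naming the rights granted per descriptor there (CAP_READ | CAP_WRITE on m_recvfd, CAP_WRITE on m_log_sendfd) would make the intended least-privilege set easier to audit.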
