author | Jia Tan <jiat0218@gmail.com> | 2023-12-21 16:39:53 +0800 |
---|---|---|
committer | Jia Tan <jiat0218@gmail.com> | 2023-12-21 20:53:27 +0800 |
commit | 710cbc186cad0ac601c38bd6bf31167648a5581e (patch) | |
tree | c3980fc8dfe9ac516f1667f3a37d751109af4f6f | |
parent | Docs: Update --enable-sandbox option in INSTALL. (diff) | |
xz: Add a comment to Capsicum sandbox setup.
This comment is repeated in xzdec.c to help remind us why all the
capabilities are removed from stdin in certain situations.
-rw-r--r-- | src/xz/file_io.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/xz/file_io.c b/src/xz/file_io.c index 4a2c8392..9b89434f 100644 --- a/src/xz/file_io.c +++ b/src/xz/file_io.c @@ -226,6 +226,7 @@ io_sandbox_enter(int src_fd) CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK))) goto error; + // If not reading from stdin, remove all capabilities from it. if (src_fd != STDIN_FILENO && cap_rights_limit( STDIN_FILENO, cap_rights_clear(&rights))) goto error; |
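Review bot: the new comment above `if (src_fd != STDIN_FILENO && cap_rights_limit(` only restates the condition and the action; it does not say why the rights are cleared, although the commit message gives that reminder as its purpose. Consider adding the rationale in the comment itself, for example that stdin is not the input descriptor in this branch and so needs no rights inside the sandbox, if that is the intended reasoning. The message also says the comment is repeated in xzdec.c, but the diffstat shows only src/xz/file_io.c changed here, so it is worth confirming that the two copies use the same wording so they do not drift apart.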