From 9e96ca8c48b0916a2bb592841df016755572cf6a Mon Sep 17 00:00:00 2001
From: Jia Tan
Date: Thu, 21 Dec 2023 16:39:53 +0800
Subject: xz: Add a comment to Capsicum sandbox setup.

This comment is repeated in xzdec.c to help remind us why all the capabilities are removed from stdin in certain situations.
---
 src/xz/file_io.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src/xz/file_io.c')
diff --git a/src/xz/file_io.c b/src/xz/file_io.c
index 28280293..78fbdf72 100644
--- a/src/xz/file_io.c
+++ b/src/xz/file_io.c
@@ -199,6 +199,7 @@ io_sandbox_enter(int src_fd)
 			CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
 		goto error;
 
+	// If not reading from stdin, remove all capabilities from it.
 	if (src_fd != STDIN_FILENO && cap_rights_limit(
 			STDIN_FILENO, cap_rights_clear(&rights)))
 		goto error;
-- 
cgit v1.2.3
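Review bot: The added comment restates the condition on the line below it but not the rationale the commit message says it is meant to preserve — why stdin is stripped of every right rather than closed or left untouched. Presumably the point is that fd 0 stays open so a later open() cannot silently be handed descriptor 0 and be mistaken for the input; if that is the intent, a second line such as `// It is kept open (with no rights) so that fd 0 is not reused by a later open().` would make the comment worth the reminder it is meant to be, in both file_io.c and the xzdec.c copy the message mentions. The enclosing io_sandbox_enter() starts and ends outside the hunk, and `rights` is initialised before the visible context.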