From 2ea65afbd11d40df9ada460d6503cf5fc5fbbf9d Mon Sep 17 00:00:00 2001
From: Mariusz Zaborski <oshogbo@FreeBSD.org>
Date: Mon, 7 Aug 2023 14:16:03 +0200
Subject: [PATCH] md5: extend capabilites

In 4849767cb16a4, we did a large refactor of the md5(1) source code.
One of them is that instead of reading data using read(2) syscall, we
are using binary stream input (fread(3)).

fread(3) requires additional Capsicum capabilities:
sha256 CAP operation requires CAP_FSTAT, descriptor holds CAP_READ
sha256 RET fstat -1 errno 93 Capabilities insufficient

Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D41348
---
 sbin/md5/md5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sbin/md5/md5.c b/sbin/md5/md5.c
index 459d364f8ca..abc542ced82 100644
--- a/sbin/md5/md5.c
+++ b/sbin/md5/md5.c
@@ -621,7 +621,7 @@ main(int argc, char *argv[])
 			 */
 			if (*(argv + 1) == NULL) {
 #ifdef HAVE_CAPSICUM
-				cap_rights_init(&rights, CAP_READ);
+				cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
 				if (caph_rights_limit(fileno(f), &rights) < 0 ||
 				    caph_enter() < 0)
 					err(1, "capsicum");