From 569aaa3b9707ba1e520c2063653946b58cd5cb7c Mon Sep 17 00:00:00 2001 From: Bartek Rutkowski Date: Sat, 11 Nov 2017 22:50:14 +0000 Subject: [PATCH] bhyve: avoid applying capsicum capabilities to file that was not opened When using -l option targeting file that can't be opened (ie. nmdm module is not loaded and /dev/nmdm* is specified) bhyve tries to apply capsicum capabilities to a file that was not opened. Enclose that code in an if statement and only run it on correctly opened descriptor also providing meaningful message in case of an error. Submitted by: Pawel Biernacki Reviewed by: grehan, emaste Sponsoied by: Mysterious Code Ltd. Differential Revision: D12985 --- usr.sbin/bhyve/uart_emul.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/usr.sbin/bhyve/uart_emul.c b/usr.sbin/bhyve/uart_emul.c index 94ac89daca9..2c95523f417 100644 --- a/usr.sbin/bhyve/uart_emul.c +++ b/usr.sbin/bhyve/uart_emul.c @@ -678,20 +678,24 @@ uart_set_backend(struct uart_softc *sc, const char *opts) if (retval == 0) retval = fcntl(sc->tty.fd, F_SETFL, O_NONBLOCK); + if (retval == 0) { #ifndef WITHOUT_CAPSICUM - cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE); - if (cap_rights_limit(sc->tty.fd, &rights) == -1 && errno != ENOSYS) - errx(EX_OSERR, "Unable to apply rights for sandbox"); - if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS) - errx(EX_OSERR, "Unable to apply rights for sandbox"); - if (!uart_stdio) { - if (caph_limit_stdin() == -1 && errno != ENOSYS) + cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, + CAP_WRITE); + if (cap_rights_limit(sc->tty.fd, &rights) == -1 && + errno != ENOSYS) errx(EX_OSERR, "Unable to apply rights for sandbox"); - } + if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 && + errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + if (!uart_stdio) { + if (caph_limit_stdin() == -1 && errno != ENOSYS) + errx(EX_OSERR, + "Unable to apply rights for sandbox"); + } #endif - - if (retval == 0) uart_opentty(sc); + } return (retval); }