From a25896ca1270e25b657ceaa8d47d5699515f5c25 Mon Sep 17 00:00:00 2001
From: Mariusz Zaborski
Date: Wed, 7 Nov 2018 21:01:14 +0000
Subject: [PATCH] bspatch: simplify capsicumization

Assume that user wants to run with capsicum support if he builds the software with HAVE_CAPSICUM. Treat running application without capsicum in the kernel as an error.

MFC after: 3 weeks
---
 usr.bin/bsdiff/bspatch/bspatch.c | 34 ++++++++++++++------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/usr.bin/bsdiff/bspatch/bspatch.c b/usr.bin/bsdiff/bspatch/bspatch.c
index c66f28ebf8d..1056eaa8f27 100644
--- a/usr.bin/bsdiff/bspatch/bspatch.c
+++ b/usr.bin/bsdiff/bspatch/bspatch.c
@@ -144,26 +144,22 @@ int main(int argc, char *argv[])
 atexit(exit_cleanup);
 
 #ifdef HAVE_CAPSICUM
- if (cap_enter() < 0) {
- /* Failed to sandbox, fatal if CAPABILITY_MODE enabled */
- if (errno != ENOSYS)
- err(1, "failed to enter security sandbox");
- } else {
- /* Capsicum Available */
- cap_rights_init(&rights_ro, CAP_READ, CAP_FSTAT, CAP_SEEK);
- cap_rights_init(&rights_wr, CAP_WRITE);
- cap_rights_init(&rights_dir, CAP_UNLINKAT);
+ if (cap_enter() < 0)
+ err(1, "failed to enter security sandbox");
 
- if (cap_rights_limit(fileno(f), &rights_ro) < 0 ||
- cap_rights_limit(fileno(cpf), &rights_ro) < 0 ||
- cap_rights_limit(fileno(dpf), &rights_ro) < 0 ||
- cap_rights_limit(fileno(epf), &rights_ro) < 0 ||
- cap_rights_limit(oldfd, &rights_ro) < 0 ||
- cap_rights_limit(newfd, &rights_wr) < 0 ||
- cap_rights_limit(dirfd, &rights_dir) < 0)
- err(1, "cap_rights_limit() failed, could not restrict"
- " capabilities");
- }
+ cap_rights_init(&rights_ro, CAP_READ, CAP_FSTAT, CAP_SEEK);
+ cap_rights_init(&rights_wr, CAP_WRITE);
+ cap_rights_init(&rights_dir, CAP_UNLINKAT);
+
+ if (cap_rights_limit(fileno(f), &rights_ro) < 0 ||
+ cap_rights_limit(fileno(cpf), &rights_ro) < 0 ||
+ cap_rights_limit(fileno(dpf), &rights_ro) < 0 ||
+ cap_rights_limit(fileno(epf), &rights_ro) < 0 ||
+ cap_rights_limit(oldfd, &rights_ro) < 0 ||
+ cap_rights_limit(newfd, &rights_wr) < 0 ||
+ cap_rights_limit(dirfd, &rights_dir) < 0)
+ err(1, "cap_rights_limit() failed, could not restrict"
+ " capabilities");
 #endif
 
 /*
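Review bot: With the ENOSYS fallback removed, running on a kernel built without `options CAPABILITY_MODE` now dies with the generic `failed to enter security sandbox: Function not implemented`, which does not tell the operator that the remedy is a kernel option rather than a bspatch or patch-file problem; since the commit deliberately makes this case fatal, the new `err()` call should say so, e.g. `err(1, "failed to enter security sandbox%s", errno == ENOSYS ? " (kernel lacks CAPABILITY_MODE)" : "");`. Failing closed here is the right decision — the removed branch silently ran bspatch fully unsandboxed on such kernels, so a missing kernel feature downgraded the security posture without any indication. Applying the `cap_rights_limit()` calls after `cap_enter()` is fine (rights limiting is permitted inside capability mode), and because `dirfd` is limited last, an `err()` from an earlier failed limit still leaves `exit_cleanup()` — registered via `atexit()` and presumably responsible for removing the partial output — with whatever rights it needs. main() starts and ends outside this hunk, so whether later code needs more than CAP_WRITE on `newfd` (e.g. an fstat or ftruncate) cannot be checked from here.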