From cef5e56f3fea33d6c421276af49f2967453ad4ff Mon Sep 17 00:00:00 2001 From: Kyle Evans Date: Mon, 8 Jan 2024 21:08:16 -0600 Subject: [PATCH] bhyveload: add CAP_SEEK to our dirfd rights In the case of hostbase_fd, this is infact a bug fix; we have a seek callback that the host: filesystem may use in loader, and we really don't have a good excuse to break it. bootfd-derived fds will only be used with fdlopen(3) and rtld doesn't seem to need pread / lseek at all for it today, but there's no reason to break if it finds a good reason to later. Suggested by: markj --- usr.sbin/bhyveload/bhyveload.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.sbin/bhyveload/bhyveload.c b/usr.sbin/bhyveload/bhyveload.c index 4d89393424f4..5250e2120938 100644 --- a/usr.sbin/bhyveload/bhyveload.c +++ b/usr.sbin/bhyveload/bhyveload.c @@ -755,7 +755,7 @@ hostbase_open(const char *base) err(EX_OSERR, "open"); if (caph_rights_limit(hostbase_fd, cap_rights_init(&rights, CAP_FSTATAT, - CAP_LOOKUP, CAP_READ)) < 0) + CAP_LOOKUP, CAP_PREAD)) < 0) err(EX_OSERR, "caph_rights_limit"); } @@ -887,7 +887,7 @@ main(int argc, char** argv) * to the more usual lookup rights. */ if (caph_rights_limit(bootfd, cap_rights_init(&rights, - CAP_FSTATAT, CAP_LOOKUP, CAP_MMAP_RX, CAP_READ)) < 0) + CAP_FSTATAT, CAP_LOOKUP, CAP_MMAP_RX, CAP_PREAD)) < 0) err(1, "caph_rights_limit"); }