- (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by

   headers/libc but not supported by the kernel. Patch from Loganaden
   Velvindron @ AfriNIC

2 files changed, 9 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index cccbfc7a..df7312df 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20140205
+ - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
+   headers/libc but not supported by the kernel. Patch from Loganaden
+   Velvindron @ AfriNIC
+
 20140204
  - OpenBSD CVS Sync
    - markus@cvs.openbsd.org 2014/01/27 18:58:14
diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c
index ee2a7e79..655f0d21 100644
--- a/sandbox-capsicum.c
+++ b/sandbox-capsicum.c
@@ -94,10 +94,12 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 		fatal("can't limit stderr: %m");
 
 	cap_rights_init(&rights, CAP_READ, CAP_WRITE);
-	if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
+	if (cap_rights_limit(box->monitor->m_recvfd, &rights) < 0 &&
+	    errno != ENOSYS)
 		fatal("%s: failed to limit the network socket", __func__);
 	cap_rights_init(&rights, CAP_WRITE);
-	if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
+	if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) < 0 &&
+	    errno != ENOSYS)
 		fatal("%s: failed to limit the logging socket", __func__);
 	if (cap_enter() < 0 && errno != ENOSYS)
 		fatal("%s: failed to enter capability mode", __func__);