md5: extend capabilites

In 4849767, we did a large refactor of the md5(1) source code. One of them is that instead of reading data using read(2) syscall, we are using binary stream input (fread(3)). fread(3) requires additional Capsicum capabilities: sha256 CAP operation requires CAP_FSTAT, descriptor holds CAP_READ sha256 RET fstat -1 errno 93 Capabilities insufficient Reviewed by: des Differential Revision: https://reviews.freebsd.org/D41348
nhuff · Aug 7, 2023 · 2ea65af · 2ea65af
1 parent d7302ca
commit 2ea65af
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/sbin/md5/md5.c b/sbin/md5/md5.c
@@ -621,7 +621,7 @@ main(int argc, char *argv[])
 			 */
 			if (*(argv + 1) == NULL) {
 #ifdef HAVE_CAPSICUM
-				cap_rights_init(&rights, CAP_READ);
+				cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
 				if (caph_rights_limit(fileno(f), &rights) < 0 ||
 				    caph_enter() < 0)
 					err(1, "capsicum");