hexdump(1): First cut capsicumification

For now, only enter the sandbox for the last file processed (including
stdin for zero-argument mode).

Sandboxing all inputs will require a little restructuring of the
program.

Feedback by:	emaste@ (earlier versions)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D7915

usr.bin/hexdump/display.c

@@ -36,10 +36,13 @@ static char sccsid[] = "@(#)display.c	8.1 (Berkeley) 6/6/93";
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#include <sys/capsicum.h>
 #include <sys/stat.h>
 
+#include <capsicum_helpers.h>
 #include <ctype.h>
 #include <err.h>
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -355,6 +358,19 @@ next(char **argv)
 				return(0);
 			statok = 0;
 		}
+
+		if (caph_limit_stream(fileno(stdin), CAPH_READ) < 0)
+			err(1, "unable to restrict %s",
+			    statok ? _argv[-1] : "stdin");
+
+		/*
+		 * We've opened our last input file; enter capsicum sandbox.
+		 */
+		if (*_argv == NULL) {
+			if (cap_enter() < 0 && errno != ENOSYS)
+				err(1, "unable to enter capability mode");
+		}
+
 		if (skip)
 			doskip(statok ? *_argv : "stdin", statok);
 		if (*_argv)

usr.bin/hexdump/hexdump.c

@@ -42,6 +42,9 @@ static char sccsid[] = "@(#)hexdump.c	8.1 (Berkeley) 6/6/93";
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
+#include <sys/capsicum.h>
+#include <capsicum_helpers.h>
+#include <err.h>
 #include <locale.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -76,6 +79,14 @@ main(int argc, char *argv[])
 	for (tfs = fshead; tfs; tfs = tfs->nextfs)
 		rewrite(tfs);
 
+	/*
+	 * Cache NLS data, for strerror, for err(3), before entering capability
+	 * mode.
+	 */
+	caph_cache_catpages();
+	if (caph_limit_stdio() < 0)
+		err(1, "capsicum");
+
 	(void)next(argv);
 	display();
 	exit(exitval);