privsep: Apply what resource limits we can to capsicum

author: Roy Marples <roy@marples.name> 2020-06-10 05:27:25 +0100
committer: Roy Marples <roy@marples.name> 2020-06-10 05:27:25 +0100
commit: 8e529ad867c62275ef60c7148ec0592544f26ce2 (patch)
tree: 14bfec88589fc96a66cf3816b0db47e962cd6ebe /src/privsep.c
parent: 1f6b3514e61a0073fe827e7ce0ff84e458361dea (diff)
download: dhcpcd-8e529ad867c62275ef60c7148ec0592544f26ce2.tar.xz
1 files changed, 4 insertions, 3 deletions
diff --git a/src/privsep.c b/src/privsep.c
index d957946d..c18968e8 100644
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -129,9 +129,8 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
 		return -1;
 	}
 
-#if defined(HAVE_CAPSICUM) || defined(HAVE_PLEDGE)
-	/* These sandbox technologies do not work well with
-	 * resource limits. */
+#if defined(HAVE_PLEDGE)
+	/* Pledge does not seem to work well with resource limits. */
 #else
 	struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };
 
@@ -167,11 +166,13 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
 #endif
 	}
 
+#ifndef HAVE_CAPSICUM
 	/* Prohibit large files */
 	if (setrlimit(RLIMIT_FSIZE, &rzero) == -1) {
 		logerr("setrlimit RLIMIT_FSIZE");
 		return -1;
 	}
+#endif
 
 #ifdef RLIMIT_NPROC
 	/* Prohibit forks */
author	Roy Marples <roy@marples.name>	2020-06-10 05:27:25 +0100
committer	Roy Marples <roy@marples.name>	2020-06-10 05:27:25 +0100
commit	8e529ad867c62275ef60c7148ec0592544f26ce2 (patch)
tree	14bfec88589fc96a66cf3816b0db47e962cd6ebe /src/privsep.c
parent	1f6b3514e61a0073fe827e7ce0ff84e458361dea (diff)
download	dhcpcd-8e529ad867c62275ef60c7148ec0592544f26ce2.tar.xz