From 727b7e9bf8b2fe810913c76c5fd36767869944bb Mon Sep 17 00:00:00 2001 From: Roy Marples Date: Thu, 7 May 2020 20:57:22 +0100 Subject: privsep: Enable capsicum for network facing processes All fd's in network facing processes are fully limited. Capability mode is only enabled for BPF processes because it's too restrictive otherwise - the reasons are noted in the commit. --- configure | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'configure') diff --git a/configure b/configure index ebf104c4..b38fe6c1 100755 --- a/configure +++ b/configure @@ -648,6 +648,23 @@ else echo "EMBEDDEDINSTALL= _embeddedinstall" >>$CONFIG_MK fi +if [ "$PRIVSEP" = yes ]; then + printf "Testing for capsicum ... " + cat <_capsicum.c +#include +int main(void) { + return cap_enter(); +} +EOF + if $XCC _capsicum.c -o _capsicum 2>&3; then + echo "yes" + echo "#define HAVE_CAPSICUM" >>$CONFIG_H + else + echo "no" + fi + rm -f _capsicum.c _capsicum +fi + if [ "$OS" = linux ]; then printf "Testing for nl80211 ... " cat <_nl80211.c -- cgit v1.2.3
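Review bot: When the new probe `if $XCC _capsicum.c -o _capsicum 2>&3` fails, configure prints only "no" and carries on, so a privsep build can silently lose the Capsicum restrictions the commit message describes. A compile failure caused by the toolchain (extra flags in `$XCC`, a missing header) looks the same as an unsupported platform. Since `HAVE_CAPSICUM` gates a hardening feature, the negative branch should say what is lost, e.g. `echo "no (privsep processes will not be restricted by capsicum)"`. A comment above the block would also help, such as `# Capsicum: lets privsep limit fd rights and enter capability mode; probed only when privsep is enabled`. The probe links only `cap_enter()`, while the message also relies on limiting descriptor rights; presumably the same header provides both, but that is worth confirming for the oldest supported release.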