From 44f2c8e3e96dfc6c076f9503a89967a502b5bad7 Mon Sep 17 00:00:00 2001
From: Sergey Matveev <stargrave@stargrave.org>
Date: Mon, 1 Nov 2021 13:02:18 +0300
Subject: [PATCH] Use Capsicum if available

---
 cmd/zstd/capsicum.c.in | 20 ++++++++++++++++++++
 cmd/zstd/enzstd.c      |  7 +++++++
 cmd/zstd/unzstd.c      | 16 +++++++++++++++-
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 cmd/zstd/capsicum.c.in

diff --git a/cmd/zstd/capsicum.c.in b/cmd/zstd/capsicum.c.in
new file mode 100644
index 0000000..a1ef0c7
--- /dev/null
+++ b/cmd/zstd/capsicum.c.in
@@ -0,0 +1,20 @@
+#include <err.h>
+#include <errno.h>
+#include <sysexits.h>
+
+#include <capsicum_helpers.h>
+#include <sys/capsicum.h>
+
+static void
+capsicum_start(void)
+{
+    if (caph_limit_stdio() != 0) {
+        errx(EX_OSERR, "can not caph_limit_stdio()");
+    }
+    if (cap_enter() != 0) {
+        perror("Not using Capsicum");
+        if (errno != ENOSYS) {
+            exit(EXIT_FAILURE);
+        }
+    }
+}
diff --git a/cmd/zstd/enzstd.c b/cmd/zstd/enzstd.c
index 3655d79..c393f77 100644
--- a/cmd/zstd/enzstd.c
+++ b/cmd/zstd/enzstd.c
@@ -22,9 +22,16 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 #include <zstd.h>
 
+#ifdef __FreeBSD__
+#include "capsicum.c.in"
+#endif // __FreeBSD__
+
 int
 main(int argc, char **argv)
 {
+#ifdef __FreeBSD__
+    capsicum_start();
+#endif // __FreeBSD__
     ZSTD_CCtx *ctx = ZSTD_createCCtx();
     if (ctx == NULL) {
         fputs("can not initialize ZSTD_createCCtx\n", stderr);
diff --git a/cmd/zstd/unzstd.c b/cmd/zstd/unzstd.c
index ada11ea..caddee5 100644
--- a/cmd/zstd/unzstd.c
+++ b/cmd/zstd/unzstd.c
@@ -27,15 +27,29 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 #include <zstd.h>
 
+#ifdef __FreeBSD__
+#include "capsicum.c.in"
+#include <capsicum_helpers.h>
+#include <err.h>
+#include <sysexits.h>
+#endif // __FreeBSD__
+
 int
 main(int argc, char **argv)
 {
+    FILE *fdOff = fdopen(3, "wb");
+#ifdef __FreeBSD__
+    if ((fdOff != NULL) && (caph_limit_stream(3, CAPH_WRITE)) != 0) {
+        errx(EX_OSERR, "can not caph_limit_stream(3)");
+    };
+    capsicum_start();
+#endif // __FreeBSD__
+
     ZSTD_DCtx *ctx = ZSTD_createDCtx();
     if (ctx == NULL) {
         fputs("can not initialize ZSTD_DCtx\n", stderr);
         return 1;
     };
-    FILE *fdOff            = fdopen(3, "wb");
     int rc                 = EXIT_FAILURE;
     uint8_t *bufIn         = NULL;
     uint8_t *bufOut        = NULL;
-- 
2.44.0