diff options
author | pjd <pjd@FreeBSD.org> | 2011-06-27 09:10:48 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2011-06-27 09:10:48 +0000 |
commit | 6a3c287a8944f41a733f12cb13fcab4f087b96dd (patch) | |
tree | 13350109a270bb5fc87e9b06f275f02526da86bd /sbin | |
parent | aeac662df6e1c2cc1c8a92db283958eaa305f6a6 (diff) | |
download | FreeBSD-src-6a3c287a8944f41a733f12cb13fcab4f087b96dd.zip FreeBSD-src-6a3c287a8944f41a733f12cb13fcab4f087b96dd.tar.gz |
Log a warning if we cannot sandbox using capsicum, but only under debug level 1.
It would be too noisy to log it as a proper warning as CAPABILITIES are not
compiled into GENERIC by default.
MFC after: 3 days
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/hastd/subr.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sbin/hastd/subr.c b/sbin/hastd/subr.c index 806338b..4e9dee0 100644 --- a/sbin/hastd/subr.c +++ b/sbin/hastd/subr.c @@ -230,9 +230,13 @@ drop_privs(struct hast_resource *res) * ioctls and secondary uses ioctls to handle BIO_DELETE and BIO_FLUSH. * For now capsicum is only used to sandbox hastctl. */ - if (res == NULL) + if (res == NULL) { capsicum = (cap_enter() == 0); - else + if (!capsicum) { + pjdlog_common(LOG_DEBUG, 1, errno, + "Unable to sandbox using capsicum"); + } + } else capsicum = false; /* |