When using capsicum to sanbox, still use other methods first, just in case

one of them have some problems.

1 files changed, 13 insertions, 10 deletions

diff --git a/sbin/hastd/subr.c b/sbin/hastd/subr.c
index 71d1278..ea84e2a 100644
--- a/sbin/hastd/subr.c
+++ b/sbin/hastd/subr.c
@@ -153,15 +153,7 @@ drop_privs(bool usecapsicum)
 	uid_t ruid, euid, suid;
 	gid_t rgid, egid, sgid;
 	gid_t gidset[1];
-
-	if (usecapsicum) {
-		if (cap_enter() == 0) {
-			pjdlog_debug(1,
-			    "Privileges successfully dropped using capsicum.");
-			return (0);
-		}
-		pjdlog_errno(LOG_WARNING, "Unable to sandbox using capsicum");
-	}
+	bool capsicum;
 
 	/*
 	 * According to getpwnam(3) we have to clear errno before calling the
@@ -205,6 +197,16 @@ drop_privs(bool usecapsicum)
 		return (-1);
 	}
 
+	capsicum = false;
+	if (usecapsicum) {
+		if (cap_enter() == 0) {
+			capsicum = true;
+		} else {
+			pjdlog_errno(LOG_WARNING,
+			    "Unable to sandbox using capsicum");
+		}
+	}
+
 	/*
 	 * Better be sure that everything succeeded.
 	 */
@@ -221,7 +223,8 @@ drop_privs(bool usecapsicum)
 	PJDLOG_VERIFY(gidset[0] == pw->pw_gid);
 
 	pjdlog_debug(1,
-	    "Privileges successfully dropped using chroot+setgid+setuid.");
+	    "Privileges successfully dropped using %schroot+setgid+setuid.",
+	    capsicum ? "capsicum+" : "");
 
 	return (0);
 }