Diffstat (limited to 'usr.sbin/bhyve/mevent.c')
-rw-r--r-- | usr.sbin/bhyve/mevent.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/usr.sbin/bhyve/mevent.c b/usr.sbin/bhyve/mevent.c
index 07d3baf..adc047d 100644
--- a/usr.sbin/bhyve/mevent.c
+++ b/usr.sbin/bhyve/mevent.c
@@ -35,13 +35,18 @@
 __FBSDID("$FreeBSD$");
 
 #include <assert.h>
+#include <err.h>
 #include <errno.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
+#include <sysexits.h>
 #include <unistd.h>
 
 #include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/event.h>
 #include <sys/time.h>
 
@@ -401,6 +406,9 @@ mevent_dispatch(void)
 	int mfd;
 	int numev;
 	int ret;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+#endif
 
 	mevent_tid = pthread_self();
 	mevent_set_name();
@@ -408,6 +416,12 @@ mevent_dispatch(void)
 	mfd = kqueue();
 	assert(mfd > 0);
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_KQUEUE);
+	if (cap_rights_limit(mfd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	/*
 	 * Open the pipe that will be used for other threads to force
 	 * the blocking kqueue call to exit by writing to it. Set the
@@ -419,6 +433,14 @@ mevent_dispatch(void)
 		exit(0);
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(mevent_pipefd[0], &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+	if (cap_rights_limit(mevent_pipefd[1], &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	/*
 	 * Add internal event handler for the pipe write fd
 	 */ |
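Review bot: In the block added after `assert(mfd > 0);`, `errx(EX_OSERR, ...)` discards the errno that cap_rights_limit() just set, so any failure other than the exempted ENOSYS is reported without its cause; `err(EX_OSERR, "Unable to apply rights for sandbox");` would print the strerror text at no extra cost. The `errno != ENOSYS` exemption also means that on a kernel without Capsicum the dispatcher silently keeps an unrestricted kqueue descriptor, which deserves a line next to the check, e.g. `/* ENOSYS: kernel built without Capsicum; continue unsandboxed */`, or a warnx() so the degraded mode shows up in the log. Limiting rights on mfd only takes effect once the process enters capability mode; cap_enter(2) is not in this file's hunks, so presumably it is called elsewhere in bhyve — confirm. mevent_dispatch() begins before this hunk and continues after it.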
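Review bot: The block added after the `}` that closes the pipe error path grants the same CAP_EVENT, CAP_READ, CAP_WRITE set to both ends of mevent_pipefd, which is broader than either end needs: assuming the pair comes from pipe(2) (that call is outside the hunk), index 0 is the read end the kqueue watches and index 1 is the write end the other threads poke to wake the blocking kevent() call, as the comment above describes. Least privilege would be `cap_rights_init(&rights, CAP_EVENT, CAP_READ);` before the `mevent_pipefd[0]` limit and `cap_rights_init(&rights, CAP_WRITE);` before the `mevent_pipefd[1]` limit, so the write end can never be registered with the kqueue or read from and the read end can never be written to. The existing comment just below the hunk calls the handler's target the "pipe write fd", and the mevent_add() registration it refers to is outside the hunk, so check which index it actually passes before splitting the rights. As with the kqueue descriptor, `errx` drops errno here; err(3) would include the failure reason.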