xz: Add a comment to Capsicum sandbox setup.

This comment is repeated in xzdec.c to help remind us why all the capabilities are removed from stdin in certain situations.
tukaani-project · Dec 21, 2023 · 710cbc1 · 710cbc1
1 parent 4e1c695
commit 710cbc1
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/src/xz/file_io.c b/src/xz/file_io.c
@@ -226,6 +226,7 @@ io_sandbox_enter(int src_fd)
 			CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK)))
 		goto error;
 
+	// If not reading from stdin, remove all capabilities from it.
 	if (src_fd != STDIN_FILENO && cap_rights_limit(
 			STDIN_FILENO, cap_rights_clear(&rights)))
 		goto error;