Index: usr.sbin/bhyve/audio.c =================================================================== --- usr.sbin/bhyve/audio.c +++ usr.sbin/bhyve/audio.c @@ -28,10 +28,8 @@ */ #include -#ifndef WITHOUT_CAPSICUM #include #include -#endif #include #include @@ -70,7 +68,6 @@ audio_init(const char *dev_name, uint8_t dir) { struct audio *aud = NULL; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; cap_ioctl_t cmds[] = { SNDCTL_DSP_RESET, SNDCTL_DSP_SETFMT, SNDCTL_DSP_CHANNELS, @@ -79,7 +76,6 @@ SNDCTL_DSP_GETOSPACE, SNDCTL_DSP_GETISPACE, #endif }; -#endif assert(dev_name); @@ -105,13 +101,11 @@ return (NULL); } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_WRITE); if (caph_rights_limit(aud->fd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); if (caph_ioctls_limit(aud->fd, cmds, nitems(cmds)) == -1) errx(EX_OSERR, "Unable to limit ioctl rights for sandbox"); -#endif return aud; } Index: usr.sbin/bhyve/bhyverun.c =================================================================== --- usr.sbin/bhyve/bhyverun.c +++ usr.sbin/bhyve/bhyverun.c @@ -28,9 +28,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #ifdef BHYVE_SNAPSHOT #include @@ -43,9 +41,7 @@ #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -601,10 +597,8 @@ exit(4); } -#ifndef WITHOUT_CAPSICUM if (vm_limit_rights(ctx) != 0) err(EX_OSERR, "vm_limit_rights"); -#endif if (reinit) { error = vm_reinit(ctx); @@ -1030,7 +1024,6 @@ errx(EX_OSERR, "Failed to start checkpoint thread"); #endif -#ifndef WITHOUT_CAPSICUM caph_cache_catpages(); if (caph_limit_stdout() == -1 || caph_limit_stderr() == -1) @@ -1038,7 +1031,6 @@ if (caph_enter() == -1) errx(EX_OSERR, "cap_enter() failed"); -#endif #ifdef BHYVE_SNAPSHOT if (restore_file != NULL) { Index: usr.sbin/bhyve/block_if.c =================================================================== --- usr.sbin/bhyve/block_if.c +++ usr.sbin/bhyve/block_if.c 
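Review bot: In usr.sbin/bhyve/bhyverun.c, the now-unconditional `caph_enter()` call is the single point where the process enters capability mode, and nothing next to it says what happens on a kernel without Capsicum. As far as I recall the capsicum_helpers wrappers treat ENOSYS as success, so with the build-time switch gone the sandbox can still be silently absent at run time; that should be confirmed and stated in a comment, for example `/* Capsicum is always compiled in; caph_enter() may still be a no-op on a kernel without capability mode. */`. Separately, `errx(EX_OSERR, "cap_enter() failed")` drops errno, and `err(EX_OSERR, "cap_enter() failed")` would keep the reason. The enclosing function starts and ends outside the hunk.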
@@ -29,9 +29,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -39,9 +37,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -489,10 +485,8 @@ int nodelete; int bootindex; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; cap_ioctl_t cmds[] = { DIOCGFLUSH, DIOCGDELETE, DIOCGMEDIASIZE }; -#endif pthread_once(&blockif_once, blockif_init); @@ -562,7 +556,6 @@ goto err; } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_FSYNC, CAP_IOCTL, CAP_READ, CAP_SEEK, CAP_WRITE, CAP_FSTAT, CAP_EVENT, CAP_FPATHCONF); if (ro) @@ -570,7 +563,6 @@ if (caph_rights_limit(fd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif /* * Deal with raw devices @@ -601,10 +593,8 @@ candelete = fpathconf(fd, _PC_DEALLOC_PRESENT) == 1; } -#ifndef WITHOUT_CAPSICUM if (caph_ioctls_limit(fd, cmds, nitems(cmds)) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif if (ssopt != 0) { if (!powerof2(ssopt) || !powerof2(pssopt) || ssopt < 512 || Index: usr.sbin/bhyve/gdb.c =================================================================== --- usr.sbin/bhyve/gdb.c +++ usr.sbin/bhyve/gdb.c @@ -27,9 +27,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -40,9 +38,7 @@ #include #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -202,13 +198,11 @@ logfile = fopen("/tmp/bhyve_gdb.log", "w"); if (logfile == NULL) return; -#ifndef WITHOUT_CAPSICUM if (caph_limit_stream(fileno(logfile), CAPH_WRITE) == -1) { fclose(logfile); logfile = NULL; return; } -#endif setlinebuf(logfile); } va_start(ap, fmt); @@ -1818,7 +1812,6 @@ pthread_mutex_unlock(&gdb_lock); } -#ifndef WITHOUT_CAPSICUM static void limit_gdb_socket(int s) { @@ -1832,7 +1825,6 @@ if (caph_ioctls_limit(s, ioctls, nitems(ioctls)) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); } -#endif void init_gdb(struct vmctx *_ctx) 
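Review bot: In usr.sbin/bhyve/block_if.c, the `caph_ioctls_limit(fd, cmds, nitems(cmds))` failure prints the same text as the `caph_rights_limit` failure a few lines earlier, so an operator cannot tell which restriction was refused. audio.c in this patch already distinguishes the two, and the same wording would fit here: `errx(EX_OSERR, "Unable to limit ioctl rights for sandbox");`. The same duplicated message appears in limit_gdb_socket() in gdb.c, in pci_passthru.c and in both backends in uart_emul.c. The enclosing function extends beyond the hunk.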
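Review bot: In usr.sbin/bhyve/gdb.c, the debug log is opened with `fopen("/tmp/bhyve_gdb.log", "w")`, a fixed name in a world-writable directory, and only afterwards limited with `caph_limit_stream`. fopen follows symbolic links and truncates whatever it resolves to, and bhyve normally runs with elevated privileges, so the file that gets truncated is not fully under the program's control. The Capsicum limit does not help, because the exposure is at open time. Writing the log under a root-owned directory, or at least opening with `open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600)` followed by `fdopen(fd, "w")`, closes this; the surrounding function and any build guard around it are outside the hunk.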
@@ -1910,9 +1902,7 @@ if (fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1) err(1, "Failed to mark gdb socket non-blocking"); -#ifndef WITHOUT_CAPSICUM limit_gdb_socket(s); -#endif mevent_add(s, EVF_READ, new_connection, NULL); gdb_active = true; freeaddrinfo(gdbaddr); Index: usr.sbin/bhyve/mevent.c =================================================================== --- usr.sbin/bhyve/mevent.c +++ usr.sbin/bhyve/mevent.c @@ -33,9 +33,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -46,9 +44,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include @@ -126,18 +122,14 @@ static void mevent_init(void) { -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif mfd = kqueue(); assert(mfd > 0); -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_KQUEUE); if (caph_rights_limit(mfd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif LIST_INIT(&change_head); LIST_INIT(&global_head); @@ -486,9 +478,7 @@ struct mevent *pipev; int numev; int ret; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif mevent_tid = pthread_self(); mevent_set_name(); @@ -506,13 +496,11 @@ exit(0); } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE); if (caph_rights_limit(mevent_pipefd[0], &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); if (caph_rights_limit(mevent_pipefd[1], &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif /* * Add internal event handler for the pipe write fd Index: usr.sbin/bhyve/net_backends.c =================================================================== --- usr.sbin/bhyve/net_backends.c +++ usr.sbin/bhyve/net_backends.c @@ -34,9 +34,7 @@ #include #include /* u_short etc */ -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -50,9 +48,7 @@ #define NETMAP_WITH_LIBS #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include 
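Review bot: In mevent_init() in usr.sbin/bhyve/mevent.c, a failed `kqueue()` is caught only by `assert(mfd > 0)`, which disappears when NDEBUG is defined. The now-unconditional `caph_rights_limit(mfd, &rights)` would then be handed -1 and exit with "Unable to apply rights for sandbox", which points at the wrong cause. An explicit check before the rights call, `if (mfd == -1) err(EX_OSERR, "kqueue");`, reports the real failure. pci_virtio_rnd.c has the same shape, with `assert(fd >= 0)` ahead of its rights limit.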
@@ -227,9 +223,7 @@ struct ifreq ifrq; int s; #endif -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif if (cb == NULL) { WPRINTF(("TAP backend requires non-NULL callback")); @@ -287,11 +281,9 @@ (void)close(s); #endif -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE); if (caph_rights_limit(be->fd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif memset(priv->bbuf, 0, sizeof(priv->bbuf)); priv->bbuflen = 0; @@ -459,9 +451,7 @@ int flags; unsigned long maxsbsz; size_t msbsz; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif if (cb == NULL) { WPRINTF(("Netgraph backend requires non-NULL callback")); @@ -552,11 +542,9 @@ goto error; } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE); if (caph_rights_limit(be->fd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif memset(p->bbuf, 0, sizeof(p->bbuf)); p->bbuflen = 0; Index: usr.sbin/bhyve/pci_e82545.c =================================================================== --- usr.sbin/bhyve/pci_e82545.c +++ usr.sbin/bhyve/pci_e82545.c @@ -31,9 +31,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -41,9 +39,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include Index: usr.sbin/bhyve/pci_passthru.c =================================================================== --- usr.sbin/bhyve/pci_passthru.c +++ usr.sbin/bhyve/pci_passthru.c @@ -28,9 +28,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -45,9 +43,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -129,7 +125,6 @@ return (1); } -#ifndef WITHOUT_CAPSICUM cap_rights_t pcifd_rights; cap_rights_init(&pcifd_rights, CAP_IOCTL, CAP_READ, CAP_WRITE); if (caph_rights_limit(pcifd, &pcifd_rights) == -1) 
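Review bot: In usr.sbin/bhyve/pci_e82545.c the two Capsicum headers become unconditional, but the patch removes no guarded code from this file, which suggests nothing in it calls the Capsicum API. If that is the case, the two `#include` lines can be deleted rather than un-guarded. The header names are not legible in this rendering and the rest of the file is outside the diff, so confirm against the source before dropping them.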
@@ -139,7 +134,6 @@ PCIOCBARIO, PCIOCBARMMAP, PCIOCGETCONF }; if (caph_ioctls_limit(pcifd, pcifd_ioctls, nitems(pcifd_ioctls)) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif return (0); } Index: usr.sbin/bhyve/pci_virtio_console.c =================================================================== --- usr.sbin/bhyve/pci_virtio_console.c +++ usr.sbin/bhyve/pci_virtio_console.c @@ -32,18 +32,14 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -277,9 +273,7 @@ char *cp, *pathcopy; long port; int s = -1, fd = -1, error = 0; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif port = strtol(port_name, &cp, 0); if (*cp != '\0' || port < 0 || port >= VTCON_MAXPORTS) { @@ -341,11 +335,9 @@ goto out; } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE); if (caph_rights_limit(s, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif name = get_config_value_node(nvl, "name"); if (name == NULL) { Index: usr.sbin/bhyve/pci_virtio_input.c =================================================================== --- usr.sbin/bhyve/pci_virtio_input.c +++ usr.sbin/bhyve/pci_virtio_input.c @@ -33,11 +33,9 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include #include -#endif #include #include #include @@ -708,13 +706,11 @@ goto failed; } -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE); if (caph_rights_limit(sc->vsc_fd, &rights) == -1) { errx(EX_OSERR, "Unable to apply rights for sandbox"); } -#endif /* link virtio to softc */ vi_softc_linkup( Index: usr.sbin/bhyve/pci_virtio_rnd.c =================================================================== --- usr.sbin/bhyve/pci_virtio_rnd.c +++ usr.sbin/bhyve/pci_virtio_rnd.c 
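Review bot: In usr.sbin/bhyve/pci_virtio_input.c, `cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE)` grants CAP_IOCTL on `sc->vsc_fd`, but the hunk shows no `caph_ioctls_limit` call, so every ioctl the device node implements stays reachable from inside the sandbox. audio.c, block_if.c, pci_passthru.c and uart_emul.c in this patch pair CAP_IOCTL with an explicit command list. Unless a limit is applied outside the hunk, add one here: `if (caph_ioctls_limit(sc->vsc_fd, cmds, nitems(cmds)) == -1) errx(EX_OSERR, "Unable to limit ioctl rights for sandbox");`, with `cmds` listing only the requests this device model issues. The enclosing function starts and ends outside the hunk.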
@@ -35,15 +35,11 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -144,9 +140,7 @@ int fd; int len; uint8_t v; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif /* * Should always be able to open /dev/random. @@ -155,11 +149,9 @@ assert(fd >= 0); -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_READ); if (caph_rights_limit(fd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif /* * Check that device is seeded and non-blocking. Index: usr.sbin/bhyve/rfb.c =================================================================== --- usr.sbin/bhyve/rfb.c +++ usr.sbin/bhyve/rfb.c @@ -29,9 +29,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -44,9 +42,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -1142,9 +1138,7 @@ struct addrinfo hints; int on = 1; int cnt; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif rc = calloc(1, sizeof(struct rfb_softc)); @@ -1195,11 +1189,9 @@ goto error; } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE); if (caph_rights_limit(rc->sfd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif rc->hw_crc = sse42_supported(); Index: usr.sbin/bhyve/snapshot.c =================================================================== --- usr.sbin/bhyve/snapshot.c +++ usr.sbin/bhyve/snapshot.c @@ -35,18 +35,14 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -65,9 +61,7 @@ #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include @@ -1422,9 +1416,7 @@ int socket_fd; pthread_t checkpoint_pthread; int err; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif memset(&addr, 0, sizeof(addr)); 
@@ -1455,13 +1447,11 @@ goto fail; } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_RECV, CAP_WRITE, CAP_SEND, CAP_GETSOCKOPT); if (caph_rights_limit(socket_fd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif checkpoint_info = calloc(1, sizeof(*checkpoint_info)); checkpoint_info->ctx = ctx; checkpoint_info->socket_fd = socket_fd; Index: usr.sbin/bhyve/uart_emul.c =================================================================== --- usr.sbin/bhyve/uart_emul.c +++ usr.sbin/bhyve/uart_emul.c @@ -30,10 +30,8 @@ #include #include #include -#ifndef WITHOUT_CAPSICUM #include #include -#endif #include @@ -644,10 +642,8 @@ static int uart_stdio_backend(struct uart_softc *sc) { -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ }; -#endif if (uart_stdio) return (-1); @@ -661,13 +657,11 @@ if (fcntl(sc->tty.wfd, F_SETFL, O_NONBLOCK) != 0) return (-1); -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ); if (caph_rights_limit(sc->tty.rfd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); if (caph_ioctls_limit(sc->tty.rfd, cmds, nitems(cmds)) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif uart_stdio = true; @@ -677,10 +671,8 @@ static int uart_tty_backend(struct uart_softc *sc, const char *path) { -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ }; -#endif int fd; fd = open(path, O_RDWR | O_NONBLOCK); @@ -695,13 +687,11 @@ sc->tty.rfd = sc->tty.wfd = fd; sc->tty.opened = true; -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE); if (caph_rights_limit(fd, &rights) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); if (caph_ioctls_limit(fd, cmds, nitems(cmds)) == -1) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif return (0); }
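Review bot: In usr.sbin/bhyve/snapshot.c, `checkpoint_info = calloc(1, sizeof(*checkpoint_info));` is dereferenced on the very next line (`checkpoint_info->ctx = ctx;`) without a NULL check. The function already uses a `fail` label for earlier errors, so `if (checkpoint_info == NULL) goto fail;` right after the allocation would fit. What `fail` cleans up is outside the hunk, so confirm it closes `socket_fd`.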
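Review bot: In usr.sbin/bhyve/uart_emul.c, uart_stdio_backend() and uart_tty_backend() each declare an identical `cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ };`, so the tty ioctl allowlist can drift between the two backends. A single file-scope `static const cap_ioctl_t uart_tty_ioctls[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ };` used by both keeps the sandbox policy in one place. uart_stdio_backend() also limits only `sc->tty.rfd`; presumably the write side is covered by the stdout limit applied in bhyverun.c, and a one-line comment saying so would stop a reader from assuming it was forgotten.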