Log a warning if we cannot sandbox using capsicum, but only under debug level 1.

It would be too noisy to log it as a proper warning as CAPABILITIES are not compiled into GENERIC by default. MFC after: 3 days
svn path=/head/; revision=223584
2024-11-22 03:04:34 +01:00 · 2011-06-27 09:10:48 +00:00 · 2011-06-27 09:10:48 +00:00 · 133d75ed18 · 2020-12-20 02:59:44 +00:00
commit 133d75ed18
parent e1ab183c5e
1 changed files with 6 additions and 2 deletions
--- a/sbin/hastd/subr.c
+++ b/sbin/hastd/subr.c
@ -230,9 +230,13 @@ drop_privs(struct hast_resource *res)
 	 * ioctls and secondary uses ioctls to handle BIO_DELETE and BIO_FLUSH.
 	 * For now capsicum is only used to sandbox hastctl.
 	 */
-	if (res == NULL)
+	if (res == NULL) {
 		capsicum = (cap_enter() == 0);
-	else
+		if (!capsicum) {
+			pjdlog_common(LOG_DEBUG, 1, errno,
+			    "Unable to sandbox using capsicum");
+		}
+	} else
 		capsicum = false;

 	/*