capsicum: disable fs writes

Use RLIMIT_FSIZE to disable writes to the filesystem when stdout is not
a regular file.

src/restrict_process_capsicum.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2017-2020, Michael Santos <michael.santos@gmail.com>
+/* Copyright (c) 2017-2023, Michael Santos <michael.santos@gmail.com>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,8 +16,10 @@
 #include <sys/capsicum.h>
 #include <sys/param.h>
 #include <sys/resource.h>
+#include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
+#include <unistd.h>
 
 #include <errno.h>
 
@@ -25,6 +27,15 @@
 
 int restrict_process_init(xmppipe_state_t *state) {
   struct rlimit rl = {0};
+  struct stat sb = {0};
+
+  if (fstat(STDOUT_FILENO, &sb) < 0)
+    return -1;
+
+  if (!S_ISREG(sb.st_mode)) {
+    if (setrlimit(RLIMIT_FSIZE, &rl) < 0)
+      return -1;
+  }
 
   return setrlimit(RLIMIT_NPROC, &rl);
 }

src/xmppipe.h

@@ -27,7 +27,7 @@
 #include "strtonum.h"
 #endif
 
-#define XMPPIPE_VERSION "0.14.7"
+#define XMPPIPE_VERSION "0.14.8"
 #define XMPPIPE_RESOURCE "xmppipe"
 
 #define XMPPIPE_STREQ(a, b) (strcmp((a), (b)) == 0)