authormestre <mestre@openbsd.org>2018-09-28 06:48:59 +0000
committermestre <mestre@openbsd.org>2018-09-28 06:48:59 +0000
commit1c4529b227bee57e4544887f5266a7aa19a7f9d4 (patch)
treeb6ae7ec3a1158df176a94cebf842fea062e6504e
parentMove the unions into the rom struct which fixes Coverity CID 1473649 and (diff)
add unveil(2) to tcpdump(8)
The following files are opened in the privsep proc, with read permissions, and therefore need to be unveiled: - /etc/pf.os - for OS fingerprinting, but only unveiled if -o flag is used - /etc/ethers - ether_ntohost(3) - /etc/rpc - getrpcbynumber(3) Additional files are also opened, but they are either opened before reaching this code path, or are covered by pledge(2)'s dns promise. shown and tested by a few people OK brynet@ deraadt@
-rw-r--r--usr.sbin/tcpdump/privsep.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/usr.sbin/tcpdump/privsep.c b/usr.sbin/tcpdump/privsep.c
index 25de10c1d15..c087773d685 100644
--- a/usr.sbin/tcpdump/privsep.c
+++ b/usr.sbin/tcpdump/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.48 2018/08/08 22:57:12 deraadt Exp $ */
+/* $OpenBSD: privsep.c,v 1.49 2018/09/28 06:48:59 mestre Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar
@@ -207,7 +207,7 @@ __dead void
priv_exec(int argc, char *argv[])
{
int bpfd = -1;
- int i, sock, cmd, nflag = 0, Pflag = 0;
+ int i, sock, cmd, nflag = 0, oflag = 0, Pflag = 0;
char *cmdbuf, *infile = NULL;
char *RFileName = NULL;
char *WFileName = NULL;
@@ -229,6 +229,10 @@ priv_exec(int argc, char *argv[])
nflag++;
break;
+ case 'o':
+ oflag = 1;
+ break;
+
case 'r':
RFileName = optarg;
break;
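Review bot: The new `case 'o'` only takes effect if the getopt(3) optstring driving this loop, which lies outside the hunk, already lists `o`; if it does not, `oflag` is never set and the conditional unveil of /etc/pf.os added later in this function becomes dead code, so that is worth confirming against the option string tcpdump.c uses. Why the privsep side needs to remember `-o` at all is not apparent at this point in the function, so a short comment on the new case would help readers, e.g. `/* -o: OS fingerprinting reads /etc/pf.os; record it so that file is unveiled only when needed */`. priv_exec's body continues outside the hunk.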
@@ -305,6 +309,14 @@ priv_exec(int argc, char *argv[])
test_state(cmd, STATE_RUN);
impl_init_done(sock, &bpfd);
+ if (oflag) {
+ if (unveil("/etc/pf.os", "r") == -1)
+ err(1, "unveil");
+ }
+ if (unveil("/etc/ethers", "r") == -1)
+ err(1, "unveil");
+ if (unveil("/etc/rpc", "r") == -1)
+ err(1, "unveil");
if (pledge("stdio rpath inet dns recvfd bpf", NULL) == -1)
err(1, "pledge");