authormestre <mestre@openbsd.org>2018-11-08 07:14:37 +0000
committermestre <mestre@openbsd.org>2018-11-08 07:14:37 +0000
commit0b97bee61635b9c23cbc6ed727ac3b782403e990 (patch)
tree69ef5487b748e31d9884348734d4b276b663d2f4 /usr.sbin/tcpdrop
parentregen (diff)
tcpdrop(8) needs to access only two files, in this case /etc/hosts and
/etc/resolv.conf both with read permissions for the purpose of name resolution, so unveil(2) both files with "r" perms and disable further filesystem access. While here sort the headers alphabetically. OK bluhm@
Diffstat (limited to 'usr.sbin/tcpdrop')
-rw-r--r--usr.sbin/tcpdrop/tcpdrop.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/usr.sbin/tcpdrop/tcpdrop.c b/usr.sbin/tcpdrop/tcpdrop.c
index 4f41dd9a61b..2156076d477 100644
--- a/usr.sbin/tcpdrop/tcpdrop.c
+++ b/usr.sbin/tcpdrop/tcpdrop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcpdrop.c,v 1.17 2015/01/16 06:40:21 deraadt Exp $ */
+/* $OpenBSD: tcpdrop.c,v 1.18 2018/11/08 07:14:37 mestre Exp $ */
/*
* Copyright (c) 2004 Markus Friedl <markus@openbsd.org>
@@ -27,10 +27,11 @@
#include <netinet/tcp_var.h>
#include <err.h>
+#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
-#include <netdb.h>
+#include <unistd.h>
__dead void usage(void);
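Review bot: `<string.h>` still precedes `<stdlib.h>` after this reordering, so the include list is not fully alphabetical as the commit message says it should be. Swapping those two lines would finish the sort. The new `<unistd.h>` is needed for the unveil(2) calls added in main().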
@@ -62,6 +63,13 @@ main(int argc, char **argv)
struct tcp_ident_mapping tir;
int gaierr, rval = 0;
+ if (unveil("/etc/hosts", "r") == -1)
+ err(1, "unveil");
+ if (unveil("/etc/resolv.conf", "r") == -1)
+ err(1, "unveil");
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil");
+
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
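Review bot: All three `err(1, "unveil")` calls in the added block print the same message, so a failure does not say which call was refused. Naming the path, e.g. `err(1, "unveil %s", "/etc/hosts")`, keeps the bare `"unveil"` message for the final locking call only. The hunk shows `hints` being prepared for getaddrinfo(3) but not its flags or arguments, so please confirm the port argument is never resolved as a service name. That lookup would presumably need `/etc/services`, which this unveil list hides; setting `AI_NUMERICSERV` or unveiling that file would settle it. main()'s body continues outside the hunk.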