author: deraadt <deraadt@openbsd.org> 2015-10-03 00:51:08 +0000
committer: deraadt <deraadt@openbsd.org> 2015-10-03 00:51:08 +0000
commit: f01a670324e45829123dd2773b311d32d1ea74b4 (patch)
tree: 6af63624cfd5620bf6a33f78a24eb94b6dfd1a35 /usr.sbin/tcpdump/tcpdump.c
parent: ping is a setuid root priv-drop which holds a sockraw. we can tame it (diff)
tcpdump is two-process privsep.
the packet processor pid is initialized on a socketpair, and then only does byte analysis. it can be protected using a "stdio" tame request. a successful attack against it will find it cannot open files nor sockets, and faces various other limitations described in the tame(2) manual page. the monitor process can be restricted to "malloc cmsg inet ioctl dns rpath". that sounds like a large subset, but notice it cannot create or write files. maybe this set can be whittled down by hoisting more initialization code upwards? with help from canacar a while back.
Diffstat (limited to 'usr.sbin/tcpdump/tcpdump.c')
-rw-r--r-- usr.sbin/tcpdump/tcpdump.c 4
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.sbin/tcpdump/tcpdump.c b/usr.sbin/tcpdump/tcpdump.c
index f9bcac98f4d..d32f0a25e1c 100644
--- a/usr.sbin/tcpdump/tcpdump.c
+++ b/usr.sbin/tcpdump/tcpdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcpdump.c,v 1.72 2015/07/14 20:23:40 deraadt Exp $ */
+/* $OpenBSD: tcpdump.c,v 1.73 2015/10/03 00:51:08 deraadt Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -490,6 +490,8 @@ main(int argc, char **argv)
if (tflag > 0)
thiszone = gmt2local(0);
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
if (pcap_loop(pd, cnt, printer, pcap_userdata) < 0) {
(void)fprintf(stderr, "%s: pcap_loop: %s\n",
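Review bot: The added tame("stdio", NULL) call just before pcap_loop() carries no comment explaining why "stdio" is sufficient from this point on. A short comment above it, saying that all setup (including the gmt2local(0) call on the preceding line) is finished and the packet processor only does byte analysis from here, would stop later changes from adding a file or socket open below the call, where it would fail under this restriction. Failing hard with err(1, "tame") is the right choice, since continuing to parse packets without the restriction would silently drop the protection. It is also worth confirming that nothing reachable from the printer callback passed to pcap_loop() needs more than "stdio". The commit message describes a second request for the monitor process ("malloc cmsg inet ioctl dns rpath"), but this file's diff shows only the one call, so the monitor side needs to be reviewed wherever that change lives.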