author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-03 00:51:09 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-03 00:51:09 +0000 |
commit | ffcc7fb71f9c6c1a003eadb219b3270cb827bc34 (patch) | |
tree | 4e3ef4d4a3817a2f7fa9b5f588a7e32d43ce4b0a | |
parent | 11ab55de402fc0d6ed463efefe48c175b806d706 (diff) |
tcpdump is two-process privsep.
the packet processor pid is initialized on a socketpair, and then only
does byte analysis. it can be protected using a "stdio" tame request.
a successful attack against it will find it cannot open files nor
sockets, and faces various other limitations described in the tame(2)
manual page.
the monitor process can be restricted to "malloc cmsg inet ioctl dns rpath".
that sounds like a large subset, but notice it cannot create or write files.
maybe this set can be whittled down by hoisting more initialization code
upwards?
with help from canacar a while back.
-rw-r--r-- | usr.sbin/tcpdump/privsep.c | 4 | ||||
-rw-r--r-- | usr.sbin/tcpdump/tcpdump.c | 4 |
2 files changed, 6 insertions, 2 deletions
diff --git a/usr.sbin/tcpdump/privsep.c b/usr.sbin/tcpdump/privsep.c index 354b384a1f3..dc1ab16392b 100644 --- a/usr.sbin/tcpdump/privsep.c +++ b/usr.sbin/tcpdump/privsep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: privsep.c,v 1.35 2015/08/21 02:07:32 deraadt Exp $ */ +/* $OpenBSD: privsep.c,v 1.36 2015/10/03 00:51:08 deraadt Exp $ */ /* * Copyright (c) 2003 Can Erkin Acar @@ -281,6 +281,8 @@ priv_init(int argc, char **argv) case PRIV_INIT_DONE: test_state(cmd, STATE_RUN); impl_init_done(socks[0], &bpfd); + if (tame("malloc cmsg inet ioctl dns rpath", NULL) == -1) + err(1, "tame"); break; case PRIV_GETHOSTBYADDR: test_state(cmd, STATE_RUN); diff --git a/usr.sbin/tcpdump/tcpdump.c b/usr.sbin/tcpdump/tcpdump.c index f9bcac98f4d..d32f0a25e1c 100644 --- a/usr.sbin/tcpdump/tcpdump.c +++ b/usr.sbin/tcpdump/tcpdump.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcpdump.c,v 1.72 2015/07/14 20:23:40 deraadt Exp $ */ +/* $OpenBSD: tcpdump.c,v 1.73 2015/10/03 00:51:08 deraadt Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 @@ -490,6 +490,8 @@ main(int argc, char **argv) if (tflag > 0) thiszone = gmt2local(0); + if (tame("stdio", NULL) == -1) + err(1, "tame"); if (pcap_loop(pd, cnt, printer, pcap_userdata) < 0) { (void)fprintf(stderr, "%s: pcap_loop: %s\n", |
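Review bot: in the privsep.c hunk, the promise list "malloc cmsg inet ioctl dns rpath" in the PRIV_INIT_DONE case carries no comment tying each promise to the monitor request that still needs it after init (for example dns to the PRIV_GETHOSTBYADDR handler visible just below); add a short comment naming which request needs which promise, so the whittling-down the commit message asks about can be done later without guesswork and a reviewer can confirm every post-init request is covered. Also, neither hunk adds an include for the header that declares tame(), so confirm both files already pull it in or the build will fail on the new calls.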
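Review bot: in the tcpdump.c hunk, tame("stdio", NULL) is placed after the gmt2local(0) call and immediately before pcap_loop(), but nothing in the hunk records why it must sit exactly there; add a comment stating that all file and socket setup (including any timezone lookup gmt2local may perform) has to finish above this point, because the printer callbacks run under the "stdio" restriction from here on, so that a later reorder of main() does not silently move work below the restriction and turn it into a tame violation.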