authorTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-03 00:51:09 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-03 00:51:09 +0000
commitffcc7fb71f9c6c1a003eadb219b3270cb827bc34 (patch)
tree4e3ef4d4a3817a2f7fa9b5f588a7e32d43ce4b0a
parent11ab55de402fc0d6ed463efefe48c175b806d706 (diff)
tcpdump is two-process privsep.
the packet processor pid is initialized on a socketpair, and then only does byte analysis. it can be protected using a "stdio" tame request. a successful attack against it will find it cannot open files nor sockets, and faces various other limitations described in the tame(2) manual page. the monitor process can be restricted to "malloc cmsg inet ioctl dns rpath". that sounds like a large subset, but notice it cannot create or write files. maybe this set can be whittled down by hoisting more initialization code upwards? with help from canacar a while back.
-rw-r--r--usr.sbin/tcpdump/privsep.c4
-rw-r--r--usr.sbin/tcpdump/tcpdump.c4
2 files changed, 6 insertions, 2 deletions
diff --git a/usr.sbin/tcpdump/privsep.c b/usr.sbin/tcpdump/privsep.c
index 354b384a1f3..dc1ab16392b 100644
--- a/usr.sbin/tcpdump/privsep.c
+++ b/usr.sbin/tcpdump/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.35 2015/08/21 02:07:32 deraadt Exp $ */
+/* $OpenBSD: privsep.c,v 1.36 2015/10/03 00:51:08 deraadt Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar
@@ -281,6 +281,8 @@ priv_init(int argc, char **argv)
case PRIV_INIT_DONE:
test_state(cmd, STATE_RUN);
impl_init_done(socks[0], &bpfd);
+ if (tame("malloc cmsg inet ioctl dns rpath", NULL) == -1)
+ err(1, "tame");
break;
case PRIV_GETHOSTBYADDR:
test_state(cmd, STATE_RUN);
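Review bot: The request string on the added tame() call encodes a dependency analysis that the code does not record: nothing in priv_init says which monitor handler needs `rpath`, `ioctl`, `dns` or `cmsg`, so the next attempt to shrink the set (which the commit message invites) has to rediscover it. I would add a comment above the call, along the lines of `/* Monitor only serves PRIV_* requests from here on: dns for the gethostby* handlers, ioctl for the bpf descriptor, rpath for lookup files it still opens, cmsg for descriptor passing; it can no longer create or write files. */`, with each item confirmed against the handlers below before committing to it. Note also that the restriction only takes effect once the child sends PRIV_INIT_DONE; presumably test_state() refuses the other commands while still in the init state, but since the monitor runs unrestricted until that transition this is worth verifying. priv_init's body starts and ends outside the hunk.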
diff --git a/usr.sbin/tcpdump/tcpdump.c b/usr.sbin/tcpdump/tcpdump.c
index f9bcac98f4d..d32f0a25e1c 100644
--- a/usr.sbin/tcpdump/tcpdump.c
+++ b/usr.sbin/tcpdump/tcpdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcpdump.c,v 1.72 2015/07/14 20:23:40 deraadt Exp $ */
+/* $OpenBSD: tcpdump.c,v 1.73 2015/10/03 00:51:08 deraadt Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -490,6 +490,8 @@ main(int argc, char **argv)
if (tflag > 0)
thiszone = gmt2local(0);
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
if (pcap_loop(pd, cnt, printer, pcap_userdata) < 0) {
(void)fprintf(stderr, "%s: pcap_loop: %s\n",