authorTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-03 00:53:14 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-03 00:53:14 +0000
commit66f93fb839efa01910863b86ab42ccda58decda0 (patch)
tree3b4dcb2bd0f0eb819befe5ed070e39f612bffd77 /sbin/ping6
parentffcc7fb71f9c6c1a003eadb219b3270cb827bc34 (diff)
ping6 is a setuid root priv-drop which holds a sockraw. we can tame it
substantially with "stdio inet", plus "dns" if the -n option is missing. a successful exploit against it then cannot create files, or perform a variety of other operations, as described in the tame(2) man page. ping6 is a bit trickier than ping, because it uses recvmsg() with CMSG types of IPV6_HOPOPTS, IPV6_DSTOPTS, IPV6_RTHDRDSTOPTS, IPV6_RTHDR. there is further work to do in the kernel, with claudio! work with florian a while back, which involved hoisting lots of initialization code upwards. ok doug
Diffstat (limited to 'sbin/ping6')
-rw-r--r--sbin/ping6/ping6.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/sbin/ping6/ping6.c b/sbin/ping6/ping6.c
index 39d6b2ba164..efd1a5050eb 100644
--- a/sbin/ping6/ping6.c
+++ b/sbin/ping6/ping6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ping6.c,v 1.117 2015/09/30 12:21:46 deraadt Exp $ */
+/* $OpenBSD: ping6.c,v 1.118 2015/10/03 00:53:13 deraadt Exp $ */
/* $KAME: ping6.c,v 1.163 2002/10/25 02:19:06 itojun Exp $ */
/*
@@ -746,6 +746,14 @@ main(int argc, char *argv[])
(socklen_t)sizeof(optval)) < 0)
warn("setsockopt(IPV6_RECVHOPLIMIT)"); /* XXX err? */
+ if (options & F_HOSTNAME) {
+ if (tame("stdio inet dns", NULL) == -1)
+ err(1, "tame");
+ } else {
+ if (tame("stdio inet", NULL) != 0)
+ err(1, "tame");
+ }
+
arc4random_buf(&tv64_offset, sizeof(tv64_offset));
arc4random_buf(&mac_key, sizeof(mac_key));
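Review bot: The two added tame() calls test for failure differently, `== -1` in the F_HOSTNAME branch and `!= 0` in the else branch, so a reader has to check that both mean the same thing. Since only the promise string differs, a single call keeps the check in one place: `if (tame((options & F_HOSTNAME) ? "stdio inet dns" : "stdio inet", NULL) == -1)` followed by `err(1, "tame");`. A short comment above it would also help, for example `/* "dns" is only needed when F_HOSTNAME is set; nothing below may open files */`. The wording assumes F_HOSTNAME is the only path after this point that resolves names, which should be confirmed against the rest of main(). main() starts and ends outside this hunk, so anything that needs a wider promise set has to stay above these lines.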