author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-03 00:51:09 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-03 00:51:09 +0000 |
commit | ffcc7fb71f9c6c1a003eadb219b3270cb827bc34 (patch) | |
tree | 4e3ef4d4a3817a2f7fa9b5f588a7e32d43ce4b0a /sbin/ping6 | |
parent | 11ab55de402fc0d6ed463efefe48c175b806d706 (diff) |
tcpdump is two-process privsep.
the packet processor pid is initialized on a socketpair, and then only
does byte analysis. it can be protected using a "stdio" tame request.
a successful attack against it will find it cannot open files nor
sockets, and faces various other limitations described in the tame(2)
manual page.
the monitor process can be restricted to "malloc cmsg inet ioctl dns rpath".
that sounds like a large subset, but notice it cannot create or write files.
maybe this set can be whittled down by hoisting more initialization code
upwards?
with help from canacar a while back.
Diffstat (limited to 'sbin/ping6')
0 files changed, 0 insertions, 0 deletions