author | Bryan Steele <brynet@cvs.openbsd.org> | 2018-11-09 18:39:35 +0000 |
---|---|---|
committer | Bryan Steele <brynet@cvs.openbsd.org> | 2018-11-09 18:39:35 +0000 |
commit | 3a20d287ce938018b0b670069bc499dc06b7f699 (patch) | |
tree | f6231608bc6ab76541c00c3c3f061f5ef3794fb7 /usr.sbin | |
parent | 78b2f2688f2cc6ffafabb2a4a04ac8cedec54fdc (diff) |
The 'recvfd' and 'inet' promises are no longer required by tcpdump(8)
This reduces the remaining runtime pledge(2) in the privsep monitor
process to "stdio rpath dns bpf":
- 'rpath' for /etc/{ethers,rpc}, also unveil(2)'d thanks to mestre@!
- 'dns' for DNS lookups
- 'bpf' BIOCGSTATS on ^C
The unprivileged packet parser process remains pledged just "stdio"
This depends on the previous commit that removed YP support from
ethers(5).
ok mestre@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/tcpdump/privsep.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/tcpdump/privsep.c b/usr.sbin/tcpdump/privsep.c index a9329fb6dc4..790a67d6947 100644 --- a/usr.sbin/tcpdump/privsep.c +++ b/usr.sbin/tcpdump/privsep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: privsep.c,v 1.50 2018/11/08 14:06:09 brynet Exp $ */ +/* $OpenBSD: privsep.c,v 1.51 2018/11/09 18:39:34 brynet Exp $ */ /* * Copyright (c) 2003 Can Erkin Acar @@ -309,7 +309,7 @@ priv_exec(int argc, char *argv[]) err(1, "unveil"); if (unveil("/etc/rpc", "r") == -1) err(1, "unveil"); - if (pledge("stdio rpath inet dns recvfd bpf", NULL) == -1) + if (pledge("stdio rpath dns bpf", NULL) == -1) err(1, "pledge"); break; |
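Review bot: in the second hunk (priv_exec, the pledge call just before `break;`), the reason each remaining promise is kept is recorded only in the commit message. A short comment above `pledge("stdio rpath dns bpf", NULL)` would help: rpath for the unveiled /etc/ethers and /etc/rpc, dns for lookups, bpf for BIOCGSTATS on ^C. That would stop a later change from re-adding or dropping a promise blindly. Removing 'inet' and 'recvfd' relies on the ethers(5) YP removal the message mentions, so the two commits should be kept together if either is backed out; a pledge violation kills the monitor process rather than returning an error. Only this one branch is visible in the context, so it is worth confirming that no path reached after this call still expects a passed descriptor or a socket.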