Date: Wed, 3 Jul 2013 22:17:30 +0000 (UTC) From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r252629 - head/sbin/dhclient Message-ID: <201307032217.r63MHU6O038693@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pjd Date: Wed Jul 3 22:17:29 2013 New Revision: 252629 URL: http://svnweb.freebsd.org/changeset/base/252629 Log: MFp4 @229483: Limit communication pipe with privileged process to CAP_READ and CAP_WRITE. Reviewed by: brooks Sponsored by: The FreeBSD Foundation Modified: head/sbin/dhclient/dhclient.c Modified: head/sbin/dhclient/dhclient.c ============================================================================== --- head/sbin/dhclient/dhclient.c Wed Jul 3 22:16:02 2013 (r252628) +++ head/sbin/dhclient/dhclient.c Wed Jul 3 22:17:29 2013 (r252629) @@ -59,6 +59,8 @@ __FBSDID("$FreeBSD$"); #include "dhcpd.h" #include "privsep.h" +#include <sys/capability.h> + #include <net80211/ieee80211_freebsd.h> #ifndef _PATH_VAREMPTY @@ -470,6 +472,10 @@ main(int argc, char *argv[]) close(pipe_fd[0]); privfd = pipe_fd[1]; + if (cap_rights_limit(privfd, CAP_READ | CAP_WRITE) < 0 && + errno != ENOSYS) { + error("can't limit private descriptor: %m"); + } if ((fd = open(path_dhclient_db, O_RDONLY|O_EXLOCK|O_CREAT, 0)) == -1) error("can't open and lock %s: %m", path_dhclient_db);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201307032217.r63MHU6O038693>