Date: Tue, 03 Sep 2019 14:07:02 -0000
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Mariusz Zaborski <oshogbo@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r346263 - head/contrib/tcpdump
Message-ID: <20190416131915.2ocot4nonnf3sl4a@mutt-hbsd>
In-Reply-To: <201904160412.x3G4CgN2015092@repo.freebsd.org>
References: <201904160412.x3G4CgN2015092@repo.freebsd.org>

On Tue, Apr 16, 2019 at 04:12:42AM +0000, Mariusz Zaborski wrote:
> Author: oshogbo
> Date: Tue Apr 16 04:12:41 2019
> New Revision: 346263
> URL: https://svnweb.freebsd.org/changeset/base/346263
>
> Log:
> tcpdump: disable Capsicum if -E option is provided.
>
> The -E is used to provide a secret for decrypting IPsec.
> The secret may be provided through command line or as the file.
> The problem is that tcpdump doesn't support yet opening files in capability mode
> and the file may contain a list of the files to open.
>
> As a workaround, for now, let's just disable capsicum if the -E
> the option is provided.
>
> PR: 236819
> MFC after: 2 weeks
>
> Modified:
> head/contrib/tcpdump/tcpdump.c
>
> Modified: head/contrib/tcpdump/tcpdump.c
> ==============================================================================
> --- head/contrib/tcpdump/tcpdump.c Tue Apr 16 02:48:04 2019 (r346262)
> +++ head/contrib/tcpdump/tcpdump.c Tue Apr 16 04:12:41 2019 (r346263)
> @@ -2063,7 +2063,8 @@ main(int argc, char **argv) > } > =20 > #ifdef HAVE_CAPSICUM > - cansandbox =3D (VFileName =3D=3D NULL && zflag =3D=3D NULL); > + cansandbox =3D (VFileName =3D=3D NULL && zflag =3D=3D NULL && > + ndo->ndo_espsecret =3D=3D NULL); > #ifdef HAVE_CASPER > cansandbox =3D (cansandbox && (ndo->ndo_nflag || capdns !=3D NULL)); > #else

Is there any documentation anywhere telling users that Capsicum support
will be disabled under certain circumstances?

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
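
Review bot: the new `ndo->ndo_espsecret` test in the `cansandbox` assignment turns the sandbox off for every use of -E, while the log locates the problem only in the case where the secret comes from a file that may list further files to open. If the command-line form can stay sandboxed, the condition should be narrowed to the file case; if it cannot, say why in a comment. Either way the assignment needs a comment above it marking this as a temporary workaround and citing PR 236819, since nothing in the hunk records why a decryption secret affects sandboxing or that the term is meant to be removed later. The hunk also gives the user no indication that tcpdump is running without Capsicum: a warning on the path where `cansandbox` ends up false, plus a note in the manual page listing the options that disable sandboxing (this hunk shows `VFileName`, `zflag` and now the -E secret), would make the loss of confinement visible instead of silent.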