Date: Mon, 15 Oct 2018 15:42:45 -0400
From: Mark Johnston <markj@freebsd.org>
To: freebsd-hackers@freebsd.org
Subject: [CFT] capsicum patches for rtsol(8) and rtsold(8)
Message-ID: <20181015194212.GA2751@spy>

Hi,

Last week I spent some time Capsicumizing rtsol(8) and rtsold(8). The code for these programs is relatively straightforward, and seems like an ideal candidate for sandboxing given that it parses ND6 RAs while running with privileges (which has led to one SA in the past).

I currently don't run rtsold as my home ISP only gives me an IPv4 address. I did a fair amount of testing on an internal network and used packet captures to verify everything, but I was hoping that some folks who actually rely on rtsol(d) would be willing to test the patch before I try to get it reviewed.

The patch is here:

https://people.freebsd.org/~markj/patches/rtsold_capsicum.diff

and a review and description for the capsicum portions is here, if anyone is interested:

https://reviews.freebsd.org/D17572

The patch is a superset of the review contents; it contains some unrelated fixes (for e.g., Coverity bugs) and cleanups.

To test the patch, apply it, rebuild sbin/rtsol and usr.sbin/rtsold, and restart rtsold. It would be helpful to restart networking at this point, or simply reboot. If the patch works properly, you shouldn't notice any changes in behaviour. I'd be particularly interested in hearing reports from anyone that uses -m or -O, or who depends upon the processing of the RDNSS and DNSSL RA options.