unveil tcpdrop


unveil tcpdrop

Ricardo Mestre-2
Hi,

tcpdrop(8) only needs access to two files, /etc/hosts and /etc/resolv.conf, both read-only, and only for name resolution.
ethers(5) is not needed since none of the ether_*(3) family is used.

Since unistd.h needs to be included I also shuffled netdb.h into the right
place.

Comments? OK?

Index: tcpdrop.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 tcpdrop.c
--- tcpdrop.c 16 Jan 2015 06:40:21 -0000 1.17
+++ tcpdrop.c 6 Nov 2018 10:48:10 -0000
@@ -27,10 +27,11 @@
 #include <netinet/tcp_var.h>
 
 #include <err.h>
+#include <netdb.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
-#include <netdb.h>
+#include <unistd.h>
 
 __dead void usage(void);
 
@@ -61,6 +62,13 @@ main(int argc, char **argv)
  char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2;
  struct tcp_ident_mapping tir;
  int gaierr, rval = 0;
+
+ if (unveil("/etc/hosts", "r") == -1)
+ err(1, "unveil");
+ if (unveil("/etc/resolv.conf", "r") == -1)
+ err(1, "unveil");
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil");
 
  memset(&hints, 0, sizeof(hints));
  hints.ai_family = AF_UNSPEC;
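Review bot: All three unveil(2) calls in this hunk fail with the same message, `err(1, "unveil")`, so a failure on one path cannot be told apart from the other or from the final lock-down; the two path-specific calls should name the path, `err(1, "unveil %s", "/etc/hosts")` and `err(1, "unveil %s", "/etc/resolv.conf")`, leaving the plain message for `unveil(NULL, NULL)`. The block also deserves a one-line why-comment, since the allow-list looks arbitrary to a reader who does not know the resolver reads these two files: `/* Only the resolver touches the filesystem; restrict it to its config files. */`. Note that unveil(2) limits filesystem paths only, so whatever kernel interface performs the actual drop (tir is filled in outside this hunk) is not constrained by it; that is presumably intended, but worth stating in the comment. main() begins before and continues after this hunk.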


Re: unveil tcpdrop

Alexander Bluhm
On Wed, Nov 07, 2018 at 01:02:28PM +0000, Ricardo Mestre wrote:

> Hi,
>
> tcpdrop(8) needs to access only two files, in this case /etc/hosts and
> /etc/resolv.conf both with read permissions for the purpose of name resolution.
> ethers(5) is not needed since we are not using any of the ether_*(3) family.
>
> Since unistd.h needs to be included I also shuffled netdb.h into the right
> place.
>
> Comments? OK?

OK bluhm@

> Index: tcpdrop.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 tcpdrop.c
> --- tcpdrop.c 16 Jan 2015 06:40:21 -0000 1.17
> +++ tcpdrop.c 6 Nov 2018 10:48:10 -0000
> @@ -27,10 +27,11 @@
>  #include <netinet/tcp_var.h>
>  
>  #include <err.h>
> +#include <netdb.h>
>  #include <stdio.h>
>  #include <string.h>
>  #include <stdlib.h>
> -#include <netdb.h>
> +#include <unistd.h>
>  
>  __dead void usage(void);
>  
> @@ -61,6 +62,13 @@ main(int argc, char **argv)
>   char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2;
>   struct tcp_ident_mapping tir;
>   int gaierr, rval = 0;
> +
> + if (unveil("/etc/hosts", "r") == -1)
> + err(1, "unveil");
> + if (unveil("/etc/resolv.conf", "r") == -1)
> + err(1, "unveil");
> + if (unveil(NULL, NULL) == -1)
> + err(1, "unveil");
>  
>   memset(&hints, 0, sizeof(hints));
>   hints.ai_family = AF_UNSPEC;