diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2021-04-01 13:58:32 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2021-04-05 13:51:56 +0000 |
| commit | d3f2c31b43b726ffbb180a42cee4b9f00c5ad5ed (patch) | |
| tree | 78586666928416b870f067a1744398d9a99988d6 | |
| parent | 95a466b20d92e8016058ec8bad46b63ca06dc60d (diff) | |
| download | src-d3f2c31b43b726ffbb180a42cee4b9f00c5ad5ed.tar.gz src-d3f2c31b43b726ffbb180a42cee4b9f00c5ad5ed.zip | |
traceroute6: Fix Capsicum rights for rcvsock
- Always use distinct sockets for send and recv
- Limit rights on the recv socket
For ICMP6 we were using the same socket for both send and receive, and
we limited rights on the socket such that it's impossible to receive
anything.
PR: 254623
Diagnosed by: Zhenlei Huang <zlei.huang@gmail.com>
Reviewed by: oshogbo
Differential Revision: https://reviews.freebsd.org/D29523
(cherry picked from commit b8ae450f05e62a851f444edaf7db2506ff99aa37)
| -rw-r--r-- | usr.sbin/traceroute6/traceroute6.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/usr.sbin/traceroute6/traceroute6.c b/usr.sbin/traceroute6/traceroute6.c index 7663283a6c44..8449a9861302 100644 --- a/usr.sbin/traceroute6/traceroute6.c +++ b/usr.sbin/traceroute6/traceroute6.c @@ -578,8 +578,6 @@ main(int argc, char *argv[]) */ switch (useproto) { case IPPROTO_ICMPV6: - sndsock = rcvsock; - break; case IPPROTO_NONE: case IPPROTO_SCTP: case IPPROTO_TCP: @@ -928,7 +926,6 @@ main(int argc, char *argv[]) * namespaces (e.g filesystem) is restricted (see capsicum(4)). * We must connect(2) our socket before this point. */ - if (caph_enter_casper() < 0) { fprintf(stderr, "caph_enter_casper: %s\n", strerror(errno)); exit(1); @@ -940,6 +937,12 @@ main(int argc, char *argv[]) strerror(errno)); exit(1); } + cap_rights_init(&rights, CAP_RECV); + if (caph_rights_limit(rcvsock, &rights) < 0) { + fprintf(stderr, "caph_rights_limit rcvsock: %s\n", + strerror(errno)); + exit(1); + } /* * Main loop |