mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-19 10:53:58 +00:00
Code Issues Releases Activity

MFp4 @229484:

Browse Source 
Limit routing socket so only poll(2) and read(2) are allowed (CAP_POLL_EVENT
and CAP_READ). This prevents unprivileged process from adding, removing or
modifying system routes.

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Pawel Jakub Dawidek 2013-07-03 22:18:40 +00:00
parent de2c882f5c
commit f73ac8b9de
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=252630
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sbin/dhclient/dhclient.c
View File

@ -492,6 +492,10 @@ main(int argc, char *argv[])
add_protocol("AF_ROUTE", routefd, routehandler, ifi);
if (shutdown(routefd, SHUT_WR) < 0)
error("can't shutdown route socket: %m");
if (cap_rights_limit(routefd, CAP_POLL_EVENT | CAP_READ) < 0 &&
errno != ENOSYS) {
error("can't limit route socket: %m");
}
if (chroot(_PATH_VAREMPTY) == -1)
error("chroot");