MFp4 @229487:

Revoke all capability rights from STDIN and allow only for write to STDOUT and STDERR. All those descriptors are redirected to /dev/null. Reviewed by: brooks Sponsored by: The FreeBSD Foundation
author: pjd <pjd@FreeBSD.org> 2013-07-03 22:22:29 +0000
committer: pjd <pjd@FreeBSD.org> 2013-07-03 22:22:29 +0000
commit: b93b6961b07bfcedd1fb84284a72573c66fe8b36 (patch)
tree: 1b8f20f7a04ba8c56e2692b0cb253d04404fc950 /sbin/dhclient
parent: 671bf2da4323dd91bdb6ab81d384220e0af44c3c (diff)
download: FreeBSD-src-b93b6961b07bfcedd1fb84284a72573c66fe8b36.zip
FreeBSD-src-b93b6961b07bfcedd1fb84284a72573c66fe8b36.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index b695f6a..2305d97 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -2379,6 +2379,13 @@ go_daemon(void)
 		close(nullfd);
 		nullfd = -1;
 	}
+
+	if (cap_rights_limit(STDIN_FILENO, CAP_NONE) < 0 && errno != ENOSYS)
+		error("can't limit stdin: %m");
+	if (cap_rights_limit(STDOUT_FILENO, CAP_WRITE) < 0 && errno != ENOSYS)
+		error("can't limit stdout: %m");
+	if (cap_rights_limit(STDERR_FILENO, CAP_WRITE) < 0 && errno != ENOSYS)
+		error("can't limit stderr: %m");
 }
 
 int
author	pjd <pjd@FreeBSD.org>	2013-07-03 22:22:29 +0000
committer	pjd <pjd@FreeBSD.org>	2013-07-03 22:22:29 +0000
commit	b93b6961b07bfcedd1fb84284a72573c66fe8b36 (patch)
tree	1b8f20f7a04ba8c56e2692b0cb253d04404fc950 /sbin/dhclient
parent	671bf2da4323dd91bdb6ab81d384220e0af44c3c (diff)
download	FreeBSD-src-b93b6961b07bfcedd1fb84284a72573c66fe8b36.zip FreeBSD-src-b93b6961b07bfcedd1fb84284a72573c66fe8b36.tar.gz