MFp4 @229484:

Limit routing socket so only poll(2) and read(2) are allowed (CAP_POLL_EVENT and CAP_READ). This prevents unprivileged process from adding, removing or modifying system routes. Reviewed by: brooks Sponsored by: The FreeBSD Foundation
author: pjd <pjd@FreeBSD.org> 2013-07-03 22:18:40 +0000
committer: pjd <pjd@FreeBSD.org> 2013-07-03 22:18:40 +0000
commit: 157b58cb300b2659ec65eee45aef27bfdcda91b6 (patch)
tree: b68b389a76cb402157745bd9a2589f2f2099d661 /sbin/dhclient
parent: 6526d2e66afdac969c9cf66a338ca6aba259bc9f (diff)
download: FreeBSD-src-157b58cb300b2659ec65eee45aef27bfdcda91b6.zip
FreeBSD-src-157b58cb300b2659ec65eee45aef27bfdcda91b6.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index ad0d02e..34ff853 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -492,6 +492,10 @@ main(int argc, char *argv[])
 		add_protocol("AF_ROUTE", routefd, routehandler, ifi);
 	if (shutdown(routefd, SHUT_WR) < 0)
 		error("can't shutdown route socket: %m");
+	if (cap_rights_limit(routefd, CAP_POLL_EVENT | CAP_READ) < 0 &&
+	    errno != ENOSYS) {
+		error("can't limit route socket: %m");
+	}
 
 	if (chroot(_PATH_VAREMPTY) == -1)
 		error("chroot");
author	pjd <pjd@FreeBSD.org>	2013-07-03 22:18:40 +0000
committer	pjd <pjd@FreeBSD.org>	2013-07-03 22:18:40 +0000
commit	157b58cb300b2659ec65eee45aef27bfdcda91b6 (patch)
tree	b68b389a76cb402157745bd9a2589f2f2099d661 /sbin/dhclient
parent	6526d2e66afdac969c9cf66a338ca6aba259bc9f (diff)
download	FreeBSD-src-157b58cb300b2659ec65eee45aef27bfdcda91b6.zip FreeBSD-src-157b58cb300b2659ec65eee45aef27bfdcda91b6.tar.gz