author | pjd <pjd@FreeBSD.org> | 2013-07-03 22:17:29 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2013-07-03 22:17:29 +0000 |
commit | 6526d2e66afdac969c9cf66a338ca6aba259bc9f (patch) | |
tree | 20899d2a303f494541f8ebefb29398e41d6d8efa /sbin | |
parent | 11d993e6946901df0579895d876a7aa1d4cc9b98 (diff) | |
MFp4 @229483:
Limit communication pipe with privileged process to CAP_READ and CAP_WRITE.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/dhclient/dhclient.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index 8dc9736..ad0d02e 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -59,6 +59,8 @@ __FBSDID("$FreeBSD$");
 #include "dhcpd.h"
 #include "privsep.h"
+#include <sys/capability.h>
+
 #include <net80211/ieee80211_freebsd.h>
 #ifndef _PATH_VAREMPTY
@@ -470,6 +472,10 @@ main(int argc, char *argv[])
 close(pipe_fd[0]);
 privfd = pipe_fd[1];
+ if (cap_rights_limit(privfd, CAP_READ | CAP_WRITE) < 0 &&
+ errno != ENOSYS) {
+ error("can't limit private descriptor: %m");
+ }
 if ((fd = open(path_dhclient_db, O_RDONLY|O_EXLOCK|O_CREAT, 0)) == -1)
 error("can't open and lock %s: %m", path_dhclient_db);
|
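Review bot: The `errno != ENOSYS` exception in the added `cap_rights_limit()` check in main() is undocumented, so a reader cannot tell that on a kernel without capability support privfd silently keeps its full rights and the client carries on. I would add a comment above the call, for example `/* Best effort: ENOSYS means the kernel lacks capability support; privfd then stays unrestricted. */`, so the fallback is visibly a deliberate choice rather than an overlooked error path. As a style point, the braces around the single `error(...)` call differ from the unbraced `if ((fd = open(...` directly below; dropping them would keep the two checks consistent. main() begins and ends outside this hunk, so whether the privileged end of the pipe is restricted elsewhere cannot be judged from here.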