1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
--- ngrep.c.orig 2006-11-28 17:38:43.000000000 +0400
+++ ngrep.c 2014-12-12 11:14:13.000000000 +0400
@@ -97,6 +97,10 @@
#include "regex-0.12/regex.h"
#endif
+#ifdef HAVE_CAPSICUM
+#include <sys/capability.h>
+#endif /* HAVE CAPSICUM */
+
#include "ngrep.h"
@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
int main(int argc, char **argv) {
int32_t c;
+#ifdef HAVE_CAPSICUM
+ cap_rights_t rights;
+#endif /* HAVE_CAPSICUM */
+
signal(SIGINT, clean_exit);
signal(SIGABRT, clean_exit);
@@ -416,6 +424,23 @@ int main(int argc, char **argv) {
clean_exit(-1);
}
+#ifdef HAVE_CAPSICUM
+ cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
+ if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
+ errno != ENOSYS) {
+ fprintf(stderr, "unable to limit pcap descriptor");
+ clean_exit(-1);
+ }
+
+ static const unsigned long cmds[] = { BIOCGSTATS };
+ if (cap_ioctls_limit(pcap_fileno(pd), cmds,
+ sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
+ fprintf(stderr, "unable to limit ioctls on pcap descriptor");
+ clean_exit(-1);
+ }
+
+#endif /* HAVE CAPSICUM */
+
if (match_data) {
if (bin_match) {
uint32_t i = 0, n;
@@ -603,6 +628,20 @@ int main(int argc, char **argv) {
drop_privs();
#endif
+#ifdef HAVE_CAPSICUM
+ cap_rights_init(&rights);
+
+ if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
+ fprintf(stderr, "can't limit stdin");
+ clean_exit(-1);
+ }
+
+ if (cap_enter() < 0 && errno != ENOSYS) {
+ fprintf(stderr, "can't enter capability mode");
+ clean_exit(-1);
+ }
+#endif /* HAVE_CAPSICUM */
+
while (pcap_loop(pd, 0, (pcap_handler)process, 0));
clean_exit(0);
|
