svn commit: r346263 - head/contrib/tcpdump

Shawn Webb shawn.webb at hardenedbsd.org
Tue Sep 3 14:07:02 UTC 2019


On Tue, Apr 16, 2019 at 04:12:42AM +0000, Mariusz Zaborski wrote:
> Author: oshogbo
> Date: Tue Apr 16 04:12:41 2019
> New Revision: 346263
> URL: https://svnweb.freebsd.org/changeset/base/346263
> 
> Log:
>   tcpdump: disable Capsicum if -E option is provided.
>   
>   The -E is used to provide a secret for decrypting IPsec.
>   The secret may be provided through the command line or as a file.
>   The problem is that tcpdump doesn't yet support opening files in capability mode
>   and the file may contain a list of the files to open.
>   
>   As a workaround, for now, let's just disable Capsicum if the -E
>   option is provided.
>   
>   PR:		236819
>   MFC after:	2 weeks
> 
> Modified:
>   head/contrib/tcpdump/tcpdump.c
> 
> Modified: head/contrib/tcpdump/tcpdump.c
> ==============================================================================
> --- head/contrib/tcpdump/tcpdump.c	Tue Apr 16 02:48:04 2019	(r346262)
> +++ head/contrib/tcpdump/tcpdump.c	Tue Apr 16 04:12:41 2019	(r346263)
> @@ -2063,7 +2063,8 @@ main(int argc, char **argv)
>  	}
>  
>  #ifdef HAVE_CAPSICUM
> -	cansandbox = (VFileName == NULL && zflag == NULL);
> +	cansandbox = (VFileName == NULL && zflag == NULL &&
> +	    ndo->ndo_espsecret == NULL);
>  #ifdef HAVE_CASPER
>  	cansandbox = (cansandbox && (ndo->ndo_nflag || capdns != NULL));
>  #else
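
Review bot: The new `ndo->ndo_espsecret == NULL` term in the `cansandbox` assignment turns the sandbox off silently, with no comment in the code and no message to the user. It also fires for every use of -E, although the log describes the problem only for the case where the secret is given as a file that may list further files to open. Please add a comment at this line marking it as a temporary workaround for PR 236819, consider narrowing the test to the file case if that can be told apart at this point, and either print a warning when `cansandbox` ends up false because of -E or note the behaviour in the manual page, so that users relying on Capsicum know when they are running without it.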

Is there any documentation anywhere telling users that Capsicum
support will be disabled under certain circumstances?

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera at is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2