Re: unveil tcpdrop
On Tue, Apr 30, 2019 at 06:23:57PM +0100, Ricardo Mestre wrote: > Went through my old sent emails and saw this one still pending on my tree. > > Is this OK? > > On 13:02 Wed 07 Nov , Ricardo Mestre wrote: > > Hi, > > > > tcpdrop(8) needs to access only two files, in this case /etc/hosts and > > /etc/resolv.conf both with read permissions for the purpose of name > > resolution. > > ethers(5) is not needed since we are not using any of the ether_*(3) family. > > > > Since unistd.h needs to be included I also shuffled netdb.h into the right > > place. > > > > Comments? OK? > > > > Index: tcpdrop.c > > === > > RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v > > retrieving revision 1.17 > > diff -u -p -u -r1.17 tcpdrop.c > > --- tcpdrop.c 16 Jan 2015 06:40:21 - 1.17 > > +++ tcpdrop.c 6 Nov 2018 10:48:10 - > > @@ -27,10 +27,11 @@ > > #include > > > > #include > > +#include > > #include > > #include > > #include > > -#include > > +#include > > > > __dead void usage(void); > > > > @@ -61,6 +62,13 @@ main(int argc, char **argv) > > char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2; > > struct tcp_ident_mapping tir; > > int gaierr, rval = 0; > > + > > + if (unveil("/etc/hosts", "r") == -1) > > + err(1, "unveil"); > > + if (unveil("/etc/resolv.conf", "r") == -1) > > + err(1, "unveil"); > > + if (unveil(NULL, NULL) == -1) > > + err(1, "unveil"); > > > > memset(&hints, 0, sizeof(hints)); > > hints.ai_family = AF_UNSPEC; This seems low risk, and looks good to me also. ok brynet@
Re: unveil tcpdrop
Ricardo Mestre(ser...@helheim.mooo.com) on 2019.04.30 18:23:57 +0100: > Went through my old sent emails and saw this one still pending on my tree. > > Is this OK? you got an OK bluhm@ on Nov 7th. and since i cant see a problem with it, ok benno@ too ;) > On 13:02 Wed 07 Nov , Ricardo Mestre wrote: > > Hi, > > > > tcpdrop(8) needs to access only two files, in this case /etc/hosts and > > /etc/resolv.conf both with read permissions for the purpose of name > > resolution. > > ethers(5) is not needed since we are not using any of the ether_*(3) family. > > > > Since unistd.h needs to be included I also shuffled netdb.h into the right > > place. > > > > Comments? OK? > > > > Index: tcpdrop.c > > === > > RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v > > retrieving revision 1.17 > > diff -u -p -u -r1.17 tcpdrop.c > > --- tcpdrop.c 16 Jan 2015 06:40:21 - 1.17 > > +++ tcpdrop.c 6 Nov 2018 10:48:10 - > > @@ -27,10 +27,11 @@ > > #include > > > > #include > > +#include > > #include > > #include > > #include > > -#include > > +#include > > > > __dead void usage(void); > > > > @@ -61,6 +62,13 @@ main(int argc, char **argv) > > char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2; > > struct tcp_ident_mapping tir; > > int gaierr, rval = 0; > > + > > + if (unveil("/etc/hosts", "r") == -1) > > + err(1, "unveil"); > > + if (unveil("/etc/resolv.conf", "r") == -1) > > + err(1, "unveil"); > > + if (unveil(NULL, NULL) == -1) > > + err(1, "unveil"); > > > > memset(&hints, 0, sizeof(hints)); > > hints.ai_family = AF_UNSPEC; >
Re: unveil tcpdrop
Went through my old sent emails and saw this one still pending on my tree. Is this OK? On 13:02 Wed 07 Nov , Ricardo Mestre wrote: > Hi, > > tcpdrop(8) needs to access only two files, in this case /etc/hosts and > /etc/resolv.conf both with read permissions for the purpose of name > resolution. > ethers(5) is not needed since we are not using any of the ether_*(3) family. > > Since unistd.h needs to be included I also shuffled netdb.h into the right > place. > > Comments? OK? > > Index: tcpdrop.c > === > RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v > retrieving revision 1.17 > diff -u -p -u -r1.17 tcpdrop.c > --- tcpdrop.c 16 Jan 2015 06:40:21 - 1.17 > +++ tcpdrop.c 6 Nov 2018 10:48:10 - > @@ -27,10 +27,11 @@ > #include > > #include > +#include > #include > #include > #include > -#include > +#include > > __dead void usage(void); > > @@ -61,6 +62,13 @@ main(int argc, char **argv) > char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2; > struct tcp_ident_mapping tir; > int gaierr, rval = 0; > + > + if (unveil("/etc/hosts", "r") == -1) > + err(1, "unveil"); > + if (unveil("/etc/resolv.conf", "r") == -1) > + err(1, "unveil"); > + if (unveil(NULL, NULL) == -1) > + err(1, "unveil"); > > memset(&hints, 0, sizeof(hints)); > hints.ai_family = AF_UNSPEC;
Re: unveil tcpdrop
On Wed, Nov 07, 2018 at 01:02:28PM +, Ricardo Mestre wrote: > Hi, > > tcpdrop(8) needs to access only two files, in this case /etc/hosts and > /etc/resolv.conf both with read permissions for the purpose of name > resolution. > ethers(5) is not needed since we are not using any of the ether_*(3) family. > > Since unistd.h needs to be included I also shuffled netdb.h into the right > place. > > Comments? OK? OK bluhm@ > Index: tcpdrop.c > === > RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v > retrieving revision 1.17 > diff -u -p -u -r1.17 tcpdrop.c > --- tcpdrop.c 16 Jan 2015 06:40:21 - 1.17 > +++ tcpdrop.c 6 Nov 2018 10:48:10 - > @@ -27,10 +27,11 @@ > #include > > #include > +#include > #include > #include > #include > -#include > +#include > > __dead void usage(void); > > @@ -61,6 +62,13 @@ main(int argc, char **argv) > char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2; > struct tcp_ident_mapping tir; > int gaierr, rval = 0; > + > + if (unveil("/etc/hosts", "r") == -1) > + err(1, "unveil"); > + if (unveil("/etc/resolv.conf", "r") == -1) > + err(1, "unveil"); > + if (unveil(NULL, NULL) == -1) > + err(1, "unveil"); > > memset(&hints, 0, sizeof(hints)); > hints.ai_family = AF_UNSPEC;
unveil tcpdrop
Hi, tcpdrop(8) needs to access only two files, in this case /etc/hosts and /etc/resolv.conf both with read permissions for the purpose of name resolution. ethers(5) is not needed since we are not using any of the ether_*(3) family. Since unistd.h needs to be included I also shuffled netdb.h into the right place. Comments? OK? Index: tcpdrop.c === RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v retrieving revision 1.17 diff -u -p -u -r1.17 tcpdrop.c --- tcpdrop.c 16 Jan 2015 06:40:21 - 1.17 +++ tcpdrop.c 6 Nov 2018 10:48:10 - @@ -27,10 +27,11 @@ #include #include +#include #include #include #include -#include +#include __dead void usage(void); @@ -61,6 +62,13 @@ main(int argc, char **argv) char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2; struct tcp_ident_mapping tir; int gaierr, rval = 0; + + if (unveil("/etc/hosts", "r") == -1) + err(1, "unveil"); + if (unveil("/etc/resolv.conf", "r") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC;
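Review bot: in the first hunk the header names have been stripped by extraction (every `#include` line is bare), so the hunk as shown here does not document which header is added and which is moved; from the description above the added line is `#include <unistd.h>` and the `-`/`+` pair moves `#include <netdb.h>` into sorted position. When committing, it is worth re-checking the real diff so that only those two directives change and no other include is dropped in the shuffle.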
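Review bot: in the second hunk the two path unveils share the identical message `err(1, "unveil")`, so a failure cannot be told apart by which path triggered it; `err(1, "unveil %s", "/etc/hosts")` (and likewise for `/etc/resolv.conf`), or a small loop over the two paths, keeps the same behaviour with a more useful diagnostic. The ordering is right: `unveil(NULL, NULL)` locks the view before any argument handling, after which only the two read-only resolver files remain reachable and any other filesystem access is denied, which matches the rationale given above (no ethers(5) lookups, so no `/etc/ethers`); a one-line comment at the call site stating that these are the only files getaddrinfo(3) needs would save the next reader from re-deriving it.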