On Tue, Apr 16, 2019 at 04:12:42AM +0000, Mariusz Zaborski wrote: > Author: oshogbo > Date: Tue Apr 16 04:12:41 2019 > New Revision: 346263 > URL: https://svnweb.freebsd.org/changeset/base/346263 > > Log: > tcpdump: disable Capsicum if -E option is provided. > > The -E is used to provide a secret for decrypting IPsec. > The secret may be provided through command line or as the file. > The problem is that tcpdump doesn't support yet opening files in capability > mode > and the file may contain a list of the files to open. > > As a workaround, for now, let's just disable capsicum if the -E > the option is provided. > > PR: 236819 > MFC after: 2 weeks > > Modified: > head/contrib/tcpdump/tcpdump.c > > Modified: head/contrib/tcpdump/tcpdump.c > ============================================================================== > --- head/contrib/tcpdump/tcpdump.c Tue Apr 16 02:48:04 2019 > (r346262) > +++ head/contrib/tcpdump/tcpdump.c Tue Apr 16 04:12:41 2019 > (r346263) > @@ -2063,7 +2063,8 @@ main(int argc, char **argv) > } > > #ifdef HAVE_CAPSICUM > - cansandbox = (VFileName == NULL && zflag == NULL); > + cansandbox = (VFileName == NULL && zflag == NULL && > + ndo->ndo_espsecret == NULL); > #ifdef HAVE_CASPER > cansandbox = (cansandbox && (ndo->ndo_nflag || capdns != NULL)); > #else
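
Review bot: the added `ndo->ndo_espsecret == NULL` term in the `cansandbox` assignment turns the sandbox off for every use of -E, while the log describes the problem as limited to the case where the secret comes from a file that may list further files to open. If the command-line form needs no file access after startup, consider testing for the file form only, so that a secret given directly on the command line still runs in capability mode. The change is also silent: the hunk has no comment marking the term as a temporary workaround for PR 236819, and nothing tells the user that Capsicum has been dropped. A short comment above the assignment and a note in the -E section of the man page would cover both. This matters more than usual here because -E is the mode in which tcpdump decrypts and then dissects captured traffic, which is the parsing work the sandbox is there to contain.
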
Is there any documentation anywhere telling users that Capsicum support will be disabled under certain circumstances?

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: latt...@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2