Hi,
tcpdrop(8) needs to access only two files, in this case /etc/hosts and
/etc/resolv.conf both with read permissions for the purpose of name resolution.
ethers(5) is not needed since we are not using any of the ether_*(3) family.
Since unistd.h needs to be included I also shuffled netdb.h into the right
place.
Comments? OK?
Index: tcpdrop.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 tcpdrop.c
--- tcpdrop.c 16 Jan 2015 06:40:21 -0000 1.17
+++ tcpdrop.c 6 Nov 2018 10:48:10 -0000
@@ -27,10 +27,11 @@
#include <netinet/tcp_var.h>
#include <err.h>
+#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
-#include <netdb.h>
+#include <unistd.h>
__dead void usage(void);
@@ -61,6 +62,13 @@ main(int argc, char **argv)
char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2;
struct tcp_ident_mapping tir;
int gaierr, rval = 0;
+
+ if (unveil("/etc/hosts", "r") == -1)
+ err(1, "unveil");
+ if (unveil("/etc/resolv.conf", "r") == -1)
+ err(1, "unveil");
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil");
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
