On Tue, Apr 30, 2019 at 06:23:57PM +0100, Ricardo Mestre wrote: > Went through my old sent emails and saw this one still pending on my tree. > > Is this OK? > > On 13:02 Wed 07 Nov , Ricardo Mestre wrote: > > Hi, > > > > tcpdrop(8) needs to access only two files, in this case /etc/hosts and > > /etc/resolv.conf both with read permissions for the purpose of name > > resolution. > > ethers(5) is not needed since we are not using any of the ether_*(3) family. > > > > Since unistd.h needs to be included I also shuffled netdb.h into the right > > place. > > > > Comments? OK? > > > > Index: tcpdrop.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/tcpdrop/tcpdrop.c,v > > retrieving revision 1.17 > > diff -u -p -u -r1.17 tcpdrop.c > > --- tcpdrop.c 16 Jan 2015 06:40:21 -0000 1.17 > > +++ tcpdrop.c 6 Nov 2018 10:48:10 -0000 > > @@ -27,10 +27,11 @@ > > #include <netinet/tcp_var.h> > > > > #include <err.h> > > +#include <netdb.h> > > #include <stdio.h> > > #include <string.h> > > #include <stdlib.h> > > -#include <netdb.h> > > +#include <unistd.h> > > > > __dead void usage(void); > > > > @@ -61,6 +62,13 @@ main(int argc, char **argv) > > char *laddr1, *addr1, *port1, *faddr2, *addr2, *port2; > > struct tcp_ident_mapping tir; > > int gaierr, rval = 0; > > + > > + if (unveil("/etc/hosts", "r") == -1) > > + err(1, "unveil"); > > + if (unveil("/etc/resolv.conf", "r") == -1) > > + err(1, "unveil"); > > + if (unveil(NULL, NULL) == -1) > > + err(1, "unveil"); > > > > memset(&hints, 0, sizeof(hints)); > > hints.ai_family = AF_UNSPEC;
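Review bot: In the include block of the first hunk, <string.h> still precedes <stdlib.h> once <netdb.h> has been moved, so the list is not yet alphabetical. Since the stated reason for the move is to put netdb.h in the right place, swapping those two lines in the same change would finish the sort.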
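Review bot: In the block added at the top of main() in the second hunk, all three failure paths call err(1, "unveil") with the same string, so a failure does not say which path or step was rejected. Including the path in the message, for example err(1, "unveil %s", "/etc/hosts"), and giving the final unveil(NULL, NULL) lock its own message would make failures diagnosable. A one-line comment that the two files are unveiled read-only for name resolution would also carry the commit message's reasoning into the source.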
This seems low risk, and looks good to me also. ok brynet@