MFp4 @229484:
Limit routing socket so only poll(2) and read(2) are allowed (CAP_POLL_EVENT and CAP_READ). This prevents unprivileged process from adding, removing or modifying system routes. Reviewed by: brooks Sponsored by: The FreeBSD Foundation
This commit is contained in:
parent
de2c882f5c
commit
f73ac8b9de
@ -492,6 +492,10 @@ main(int argc, char *argv[])
|
||||
add_protocol("AF_ROUTE", routefd, routehandler, ifi);
|
||||
if (shutdown(routefd, SHUT_WR) < 0)
|
||||
error("can't shutdown route socket: %m");
|
||||
if (cap_rights_limit(routefd, CAP_POLL_EVENT | CAP_READ) < 0 &&
|
||||
errno != ENOSYS) {
|
||||
error("can't limit route socket: %m");
|
||||
}
|
||||
|
||||
if (chroot(_PATH_VAREMPTY) == -1)
|
||||
error("chroot");
|
||||
|
Loading…
Reference in New Issue
Block a user