MFp4 @229484:

Limit routing socket so only poll(2) and read(2) are allowed (CAP_POLL_EVENT
and CAP_READ). This prevents unprivileged process from adding, removing or
modifying system routes.

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Pawel Jakub Dawidek 2013-07-03 22:18:40 +00:00
parent de2c882f5c
commit f73ac8b9de

View File

@ -492,6 +492,10 @@ main(int argc, char *argv[])
add_protocol("AF_ROUTE", routefd, routehandler, ifi);
if (shutdown(routefd, SHUT_WR) < 0)
error("can't shutdown route socket: %m");
if (cap_rights_limit(routefd, CAP_POLL_EVENT | CAP_READ) < 0 &&
errno != ENOSYS) {
error("can't limit route socket: %m");
}
if (chroot(_PATH_VAREMPTY) == -1)
error("chroot");