From f73ac8b9deb031a5f6a2a762910fe0f627d5dfe5 Mon Sep 17 00:00:00 2001 From: Pawel Jakub Dawidek Date: Wed, 3 Jul 2013 22:18:40 +0000 Subject: [PATCH] MFp4 @229484: Limit routing socket so only poll(2) and read(2) are allowed (CAP_POLL_EVENT and CAP_READ). This prevents unprivileged process from adding, removing or modifying system routes. Reviewed by: brooks Sponsored by: The FreeBSD Foundation --- sbin/dhclient/dhclient.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index ad0d02ee9472..34ff85300a7e 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -492,6 +492,10 @@ main(int argc, char *argv[]) add_protocol("AF_ROUTE", routefd, routehandler, ifi); if (shutdown(routefd, SHUT_WR) < 0) error("can't shutdown route socket: %m"); + if (cap_rights_limit(routefd, CAP_POLL_EVENT | CAP_READ) < 0 && + errno != ENOSYS) { + error("can't limit route socket: %m"); + } if (chroot(_PATH_VAREMPTY) == -1) error("chroot");