Commit Graph

59 Commits

Author SHA1 Message Date
Mariusz Zaborski
42668853c0 tcpdump: disable Capsicum if -E option is provided.
The -E is used to provide a secret for decrypting IPsec.
The secret may be provided through command line or as the file.
The problem is that tcpdump doesn't support yet opening files in capability mode
and the file may contain a list of the files to open.

As a workaround, for now, let's just disable capsicum if the -E
the option is provided.

PR:		236819
MFC after:	2 weeks
2019-04-16 04:12:41 +00:00
Hans Petter Selasky
46caeeca78 Don't register IOCTLs with capsicum when there is no valid file descriptor.
This fixes tcpdump when using mlx5_X devices.

Differential Revision:	https://reviews.freebsd.org/D18499
Reviewed by:		kib@, slavash@, oshogbo@
MFC after:		1 week
Sponsored by:		Mellanox Technologies
2018-12-12 09:51:10 +00:00
Mariusz Zaborski
752d135e0d libcasper: ange the name of limits in cap_dns so the intentions are obvious.
Reported by:	pjd
MFC after:	3 weeks
2018-11-12 15:52:45 +00:00
Hans Petter Selasky
e6895e8049 Fix for backends which doesn't support capsicum.
Not all libpcap backends use the BPF compatible set
of IOCTLs. For example the mlx5 backend uses libibverbs
which is currently not capsicum compatible.

Disable sandboxing for such backends.

MFC after:		3 days
Discussed with:		emaste@
Approved by:		re (kib)
Sponsored by:		Mellanox Technologies
2018-09-12 10:09:59 +00:00
Slava Shwartsman
ddeb4e8aa6 MFV r333668:
Vendor import two upstream commits:
c1bb8784abd3ca978e376b0d10e324db0491237b
9c4af7213cc2543a1f5586d8f2c19f86aa0cbe72

When using tcpdump -I -i wlanN and wlanN is not a monitor mode VAP,
tcpdump will print an error message saying rfmon is not supported.

Give a concise explanation as to how one might solve this problem by
creating a monitor mode VAP.

MFC after:      1 month
Approved by:    hselasky (mentor), kib (mentor)
Sponsored by:   Mellanox Technologies
2018-05-29 10:29:04 +00:00
Ed Maste
0bff6a5af8 Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.

One other notable change:
  Do not use getprotobynumber() for protocol name resolution.
  Do not do any protocol name resolution if -n is specified.

Submitted by:	gordon
Reviewed by:	delphij, emaste, glebius
MFC after:	1 week
Relnotes:	Yes
Security:	CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security:	CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security:	CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security:	CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security:	CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security:	CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security:	CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security:	CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security:	CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security:	CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security:	CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security:	CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security:	CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security:	CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security:	CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security:	CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security:	CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security:	CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security:	CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security:	CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security:	CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security:	CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security:	CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security:	CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security:	CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security:	CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security:	CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security:	CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security:	CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security:	CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision:	https://reviews.freebsd.org/D12404
2017-12-06 02:21:11 +00:00
Mariusz Zaborski
b01988a5f5 Partially revert r323866.
Using HAVE_* is a internal tcpdump style standard.
We want to be consistent with the standard to upstream those changes in
the future.

Requested by: glebius@
2017-10-04 21:05:44 +00:00
Mariusz Zaborski
2560d18180 We use a few different ifdef's names to check if we are using Casper or not,
let's standardize this. Now we are always use WITH_CASPER name.

Discussed with:	emaste@
MFC after:	1 month
2017-09-21 14:41:41 +00:00
Gleb Smirnoff
f97074045b Cherry-pick 5d3c5151c2b885aab36627bafb8539238da27b2d, it fixes use after free
if tcpdump(1) is run on non-existent interface.

Suggested by:	zeising
2017-04-25 15:56:46 +00:00
Gleb Smirnoff
3057e051be Reduce diff to upstream using HAVE_CAPSICUM instead of __FreeBSD__. It'll also
make it easier to upstream HAVE_CASPER patch.
2017-02-02 19:56:41 +00:00
Gleb Smirnoff
3340d77368 Update tcpdump to 4.9.0.
It fixes many buffer overflow in different protocol parsers, but none of
them are critical, even in absense of Capsicum.

Security:	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925
Security:	CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929
Security:	CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933
Security:	CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937
Security:	CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973
Security:	CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984
Security:	CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993
Security:	CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203
Security:	CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342
Security:	CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485
Security:	CVE-2017-5486
2017-02-01 20:26:42 +00:00
Mariusz Zaborski
b02f20f47e tcpdump: allow to use BIOCROTZBUF in capability mode
The libpcap library can use a BIOCROTZBUF ioctl when net.bpf.zerocopy_enable
sysctl is set.

Reported by:	olivier@
Tested by:	olivier@
2016-12-06 18:58:42 +00:00
Ed Maste
568415f29d tcpdump: remove sys/capability.h #include
sys/capability.h is just a backwards compatibility wrapper around
sys/capsicum.h, which is already #included.
2016-09-19 17:51:56 +00:00
Mariusz Zaborski
9f51f38916 The code responsible for opening and rotating pcap files is independent
of Capser and should use openat(2) unconditionally on FreeBSD.
openat(2) is mandatory when sandboxed with Capsicum, but still works
in the absence of Capsicum.

Reviewed by:	AllanJude
2016-06-08 23:22:59 +00:00
Mariusz Zaborski
e29a5e1bb9 Fix spelling of the casper introduced in the r296047.
PR:		210031
Reported by:	AllanJude, jmallett
2016-06-08 22:30:21 +00:00
Mariusz Zaborski
c501d73c7e Convert casperd(8) daemon to the libcasper.
After calling the cap_init(3) function Casper will fork from it's original
process, using pdfork(2). Forking from a process has a lot of advantages:
1. We have the same cwd as the original process.
2. The same uid, gid and groups.
3. The same MAC labels.
4. The same descriptor table.
5. The same routing table.
6. The same umask.
7. The same cpuset(1).
From now services are also in form of libraries.
We also removed libcapsicum at all and converts existing program using Casper
to new architecture.

Discussed with:		pjd, jonathan, ed, drysdale@google.com, emaste
Partially reviewed by:	drysdale@google.com, bdrewery
Approved by:		pjd (mentor)
Differential Revision:	https://reviews.freebsd.org/D4277
2016-02-25 18:23:40 +00:00
Patrick Kelsey
8bdc5a6251 MFV r285191: tcpdump 4.7.4.
Also, the changes made in r272451 and r272653 that were lost in the
merge of 4.6.2 (r276788) have been restored.

PR: 199568
Differential Revision: https://reviews.freebsd.org/D3007
Reviewed by: brooks, hiren
Approved by: jmallett (mentor)
MFC after: 1 month
2015-07-08 16:19:32 +00:00
Mariusz Zaborski
c36e54bb32 Let the nv.h and dnv.h includes be only in sys directory.
Change consumers to include those files from sys.
Add duplicated files to ObsoleteFiles.

Approved by:	pjd (mentor)
2015-07-02 21:58:10 +00:00
Brooks Davis
5743dcb3c2 Remove "capability mode sandbox enabled" messages.
These messages serve little purpose and break some consumers.

PR:		199855
Differential Revision:	https://reviews.freebsd.org/D2440
Reviewed by:	rwatson
Approved by:	pjd
MFC after:	1 week
Sponsored by:	DARPA, AFRL
2015-05-04 21:44:51 +00:00
Xin LI
2fae2ab4c7 Don't include libcapsicum headers when requested.
Reported by:	luigi
MFC after:	14 days
X-MFC-with:	r276788
2015-01-24 06:06:46 +00:00
Xin LI
3c602fabf9 MFV r276761: tcpdump 4.6.2.
MFC after:	1 month
2015-01-07 19:55:18 +00:00
Luigi Rizzo
2d4dfaf58b Fix comment and sort rights by name
MFC after:	3 days
2014-10-06 15:03:08 +00:00
Luigi Rizzo
884c0e1112 add CAP_EVENT for the libpcap device so we will be able to use
pcap--netmap which does poll() on the file descriptor

MFC after:	2 weeks
2014-10-02 21:34:52 +00:00
Robert Watson
b881b8be1d Update most userspace consumers of capability.h to use capsicum.h instead.
auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.

MFC after:	3 weeks
2014-03-16 11:04:44 +00:00
Pawel Jakub Dawidek
8ff3952b72 If we cannot connect to casperd we don't enter sandbox, but if we can connect
to casperd, but we cannot access the service we need we exit with an error.
This should not happen and just indicates some configuration error which
should be fixed, so we force the user to do it by failing.

Discussed with:	emaste
2013-12-19 00:51:48 +00:00
Pawel Jakub Dawidek
197731f68f Make use of casperd's system.dns service when running without the -n option.
Now tcpdump(8) is sandboxed even if DNS resolution is required.

Sponsored by:	The FreeBSD Foundation
2013-12-15 23:02:36 +00:00
Pawel Jakub Dawidek
7008be5bd7 Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.

The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.

The structure definition looks like this:

	struct cap_rights {
		uint64_t	cr_rights[CAP_RIGHTS_VERSION + 2];
	};

The initial CAP_RIGHTS_VERSION is 0.

The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.

The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.

To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.

	#define	CAP_PDKILL	CAPRIGHT(1, 0x0000000000000800ULL)

We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:

	#define	CAP_LOOKUP	CAPRIGHT(0, 0x0000000000000400ULL)
	#define	CAP_FCHMOD	CAPRIGHT(0, 0x0000000000002000ULL)

	#define	CAP_FCHMODAT	(CAP_FCHMOD | CAP_LOOKUP)

There is new API to manage the new cap_rights_t structure:

	cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
	void cap_rights_set(cap_rights_t *rights, ...);
	void cap_rights_clear(cap_rights_t *rights, ...);
	bool cap_rights_is_set(const cap_rights_t *rights, ...);

	bool cap_rights_is_valid(const cap_rights_t *rights);
	void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
	void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
	bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);

Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:

	cap_rights_t rights;

	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);

There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:

	#define	cap_rights_set(rights, ...)				\
		__cap_rights_set((rights), __VA_ARGS__, 0ULL)
	void __cap_rights_set(cap_rights_t *rights, ...);

Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:

	cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);

Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.

This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.

Sponsored by:	The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
Rui Paulo
480d5cc8f7 When using tcpdump -I -i wlanN and wlanN is not a monitor mode VAP,
tcpdump will print an error message saying rfmon is not supported.
Give a concise explanation as to how one might solve this problem by
creating a monitor mode VAP.
2013-07-31 02:13:18 +00:00
Pawel Jakub Dawidek
457f64b4ed Sandbox tcpdump(8) using Capsicum's capability mode and capabilities.
For now, sandboxing is done only if -n option was specified and neither -z nor
-V options were given. Because it is very common to run tcpdump(8) with the -n
option for speed, I decided to commit sandboxing now. To also support
sandboxing when -n option wasn't specified, we need Casper daemon and its
services that are not available in FreeBSD yet.

- Limit file descriptors of a file specified by -r option or files specified
  via -V option to CAP_READ only.

- If neither -r nor -V options were specified, we operate on /dev/bpf.
  Limit its descriptor to CAP_READ and CAP_IOCTL plus limit allowed ioctls to
  BIOCGSTATS only.

- Limit file descriptor of a file specified by -w option to CAP_SEEK and
  CAP_WRITE.

- If either -C or -G options were specified, we open directory containing
  destination file and we limit directory descriptor to CAP_CREATE, CAP_FCNTL,
  CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK and CAP_WRITE. Newly opened/created
  files are limited to CAP_SEEK and CAP_WRITE only.

- Enter capability mode if -n option was specified and neither -z nor -V
  options were specified.

Approved by:	delphij, wxs
Sponsored by:	The FreeBSD Foundation
2013-07-07 21:19:53 +00:00
Xin LI
d03c0883ad MFV: tcpdump 4.4.0.
MFC after:	4 weeks
2013-05-30 20:51:22 +00:00
Xin LI
d09a7e67b9 MFV: tcpdump 4.3.0.
MFC after:	4 weeks
2012-10-05 20:19:28 +00:00
Xin LI
cac3dcd5f9 Merge tcpdump 4.2.1.
MFC after:	2 weeks
2012-05-17 05:11:57 +00:00
Rui Paulo
27df3f5ddd Merge tcpdump-4.1.1. 2010-10-28 19:06:17 +00:00
Rui Paulo
a5779b6e02 Merge tcpdump 4.0.0 from the vendor branch. 2009-03-21 18:30:25 +00:00
Rui Paulo
81ceab7147 Flatten vendor/tcpdump and remove keyword expansion. 2009-03-20 13:27:51 +00:00
Max Laier
7b8d9f5cb3 Avoid excessive error message printout.
PR:		bin/118150
Reported by:	keramida
MFC after:	3 days
2007-11-21 12:52:26 +00:00
Max Laier
abf2519367 Resolve merge conflicts
Approved by:	re (kensmith)
Obtained from:	tcpdump.org
2007-10-16 02:31:48 +00:00
Max Laier
b5bfcb5d8a Import of tcpdump v3.9.8 2007-10-16 02:20:42 +00:00
Sam Leffler
17cb103cb1 resolve merge conflicts
MFC after:	1 month
2006-09-04 20:25:04 +00:00
Sam Leffler
2ebc47db5b Import of tcpdump v3.9.4 2006-09-04 20:04:42 +00:00
Sam Leffler
29292c17af resolve merge conflicts
Approved by:	re (scottl)
2005-07-11 04:14:02 +00:00
Sam Leffler
f4d0c64a1d Virgin import of tcpdump v3.9.1 (release) from tcpdump.org
Approved by:	re (scottl)
2005-07-11 03:54:22 +00:00
Sam Leffler
c1ad1296ec resolve merge conflicts and update for proper build; including:
o print-fr.c returned to code on vendor branch
o remove pmap_prot.h include from print-sunrprc.c
o remove gcc/i386-specific ntoh* write-arounds from tcpdump-stdinc.h

Reviewed by:	bms
2005-05-29 19:09:28 +00:00
Sam Leffler
1de50e9f41 Virgin import of tcpdump v3.9.1 (alpha 096) from tcpdump.org 2005-05-29 18:17:16 +00:00
Bruce M Simpson
cc391cce11 Merge of tcpdump 3.8.3 from tcpdump.org, with the following caveats:
print-atm.c no longer performs special handling for FORE headers; these
 can no doubt be re-added at a later date.

 print-fr.c is effectively a no-op.

 print-llc.c has had the default_print_unaligned() call removed as
 tcpdump no longer defines this function, however the prototype is still
 present. Suggest we roll in a diff to use print_unknown_data().
2004-03-31 14:57:24 +00:00
Bruce M Simpson
5b0fe47811 Import tcpdump 3.8.3, from http://www.tcpdump.org/releases/tcpdump-3.8.3.tar.gz 2004-03-31 09:17:26 +00:00
Bill Fenner
aa1a4c1370 Merge Multi-DLT support. 2003-01-26 01:23:26 +00:00
Bill Fenner
0ccd7b511b Commit tcpdump.org's multi-DLT support to vendor branch. 2003-01-26 01:16:33 +00:00
Bill Fenner
a1c2090e60 Merge tcpdump 3.7.1
MFC after:	2 weeks
2002-06-21 00:49:02 +00:00
Bill Fenner
a90e161be3 Import tcpdump 3.7.1, from
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz
2002-06-21 00:43:23 +00:00