]> The Tcpdump Group git mirrors - tcpdump/blobdiff - tcpdump.c
projects / tcpdump / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add CAP_FCNTL and use cap_fcntls_limit().
[tcpdump] / tcpdump.c
diff --git a/tcpdump.c b/tcpdump.c
index 8e07d8f2e1572dc307aafe86e7c40c200f4d3e99..59994fb4d33fae4c10afad22b5203a58df70275b 100644 (file)
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -1814,11 +1814,15 @@ main(int argc, char **argv)
                if (p == NULL)
                        error("%s", pcap_geterr(pd));
 #ifdef HAVE_CAPSICUM
-               cap_rights_init(&rights, CAP_SEEK, CAP_WRITE);
+               cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL);
                if (cap_rights_limit(fileno(pcap_dump_file(p)), &rights) < 0 &&
                    errno != ENOSYS) {
                        error("unable to limit dump descriptor");
                }
+               if (cap_fcntls_limit(fileno(pcap_dump_file(p)), CAP_FCNTL_GETFL) < 0 &&
+                   errno != ENOSYS) {
+                       error("unable to limit dump descriptor fcntls");
+               }
 #endif
                if (Cflag != 0 || Gflag != 0) {
 #ifdef HAVE_CAPSICUM
@@ -1835,6 +1839,10 @@ main(int argc, char **argv)
                            errno != ENOSYS) {
                                error("unable to limit directory rights");
                        }
+                       if (cap_fcntls_limit(dumpinfo.dirfd, CAP_FCNTL_GETFL) < 0 &&
+                           errno != ENOSYS) {
+                               error("unable to limit dump descriptor fcntls");
+                       }
 #else  /* !HAVE_CAPSICUM */
                        dumpinfo.WFileName = WFileName;
 #endif
@@ -2327,11 +2335,15 @@ dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *s
                        if (dump_info->p == NULL)
                                error("%s", pcap_geterr(pd));
 #ifdef HAVE_CAPSICUM
-                       cap_rights_init(&rights, CAP_SEEK, CAP_WRITE);
+                       cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL);
                        if (cap_rights_limit(fileno(pcap_dump_file(dump_info->p)),
                            &rights) < 0 && errno != ENOSYS) {
                                error("unable to limit dump descriptor");
                        }
+               if (cap_fcntls_limit(fileno(pcap_dump_file(dump_info->p)),
+                   CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) {
+                       error("unable to limit dump descriptor fcntls");
+               }
 #endif
                }
        }
[mirror] the TCPdump network dissector