exit_tcpdump(1);
}
#ifdef HAVE_LIBCAP_NG
- /* We don't need CAP_SETUID and CAP_SETGID any more. */
+ /* We don't need CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT any more. */
capng_updatev(
CAPNG_DROP,
CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_SETUID,
CAP_SETGID,
+ CAP_SYS_CHROOT,
-1);
capng_apply(CAPNG_SELECT_BOTH);
#endif /* HAVE_LIBCAP_NG */
CAP_SETGID,
-1);
}
+ if (chroot_dir) {
+ capng_update(
+ CAPNG_ADD,
+ CAPNG_PERMITTED | CAPNG_EFFECTIVE,
+ CAP_SYS_CHROOT
+ );
+ }
if (WFileName) {
capng_update(
if (RFileName == NULL && VFileName == NULL) {
static const unsigned long cmds[] = { BIOCGSTATS, BIOCROTZBUF };
- cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
+ /*
+ * The various libpcap devices use a combination of
+ * read (bpf), ioctl (bpf, netmap), poll (netmap)
+ * so we add the relevant access rights.
+ */
+ cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_EVENT);
if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
errno != ENOSYS) {
error("unable to limit pcap descriptor");
if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) {
(void)fprintf(stderr, "Maximum file limit reached: %d\n",
Wflag);
+ info(1);
exit_tcpdump(0);
/* NOTREACHED */
}
projects / tcpdump / blobdiff