Add CAP_FCNTL and use cap_fcntls_limit(). 433/head
authorWesley Shields <[email protected]>
Wed, 18 Feb 2015 22:07:18 +0000 (17:07 -0500)
committerWesley Shields <[email protected]>
Wed, 18 Feb 2015 22:07:18 +0000 (17:07 -0500)
Without these changes pcap_dump_ftell() will return -1 and set errno to
ENOTCAPABLE.

This allows you to do:

tcpdump -C 1 -W 5 -w foo.pcap

Without these changes it never rotates to foo.pcap1 and instead keeps writing
to foo.pcap0 forever.

Discussed at: http://unix.derkeiler.com/Mailing-Lists/FreeBSD/current/2014-09/msg00142.html

tcpdump.c

index 8e07d8f2e1572dc307aafe86e7c40c200f4d3e99..59994fb4d33fae4c10afad22b5203a58df70275b 100644 (file)
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -1814,11 +1814,15 @@ main(int argc, char **argv)
                if (p == NULL)
                        error("%s", pcap_geterr(pd));
 #ifdef HAVE_CAPSICUM
-               cap_rights_init(&rights, CAP_SEEK, CAP_WRITE);
+               cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL);
                if (cap_rights_limit(fileno(pcap_dump_file(p)), &rights) < 0 &&
                    errno != ENOSYS) {
                        error("unable to limit dump descriptor");
                }
+               if (cap_fcntls_limit(fileno(pcap_dump_file(p)), CAP_FCNTL_GETFL) < 0 &&
+                   errno != ENOSYS) {
+                       error("unable to limit dump descriptor fcntls");
+               }
 #endif
                if (Cflag != 0 || Gflag != 0) {
 #ifdef HAVE_CAPSICUM
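Review bot: The rights-limiting sequence added here in main() is repeated line for line in the dump_packet_and_trunc() hunk, and `fileno(pcap_dump_file(p))` is evaluated twice in each copy. A small static helper under HAVE_CAPSICUM would keep the rights on the two dump descriptors from drifting apart when one site is edited and the other is not. The helper is also the natural place for a comment recording why CAP_FCNTL is granted and why it is narrowed to CAP_FCNTL_GETFL; per the commit message, pcap_dump_ftell() otherwise fails with ENOTCAPABLE and -C rotation never happens. main() starts and ends outside this hunk.

```c
#ifdef HAVE_CAPSICUM
/*
 * Restrict a savefile descriptor to what the dumper needs.
 * CAP_FCNTL is granted only so pcap_dump_ftell() works for -C
 * rotation, and is narrowed to F_GETFL right after.
 */
static void
set_dumper_capsicum_rights(pcap_dumper_t *p)
{
	int fd = fileno(pcap_dump_file(p));
	cap_rights_t rights;

	cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL);
	if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) {
		error("unable to limit dump descriptor");
	}
	if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) {
		error("unable to limit dump descriptor fcntls");
	}
}
#endif

/* … unchanged: pcap_dump_open() and its NULL check in main() … */
#ifdef HAVE_CAPSICUM
		set_dumper_capsicum_rights(p);
#endif
/* … dump_packet_and_trunc() would call set_dumper_capsicum_rights(dump_info->p) the same way … */
```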
@@ -1835,6 +1839,10 @@ main(int argc, char **argv)
                            errno != ENOSYS) {
                                error("unable to limit directory rights");
                        }
+                       if (cap_fcntls_limit(dumpinfo.dirfd, CAP_FCNTL_GETFL) < 0 &&
+                           errno != ENOSYS) {
+                               error("unable to limit dump descriptor fcntls");
+                       }
 #else  /* !HAVE_CAPSICUM */
                        dumpinfo.WFileName = WFileName;
 #endif
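Review bot: The new check on `dumpinfo.dirfd` reuses the message from the savefile path, so a failure here is reported as "unable to limit dump descriptor fcntls" although the descriptor is the directory one. Since error() prints no errno, the message text is the only clue to which limit call failed; it should read `error("unable to limit directory fcntls");` to match the "unable to limit directory rights" message just above it. The cap_rights_init() call for this descriptor sits above the hunk, so whether CAP_FCNTL is in the directory rights set cannot be confirmed from here.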
@@ -2327,11 +2335,15 @@ dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *s
                        if (dump_info->p == NULL)
                                error("%s", pcap_geterr(pd));
 #ifdef HAVE_CAPSICUM
-                       cap_rights_init(&rights, CAP_SEEK, CAP_WRITE);
+                       cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL);
                        if (cap_rights_limit(fileno(pcap_dump_file(dump_info->p)),
                            &rights) < 0 && errno != ENOSYS) {
                                error("unable to limit dump descriptor");
                        }
+               if (cap_fcntls_limit(fileno(pcap_dump_file(dump_info->p)),
+                   CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) {
+                       error("unable to limit dump descriptor fcntls");
+               }
 #endif
                }
        }
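Review bot: The added `cap_fcntls_limit()` block is indented one level shallower than the `cap_rights_limit()` block it follows, so it reads as if it sat outside the enclosing branch that reopened the dump file. It should be re-indented to the same depth as the preceding `if (cap_rights_limit(...` so the two limit calls are visibly applied to the same freshly opened descriptor. dump_packet_and_trunc() begins and continues outside this hunk.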