On Wed, Nov 07, 2018 at 07:32:25PM -0500, Bryan Steele wrote:
> On Wed, Nov 07, 2018 at 07:06:09PM -0500, Bryan Steele wrote:
> > I'm revisiting some old tcpdump diffs, now that mestre@ has added proper
> > unveil(2) support! :-)
> > 
> > Refresher: https://marc.info/?l=openbsd-tech&m=150535073209723&w=2
> > 
> > This hoists opening pf.os(5) fingerprints '-o' from the 'RUN' state to
> > the 'FILTER' state, this will allow for a reduced pledge(2) at runtime
> > in the (currently root) monitor process.
> 
> This was a bit of copy & paste, sorry. This moves the opening of pf.os
> earlier and avoids the unveil later on. Of course, reducing the runtime
> pledge(2) promises will come later! :-)
> 
> > 
> > This still works as well as it already has. :-)
> > 
> >     ( ... ) [tcp sum ok] (src OS: OpenBSD 6.1) 3311509932:3311509932(0) win 
> > 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 3905153931 0> 
> > (DF) (ttl 64, id 41239, len 64)
> > 
> > The only potential difference is that if /etc/pf.os is replaced at
> > runtime, tcpdump won't reopen it.
> > 
> > I don't think that's a problem..
> > 
> > ok?
> > 
> > -Bryan.
>

The first two diffs are in now. Thanks!

The "recvfd" promise doesn't appear to be used by the privileged
monitor process, which currently only handles resolving domain names,
and displaying BIOCGSTATS on ^C. It never sends or receives any file
descriptors while in the 'RUN' state. We can drop it. :-)

Unfortunately the "inet" promise appears to be necessary for some yp(8)
environments, as documented in ether_ntohost(3). I'm not familiar enough
with YP to know if this special /etc/ethers '+' line is typical, or if
DNS should be used instead? In that case it would be covered by the
existing "dns" promise and we could drop "inet" here.

I'd like to try this, and hopefully there's a better solution for YP &
pledge(2) later?

comments or ok?

-Bryan.

Index: privsep.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/privsep.c,v
retrieving revision 1.50
diff -u -p -u -r1.50 privsep.c
--- usr.sbin/tcpdump/privsep.c  8 Nov 2018 14:06:09 -0000       1.50
+++ usr.sbin/tcpdump/privsep.c  8 Nov 2018 18:43:06 -0000
@@ -309,7 +309,7 @@ priv_exec(int argc, char *argv[])
                                err(1, "unveil");
                        if (unveil("/etc/rpc", "r") == -1)
                                err(1, "unveil");
-                       if (pledge("stdio rpath inet dns recvfd bpf", NULL) == 
-1)
+                       if (pledge("stdio rpath dns bpf", NULL) == -1)
                                err(1, "pledge");
 
                        break;
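
Review bot: the new pledge("stdio rpath dns bpf", NULL) line drops "inet" in the same change as "recvfd", yet the message above says "inet" may still be needed by ether_ntohost(3) in some yp(8) environments. Consider splitting this into two commits so the "inet" removal can be backed out on its own if YP users report breakage, and add a short comment above the pledge call noting that the /etc/ethers '+' YP lookup is not covered by the remaining promises.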
