svn:author: pjd
svn:date: 2013-07-07T21:19:53.295375Z
svn:log:

Sandbox tcpdump(8) using Capsicum's capability mode and capabilities.

For now, sandboxing is done only if the -n option was specified and neither the -z nor -V options were given. Because it is very common to run tcpdump(8) with the -n option for speed, I decided to commit sandboxing now. To also support sandboxing when the -n option wasn't specified, we need the Casper daemon and its services, which are not available in FreeBSD yet.

- Limit file descriptors of a file specified by the -r option or files specified via the -V option to CAP_READ only.
- If neither the -r nor -V options were specified, we operate on /dev/bpf. Limit its descriptor to CAP_READ and CAP_IOCTL, plus limit allowed ioctls to BIOCGSTATS only.
- Limit the file descriptor of a file specified by the -w option to CAP_SEEK and CAP_WRITE.
- If either the -C or -G options were specified, we open the directory containing the destination file and limit the directory descriptor to CAP_CREATE, CAP_FCNTL, CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK and CAP_WRITE. Newly opened/created files are limited to CAP_SEEK and CAP_WRITE only.
- Enter capability mode if the -n option was specified and neither the -z nor -V options were specified.

Approved by: delphij, wxs
Sponsored by: The FreeBSD Foundation