[tcpdump-workers] FreeBSD sandboxing support via capsicum

2014-07-05 Thread Loganaden Velvindron
Hi All,

FreeBSD has designed Capsicum, which is a sandboxing mechanism.

Please find below a patch against FreeBSD 10 Release:

(Patch based on FreeBSD's port of tcpdump done by p...@freebsd.org)

diff --git a/tcpdump.c b/tcpdump.c
index 739f9c8..aaac4b8 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -66,6 +66,13 @@ extern int SIZE_BUF;
 #include 
 #include 
 #include 
+#ifdef __FreeBSD__
+#include 
+#include 
+#include 
+#include 
+#include 
+#endif /* __FreeBSD__ */
 #ifndef WIN32
 #include 
 #include 
@@ -388,6 +395,9 @@ struct dump_info {
char*CurrentFileName;
pcap_t  *pd;
pcap_dumper_t *p;
+#ifdef __FreeBSD__
+   int dirfd;
+#endif
 };
 
 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
@@ -712,6 +722,11 @@ main(int argc, char **argv)
 #endif
int status;
FILE *VFile;
+#ifdef __FreeBSD__
+   cap_rights_t rights;
+   int cansandbox;
+#endif /* __FreeBSD__ */
+
 #ifdef WIN32
if(wsockinit() != 0) return 1;
 #endif /* WIN32 */
@@ -1216,6 +1231,13 @@ main(int argc, char **argv)
pd = pcap_open_offline(RFileName, ebuf);
if (pd == NULL)
error("%s", ebuf);
+#ifdef __FreeBSD__
+   cap_rights_init(&rights, CAP_READ);
+   if (cap_rights_limit(fileno(pcap_file(pd)), &rights) < 0 &&
+   errno != ENOSYS) {
+   error("unable to limit pcap descriptor");
+   }
+#endif
dlt = pcap_datalink(pd);
dlt_name = pcap_datalink_val_to_name(dlt);
if (dlt_name == NULL) {
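Review bot: The added `error("unable to limit pcap descriptor")` after pcap_open_offline() drops errno, so a failed cap_rights_limit() gives no hint of the cause when someone is debugging a sandbox setup. error() is already used printf-style in this hunk (`error("%s", ebuf)`), so the line could read `error("unable to limit pcap descriptor: %s", strerror(errno));`. The same applies to the other "unable to …" messages added in the later hunks (the live-capture rights and ioctl limits, the dump descriptor, the directory descriptor and cap_enter()). main() starts and ends outside this hunk.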
@@ -1472,6 +1494,21 @@ main(int argc, char **argv)
 
if (pcap_setfilter(pd, &fcode) < 0)
error("%s", pcap_geterr(pd));
+#ifdef __FreeBSD__
+   if (RFileName == NULL && VFileName == NULL) {
+   static const unsigned long cmds[] = { BIOCGSTATS };
+
+   cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
+   if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
+   errno != ENOSYS) {
+   error("unable to limit pcap descriptor");
+   }
+   if (cap_ioctls_limit(pcap_fileno(pd), cmds,
+   sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
+   error("unable to limit ioctls on pcap descriptor");
+   }
+   }
+#endif
if (WFileName) {
pcap_dumper_t *p;
/* Do not exceed the default PATH_MAX for files. */
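Review bot: The ioctl allow-list `static const unsigned long cmds[] = { BIOCGSTATS };` carries no explanation of why that single command is sufficient, and a later change that needs another BPF ioctl after this point would fail only at run time on a kernel with Capsicum. A comment above the array would help, for example `/* After pcap_setfilter() the only ioctl still needed on the BPF descriptor is BIOCGSTATS (capture statistics). */`; that reading is inferred from the placement after pcap_setfilter() and should be confirmed against libpcap's BPF code. The block is skipped when RFileName or VFileName is set, which matches the CAP_READ-only limit the earlier hunk applies to savefiles.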
@@ -1493,9 +1530,32 @@ main(int argc, char **argv)
 #endif
if (p == NULL)
error("%s", pcap_geterr(pd));
+#ifdef __FreeBSD__
+   cap_rights_init(&rights, CAP_SEEK, CAP_WRITE);
+   if (cap_rights_limit(fileno(pcap_dump_file(p)), &rights) < 0 &&
+   errno != ENOSYS) {
+   error("unable to limit dump descriptor");
+   }
+#endif
if (Cflag != 0 || Gflag != 0) {
-   callback = dump_packet_and_trunc;
+#ifdef __FreeBSD__
+   dumpinfo.WFileName = strdup(basename(WFileName));
+   dumpinfo.dirfd = open(dirname(WFileName),
+   O_DIRECTORY | O_RDONLY);
+   if (dumpinfo.dirfd < 0) {
+   error("unable to open directory %s",
+   dirname(WFileName));
+   }
+   cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL,
+   CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK, CAP_WRITE);
+   if (cap_rights_limit(dumpinfo.dirfd, &rights) < 0 &&
+   errno != ENOSYS) {
+   error("unable to limit directory rights");
+   }
+#else  /* !__FreeBSD__ */
dumpinfo.WFileName = WFileName;
+#endif
+   callback = dump_packet_and_trunc;
dumpinfo.pd = pd;
dumpinfo.p = p;
pcap_userdata = (u_char *)&dumpinfo;
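Review bot: `dumpinfo.WFileName = strdup(basename(WFileName));` is not checked for NULL, so an allocation failure hands the rotation callback a null file name; add `if (dumpinfo.WFileName == NULL) error("unable to allocate memory for file %s", WFileName);` directly after it. POSIX also allows basename() and dirname() to modify their argument or return static storage, and WFileName is passed to basename() once and to dirname() twice (the second time inside the error message, after open() has failed), so it is safer to call dirname() once on a private copy and reuse the result. The directory descriptor keeps CAP_CREATE, CAP_FTRUNCATE and CAP_WRITE, so dump_packet_and_trunc (outside this hunk) should open rotated files relative to dirfd and apply the same CAP_SEEK/CAP_WRITE limit to each new dump descriptor.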
@@ -1565,6 +1625,15 @@ main(int argc, char **argv)
(void)fflush(stderr);
}
 #endif /* WIN32 */
+
+#ifdef __FreeBSD__
+   cansandbox = (nflag && VFileName == NULL && zflag == NULL);
+   if (cansandbox && cap_enter() < 0 && errno != ENOSYS)
+   error("unable to enter the capability mode");
+   if (cap_sandboxed())
+   fprintf(stderr, "capability mode sandbox enabled\n");
+#endif /* __FreeBSD__ */
+
do {
status = pcap_loop(pd, cnt, callback, pcap_userdata);
if (WFileName == NULL) {
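Review bot: `cansandbox = (nflag && VFileName == NULL && zflag == NULL);` means capability mode is entered only when -n is given, and in every other case tcpdump keeps running unsandboxed without saying so, since only the success path prints a message. A short comment stating why each condition blocks sandboxing (presumably name resolution, the -V file list and the -z command each need access that capability mode forbids) would keep the condition from being changed by accident. `cap_enter() < 0 && errno != ENOSYS` also treats a kernel without Capsicum as success, so an operator relying on the sandbox has only the stderr line to confirm it is active; that behaviour is worth documenting in the man page. main() continues outside this hunk.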
@@ -1612,6 +1681,13 @@ main(int argc, char **argv)
pd = pcap_open_offline(RFileName, ebuf);
if (pd == NULL)
error("%s", ebuf);
+#ifdef __FreeBSD__
+

Re: [tcpdump-workers] FreeBSD sandboxing support via capsicum

2014-07-05 Thread Guy Harris

On Jul 5, 2014, at 1:15 PM, Loganaden Velvindron  wrote:

> FreeBSD has designed capsicum which is a sandboxing mechanism.
> 
> Please find below a patch against FreeBSD 10 Release:

So this will compile on all versions of FreeBSD, correct?

If not, please update the configure script to test for the relevant APIs, and 
enable the new code only on systems with those APIs.


[tcpdump-workers] building libpcap without usb support

2014-07-05 Thread Michael Richardson

It appears that on Linux there is no way to build libpcap without USB
support.  There is no --disable-usb that I can see in ./configure, and
it appears that if you don't have the right headers, you just fail.
(Or did I miss something?)

Ubuntu 12.04 (which is what Travis runs) cannot install both the amd64
and i386 versions of libusb-dev.  We don't attempt to build both in .travis,
but I have another application that I build for -m32 as well, and it depends
upon libpcap.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[




Re: [tcpdump-workers] building libpcap without usb support

2014-07-05 Thread Guy Harris

On Jul 5, 2014, at 5:02 PM, Michael Richardson  wrote:

> It appears that on Linux there is no way to build libpcap without USB
> support.  There is no --disable-usb that I can see in ./configure, and
> it appears that if you don't have the right headers, you just fail.
> (Or did I miss something?)

The configure script should probably check for the necessary headers, and build 
the USB printer only if they're present.


Re: [tcpdump-workers] building libpcap without usb support

2014-07-05 Thread Guy Harris

On Jul 5, 2014, at 5:39 PM, Guy Harris  wrote:

> On Jul 5, 2014, at 5:02 PM, Michael Richardson  wrote:
> 
>> It appears that on Linux there is no way to build libpcap without USB
>> support.  There is no --disable-usb that I can see in ./configure, and
>> it appears that if you don't have the right headers, you just fail.
>> (Or did I miss something?)
> 
> The configure script should probably check for the necessary headers, and 
> build the USB printer only if they're present.

s/printer/pcap module/ - I was thinking tcpdump, not libpcap.

pcap-usb-linux.c includes what should be standard Linux headers, plus including 
some headers under #ifdefs set by configure.

However, it assumes that, for example, struct usbdevfs_ctrltransfer will always 
be defined, even if <linux/usbdevice_fs.h> doesn't exist.  That probably needs 
to be fixed; I'll look at that.

For other structures and #defines, pcap-usb-linux.c has its own versions; this 
makes me a little nervous - I'll have to see whether the authors of the code 
had a reason why 1) they had to do that and 2) it was safe to do that.