
Sandbox pcap using process limits

Provide some basic process restrictions on the process using pcap. On
Linux, poll() checks the number of allowed file descriptors. If setrlimit
sets the value of RLIMIT_NOFILE to 0, poll() fails with EINVAL.
msantos committed Jul 1, 2012
1 parent a4ae5bc commit f553a45bf3b5ac44480bf51ac3e9b13181d7576e
Showing with 38 additions and 1 deletion.
  1. +9 −1 c_src/epcap.c
  2. +4 −0 c_src/epcap.h
  3. +25 −0 c_src/epcap_priv.c
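--- a/c_src/epcap.c
+++ b/c_src/epcap.c
@@ -115,6 +115,9 @@ main(int argc, char *argv[])
 IS_LTZERO(dup2(fd, STDIN_FILENO));
 IS_LTZERO(close(fd));
 IS_LTZERO(epcap_init(ep));
+ /* poll() (used by pcap) will return EINVAL
+ * if RLIMIT_NOFILES < numfd */
+ IS_LTZERO(epcap_priv_rlimits(1));
 epcap_loop(ep);
 break;
 default:
@@ -123,6 +126,10 @@ main(int argc, char *argv[])
 goto CLEANUP;
 pcap_close(ep->p);
+
+ if (epcap_priv_rlimits(0) < 0)
+ goto CLEANUP;
+
 epcap_watch();
 CLEANUP:
@@ -143,6 +150,7 @@ epcap_watch()
 FD_ZERO(&rfds);
 FD_SET(fd, &rfds);
+ (void)fprintf(stderr, "select\n");
 (void)select(fd+1, &rfds, NULL, NULL, NULL);
 }
@@ -183,7 +191,7 @@ epcap_init(EPCAP_STATE *ep)
 if (pcap_lookupnet(ep->dev, &ipaddr, &ipmask, errbuf) == -1) {
 VERBOSE(1, "%s", errbuf);
- ipmask=PCAP_NETMASK_UNKNOWN;
+ ipmask=PCAP_NETMASK_UNKNOWN;
 }
 VERBOSE(2, "[%s] Using filter: %s\n", __progname, ep->filt);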
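Review bot: The `(void)fprintf(stderr, "select\n");` added in epcap_watch() reads like leftover debug output, and it interacts badly with the limits this commit installs, because the parent calls `epcap_priv_rlimits(0)` just before `epcap_watch()` and that call sets RLIMIT_FSIZE to 0. If stderr happens to be redirected to a regular file, the write would exceed the file-size limit and raise SIGXFSZ, whose default action terminates the process, so the watcher could die on its first pass. I would drop the line; if a trace is really wanted, add a comment next to the `epcap_priv_rlimits(0)` call stating that nothing may write to a regular file after it. The bodies of main() and epcap_watch() start and end outside these hunks, so the surrounding control flow is inferred.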
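--- a/c_src/epcap.h
+++ b/c_src/epcap.h
@@ -39,6 +39,9 @@
 #include <sys/select.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
 #include <pcap.h>
 #define EPCAP_VERSION "0.03"
@@ -105,3 +108,4 @@ typedef struct {
 int epcap_priv_drop(EPCAP_STATE *ep);
 void epcap_priv_issetuid(EPCAP_STATE *ep);
+int epcap_priv_rlimits(int nfd);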
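--- a/c_src/epcap_priv.c
+++ b/c_src/epcap_priv.c
@@ -87,3 +87,28 @@ epcap_priv_issetuid(EPCAP_STATE *ep)
 IS_LTZERO(setuid(getuid()));
 }
 }
+
+ int
+epcap_priv_rlimits(int nfd)
+{
+ struct rlimit rl = {0};
+
+#ifdef RLIMIT_FSIZE
+ if (setrlimit(RLIMIT_FSIZE, &rl) != 0)
+ return -1;
+#endif
+
+#ifdef RLIMIT_NPROC
+ if (setrlimit(RLIMIT_NPROC, &rl) != 0)
+ return -1;
+#endif
+
+#ifdef RLIMIT_NOFILE
+ rl.rlim_cur = nfd;
+ rl.rlim_max = nfd;
+ if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
+ return -1;
+#endif
+
+ return 0;
+}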
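Review bot: `nfd` is a signed int stored straight into `rl.rlim_cur` and `rl.rlim_max`, which have the unsigned type rlim_t, so a negative argument would become a very large limit and the RLIMIT_NOFILE call would ask to raise the limit instead of lowering it. Both callers in this commit pass 0 or 1, so the problem is latent, but a guard at the top, `if (nfd < 0) return -1;`, keeps the helper from failing open. The function also has no header comment; I would add `/* Set RLIMIT_FSIZE and RLIMIT_NPROC to 0 and RLIMIT_NOFILE to nfd; descriptors already open stay usable. Returns 0, or -1 if any setrlimit() fails. */`. Since each limit sits inside an `#ifdef`, a platform lacking one of the macros skips that restriction and still returns 0, which is worth stating in the same comment.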
