diff -urp /usr/home/pjd/source/head/contrib/tcpdump/addrtoname.c contrib/tcpdump/addrtoname.c --- /usr/home/pjd/source/head/contrib/tcpdump/addrtoname.c 2013-09-05 00:31:56.918135813 +0200 +++ contrib/tcpdump/addrtoname.c 2013-06-23 15:22:07.362704626 +0200 @@ -32,6 +32,10 @@ static const char rcsid[] _U_ = #include "config.h" #endif +#ifdef __FreeBSD__ +#include +#include +#endif #include #ifdef USE_ETHER_NTOHOST @@ -203,6 +207,9 @@ intoa(u_int32_t addr) static u_int32_t f_netmask; static u_int32_t f_localnet; +#ifdef HAVE_LIBCAPSICUM +extern cap_channel_t *capdns; +#endif /* * Return a name for the IP address pointed to by ap. This address @@ -248,7 +255,11 @@ getname(const u_char *ap) */ if (!nflag && (addr & f_netmask) == f_localnet) { +#ifdef HAVE_LIBCAPSICUM + hp = cap_gethostbyaddr(capdns, (char *)&addr, 4, AF_INET); +#else hp = gethostbyaddr((char *)&addr, 4, AF_INET); +#endif if (hp) { char *dotp; @@ -293,7 +304,12 @@ getname6(const u_char *ap) * Do not print names if -n was given. */ if (!nflag) { +#ifdef HAVE_LIBCAPSICUM + hp = cap_gethostbyaddr(capdns, (char *)&addr, sizeof(addr), + AF_INET6); +#else hp = gethostbyaddr((char *)&addr, sizeof(addr), AF_INET6); +#endif if (hp) { char *dotp; diff -urp /usr/home/pjd/source/head/contrib/tcpdump/tcpdump.c contrib/tcpdump/tcpdump.c --- /usr/home/pjd/source/head/contrib/tcpdump/tcpdump.c 2013-09-05 02:10:11.389729394 +0200 +++ contrib/tcpdump/tcpdump.c 2013-09-18 23:23:39.046930108 +0200 @@ -76,6 +76,12 @@ extern int SIZE_BUF; #include #include #include +#ifdef HAVE_LIBCAPSICUM +#include +#include +#include +#include +#endif /* HAVE_LIBCAPSICUM */ #endif /* __FreeBSD__ */ #ifndef WIN32 #include @@ -123,6 +129,10 @@ static int infoprint; char *program_name; +#ifdef HAVE_LIBCAPSICUM +cap_channel_t *capdns; +#endif + int32_t thiszone; /* seconds offset from gmt to local time */ /* Forwards */ 
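Review bot: The two includes added in the `@@ -32,6 +32,10 @@` hunk of addrtoname.c are guarded by `__FreeBSD__`, while every use they serve (`capdns`, `cap_gethostbyaddr`) is guarded by `HAVE_LIBCAPSICUM`. tcpdump.c, by contrast, nests its Casper includes under `#ifdef HAVE_LIBCAPSICUM` inside `__FreeBSD__`. The header names did not survive on this page, but if they are the libcapsicum headers, a FreeBSD build without the library would fail at the include. I would use the same guard as the call sites, `#ifdef HAVE_LIBCAPSICUM` in place of `#ifdef __FreeBSD__`.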
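Review bot: `extern cap_channel_t *capdns;` in the `@@ -203,6 +207,9 @@` hunk is a private declaration inside addrtoname.c, so nothing makes the compiler compare it with the definition added to tcpdump.c in the `@@ -123,6 +129,10 @@` hunk. Moving the declaration to a header that both files include would keep the two in step. Wherever it ends up, it deserves a comment such as `/* Casper system.dns channel; NULL when -n is given, limited to reverse lookups in main(). */`, because that limit is the security boundary for the resolver service.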
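Review bot: `cap_gethostbyaddr(capdns, ...)` in getname (`@@ -248,7 +255,11 @@`) and in getname6 (`@@ -293,7 +304,12 @@`) passes `capdns` with no check, and main() leaves it NULL whenever `nflag` is set. The calls are safe only while the `!nflag` test here and the `if (nflag)` test in main() agree, i.e. while `nflag` does not change after start-up and no lookup runs before the Casper setup; neither is visible from these hunks. A one-line comment at each call, `/* capdns is opened in main() whenever !nflag */`, would record the invariant. Both function bodies continue outside their hunks.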
@@ -717,6 +727,10 @@ main(int argc, char **argv) #ifdef __FreeBSD__ cap_rights_t rights; int cansandbox; +#ifdef HAVE_LIBCAPSICUM + cap_channel_t *capcas; + nvlist_t *limits; +#endif #endif /* __FreeBSD__ */ #ifdef WIN32 @@ -1417,6 +1431,30 @@ main(int argc, char **argv) free(cmdbuf); exit(0); } + +#ifdef HAVE_LIBCAPSICUM + if (nflag) { + capcas = NULL; + capdns = NULL; + } else { + capcas = cap_init(); + if (capcas == NULL) + error("unable to contact Casper"); + capdns = cap_service_open(capcas, "system.dns"); + if (capdns == NULL) + error("unable to open system.dns service"); + /* Limit system.dns to reverse DNS lookups. */ + limits = nvlist_create(0); + nvlist_add_string(limits, "type", "ADDR"); + nvlist_add_number(limits, "family", (uint64_t)AF_INET); + nvlist_add_number(limits, "family", (uint64_t)AF_INET6); + if (cap_limit_set(capdns, limits) < 0) + error("unable to limit access to system.dns service"); + /* Casper capability no longer needed. */ + cap_close(capcas); + } +#endif /* HAVE_LIBCAPSICUM */ + init_addrtoname(localnet, netmask); init_checksum(); @@ -1615,7 +1653,10 @@ main(int argc, char **argv) #endif /* WIN32 */ #ifdef __FreeBSD__ - cansandbox = (nflag && VFileName == NULL && zflag == NULL); + cansandbox = (VFileName == NULL && zflag == NULL); +#ifndef HAVE_LIBCAPSICUM + cansandbox = (cansandbox && nflag); +#endif if (cansandbox && cap_enter() < 0 && errno != ENOSYS) error("unable to enter the capability mode"); if (cap_sandboxed()) @@ -1884,6 +1925,7 @@ dump_packet_and_trunc(u_char *user, cons /* * Compress the file we just closed, if the user asked for it */ + /* TODOPJD: Compression not supported. */ if (zflag != NULL) compress_savefile(dump_info->CurrentFileName); @@ -1970,6 +2012,7 @@ dump_packet_and_trunc(u_char *user, cons /* * Compress the file we just closed, if the user asked for it */ + /* TODOPJD: Compression not supported. */ if (zflag != NULL) compress_savefile(dump_info->CurrentFileName);
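Review bot: The limit list in the `@@ -1417,6 +1431,30 @@` hunk is built with no error check, and it is the only thing narrowing `system.dns` to reverse lookups. `nvlist_create()` and the three `nvlist_add_*` calls are unchecked, and `"family"` is added twice under one name; whether a list created with flags 0 keeps both entries depends on the libnv version in use, which is not visible here. Checking the list before handing it over makes a malformed limit fail loudly instead of relying on `cap_limit_set()` to notice: `if (nvlist_error(limits) != 0) error("unable to build system.dns limits");`. The existing `error()` exits on `cap_init`, `cap_service_open` and `cap_limit_set` failure are the right fail-closed behaviour. main() starts and ends outside the hunk.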
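Review bot: With `HAVE_LIBCAPSICUM` the `@@ -1615,7 +1653,10 @@` hunk lets `cap_enter()` run without `-n`, but this patch reroutes only the two `gethostbyaddr` calls in addrtoname.c through `capdns`. Any other name lookup that runs per packet when `!nflag` would now execute in capability mode and fail or return nothing. The `USE_ETHER_NTOHOST` block in addrtoname.c's context is one candidate, though its call site is not shown. It is worth auditing those paths before dropping the `nflag` requirement, and stating the reasoning above the assignment: `/* Reverse DNS goes through Casper, so -n is only required without it. */`.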
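Review bot: The comment `/* TODOPJD: Compression not supported. */` added in `@@ -1884,6 +1925,7 @@`, and again in `@@ -1970,6 +2012,7 @@`, reads as if `compress_savefile()` were broken, yet the call right below it is unchanged. Going by the `cansandbox` expression in main(), what is actually unsupported is running `-z` inside the sandbox: a non-NULL `zflag` keeps tcpdump out of capability mode altogether. I would say that directly, e.g. `/* TODO: -z disables the sandbox (see cansandbox in main()); compression is not yet delegated. */`.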