diff options
-rw-r--r-- | src/core/capsicum.c | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/src/core/capsicum.c b/src/core/capsicum.c index c554fcf7..e87704dd 100644 --- a/src/core/capsicum.c +++ b/src/core/capsicum.c @@ -40,6 +40,8 @@ static char *irclogs_path; static size_t irclogs_path_len; static int irclogs_fd; static int symbiontfds[2]; +static int port_min; +static int port_max; gboolean capsicum_enabled(void) { @@ -90,6 +92,13 @@ int capsicum_net_connect_ip(IPADDR *ip, int port, IPADDR *my_ip) } saved_errno = nvlist_get_number(nvl, "errno"); nvlist_destroy(nvl); + + if (sock == -1 && (port < port_min || port > port_max)) { + g_warning("Access restricted to ports between %d and %d " + "due to capability mode", + port_min, port_max); + } + errno = saved_errno; return sock; @@ -205,9 +214,19 @@ nvlist_t *symbiont_connect(const nvlist_t *request) else my_ip = NULL; - /* Connect. */ - sock = net_connect_ip_handle(ip, port, my_ip); - saved_errno = errno; + /* + * Check if the port is in allowed range. This is to minimize + * the chance of the attacker rooting another system in case of + * compromise. + */ + if (port < port_min || port > port_max) { + sock = -1; + saved_errno = EPERM; + } else { + /* Connect. */ + sock = net_connect_ip_handle(ip, port, my_ip); + saved_errno = errno; + } /* Send back the socket fd. */ response = nvlist_create(0); @@ -326,6 +345,9 @@ static void cmd_capsicum_enter(void) return; } + port_min = settings_get_int("capsicum_port_min"); + port_max = settings_get_int("capsicum_port_max"); + irclogs_path = convert_home(settings_get_str("capsicum_irclogs_path")); g_mkdir_with_parents(irclogs_path, log_dir_create_mode); irclogs_path_len = strlen(irclogs_path); @@ -375,6 +397,8 @@ void capsicum_init(void) { settings_add_bool("misc", "capsicum", FALSE); settings_add_str("misc", "capsicum_irclogs_path", "~/irclogs"); + settings_add_int("misc", "capsicum_port_min", 6667); + settings_add_int("misc", "capsicum_port_max", 6697); signal_add("irssi init finished", (SIGNAL_FUNC) sig_init_finished); |