summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/core/capsicum.c30
1 files changed, 27 insertions, 3 deletions
diff --git a/src/core/capsicum.c b/src/core/capsicum.c
index c554fcf7..e87704dd 100644
--- a/src/core/capsicum.c
+++ b/src/core/capsicum.c
@@ -40,6 +40,8 @@ static char *irclogs_path;
static size_t irclogs_path_len;
static int irclogs_fd;
static int symbiontfds[2];
+static int port_min;
+static int port_max;
gboolean capsicum_enabled(void)
{
@@ -90,6 +92,13 @@ int capsicum_net_connect_ip(IPADDR *ip, int port, IPADDR *my_ip)
}
saved_errno = nvlist_get_number(nvl, "errno");
nvlist_destroy(nvl);
+
+ if (sock == -1 && (port < port_min || port > port_max)) {
+ g_warning("Access restricted to ports between %d and %d "
+ "due to capability mode",
+ port_min, port_max);
+ }
+
errno = saved_errno;
return sock;
@@ -205,9 +214,19 @@ nvlist_t *symbiont_connect(const nvlist_t *request)
else
my_ip = NULL;
- /* Connect. */
- sock = net_connect_ip_handle(ip, port, my_ip);
- saved_errno = errno;
+ /*
+ * Check if the port is in allowed range. This is to minimize
+ * the chance of the attacker rooting another system in case of
+ * compromise.
+ */
+ if (port < port_min || port > port_max) {
+ sock = -1;
+ saved_errno = EPERM;
+ } else {
+ /* Connect. */
+ sock = net_connect_ip_handle(ip, port, my_ip);
+ saved_errno = errno;
+ }
/* Send back the socket fd. */
response = nvlist_create(0);
@@ -326,6 +345,9 @@ static void cmd_capsicum_enter(void)
return;
}
+ port_min = settings_get_int("capsicum_port_min");
+ port_max = settings_get_int("capsicum_port_max");
+
irclogs_path = convert_home(settings_get_str("capsicum_irclogs_path"));
g_mkdir_with_parents(irclogs_path, log_dir_create_mode);
irclogs_path_len = strlen(irclogs_path);
@@ -375,6 +397,8 @@ void capsicum_init(void)
{
settings_add_bool("misc", "capsicum", FALSE);
settings_add_str("misc", "capsicum_irclogs_path", "~/irclogs");
+ settings_add_int("misc", "capsicum_port_min", 6667);
+ settings_add_int("misc", "capsicum_port_max", 6697);
signal_add("irssi init finished", (SIGNAL_FUNC) sig_init_finished);