https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222632
--- Comment #18 from Jan Kokemüller <jan.kokemuel...@gmail.com> ---
Created attachment 187942
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=187942&action=edit
Disallow connectat/bindat AT_FDCWD in capabilities mode

Here is a patch that disables connectat/bindat in capabilities mode when called
with the AT_FDCWD parameter.

It also:
- adds documentation that connect and connectat(AT_FDCWD,...) are equivalent
  and therefore connectat is not restricted to AF_UNIX sockets. Same for bindat.
- adds documentation that CAP_BIND and CAP_CONNECT are useless in cap mode
- adds some tests

Maybe there is still a use case for CAP_CONNECT/CAP_BIND: I think those rights
can be used to lock down a raw, privileged socket created by a helper process.