Warn if the OS lacks support to lock down BPF or equivalent

author Roy Marples <roy@marples.name>

Thu, 11 Jun 2020 14:37:33 +0000 (15:37 +0100)

committer Roy Marples <roy@marples.name>

Thu, 11 Jun 2020 14:37:33 +0000 (15:37 +0100)
author Roy Marples <roy@marples.name>
Thu, 11 Jun 2020 14:37:33 +0000 (15:37 +0100)
committer Roy Marples <roy@marples.name>
Thu, 11 Jun 2020 14:37:33 +0000 (15:37 +0100)
diff --git a/src/bpf.c b/src/bpf.c

index f450a043f89ee652df7b9294cfc867858aaa717c..d3736a1b8ae6d3d3b74066e812c90518cde9dd30 100644 (file)
--- a/src/bpf.c
+++ b/src/bpf.c
@@ -703,6 +703,14 @@ bpf_bootp(const struct bpf *bpf, __unused const struct in_addr *ia)
                 return -1;
         return 0;
  #else
+#ifdef PRIVSEP
+#if defined(__sun) /* Solaris cannot send via BPF. */
+#elif defined(BIOCSETF)
+#warning No BIOCSETWF support - a compromised BPF can be used as a raw socket
+#else
+#warning A compromised PF_PACKET socket can be used as a raw socket
+#endif
+#endif
         return bpf_bootp_rw(bpf, true);
  #endif
  }
author	Roy Marples <roy@marples.name>
	Thu, 11 Jun 2020 14:37:33 +0000 (15:37 +0100)
committer	Roy Marples <roy@marples.name>
	Thu, 11 Jun 2020 14:37:33 +0000 (15:37 +0100)