tcpdump(8) manual page documents command line option -E that may involve reading keys from a file: In addition to the above syntax, the syntax ``file name'' may be used to have tcpdump read the provided file in. The file is opened upon receiving the first ESP packet, so any special permissions that tcpdump may have been given should already have been given up. This is currently broken in stable/11: # tcpdump -E 'file /tmp/keys.txt' -s0 -np -i em0 host 1.1.1.1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes tcpdump: print_esp: can't open /tmp/keys.txt: Not permitted in capability mode
Does it work in stable/12?
(In reply to Ed Maste from comment #1) I do not have any stable/12 system to verify. But it should be easy to run mentioned "tcpdump ..." command there as it does not need any real IPSEC configuration or traffic other than simple outgoing ESP packet generated with something like "traceroute -nP ESP 1.1.1.1". This triggers the bug for 11.2-RELEASE without any IPSEC configuration and Should trigger for stable/12, too.
(In reply to Eugene Grosbein from comment #2) Reproduced here: % tcpdump --version tcpdump version 4.9.2 libpcap version 1.9.0 OpenSSL 1.0.2o-freebsd 27 Mar 2018 # ktrace -i tcpdump -E 'file foo' -s0 -np -i wlan0 host 1.1.1.1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes tcpdump: print_esp: can't open foo: Not permitted in capability mode
(In reply to Ed Maste from comment #3) From the man page: > The file is opened upon receiving the first ESP packet, so > any special permissions that tcpdump may have been given > should already have been given up. Most expedient way to restore -E 'file foo' functionality is to add to the cansandbox test in tcpdump.c and avoid sandboxing when -E file is used. Proper fix will require a bit more consideration.
A commit references this bug: Author: oshogbo Date: Tue Apr 16 04:12:42 UTC 2019 New revision: 346263 URL: https://svnweb.freebsd.org/changeset/base/346263 Log: tcpdump: disable Capsicum if -E option is provided. The -E is used to provide a secret for decrypting IPsec. The secret may be provided through command line or as the file. The problem is that tcpdump doesn't support yet opening files in capability mode and the file may contain a list of the files to open. As a workaround, for now, let's just disable capsicum if the -E the option is provided. PR: 236819 MFC after: 2 weeks Changes: head/contrib/tcpdump/tcpdump.c
A commit references this bug: Author: oshogbo Date: Wed May 1 06:59:04 UTC 2019 New revision: 346985 URL: https://svnweb.freebsd.org/changeset/base/346985 Log: MFC r346263: tcpdump: disable Capsicum if -E option is provided. The -E is used to provide a secret for decrypting IPsec. The secret may be provided through command line or as the file. The problem is that tcpdump doesn't support yet opening files in capability mode and the file may contain a list of the files to open. As a workaround, for now, let's just disable capsicum if the -E the option is provided. PR: 236819 MFC after: 2 weeks Changes: _U stable/11/ stable/11/contrib/tcpdump/tcpdump.c
A commit references this bug: Author: oshogbo Date: Wed May 1 07:00:57 UTC 2019 New revision: 346986 URL: https://svnweb.freebsd.org/changeset/base/346986 Log: MFC r346263: tcpdump: disable Capsicum if -E option is provided. The -E is used to provide a secret for decrypting IPsec. The secret may be provided through command line or as the file. The problem is that tcpdump doesn't support yet opening files in capability mode and the file may contain a list of the files to open. As a workaround, for now, let's just disable capsicum if the -E the option is provided. PR: 236819 Changes: _U stable/12/ stable/12/contrib/tcpdump/tcpdump.c
To be clear the committed change is somewhat of a workaround not the full fix, we should still modify tcpdump to open the file(s) prior to entering capability mode.