netstat: strip the binary of sgid

Everything in the live path seems to use sysctls these days, with kvm only being used for pulling information from core dumps. Strip the binary of /dev/{k,}mem access to reduce the surface area with access to kmem. Reviewed by: glebius, markj Differential Revision: https://reviews.freebsd.org/D47210
2026-06-09 08:43:19 -04:00 · 2025-04-20 13:18:40 -05:00 · 2025-04-20 13:18:40 -05:00 · 49f31b5e0c
commit 49f31b5e0c
parent d8fd551438
2 changed files with 2 additions and 14 deletions
--- a/usr.bin/netstat/Makefile
+++ b/usr.bin/netstat/Makefile
@ -50,8 +50,6 @@ CFLAGS+=-DSDP
 CFLAGS+=-DPF
 .endif

-BINGRP=	kmem
-BINMODE=2555
 LIBADD=	kvm memstat xo util

 .if ${MK_NETGRAPH_SUPPORT} != "no"
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@ -455,17 +455,10 @@ main(int argc, char *argv[])
 	}
 #endif

-	/*
-	 * Discard setgid privileges if not the running kernel so that bad
-	 * guys can't print interesting stuff from kernel memory.
-	 */
 	live = (nlistf == NULL && memf == NULL);
-	if (!live) {
-		if (setgid(getgid()) != 0)
-			xo_err(EX_OSERR, "setgid");
-		/* Load all necessary kvm symbols */
+	/* Load all necessary kvm symbols */
+	if (!live)
 		kresolve_list(nl);
-	}

 	if (xflag && Tflag)
 		xo_errx(EX_USAGE, "-x and -T are incompatible, pick one.");
@ -739,9 +732,6 @@ kvmd_init(void)
 		return (0);

 	kvmd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, errbuf);
-	if (setgid(getgid()) != 0)
-		xo_err(EX_OSERR, "setgid");
-
 	if (kvmd == NULL) {
 		xo_warnx("kvm not available: %s", errbuf);
 		return (-1);