
Sandbox tcpdump(8) using Capsicum's capability mode and capabilities.

Description

Sandbox tcpdump(8) using Capsicum's capability mode and capabilities.
For now, sandboxing is done only if the -n option was specified and neither the -z nor
the -V option was given. Because it is very common to run tcpdump(8) with the -n
option for speed, I decided to commit sandboxing now. To also support
sandboxing when the -n option wasn't specified, we need the Casper daemon and its
services, which are not available in FreeBSD yet.

  • Limit the file descriptor of the file specified by the -r option, or of the files specified via the -V option, to CAP_READ only.
  • If neither -r nor -V was specified, we operate on /dev/bpf. Limit its descriptor to CAP_READ and CAP_IOCTL, and limit the allowed ioctls to BIOCGSTATS only.
  • Limit the file descriptor of the file specified by the -w option to CAP_SEEK and CAP_WRITE.
  • If either -C or -G was specified, we open the directory containing the destination file and limit the directory descriptor to CAP_CREATE, CAP_FCNTL, CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK and CAP_WRITE. Newly opened/created files are limited to CAP_SEEK and CAP_WRITE only.
  • Enter capability mode if the -n option was specified and neither -z nor -V was specified.
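The following is an added example, not code from this commit or from tcpdump: it applies the per-descriptor policy listed above with the Capsicum API as it exists on FreeBSD 10 and later (cap_rights_init()/cap_rights_limit()/cap_ioctls_limit()/cap_enter()), which differs in spelling from the rights-mask calls available when this commit was made. The struct opts, the sandbox_*_fd() helpers and the use of /dev/null as a stand-in for the -w file are assumptions made for the demo. On a non-FreeBSD host the Capsicum parts are compiled out and only the decision rule remains.

```c
/*
 * Added example (not tcpdump's or FreeBSD's own code): apply the commit's
 * Capsicum policy to descriptors and enter capability mode.  Builds and runs
 * on FreeBSD 10 or later; elsewhere the Capsicum calls are compiled out.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <net/bpf.h>
#endif

/* Assumed shape for the three options that decide sandboxing. */
struct opts {
    bool n;  /* -n: no name resolution, so no DNS sockets are needed */
    bool z;  /* -z: run a post-rotate command, which needs exec */
    bool V;  /* -V: read a list of input files, which needs open() */
};

/* Rule from the commit message: capability mode only with -n and without -z/-V. */
bool should_enter_capmode(const struct opts *o)
{
    return o->n && !o->z && !o->V;
}

#ifdef __FreeBSD__
/* /dev/bpf: reads plus the one ioctl still needed after setup (BIOCGSTATS). */
int sandbox_bpf_fd(int fd)
{
    cap_rights_t rights;
    const unsigned long cmds[] = { BIOCGSTATS };

    cap_rights_init(&rights, CAP_READ, CAP_IOCTL);
    if (cap_rights_limit(fd, &rights) < 0)
        return -1;
    return cap_ioctls_limit(fd, cmds, 1);
}

/* -w output file: seek and write only. */
int sandbox_out_fd(int fd)
{
    cap_rights_t rights;

    cap_rights_init(&rights, CAP_SEEK, CAP_WRITE);
    return cap_rights_limit(fd, &rights);
}

/* -C/-G rotation directory: just enough to create and truncate files in it. */
int sandbox_dir_fd(int dirfd)
{
    cap_rights_t rights;

    cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL, CAP_FTRUNCATE,
        CAP_LOOKUP, CAP_SEEK, CAP_WRITE);
    return cap_rights_limit(dirfd, &rights);
}

int main(void)
{
    struct opts o = { .n = true, .z = false, .V = false };
    int fd = open("/dev/null", O_RDWR);   /* stand-in for the -w file */
    char c;

    if (fd < 0) { perror("open"); return 1; }
    if (sandbox_out_fd(fd) < 0) { perror("cap_rights_limit"); return 1; }
    if (should_enter_capmode(&o) && cap_enter() < 0) { perror("cap_enter"); return 1; }

    /* Allowed by the rights mask on fd. */
    printf("write: %s\n", write(fd, "x", 1) == 1 ? "ok" : strerror(errno));
    /* Denied by the rights mask: CAP_READ was not granted. */
    printf("read:  %s\n", (read(fd, &c, 1) < 0 && errno == ENOTCAPABLE)
        ? "ENOTCAPABLE, as expected" : "unexpected result");
    /* Denied by capability mode: no new descriptors via global namespaces. */
    printf("open:  %s\n", (open("/etc/passwd", O_RDONLY) < 0 && errno == ECAPMODE)
        ? "ECAPMODE, as expected" : "unexpected result");
    return 0;
}
#else
int main(void)
{
    puts("Capsicum is FreeBSD-only; nothing to demonstrate on this host.");
    return 0;
}
#endif
```

The order matters: rights are narrowed on each descriptor first, then cap_enter() is called. After cap_enter() the process can no longer open /dev/bpf, the -w file or anything else by path, which is exactly why -V (a list of files to open later) and -z (a command to exec) are incompatible with the sandbox in this form.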

Approved by: delphij, wxs
Sponsored by: The FreeBSD Foundation

Details

Provenance
pjd, authored on Jul 7 2013, 9:19 PM
Parents
rG0ff7433de7cc: Correct typo specifying jflags.