| author | Roy Marples <roy@marples.name> | 2020-05-07 20:57:22 +0100 |
|---|---|---|
| committer | Roy Marples <roy@marples.name> | 2020-05-07 20:57:22 +0100 |
| commit | 727b7e9bf8b2fe810913c76c5fd36767869944bb (patch) | |
| tree | 6658f3e35253c3e454db835643e0bdaaf860a885 /configure | |
| parent | 47fd1621cbe22b4e085d2bb36d01b610bb125980 (diff) | |
privsep: Enable capsicum for network facing processes
All fd's in network facing processes are fully limited.
Capability mode is only enabled for BPF processes because
it's too restrictive otherwise - the reasons are noted
in the commit.
Diffstat (limited to 'configure')
| -rwxr-xr-x | configure | 17 |
1 files changed, 17 insertions, 0 deletions
@@ -648,6 +648,23 @@ else echo "EMBEDDEDINSTALL= _embeddedinstall" >>$CONFIG_MK fi +if [ "$PRIVSEP" = yes ]; then + printf "Testing for capsicum ... " + cat <<EOF >_capsicum.c +#include <sys/capsicum.h> +int main(void) { + return cap_enter(); +} +EOF + if $XCC _capsicum.c -o _capsicum 2>&3; then + echo "yes" + echo "#define HAVE_CAPSICUM" >>$CONFIG_H + else + echo "no" + fi + rm -f _capsicum.c _capsicum +fi + if [ "$OS" = linux ]; then printf "Testing for nl80211 ... " cat <<EOF >_nl80211.c |
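Review bot: the probe in the new `if [ "$PRIVSEP" = yes ]` block only proves that `<sys/capsicum.h>` exists and `cap_enter()` links, yet the commit message says the change also fully limits file descriptors. If the code guarded by `HAVE_CAPSICUM` calls a rights-limiting function as well, reference it in `_capsicum.c` too, so the define is only written when every Capsicum call the build depends on is available. Second point, on the `else` branch: a failed probe prints just "no" and the build continues with privsep enabled but without the sandbox. Since that changes the security posture of the network-facing processes, consider a clearer message there (for example, that privsep will be built without Capsicum) so packagers notice. The hunk also shows no way to force the result on or off, which would help anyone who needs to turn the sandbox off while debugging; if no such switch exists elsewhere in configure, it is worth adding one. Compiling without running the test binary is the right choice here, since it keeps cross-builds working.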
