authorRoy Marples <roy@marples.name>2020-06-05 20:24:21 +0100
committerRoy Marples <roy@marples.name>2020-06-05 20:24:21 +0100
commit7ef3d6a703f5c3b1fa537ae324f7d79f085f31f9 (patch)
tree096d27b660b63c09ff2d66c183ab3a21b1fbea6f /src/if-bsd.c
parentff6831723b04b617f73e88cf84387f46eea1faf5 (diff)
privsep: Limit rights generically rather than Capsicum specifc
You never know when another sandbox tech comes around. While here, add limits for every socket in the unprivileged processes. Some were absent before. Also, note that RLIMIT_NOFILE breaks our control socket, so temporarily disable that.
Diffstat (limited to 'src/if-bsd.c')
-rw-r--r--src/if-bsd.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/if-bsd.c b/src/if-bsd.c
index 6f2746d0..e87c787d 100644
--- a/src/if-bsd.c
+++ b/src/if-bsd.c
@@ -163,6 +163,10 @@ if_opensockets_os(struct dhcpcd_ctx *ctx)
#ifdef INET6
priv->pf_inet6_fd = xsocket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+#ifdef PRIVSEP_RIGHTS
+ if (IN_PRIVSEP(ctx))
+ ps_rights_limit_ioctl(priv->pf_inet6_fd);
+#endif
/* Don't return an error so we at least work on kernels witout INET6
* even though we expect INET6 support.
* We will fail noisily elsewhere anyway. */
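Review bot: The added `ps_rights_limit_ioctl(priv->pf_inet6_fd)` call runs even when `xsocket()` failed, and its result is discarded. The comment directly below says a failed PF_INET6 socket is tolerated, so the fd can be -1 here, and a failure to restrict a valid socket would leave the unprivileged process holding an unrestricted descriptor with nothing logged. Consider guarding on the fd and acting on the result, e.g. `if (IN_PRIVSEP(ctx) && priv->pf_inet6_fd != -1 &&` `ps_rights_limit_ioctl(priv->pf_inet6_fd) == -1)` `return -1;`, assuming the helper returns -1 on error (its definition is not visible in this hunk). if_opensockets_os starts and ends outside the hunk.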