privsep: Limit rights generically rather than Capsicum specifc

You never know when another sandbox tech comes around. While here, add limits for every socket in the unpriviledged processes. Some were absent before. Also, note that RLIMIT_NOFILE breaks our control socket so temporary disable that.
author: Roy Marples <roy@marples.name> 2020-06-05 20:24:21 +0100
committer: Roy Marples <roy@marples.name> 2020-06-05 20:24:21 +0100
commit: 7ef3d6a703f5c3b1fa537ae324f7d79f085f31f9 (patch)
tree: 096d27b660b63c09ff2d66c183ab3a21b1fbea6f /src/if.c
parent: ff6831723b04b617f73e88cf84387f46eea1faf5 (diff)
download: dhcpcd-7ef3d6a703f5c3b1fa537ae324f7d79f085f31f9.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/if.c b/src/if.c
index fca65c3f..c9327384 100644
--- a/src/if.c
+++ b/src/if.c
@@ -111,6 +111,10 @@ if_opensockets(struct dhcpcd_ctx *ctx)
 	ctx->pf_link_fd = xsocket(PF_LINK, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (ctx->pf_link_fd == -1)
 		return -1;
+#ifdef HAVE_CAPSICUM
+	if (ps_rights_limit_ioctl(ctx->pf_link_fd) == -1)
+		return -1;
+#endif
 #endif
 
 	/* We use this socket for some operations without INET. */
author	Roy Marples <roy@marples.name>	2020-06-05 20:24:21 +0100
committer	Roy Marples <roy@marples.name>	2020-06-05 20:24:21 +0100
commit	7ef3d6a703f5c3b1fa537ae324f7d79f085f31f9 (patch)
tree	096d27b660b63c09ff2d66c183ab3a21b1fbea6f /src/if.c
parent	ff6831723b04b617f73e88cf84387f46eea1faf5 (diff)
download	dhcpcd-7ef3d6a703f5c3b1fa537ae324f7d79f085f31f9.tar.xz