privsep: Implement pledge(2) support as found on OpenBSD

author: Roy Marples <roy@marples.name> 2020-05-10 16:09:54 +0100
committer: Roy Marples <roy@marples.name> 2020-05-10 16:09:54 +0100
commit: 2f9d9eae5fb8fb1922b0e096e157987ac0df110e (patch)
tree: c90effa39a8875fdf93f703bd9174a3d7e59dc77 /src/privsep.c
parent: 82d7c0bc10c09e0fb5ae4df1eeaede78377d1c8b (diff)
download: dhcpcd-2f9d9eae5fb8fb1922b0e096e157987ac0df110e.tar.xz
1 files changed, 18 insertions, 0 deletions
diff --git a/src/privsep.c b/src/privsep.c
index 51fdf7b7..ac503a53 100644
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -176,6 +176,24 @@ ps_dropprivs(struct dhcpcd_ctx *ctx, unsigned int flags)
 #else
 	UNUSED(flags);
 #endif
+
+#ifdef HAVE_PLEDGE
+	if (flags & PSF_PLEDGE) {
+		const char *promises;
+
+		if (ctx->options & DHCPCD_UNPRIV)
+			promises = "stdio dns bpf";
+		else
+			/* SIOCGIFGROUP requries inet
+			 * lease files and foo require rpath, wpath and cpath */
+			promises = "stdio dns inet route rpath wpath cpath";
+                if (pledge(promises, NULL) == -1) {
+                        logerr("%s: pledge", __func__);
+                        return -1;
+                }
+	}
+#endif
+
 	return 0;
 }
author	Roy Marples <roy@marples.name>	2020-05-10 16:09:54 +0100
committer	Roy Marples <roy@marples.name>	2020-05-10 16:09:54 +0100
commit	2f9d9eae5fb8fb1922b0e096e157987ac0df110e (patch)
tree	c90effa39a8875fdf93f703bd9174a3d7e59dc77 /src/privsep.c
parent	82d7c0bc10c09e0fb5ae4df1eeaede78377d1c8b (diff)
download	dhcpcd-2f9d9eae5fb8fb1922b0e096e157987ac0df110e.tar.xz