diff options
| author | Roy Marples <roy@marples.name> | 2020-09-20 19:09:08 +0100 |
|---|---|---|
| committer | Roy Marples <roy@marples.name> | 2020-09-20 19:09:08 +0100 |
| commit | 8b204c618386a2d8fe4a44514824da6f6a462985 (patch) | |
| tree | 23403481bf3b3fe6c76f7761928c0d9b22d3b6be /src/privsep.c | |
| parent | 744f8864f72e008957da13f243e2321377bdba64 (diff) | |
| download | dhcpcd-8b204c618386a2d8fe4a44514824da6f6a462985.tar.xz | |
privsep: sandbox the launcher process
Diffstat (limited to 'src/privsep.c')
| -rw-r--r-- | src/privsep.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/src/privsep.c b/src/privsep.c index ffaa303a..2c161e15 100644 --- a/src/privsep.c +++ b/src/privsep.c @@ -118,7 +118,8 @@ ps_dropprivs(struct dhcpcd_ctx *ctx) if (!(ctx->options & DHCPCD_FORKED)) logdebugx("chrooting to `%s' as %s", pw->pw_dir, pw->pw_name); - if (chroot(pw->pw_dir) == -1) + if (chroot(pw->pw_dir) == -1 && + (errno != EPERM || ctx->options & DHCPCD_FORKED)) logerr("%s: chroot `%s'", __func__, pw->pw_dir); if (chdir("/") == -1) logerr("%s: chdir `/'", __func__); @@ -517,11 +518,18 @@ ps_entersandbox(const char *_pledge, const char **sandbox) } int -ps_mastersandbox(struct dhcpcd_ctx *ctx) +ps_mastersandbox(struct dhcpcd_ctx *ctx, const char *_pledge) { const char *sandbox = NULL; - - if (ps_dropprivs(ctx) == -1) { + bool forked; + int dropped; + + forked = ctx->options & DHCPCD_FORKED; + ctx->options &= ~DHCPCD_FORKED; + dropped = ps_dropprivs(ctx); + if (forked) + ctx->options |= DHCPCD_FORKED; + if (dropped == -1) { logerr("%s: ps_dropprivs", __func__); return -1; } @@ -537,7 +545,9 @@ ps_mastersandbox(struct dhcpcd_ctx *ctx) } #endif - if (ps_entersandbox("stdio route", &sandbox) == -1) { + if (_pledge == NULL) + _pledge = "stdio"; + if (ps_entersandbox(_pledge, &sandbox) == -1) { if (errno == ENOSYS) { if (sandbox != NULL) logwarnx("sandbox unavailable: %s", sandbox); |