privsep: allow CAP_SETSOCKOPT for route(4) fd.

If FreeBSD ever implements RO_MISSFILTER it will need special rights to work over Capsium.
author: Roy Marples <roy@marples.name> 2020-10-02 15:57:01 +0100
committer: Roy Marples <roy@marples.name> 2020-10-02 15:57:01 +0100
commit: d13d954be2a7e366e2c5090bf95d762074c278ff (patch)
tree: e6ae83f03cd63796aaa505e9015bd0864ba6f142 /src/privsep.c
parent: c4c15d9a6423827ea80cc537e6f7fcf7d6fc172d (diff)
download: dhcpcd-d13d954be2a7e366e2c5090bf95d762074c278ff.tar.xz
1 files changed, 11 insertions, 1 deletions
diff --git a/src/privsep.c b/src/privsep.c
index a7a17e92..693a87f5 100644
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -260,6 +260,17 @@ ps_rights_limit_fd(int fd)
 }
 
 int
+ps_rights_limit_fd_setsockopt(int fd)
+{
+	cap_rights_t rights;
+
+	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT, CAP_SETSOCKOPT);
+	if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
+		return -1;
+	return 0;
+}
+
+int
 ps_rights_limit_fd_rdonly(int fd)
 {
 	cap_rights_t rights;
@@ -537,7 +548,6 @@ ps_mastersandbox(struct dhcpcd_ctx *ctx, const char *_pledge)
 #ifdef PRIVSEP_RIGHTS
 	if ((ctx->pf_inet_fd != -1 &&
 	    ps_rights_limit_ioctl(ctx->pf_inet_fd) == -1) ||
-	    (ctx->link_fd != -1 && ps_rights_limit_fd(ctx->link_fd) == -1) ||
 	     ps_rights_limit_stdio(ctx) == -1)
 	{
 		logerr("%s: cap_rights_limit", __func__);
author	Roy Marples <roy@marples.name>	2020-10-02 15:57:01 +0100
committer	Roy Marples <roy@marples.name>	2020-10-02 15:57:01 +0100
commit	d13d954be2a7e366e2c5090bf95d762074c278ff (patch)
tree	e6ae83f03cd63796aaa505e9015bd0864ba6f142 /src/privsep.c
parent	c4c15d9a6423827ea80cc537e6f7fcf7d6fc172d (diff)
download	dhcpcd-d13d954be2a7e366e2c5090bf95d762074c278ff.tar.xz