privsep: Enable capsicum for network facing processes

All fd's in network facing processes are fully limited. Capability mode is only enabled for BPF processes because it's too restrictive otherwise - the reasons are noted in the commit.
author: Roy Marples <roy@marples.name> 2020-05-07 20:57:22 +0100
committer: Roy Marples <roy@marples.name> 2020-05-07 20:57:22 +0100
commit: 727b7e9bf8b2fe810913c76c5fd36767869944bb (patch)
tree: 6658f3e35253c3e454db835643e0bdaaf860a885 /src/privsep.h
parent: 47fd1621cbe22b4e085d2bb36d01b610bb125980 (diff)
download: dhcpcd-727b7e9bf8b2fe810913c76c5fd36767869944bb.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/src/privsep.h b/src/privsep.h
index 9cdbb265..cb16ac1f 100644
--- a/src/privsep.h
+++ b/src/privsep.h
@@ -33,6 +33,7 @@
 
 /* Start flags */
 #define	PSF_DROPPRIVS		0x01
+#define	PSF_CAP_ENTER		0x02
 
 /* Commands */
 #define	PS_BOOTP		0x01
@@ -139,7 +140,7 @@ TAILQ_HEAD(ps_process_head, ps_process);
 
 int ps_mkdir(char *);
 int ps_init(struct dhcpcd_ctx *);
-int ps_dropprivs(struct dhcpcd_ctx *);
+int ps_dropprivs(struct dhcpcd_ctx *, unsigned int);
 int ps_start(struct dhcpcd_ctx *);
 int ps_stop(struct dhcpcd_ctx *);
author	Roy Marples <roy@marples.name>	2020-05-07 20:57:22 +0100
committer	Roy Marples <roy@marples.name>	2020-05-07 20:57:22 +0100
commit	727b7e9bf8b2fe810913c76c5fd36767869944bb (patch)
tree	6658f3e35253c3e454db835643e0bdaaf860a885 /src/privsep.h
parent	47fd1621cbe22b4e085d2bb36d01b610bb125980 (diff)
download	dhcpcd-727b7e9bf8b2fe810913c76c5fd36767869944bb.tar.xz