Commit message | Author | Age

Just have the one callback, but return an abstracted event mask
to work out if we can read/write or have something else.
Log diagnostics if the event mask is unexpected.
While here add more logging if we fail to register an event to
monitor.
This mirrors the inet listener.
The master process will catch this and cleanly remove the BPF process.
| |
This stops log spam if RTM_IFANNOUNCE is delayed for the departing
interface.
Otherwise we won't call inet_dispatch on a message meant for it.
We no longer change the filter as it's locked if the OS supports it.
This is kinda important.
The master process dictates when processes should stop, which
allows for a clean shutdown when the admin issues `pkill dhcpcd`.
All privsep processes only need to act on SIGTERM.
The privileged actioneer also needs to act on SIGCHLD.
Just in case someone issues a killall -HUP dhcpcd
Now that we've improved the robustness of the IPC this is important.
Well, it's not garbage, it's a privsep IPC message telling us to
start BPF which the BPF process should not have received!
Add code to ensure this cannot happen.
Looks like an OpenBSD bug.
Except for the privileged process.
This is quite an in-depth change:
* ARP is now one process per address
* BPF flags are now returned via privsep
* BPF write filters are locked when supported
* The root process sends to the network
The last step is done by opening RAW sockets and then sending a UDP
header (where applicable) to avoid binding to an address
which is already in use by the reader sockets.
This is slightly wasteful for OSes without sandboxing but does
have the very nice side effect of not needing a source address
to unicast DHCP replies from which makes the code smaller.
This is only really needed for long lasting ARP, which is only
used for IPv4 address defence.
Modern NetBSD does not need this and it fails to work with
OpenBSD Pledge. FreeBSD Capsicum is more secure without this
as the BPF fd can then be locked for other changes [1].
That just leaves Linux and Solaris.
If anyone feels dhcpcd is processing too much ARP then please
implement RFC 5227 in the kernel like NetBSD.
[1] Locking the BPF fd is questionable because the inet proxy
using sendmsg can send any packet to any destination.
While here make Capsicum and Pledge more granular so we can
easily Pledge the BPF BOOTP process but not the ARP one.
This allows us to move the database directory back into the
root of the filesystem.
While here, harden the files by denying any user read access to them.
As part of this change, init the DUID from any machine data and
cache the default DHCP vendor field before dropping privileges as we
may lose access to this later.
All fd's in network facing processes are fully limited.
Capability mode is only enabled for BPF processes because
it's too restrictive otherwise - the reasons are noted
in the commit.
Found by Arfrever.
Also important as we now need to store the frame header in the
initial buffer.
BSD and glibc have the signature for request as unsigned long.
musl and Solaris have a signed int.
As such, we need to detect this at compile time and adjust the
signature of our internal ioctl functions to match.
To keep the on-wire format the same, memcpy the request to the
unsigned long request and back again, thus preserving the signedness.
This brings parity with non privsep features.
Aside from the lack of Solaris support, but that's another day.
Found by LGTM bot.
Compiles but lacks support for DLPI and ioctl needs rework.
Not enabled by default - enable with ./configure --enable-privsep
Requires a user added to the system - default _dhcpcd
Several processes will be spawned off the main state engine:
a privileged actioneer and a generic network proxy.
Only the privileged actioneer process will retain root permissions.
When required, the privileged actioneer will also spawn
BPF listeners for BOOTP (DHCP) and ARP.
The BOOTP BPF listener should be a short lived process.
On kernels with RFC 5227 support, the ARP BPF listener will only
be used for ARPing and announcing a preferred address and will
also be a short lived process.
When not running in master mode, an address listener will be
spawned for each address (with the exception of RA derived addresses)
dhcpcd cares about.
TODO:
* Solaris support.
* ARP BPF address filtering.