path: root/src/privsep-inet.c
Commit log (commit message, author, age):

* Rename Master to Manager (Roy Marples, 2021-02-02)

* eloop: Make the API more like native poll/kqueue/epoll (Roy Marples, 2021-02-02)
  Just have the one callback, but return an abstracted event mask to work out if we can read/write or have something else. Log diagnostics if the event mask is unexpected. While here add more logging if we fail to register an event to monitor.

* A belated welcome to 2021 (Roy Marples, 2021-01-31)

* privsep: Only start network proxy if we need to (Roy Marples, 2020-10-07)
  Do this before starting it rather than it shutting down.

* privsep: Log if the platform sandbox is unavailable or available (Roy Marples, 2020-09-20)
  This is kinda important.

* privsep: Fold capsicum and pledge entry points into ps_entersandbox (Roy Marples, 2020-09-19)

* privsep: Only the master process accepts signals (Roy Marples, 2020-08-20)
  The master process dictates when processes should stop, which allows for a clean shutdown when the admin issues `pkill dhcpcd`.

* privsep: Simplify signal handling (Roy Marples, 2020-06-16)
  All privsep processes only need to act on SIGTERM. The privileged actioneer also needs to act on SIGCHLD.

* privsep: Don't handle any signals meant for the main process (Roy Marples, 2020-06-16)
  Just in case someone issues a killall -HUP dhcpcd
* privsep: Limit rights generically rather than Capsicum specific (Roy Marples, 2020-06-05)
  You never know when another sandbox tech comes around. While here, add limits for every socket in the unprivileged processes. Some were absent before. Also, note that RLIMIT_NOFILE breaks our control socket so temporarily disable that.

* privsep: Only open raw sockets for the needed protocols. (Roy Marples, 2020-06-01)
  Just warn about any errors rather than forcing an early exit as well. While here, fix startup if DHCPv6 disabled globally but enabled per if.

* privsep: Validate ICMP messages we send as well (Roy Marples, 2020-05-21)

* privsep: Validate UDP ports (Roy Marples, 2020-05-21)
  Just like we filter the ioctls.

* privsep: inet processes no longer need inet pledge (Roy Marples, 2020-05-20)

* privsep: Enable Capsicum for all processes. (Roy Marples, 2020-05-19)
  Except for the privileged process. This is quite an in-depth change:
    * ARP is now one process per address
    * BPF flags are now returned via privsep
    * BPF write filters are locked when supported
    * The root process sends to the network
  The last step is done by opening RAW sockets and then sending a UDP header (where applicable) to avoid binding to an address which is already in use by the reader sockets. This is slightly wasteful for OSes without sandboxing but does have the very nice side effect of not needing a source address to unicast DHCP replies from, which makes the code smaller.
* BPF: Set write filters where supported (Roy Marples, 2020-05-15)
  While here make Capsicum and Pledge more granular so we can easily Pledge the BPF BOOTP process but not the ARP one.

* privsep: Handle all file IO in the Privileged Actioneer (Roy Marples, 2020-05-12)
  This allows us to move the database directory back into the root of the filesystem. While here, harden the files by denying any user read access to them. As part of this change, init the DUID from any machine data and cache the default DHCP vendor field before dropping privileges as we may lose access to this later.

* privsep: Implement pledge(2) support as found on OpenBSD (Roy Marples, 2020-05-10)

* privsep: Enable capsicum for network facing processes (Roy Marples, 2020-05-07)
  All fds in network facing processes are fully limited. Capability mode is only enabled for BPF processes because it's too restrictive otherwise - the reasons are noted in the commit.

* privsep: Remove unused function. (Roy Marples, 2020-05-07)

* dhcpcd: Fix separation of per interface and per family (Roy Marples, 2020-04-23)
  While here improve privsep process titles for this.

* privsep: Don't abort if we fail to init a protocol. (Roy Marples, 2020-04-16)
  It's only an error if we cannot init anything.
* spelling: Correct both privilege and separation (Roy Marples, 2020-02-10)
  Found by Arfrever.

* ioctl: The POSIX signature differs from BSD and glibc (Roy Marples, 2020-01-08)
  BSD and glibc have the signature for request as unsigned long. musl and Solaris have a signed int. As such, we need to detect this at compile time and adjust the signature of our internal ioctl functions to match. To keep the on-wire format the same, memcpy the request to the unsigned long request and back again, thus preserving the signedness.

* Welcome to 2020! (Roy Marples, 2020-01-03)

* privsep: guard spawn debug messages behind PRIVSEP_DEBUG (Roy Marples, 2019-11-29)

* privsep: Sprinkle some const (Roy Marples, 2019-11-28)

* Solaris: start privsep support (Roy Marples, 2019-11-29)
  Compiles but lacks support for DLPI and ioctl needs rework.

* privsep: Add support for privilege separation (Roy Marples, 2019-11-28)
  Not enabled by default - enable with ./configure --enable-privsep
  Requires a user added to the system - default _dhcpcd
  Several processes will be spawned off the main state engine: a privileged actioneer and a generic network proxy. Only the privileged actioneer process will retain root permissions. When required, the privileged actioneer will also spawn BPF listeners for BOOTP (DHCP) and ARP. The BOOTP BPF listener should be a short lived process. On kernels with RFC 5227 support, the ARP BPF listener will only be used for ARPing and announcing a preferred address and will also be a short lived process. When not running in master mode, an address listener will be spawned for each address (with the exception of RA derived addresses) dhcpcd cares about.
  TODO:
    * Solaris support.
    * ARP BPF address filtering.