| Commit message | Author | Age |

Sadly actioneer is not a real word.

Just have the one callback, but return an abstracted event mask
to work out if we can read/write or have something else.
Log diagnostics if the event mask is unexpected.
While here, add more logging if we fail to register an event to
monitor.

kqueue allows for O(1) processing of active fds and a more
robust signal handling method without the need to use global
variables to avoid calling functions during signal delivery.
The problems with the prior implementation have now been fixed.

logclose is meant to free resources.
On Linux this means that _log_prog is also freed and once in the
chroot we cannot work it out again.
As such allow logopen to close what it needs to so that reopening
works.

Now that only the privileged actioneer does the actual logging
we can safely reopen the file we are logging to.
This also closes and re-opens the syslog connection.

If dhcpcd starts and no syslogd implementation is running then
various syscall filters could be triggered when dhcpcd wants to syslog
and it's already in a chroot.
Not all libc openlog implementations support LOG_NDELAY and
openlog does not return an error code and can also mask errno back to 0.
So we have no way of knowing if we have a syslog connection or not.
This means we cannot cache the connection at startup because syslog itself
will try and open if no connection.
As such, all logging is now directed to the dhcpcd privileged actioneer
process which will handle all the syslog and log file writing actions.
The only downside of this approach (other than an extra fd per process)
is that we no longer know which PID raised the message. While we could
put the correct PID in the logfile as we control the API, we cannot
put it into syslog as we cannot control that API.
As all privsep errors should log which function they came from this
will hopefully not be an issue as on the happy path only the master
process will log stuff.

udev says whether an interface name is stable or not.
In a network namespace, udev claims the interface does not exist.
This makes sense because udev only operates in the root namespace.
As such disable udev in a network namespace.
While here correctly spell initialise.

The master process dictates when processes should stop, which
allows for a clean shutdown when the admin issues `pkill dhcpcd`.

We cannot use shutdown(2) because they are not connected.
Constantly draining would be a waste of CPU time, so just let
the buffer overflow. To ease the kernel as much as we can, set
a zero length buffer.
The kernel may still allocate a small buffer, but this is kernel
dependent and we're just trying to be helpful.

Fails noisily on Linux.
This reverts commit 5fc20ae1aa368e36f9cabcbc047cd7d8e468c5b7.

Clearly shows our intent and hopefully is an optimisation
within the kernel.

All privsep processes only need to act on SIGTERM.
The privileged actioneer also needs to act on SIGCHLD.

Just in case someone issues a killall -HUP dhcpcd

Only test a successful stop IPC command.
By the time we shut down the socket to be extra nice, the
process we sent stop to could have already exited, therefore
we can discard any error.

You never know when another sandbox tech comes around.
While here, add limits for every socket in the unprivileged
processes. Some were absent before.
Also, note that RLIMIT_NOFILE breaks our control socket so
temporarily disable that.

Now that we've improved the robustness of the IPC this is important.

Instead, wait on receipt of SIGCHLD so we're not blocked.

epoll and kqueue are really too heavyweight.
With privsep, we now favour more processes for BPF and per address sockets.
As such, the number of fds to monitor will always be quite small.
All modern OSes now have ppoll(2) (NetBSD has pollts, which is the same)
which works perfectly for us.
If neither is present, a wrapper around pselect(2) is provided,
which can be found on all POSIX systems.
This makes the code a lot smaller and easier to follow.
The reduced binary size and memory usage are a nice win here.

As we can't get at it in the chroot.
While here, harden the file.

If eloop is exited, only allow explicit re-entry.
Only exit on read/write error if a forked process and not root.
If the root process fails to read/write to a sub-process,
stop the sub-process.

Just warn about any errors rather than forcing an early exit as well.
While here, fix startup if DHCPv6 disabled globally but enabled per if.

While harmless, it's also meaningless.

For udev at least, it requires a /var/run to be available in the chroot
which is poor. As such, give it a full IPC.

This *should* affect no-one, but you never know.
The primary motivation for this is to ensure that nothing arbitrary
can be executed by the root process if anyone breaks into the
chrooted unprivileged master process.
It also makes for smaller code.

Just like we filter the ioctls.

In the same vein as filtering ioctls.

In case the master process is broken into.

Well, it's not garbage, it's a privsep IPC message telling us to
start BPF which the BPF process should not have received!
Add code to ensure this cannot happen.

Except for the privileged process.
This is quite an in-depth change:
* ARP is now one process per address
* BPF flags are now returned via privsep
* BPF write filters are locked when supported
* The root process sends to the network
The last step is done by opening RAW sockets and then sending a UDP
header (where applicable) to avoid binding to an address
which is already in use by the reader sockets.
This is slightly wasteful for OSes without sandboxing but does
have the very nice side effect of not needing a source address
to unicast DHCP replies from which makes the code smaller.

While ps_root_getifaddrs is only for capsicum, it's highly portable
and thus in the privsep-root rather than privsep-bsd.
As such, store the sockaddr len as socklen_t because that's what
POSIX demands.
It's only a few more bytes and I'd rather make this change now
than it potentially bite me later.