| Commit message (Collapse) | Author | Age |
Now that only the privileged actioneer does the actual logging
we can safely reopen the file we are logging to.
This also closes and re-opens the syslog connection.
udev says whether an interface name is stable or not.
In a network namespace, udev claims the interface does not exist.
This makes sense because udev only operates in the root namespace.
As such disable udev in a network namespace.
While here correctly spell initialise.
Because poll(2) returns EINVAL if nfds is higher.
This really blows chunks, but it is what it is.
An attacker could close a fd and open something else, but it's
the best we can do.
Achieved by adding IPC to ignore interface names based on
the interface group.
This means every process just pledges stdio for IPC with the
exception of the master process which also pledges route so it
can access the routing table.
As we can't get at it in the chroot.
While here, harden the file.
For udev at least, it requires a /var/run to be available in the chroot
which is poor. As such, give it a full IPC.
This *should* affect no-one, but you never know.
The primary motivation for this is to ensure that nothing arbitrary
can be executed by the root process if anyone breaks into the
chrooted unprivileged master process.
It also makes for smaller code.
Although this is only for Capsicum, the getifaddrs interface is
quite portable although not POSIX.
With this final change, the Master process can now enter Capsicum
Capabilities Mode and this completes the Capsicum integration.
This allows us to move the database directory back into the
root of the filesystem.
While here, harden the files by denying any user read access to them.
As part of this change, init the DUID from any machine data and
cache the default DHCP vendor field before dropping privileges as we
may lose access to this later.
Found by Arfrever.
--logfile may not work that well in a chroot on receipt of SIGUSR2
because the path is of course different.
Might have to drop this option soon as I have no good ideas
on how to resolve it :(
Only if it has changed.
Saves having to maintain it outside of dhcpcd in a script or
something.
This means that the privileged actioneer process needs to clean up
sockets and pidfile.
It also has some reliance on how dhcpcd is started to create
a decent chroot area AND copy the configuration file to it.
This works by randomising the hardware address when carrier is down
and using this to construct a DUID LL which is used over any saved
DUID. IAID is defaulted to zero and hostname + FQDN are disabled.
Then every possible option is masked out except for essential ones.
It's possible to request options *after* anonymous option which
will enable it. This is RFC compliant and allows 100% flexibility
in letting the user decide what, if any, details leak out.
This is disabled by default.
Only works on NetBSD, other OS coming shortly.
BSD and glibc have the signature for request as unsigned long.
musl and Solaris have a signed int.
As such, we need to detect this at compile time and adjust the
signature of our internal ioctl functions to match.
To keep the on-wire format the same, memcpy the request to the
unsigned long request and back again, thus preserving the signedness.
Compiles but lacks support for DLPI and ioctl needs rework.
Not enabled by default - enable with ./configure --enable-privsep
Requires a user added to the system - default _dhcpcd
Several processes will be spawned off the main state engine:
a privileged actioneer and a generic network proxy.
Only the privileged actioneer process will retain root permissions.
When required, the privileged actioneer will also spawn
BPF listeners for BOOTP (DHCP) and ARP.
The BOOTP BPF listener should be a short lived process.
On kernels with RFC 5227 support, the ARP BPF listener will only
be used for ARPing and announcing a preferred address and will
also be a short lived process.
When not running in master mode, an address listener will be
spawned for each address (with the exception of RA derived addresses)
dhcpcd cares about.
TODO:
* Solaris support.
* ARP BPF address filtering.