| Commit message (Collapse) | Author | Age |
Sadly actioneer is not a real word.
Just have the one callback, but return an abstracted event mask
to work out if we can read/write or have something else.
Log diagnostics if the event mask is unexpected.
While here add more logging if we fail to register an event to
monitor.
eloop allows for O(1) processing of active fds.
The problems with the prior implementation have now been fixed.
It wasn't fixed, it was using kqueue so avoided!
It should no longer be needed for OpenBSD, Linux and Solaris.
kqueue allows for O(1) processing of active fds and a more
robust signal handling method without the need to use global
variables to avoid calling functions during signal delivery.
The problems with the prior implementation have now been fixed.
There is little point.
With this set dhcpcd will not configure anything on the host.
The expectation is that a 3rd party script will instead.
If dhcpcd starts and no syslogd implementation is running then
various syscall filters could be triggered when dhcpcd wants to syslog
and it's already in a chroot.
Not all libc openlog implementations support LOG_NDELAY and
openlog does not return an error code and can also mask errno back to 0.
So we have no way of knowing if we have a syslog connection or not.
This means we cannot cache the connection at startup because syslog itself
will try and open if no connection.
As such, all logging is now directed to the dhcpcd privileged actioneer
process which will handle all the syslog and log file writing actions.
The only downside of this approach (other than an extra fd per process)
is that we no longer know which PID raised the message. While we could
put the correct PID in the logfile as we control the API, we cannot
put it into syslog as we cannot control that API.
As all privsep errors should log which function they came from this
will hopefully not be an issue as on the happy path only the master
process will log stuff.
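As an added example of the relay described in this commit (my own code, not dhcpcd's): the unprivileged side never calls openlog/syslog and instead writes each message as one datagram over a socketpair; the privileged side is the only process that touches syslog(3) and the log file. The wire format, the function names and the sample messages are all assumptions made for this example; it assumes a platform with AF_UNIX SOCK_SEQPACKET (Linux and the BSDs) and uses fork() so the child's PID is genuinely different from the receiver's, which is what makes the "which PID raised it" caveat visible.

```c
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical wire format: fixed header then the text, one datagram per
 * message (SOCK_SEQPACKET keeps the boundaries). The sender's PID rides
 * along so the log file can record it; syslog(3) stamps its own PID and
 * gives us no way to override that. */
struct logmsg_hdr {
	int32_t  level;   /* syslog priority, e.g. LOG_ERR */
	int32_t  pid;     /* PID of the process that raised the message */
	uint32_t len;     /* bytes of text following the header */
};

#define LOGMSG_MAX 1024   /* longest text carried in one message */

/* Unprivileged side: no openlog/syslog here, so nothing for a syscall
 * filter to trip on inside the chroot; just one writev() to the relay fd. */
int log_send(int fd, int level, const char *text)
{
	struct logmsg_hdr h;
	struct iovec iov[2];
	size_t len = strlen(text);

	if (len > LOGMSG_MAX - 1)
		len = LOGMSG_MAX - 1;   /* truncate rather than refuse */
	h.level = level;
	h.pid = (int32_t)getpid();
	h.len = (uint32_t)len;
	iov[0].iov_base = &h;
	iov[0].iov_len = sizeof(h);
	iov[1].iov_base = (void *)text;
	iov[1].iov_len = len;
	return writev(fd, iov, 2) == (ssize_t)(sizeof(h) + len) ? 0 : -1;
}

/* Privileged side: read one datagram and check the header against the
 * datagram size before trusting it. Returns text length, 0 on EOF, -1 on error. */
ssize_t log_recv(int fd, struct logmsg_hdr *h, char *buf, size_t buflen)
{
	unsigned char pkt[sizeof(*h) + LOGMSG_MAX];
	ssize_t n = read(fd, pkt, sizeof(pkt));

	if (n <= 0)
		return n;
	if ((size_t)n < sizeof(*h)) {
		errno = EPROTO;
		return -1;
	}
	memcpy(h, pkt, sizeof(*h));
	if (h->len != (size_t)n - sizeof(*h) || h->len >= buflen) {
		errno = EMSGSIZE;
		return -1;
	}
	memcpy(buf, pkt + sizeof(*h), h->len);
	buf[h->len] = '\0';
	return (ssize_t)h->len;
}

/* Privileged side: the only place the log file and syslog(3) are touched. */
void log_deliver(const struct logmsg_hdr *h, const char *text, FILE *logfile)
{
	fprintf(logfile, "[%d] <%d> %s\n", (int)h->pid, (int)h->level, text);
	syslog(h->level, "%s", text);   /* syslog records *this* PID, not the sender's */
}

/* Round trip: fork a "sandboxed" child that may only use log_send() and
 * collect what it sent. Returns the number of messages received from the
 * child and copies the last one into `last`. */
int log_relay_demo(char *last, size_t lastlen)
{
	int sv[2], count = 0;
	pid_t child;

	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) == -1)
		return -1;
	if ((child = fork()) == -1)
		return -1;
	if (child == 0) {
		close(sv[0]);
		/* constructed sample messages, not real dhcpcd output */
		log_send(sv[1], LOG_WARNING, "sample: lease renewal timed out");
		log_send(sv[1], LOG_ERR, "sample: privsep write failed");
		_exit(0);
	}
	close(sv[1]);
	for (;;) {
		struct logmsg_hdr h;
		char text[LOGMSG_MAX];

		if (log_recv(sv[0], &h, text, sizeof(text)) <= 0)
			break;   /* EOF once the child exits, or a bad datagram */
		if (h.pid == (int32_t)child) {
			log_deliver(&h, text, stderr);
			snprintf(last, lastlen, "%s", text);
			count++;
		}
	}
	close(sv[0]);
	waitpid(child, NULL, 0);
	return count;
}
```

Calling `log_relay_demo()` prints both sample lines to stderr with the child's PID in the file-format line, while the syslog copies carry the relay's PID; that asymmetry is exactly the trade-off the commit accepts. Validating `h.len` against the datagram size matters because the sender is, by design, the less trusted process.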
Do this before starting it rather than it shutting down.
And the sandbox tech as well.
Rework stop_interface so we can reuse an option for marking
a process as the launcher.
So we can report receive buffer size.
Important for route(4) overflow so we can try and set a bigger buffer.
If FreeBSD ever implements RO_MISSFILTER it will need special
rights to work over Capsicum.
This is kinda important.
Now we have capsicum, pledge and the POSIX resource limited sandboxes
this was quite easy really.
UNIX applications expect these to exist even if pointed at /dev/null.
We cannot change which fd they use, it's always 0, 1 and 2.
But if these fds are not open when dhcpcd is called, they could
be assigned to dhcpcd internals.
In this instance we should not use the streams in any way or form.
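As an added example of the check this commit describes (my own code, not dhcpcd's): before opening anything else, probe fds 0, 1 and 2 with fcntl(F_GETFD) and open /dev/null onto any that are closed, so a later socket or lease file can never land on a descriptor number that stdio will write to. The function name is an assumption for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Make sure fds 0, 1 and 2 are open before the program opens anything
 * else. If the caller started us with one of them closed, the next
 * open()/socket() would be handed that number and any later write to
 * "stderr" would corrupt an unrelated descriptor.
 * Returns how many descriptors had to be opened, or -1 on error. */
int ensure_std_fds(void)
{
	int opened = 0;

	for (int fd = 0; fd <= 2; fd++) {
		if (fcntl(fd, F_GETFD) != -1)
			continue;               /* already open, leave it alone */
		if (errno != EBADF)
			return -1;              /* some other failure, not "closed" */

		/* stdin is opened read-only, stdout/stderr write-only */
		int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
		if (nfd == -1)
			return -1;
		if (nfd != fd) {
			/* open(2) returns the lowest free fd, so in this loop nfd
			 * should already be fd; handle a race defensively anyway */
			if (dup2(nfd, fd) == -1) {
				close(nfd);
				return -1;
			}
			close(nfd);
		}
		opened++;
	}
	return opened;
}

int main(void)
{
	close(0);   /* simulate a caller that did not give us a stdin */
	int n = ensure_std_fds();

	fprintf(stderr, "opened %d standard fd(s)\n", n);
	return n == 1 ? 0 : 1;
}
```

The check has to run first thing in main(); once any other descriptor has been allocated the damage described in the commit has already been done.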
This actually makes life really simple!
We no longer need to redirect stdout/stderr to /dev/null for privsep
and any script output is now captured again - and it all goes to stderr
as it should even if a script wants it to go to stdout.
On the happy path, only the master process will actually log anything
to stderr so we turn that off after we "fork".
On the unhappy path, logging to stderr/stdout *may* fail because
the launcher process *may* have exited.
We *could* have the master process as an intermediary but that's
just excess code to avoid errors which *should* not happen.
Regardless, any error should still hit syslog.
The master process dictates when processes should stop, which
allows for a clean shutdown when the admin issues `pkill dhcpcd`.
stderr could be redirected.
While here, there is no longer a need to redirect stderr or stdout
as they already have been in dhcpcd.
So shut up some compilers who complain we don't do anything with it.
Just log the error.
This allows valgrind to be used still as it uses big fd numbers in
the client.
Only test a successful stop IPC command.
By the time we shutdown the socket to be extra nice, the
process we sent stop to could have already exited, therefore
we can discard any error.
If you don't use the dhcpcd logfile option.
Duh.
We cannot offload it to the root process either because not all
sandboxes have access to that.....
Really need to fix syslog so that it starts before dhcpcd.
After all, pledge or capsicum could have bugs.
It's required for pledge.
It *could* be optional for capsicum but I'd like to try and
keep the sandboxing the same for now.
Because poll(2) returns EINVAL if nfds is higher.
This really blows chunks, but it is what it is.
An attacker could close a fd and open something else, but it's
the best we can do.
For systems without Capsicum or Pledge we can create a resource
limited sandbox provided that either ppoll(2) or works with
RLIMIT_NOFILES set to zero.
As far as dhcpcd is concerned, that means Linux and Solaris
won't work with this, but NetBSD and DragonFlyBSD will.
To achieve this, a special control proxy process will be spawned
just to accept new connections over the control socket because
this *cannot* be limited by RLIMIT_NOFILES.
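As an added example covering both this commit and the earlier poll(2)/EINVAL one (my own probe, not dhcpcd's sandbox code): a forked child opens a descriptor, drops RLIMIT_NOFILE to zero, then checks what still works. Existing descriptors keep working and no new one can ever be obtained, not even by closing one first; whether poll() on nfds == 1 survives is the platform split the commit describes, and on Linux it fails with EINVAL because nfds exceeds the limit. The PROBE_* names and the fork-based layout are assumptions for this example.

```c
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Result bits from nofile_zero_probe(); hypothetical names for this example. */
#define PROBE_OPEN_REFUSED    0x01  /* open(2) after the limit failed with EMFILE */
#define PROBE_EXISTING_OK     0x02  /* an fd opened before the limit still works */
#define PROBE_REOPEN_REFUSED  0x04  /* close()+open() gets EMFILE too */
#define PROBE_POLL_OK         0x08  /* poll(2) with nfds == 1 succeeded */
#define PROBE_POLL_EINVAL     0x10  /* poll(2) failed with EINVAL (Linux) */

/* Runs in a forked child because the limit cannot be undone: once
 * rlim_max is 0 this process never gets another descriptor. */
static void probe_child(void)
{
	struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
	struct pollfd pfd;
	char byte = 0;
	int result = 0;
	int fd = open("/dev/null", O_RDWR);   /* opened *before* the limit */

	if (fd == -1 || setrlimit(RLIMIT_NOFILE, &rl) == -1)
		_exit(255);

	/* new descriptors are gone for good... */
	if (open("/dev/null", O_RDONLY) == -1 && errno == EMFILE)
		result |= PROBE_OPEN_REFUSED;
	/* ...but the ones already held keep working */
	if (write(fd, &byte, 1) == 1)
		result |= PROBE_EXISTING_OK;
	/* Linux rejects nfds > RLIMIT_NOFILE with EINVAL; the BSDs named in
	 * the commit let this through, which is what the sandbox relies on */
	pfd.fd = fd;
	pfd.events = POLLOUT;
	if (poll(&pfd, 1, 0) >= 0)
		result |= PROBE_POLL_OK;
	else if (errno == EINVAL)
		result |= PROBE_POLL_EINVAL;
	/* with a limit of zero (rather than "current count") closing an fd
	 * does not free a slot for an attacker to open something else in */
	close(fd);
	if (open("/dev/null", O_RDONLY) == -1 && errno == EMFILE)
		result |= PROBE_REOPEN_REFUSED;
	_exit(result);
}

/* Fork the probe and return its result bits, or -1 if the probe itself failed. */
int nofile_zero_probe(void)
{
	int status;
	pid_t pid = fork();

	if (pid == -1)
		return -1;
	if (pid == 0)
		probe_child();   /* never returns */
	if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
	int r = nofile_zero_probe();

	if (r == -1) {
		perror("probe");
		return 1;
	}
	printf("open refused: %s, existing fd ok: %s, reopen refused: %s, poll: %s\n",
	    r & PROBE_OPEN_REFUSED ? "yes" : "no",
	    r & PROBE_EXISTING_OK ? "yes" : "no",
	    r & PROBE_REOPEN_REFUSED ? "yes" : "no",
	    r & PROBE_POLL_EINVAL ? "EINVAL" : r & PROBE_POLL_OK ? "ok" : "other error");
	return 0;
}
```

The REOPEN bit is the reason a limit of zero is stronger than a limit of "however many fds we hold now": the latter is what the poll(2) commit above calls the best it can do, and it still lets a compromised process close one descriptor and open another. It also shows why accept() on the control socket needs a separate, unlimited proxy process: accept() creates a descriptor and is refused just like open().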
You never know when another sandbox tech comes around.
While here, add limits for every socket in the unprivileged
processes. Some were absent before.
Also, note that RLIMIT_NOFILE breaks our control socket so
temporarily disable that.