Commit message | Author | Age

Just have the one callback, but return an abstracted event mask
to work out if we can read/write have something else.
Log diagnostics if the event mask is unexpected.
While here add more logging if we fail to register an event to
monitor.
Now that only the privileged actioneer does the actual logging
we can safely reopen the file we are logging to.
This also closes and re-opens the syslog connection.
So we can report receive buffer size.
Important for route(4) overflow so we can try and set a bigger buffer.
If FreeBSD ever implements RO_MISSFILTER it will need special
rights to work over Capsicum.
This is kinda important.
Now we have capsicum, pledge and the POSIX resource limited sandboxes
this was quite easy really.
It's required for pledge.
It *could* be optional for capsicum but I'd like to try and
keep the sandboxing the same for now.
Because poll(2) returns EINVAL if nfds is higher.
This really blows chunks, but it is what it is.
An attacker could close a fd and open something else, but it's
the best we can do.
For systems without Capsicum or Pledge we can create a resource
limited sandbox provided that either ppoll(2) or works with
RLIMIT_NOFILES set to zero.
As far as dhcpcd is concerned, that means Linux and Solaris
won't work with this, but NetBSD and DragonFlyBSD will.
To achieve this, a special control proxy process will be spawned
just to accept new connections over the control socket because
this *cannot* be limited by RLIMIT_NOFILES.
You never know when another sandbox tech comes around.
While here, add limits for every socket in the unprivileged
processes. Some were absent before.
Also, note that RLIMIT_NOFILE breaks our control socket so
temporarily disable that.
Achieved by adding IPC to ignore interface names based on
the interface group.
This means every process just pledges stdio for IPC with the
exception of the master process which also pledges route so it
can access the routing table.
As we can't get at it in the chroot.
While here, harden the file.
For udev at least, it requires a /var/run to be available in the chroot
which is poor. As such, give it a full IPC.
Except for the privileged process.
This is quite an in-depth change:
* ARP is now one process per address
* BPF flags are now returned via privsep
* BPF write filters are locked when supported
* The root process sends to the network
The last step is done by opening RAW sockets and then sending a UDP
header (where applicable) to avoid binding to an address
which is already in use by the reader sockets.
This is slightly wasteful for OS's without sandboxing but does
have the very nice side effect of not needing a source address
to unicast DHCP replies from which makes the code smaller.
While here make Capsicum and Pledge more granular so we can
easily Pledge the BPF BOOTP process but not the ARP one.
Although this is only for Capsicum, the getifaddrs interface is
quite portable although not POSIX.
With this final change, the Master process can now enter Capsicum
Capabilities Mode and this completes the Capsicum integration.
This allows us to move the database directory back into the
root of the filesystem.
While here, harden the files by denying any user read access to them.
As part of this change, init the DUID from any machine data and
cache the default DHCP vendor field before dropping privileges as we
may lose access to this later.
All fd's in network facing processes are fully limited.
Capability mode is only enabled for BPF processes because
it's too restrictive otherwise - the reasons are noted
in the commit.
Found by Arfrever.
Only if it has changed.
Saves having to maintain it outside of dhcpcd in a script or
something.
This means that the privileged actioneer process needs to cleanup
sockets and pidfile.
It also has some reliance on how dhcpcd is started to create
a decent chroot area AND copy the configuration file to it.
This works by randomising the hardware address when carrier is down
and using this to construct a DUID LL which is used over any saved
DUID. IAID is defaulted to zero and hostname + FQDN are disabled.
Then every possible option is masked out except for essential ones.
It's possible to request options *after* anonymous option which
will enable it. This is RFC compliant and allows 100% flexibility
in letting the user decide what, if any, details leak out.
This is disabled by default.
Only works on NetBSD, other OS coming shortly.
This means we don't need to close it for other processes.
Add ps_init so that we can change directory permissions before
starting privsep itself.
Add #ifdef'd out debug code for them as well.
This brings parity with non privsep features.
Aside from the lack of Solaris support, but that's another day.
Not enabled by default - enable with ./configure --enable-privsep
Requires a user added to the system - default _dhcpcd
Several processes will be spawned off the main state engine:
a privileged actioneer and a generic network proxy.
Only the privileged actioneer process will retain root permissions.
When required, the privileged actioneer will also spawn
BPF listeners for BOOTP (DHCP) and ARP.
The BOOTP BPF listener should be a short lived process.
On kernels with RFC 5227 support, the ARP BPF listener will only
be used for ARPing and announcing a preferred address and will
also be a short lived process.
When not running in master mode, an address listener will be
spawned for each address (with the exception of RA derived addresses)
dhcpcd cares about.
TODO:
* Solaris support.
* ARP BPF address filtering.