dhcpcd
Roy Marples [Mon, 15 Jun 2020 15:28:31 +0000 (16:28 +0100)]
Release dhcpcd-9.1.2

Roy Marples [Mon, 15 Jun 2020 14:51:17 +0000 (15:51 +0100)]
DHCP6: Use sla setting when calculating delegated prefix length

This is fine as we have a limited list of interfaces we're
delegating to so we know all the numbers.
This fixes an issue where an interface index could exceed 8 bits.

While here change sla_set to a boolean.

Roy Marples [Mon, 15 Jun 2020 14:14:53 +0000 (15:14 +0100)]
privsep: don't abort if setrlimit fails

Just log the error.
This allows valgrind to be used still as it uses big fd numbers in
the client.

Roy Marples [Mon, 15 Jun 2020 11:52:55 +0000 (12:52 +0100)]
DHCP6: Add requested addresses after freeing all state addresses

Otherwise we don't request the correct prefix delegation length
for example....

Roy Marples [Mon, 15 Jun 2020 08:49:34 +0000 (09:49 +0100)]
BSD: Mark routes as static only from static config

Rather than if generated by an address.
This allows RA prefix routes without an address to be non static,
so you could derive whether a route came from something autoconf
or not.

Roy Marples [Sun, 14 Jun 2020 14:26:59 +0000 (15:26 +0100)]
BSD: Mark address AUTOCONF if no kernel RA

Roy Marples [Thu, 11 Jun 2020 14:37:33 +0000 (15:37 +0100)]
Warn if the OS lacks support to lock down BPF or equivalent

Roy Marples [Thu, 11 Jun 2020 10:35:20 +0000 (11:35 +0100)]
udev: disable for non Linux systems

On FreeBSD udev, the function udev_device_new_from_subsystem_sysname
exists but is not implemented.
As such it breaks our device initialisation detection.

Disabled by default, but can be enabled with ./configure --with-udev

Roy Marples [Wed, 10 Jun 2020 18:00:45 +0000 (19:00 +0100)]
IPv4LL: free the arp state once announced for RFC 5227 kernels

Otherwise the BPF process will hang around

Roy Marples [Wed, 10 Jun 2020 15:32:04 +0000 (16:32 +0100)]
privsep: Fix a shutdown race

Only test a successful stop IPC command.
By the time we shutdown the socket to be extra nice, the
process we sent stop to could have already exited, therefore
we can discard any error.

Roy Marples [Wed, 10 Jun 2020 13:47:00 +0000 (14:47 +0100)]
privsep: fix size of rdm

Roy Marples [Wed, 10 Jun 2020 13:42:08 +0000 (14:42 +0100)]
Fix some logic

Roy Marples [Wed, 10 Jun 2020 13:38:46 +0000 (14:38 +0100)]
dhcpcd: Ensure dump is terminated

Roy Marples [Wed, 10 Jun 2020 13:31:03 +0000 (14:31 +0100)]
logerr: Remove setvbuf diagnostic - it's not critical

Roy Marples [Wed, 10 Jun 2020 13:16:08 +0000 (14:16 +0100)]
minor cleanup

Roy Marples [Wed, 10 Jun 2020 10:16:14 +0000 (11:16 +0100)]
Try and guard against impossibly large data.

Roy Marples [Wed, 10 Jun 2020 07:30:28 +0000 (08:30 +0100)]
privsep: RLIMIT_FSIZE works fine on pledge and capsicum

If you don't use the dhcpcd logfile option.
Duh.

Roy Marples [Wed, 10 Jun 2020 06:34:18 +0000 (07:34 +0100)]
DHCP6: Apply delegations to interface on carrier up

Even with DHCP6 turned off for the interface.
As long as it was activated by another interface this is fine.

Roy Marples [Wed, 10 Jun 2020 06:16:41 +0000 (07:16 +0100)]
Linux: Fix compile for systems without route preference

Roy Marples [Wed, 10 Jun 2020 06:13:21 +0000 (07:13 +0100)]
Linux: fix compile on old ones

Roy Marples [Wed, 10 Jun 2020 06:04:29 +0000 (07:04 +0100)]
privsep: Disable RLIMIT_FSIZE when using the logfile option

We cannot offload it to the root process either because not all
sandboxes have access to that.....
Really need to fix syslog so that it starts before dhcpcd.

Roy Marples [Wed, 10 Jun 2020 05:35:54 +0000 (06:35 +0100)]
privsep: Fix compile on alpine linux

Roy Marples [Wed, 10 Jun 2020 04:46:19 +0000 (05:46 +0100)]
privsep: Apply resource limits to OpenBSD as well where we can

After all, pledge or capsicum could have bugs.

Roy Marples [Wed, 10 Jun 2020 04:27:25 +0000 (05:27 +0100)]
privsep: Apply what resource limits we can to capsicum

Roy Marples [Wed, 10 Jun 2020 04:04:02 +0000 (05:04 +0100)]
privsep: Fix prior for capsicum

Roy Marples [Wed, 10 Jun 2020 03:57:02 +0000 (04:57 +0100)]
privsep: control proxy is no longer optional

It's required for pledge.
It *could* be optional for capsicum but I'd like to try and
keep the sandboxing the same for now.

Roy Marples [Tue, 9 Jun 2020 21:39:05 +0000 (22:39 +0100)]
privsep: For Linux and Solaris, set RLIMIT_NOFILES to nevents

Because poll(2) returns EINVAL if nfds is higher.
This really blows chunks, but it is what it is.
An attacker could close a fd and open something else, but it's
the best we can do.

Roy Marples [Tue, 9 Jun 2020 19:36:22 +0000 (20:36 +0100)]
privsep: Fix bogus warnings without inet.

Roy Marples [Tue, 9 Jun 2020 18:33:23 +0000 (19:33 +0100)]
privsep: limit psr_datalen to SSIZE_MAX

Roy Marples [Tue, 9 Jun 2020 17:25:18 +0000 (18:25 +0100)]
privsep: Implement a resource limited sandbox

For systems without Capsicum or Pledge we can create a resource
limited sandbox provided that either ppoll(2) or works with
RLIMIT_NOFILES set to zero.

As far as dhcpcd is concerned, that means Linux and Solaris
won't work with this, but NetBSD and DragonFlyBSD will.

To achieve this, a special control proxy process will be spawned
just to accept new connections over the control socket because
this *cannot* be limited by RLIMIT_NOFILES.

Roy Marples [Tue, 9 Jun 2020 16:56:03 +0000 (17:56 +0100)]
This hook no longer exists

Roy Marples [Tue, 9 Jun 2020 16:49:51 +0000 (17:49 +0100)]
logerr: buffer stderr as we now have many processes

Roy Marples [Tue, 9 Jun 2020 16:48:59 +0000 (17:48 +0100)]
eloop: Fix making the initial event listener

Roy Marples [Mon, 8 Jun 2020 20:41:42 +0000 (21:41 +0100)]
eloop: Don't remove existing callbacks when adding events

While here, add some debug when dealing with many sockets.

Roy Marples [Sun, 7 Jun 2020 22:39:46 +0000 (23:39 +0100)]
eloop: if we take a free event, add it to the main queue

Otherwise it goes into the ether....

Roy Marples [Sat, 6 Jun 2020 19:52:28 +0000 (20:52 +0100)]
RA: Abort if no state

We might have received data for an interface before
it's been initialised.

Roy Marples [Fri, 5 Jun 2020 19:24:21 +0000 (20:24 +0100)]
privsep: Limit rights generically rather than Capsicum specific

You never know when another sandbox tech comes around.
While here, add limits for every socket in the unprivileged
processes. Some were absent before.

Also, note that RLIMIT_NOFILE breaks our control socket so
temporarily disable that.

Roy Marples [Fri, 5 Jun 2020 13:52:35 +0000 (14:52 +0100)]
ARP: gc stale function arp_cancel

Roy Marples [Fri, 5 Jun 2020 13:39:06 +0000 (14:39 +0100)]
BSD: In privsep with no GIFALIAS support? getifaddrs over privsep

This makes the heavy weight call even more heavy weight :(

Roy Marples [Fri, 5 Jun 2020 13:28:27 +0000 (14:28 +0100)]
Linux: more freeifaddrs

Roy Marples [Fri, 5 Jun 2020 13:20:55 +0000 (14:20 +0100)]
privsep: Only use freeifaddrs if not using privsep

Roy Marples [Fri, 5 Jun 2020 13:12:23 +0000 (14:12 +0100)]
Linux: make resource limits work by using getifaddrs over privsep

Roy Marples [Fri, 5 Jun 2020 12:51:51 +0000 (13:51 +0100)]
Linux: resource limits don't easily work here either....

Roy Marples [Fri, 5 Jun 2020 12:15:51 +0000 (13:15 +0100)]
FreeBSD: Fix prior for capsicum as well.

Roy Marples [Fri, 5 Jun 2020 12:02:32 +0000 (13:02 +0100)]
OpenBSD: disable setting resource limits as we have pledge.

Roy Marples [Fri, 5 Jun 2020 11:24:44 +0000 (12:24 +0100)]
privsep: Set resource limits when dropping privs

Disables forking, new files, sockets and writing large files.

Roy Marples [Fri, 5 Jun 2020 11:23:51 +0000 (12:23 +0100)]
if: Keep the PF_LINK socket open throughout

Saves opening it and closing it each time we discover interfaces.

Roy Marples [Fri, 5 Jun 2020 10:12:21 +0000 (11:12 +0100)]
privsep: Remove pledges inet and dns from the master process

Achieved by adding IPC to ignore interfaces names based on
the interface group.

This means every process just pledges stdio for IPC with the
exception of the master process which also pledges route so it
can access the routing table.

Roy Marples [Thu, 4 Jun 2020 20:49:37 +0000 (21:49 +0100)]
Fix installing the embedded config as a file.

Roy Marples [Thu, 4 Jun 2020 12:35:46 +0000 (13:35 +0100)]
Release dhcpcd-9.1.1

Roy Marples [Thu, 4 Jun 2020 11:36:10 +0000 (12:36 +0100)]
privsep: Remove this error masking as well.

Roy Marples [Thu, 4 Jun 2020 11:31:24 +0000 (12:31 +0100)]
privsep: Log ECONNRESET errors again

Now that we've improved the robustness of the IPC this is important.

Roy Marples [Thu, 4 Jun 2020 11:22:40 +0000 (12:22 +0100)]
privsep: Set buffer sizes before setting rights.

Roy Marples [Thu, 4 Jun 2020 11:15:20 +0000 (12:15 +0100)]
privsep: Don't wait for the process to finish when stopping it

Instead, wait on receipt of SIGCHLD so we're not blocked.

Roy Marples [Thu, 4 Jun 2020 10:30:20 +0000 (11:30 +0100)]
Fix warning for prior on Linux

Roy Marples [Thu, 4 Jun 2020 10:25:11 +0000 (11:25 +0100)]
privsep: Fix returning indirect ioctl data

Roy Marples [Wed, 3 Jun 2020 22:30:08 +0000 (23:30 +0100)]
eloop: Just use ppoll(2)

epoll and kqueue are really too heavy weight.
With privsep, we now favour more processes for BPF and per address sockets.
As such, the number of fds to monitor will always be quite small.

All modern OS now have ppoll(2) (NetBSD has pollts, which is the same)
which works perfectly for us.
If neither are present, then a wrapper around pselect(2) is provided,
which can be found on all POSIX systems.

This makes the code a lot smaller and easier to follow.
The reduced binary size and memory usage is a nice win here.

Roy Marples [Wed, 3 Jun 2020 22:12:59 +0000 (23:12 +0100)]
auth: Fix warning for non privsep builds

Roy Marples [Tue, 2 Jun 2020 16:48:34 +0000 (17:48 +0100)]
privsep: Access the RDM monotonic file via IPC

As we can't get at it in the chroot.
While here, harden the file.

Roy Marples [Tue, 2 Jun 2020 16:07:12 +0000 (17:07 +0100)]
BSD: Ignore fwip(4)

Roy Marples [Tue, 2 Jun 2020 14:50:17 +0000 (15:50 +0100)]
privsep: harden process handling

If eloop is exited, only allow explicit re-entry.
Only exit on read/write error if a forked process and not root.
If the root process fails to read/write to a sub-process,
stop the sub-process.

Roy Marples [Tue, 2 Jun 2020 13:51:20 +0000 (14:51 +0100)]
ifaces could be NULL here

Roy Marples [Tue, 2 Jun 2020 10:48:35 +0000 (11:48 +0100)]
ARP: call arp_announced when cancelling it

This signals that the announcement has finished and any BPF process
can then be closed off.

Roy Marples [Tue, 2 Jun 2020 02:01:37 +0000 (03:01 +0100)]
auth: Only accept RECONFIGURE messages from LL hosts

This has to be authenticated, and there is a chance we cannot know
the token if IP address sharing.
The initial messages are sent via LL anyway, so the peer address
the server should record is the LL.

While here, drop the lease at exit if we accepted a reconfigure token.
The token may not be in all the replies from the server and we
always save the last reply.

XXX Save the token in another file?

Roy Marples [Mon, 1 Jun 2020 17:59:08 +0000 (18:59 +0100)]
privsep: Only open raw sockets for the needed protocols.

Just warn about any errors rather than forcing an early exit as well.
While here, fix startup if DHCPv6 disabled globally but enabled per if.

Roy Marples [Mon, 1 Jun 2020 14:38:51 +0000 (15:38 +0100)]
Fix compile without DHCP or DHCP6

Roy Marples [Mon, 1 Jun 2020 14:33:05 +0000 (15:33 +0100)]
privsep: Double the size of the send buffer.

And ensure the buffer size is not reduced.

Roy Marples [Mon, 1 Jun 2020 14:03:46 +0000 (15:03 +0100)]
privsep: Ensure socketpair IPC buffers are large enough.

For at least one fully sized message.

Roy Marples [Mon, 1 Jun 2020 12:57:31 +0000 (13:57 +0100)]
privsep: Don't carry ifa_next

While harmless, it's also meaningless.

Roy Marples [Sun, 31 May 2020 20:06:32 +0000 (21:06 +0100)]
Restore dumping a lease from stdin

Roy Marples [Sun, 31 May 2020 11:14:28 +0000 (12:14 +0100)]
Release dhcpcd-9.1.0

Roy Marples [Sat, 30 May 2020 14:50:25 +0000 (14:50 +0000)]
Fix compile with inet or inet6 disabled

Julian Wollrath [Sat, 30 May 2020 14:21:04 +0000 (14:21 +0000)]
Linux: File compile without plugins

Roy Marples [Sat, 30 May 2020 14:01:47 +0000 (14:01 +0000)]
route: improve overflow logging

Roy Marples [Sat, 30 May 2020 13:54:31 +0000 (14:54 +0100)]
logerr: Preserve errno

Roy Marples [Sat, 30 May 2020 12:25:41 +0000 (13:25 +0100)]
privsep: Drain the link socket as we can't re-open it.

Add debug per 100 messages.

Roy Marples [Sat, 30 May 2020 10:36:20 +0000 (10:36 +0000)]
Fix some Coverity issues

Roy Marples [Sat, 30 May 2020 09:51:49 +0000 (09:51 +0000)]
Fix some clang analyzer issues

Roy Marples [Fri, 29 May 2020 19:33:30 +0000 (22:33 +0300)]
Solaris: IP_RECVIF is busted on DilOS at least

Luckily Solaris supports IP_PKTINFO as well so let's fall back
to that for the time being.

Roy Marples [Fri, 29 May 2020 19:07:49 +0000 (22:07 +0300)]
Solaris: Fix sending RS probes

Roy Marples [Fri, 29 May 2020 19:01:10 +0000 (22:01 +0300)]
Solaris: driver names have numbers

So we can't use the BSD/Linux methodology

Roy Marples [Fri, 29 May 2020 18:13:11 +0000 (21:13 +0300)]
Solaris: Fix compile

But if_init is failing? Odd as this has not changed.

Roy Marples [Thu, 28 May 2020 08:02:13 +0000 (09:02 +0100)]
DHCP6: Revert part of prior - only allow vendorclassid to disable

Not set.
dhcpcd owns the IANA_PEN defined.
Either use it as is, or get your own.
This restores the prior behaviour but still allows the option
as a whole to be disabled by vendorclassid being disabled.

Roy Marples [Wed, 27 May 2020 22:34:16 +0000 (23:34 +0100)]
dhcpcd.conf: harden default options

Don't send the current hostname.
Don't send the default vendorclassid.
Slight re-org while here.

Roy Marples [Wed, 27 May 2020 20:49:05 +0000 (21:49 +0100)]
DHCP6: Use interface vendorclassid rather than context

This allows the vendor class to be turned off as well.

Roy Marples [Wed, 27 May 2020 15:53:21 +0000 (15:53 +0000)]
Appease older compilers

Roy Marples [Wed, 27 May 2020 15:52:01 +0000 (15:52 +0000)]
For systems without open_memstream(3) warn that /tmp needs to exist

Inside the privsep user's home directory.

Roy Marples [Wed, 27 May 2020 15:49:40 +0000 (15:49 +0000)]
Check AF_PACKET is defined

Roy Marples [Sun, 24 May 2020 14:57:18 +0000 (14:57 +0000)]
dhcpcd: Fix a memory error dumping leases.

Roy Marples [Sun, 24 May 2020 14:38:06 +0000 (14:38 +0000)]
privsep: root and inet don't need arc4random

Saves a fd or two.

Roy Marples [Sun, 24 May 2020 13:49:41 +0000 (14:49 +0100)]
privsep: Avoid the /proc/../ escape

Roy Marples [Sun, 24 May 2020 13:32:15 +0000 (14:32 +0100)]
dhcpcd: Fix releasing addresses

Roy Marples [Sun, 24 May 2020 12:23:20 +0000 (12:23 +0000)]
privsep: Init the arc4random seed before chrooting

/dev/urandom isn't available in the chroot.
So keep a fd open to it.

Roy Marples [Sun, 24 May 2020 12:02:15 +0000 (12:02 +0000)]
Fix some memory issues with prior

Roy Marples [Sun, 24 May 2020 11:30:13 +0000 (12:30 +0100)]
Fix prior for BSD

Roy Marples [Sun, 24 May 2020 10:49:58 +0000 (11:49 +0100)]
privsep: Fix compile for prior without dev plugins

Roy Marples [Sun, 24 May 2020 10:36:14 +0000 (10:36 +0000)]
privsep: Pass BPF flags via ps_flags

Roy Marples [Sun, 24 May 2020 10:30:23 +0000 (10:30 +0000)]
privsep: Allow dev plugins to work

For udev at least, it requires a /var/run to be available in the chroot
which is poor. As such, give it a full IPC.

Roy Marples [Sun, 24 May 2020 05:54:40 +0000 (05:54 +0000)]
privsep: No need for a CHROOT reason now

Roy Marples [Sun, 24 May 2020 05:47:14 +0000 (05:47 +0000)]
privsep: Allow Linux to work without needing any mounts