annotate src/privsep.c @ 5525:26b5d9bc2985 draft

privsep: Send all log messages to the privileged actioneer

If dhcpcd starts and no syslogd implementation is running then various syscall filters could be triggered when dhcpcd wants to syslog and it's already in a chroot. Not all libc openlog implementations support LOG_NDELAY and openlog does not return an error code and can also mask errno back to 0. So we have no way of knowing if we have a syslog connection or not. This means we cannot cache the connection at startup because syslog itself will try and open if no connection.

As such, all logging is now directed to the dhcpcd privileged actioneer process which will handle all the syslog and log file writing actions.

The only downside of this approach (other than an extra fd per process) is that we no longer know which PID raised the message. While we could put the correct PID in the logfile as we control the API, we cannot put it into syslog as we cannot control that API. As all privsep errors should log which function they came from this will hopefully not be an issue as on the happy path only the master process will log stuff.
author Roy Marples <roy@marples.name>
date Fri, 30 Oct 2020 03:43:51 +0000
parents 652b46c01097
children a0d828e25482
Changesets referenced in the annotation (rev, changeset, summary; all by Roy Marples <roy@marples.name>):

4840  073fcd86db9b  privsep: Add support for privilege separation
4922  555d7d1a4939  Welcome to 2020!
4946  c80386966f1f  privsep: Pad structs out so there are no uninited memory issues
4953  109206a59cc6  privsep: Delay control startup after starting privsep
4954  52e1039652ea  privsep: Fix prior so we init
4988  1369161bbc7c  privsep: Close stdout/stderr after forking processes
4989  ca9234046989  privsep: chroot the master process
4991  45bd88c307ed  privsep: copy configuration file into chroot
4992  b7dca2a85056  privsep: Only fetch PRIVSEP_USER at init
4995  91c3d1ed3496  privsep: Note CHROOT script
5000  62e3afcc867c  privsep: Fix compile on Linux
5060  4539ffcdd656  spelling: Correct both privilege and separation
5099  b1cd4029f8b2  privsep: Refuse chroot if privsep users home dir is /var/empty
5122  a44d7acff84b  privsep: If we fail to init privsep, continue
5183  09e3f731e43e  privsep: Add --chroot configurable
5197  b02566d71169  privsep: Enable capsicum for network facing processes
5209  baab981d3929  privsep: No longer need the chrootdir configure option.
5228  82c7e8204e9b  BPF: Set write filters where supported
5260  7571d82b48da  privsep: Allow dev plugins to work
5290  fae6670fef23  privsep: Ensure socketpair IPC buffers are large enough.
5291  d1e1fe84e3b3  privsep: Double the size of the send buffer.
5312  b336a280de82  privsep: Set resource limits when dropping privs
5331  d075e31eb148  privsep: For Linux and Solaris, set RLIMIT_NOFILES to nevents
5332  b22045bba8b9  privsep: control proxy is no longer optional
5335  d708e3b7cce0  privsep: Apply resource limits to OpenBSD as well where we can
5337  e1edd674d9ae  privsep: Disable RLIMIT_FSIZE when using the logfile option
5344  3df49497d40b  privsep: RLIMIT_FSIZE works fine on pledge and capsicum
5358  d2c66d08c2d7  privsep: don't abort if setrlimit fails
5396  541348d5a5a9  privsep: Don't limit file writes if logging to a file
5425  9edfc000a89b  privsep: Only the master process accepts signals
5443  2d1bbc57daeb  privsep: limit rights for stdout/stderr/stdin using capsicum
5444  d861892268ff  privsep: dropprivs can be static
5447  66512375d759  privsep: dump leases in a sandbox
5466  8bf1ce29152c  privsep: sandbox the launcher process
5494  0fbde4769bbe  Don't log backticks.
5501  5b2272a0f3c3  privsep: Only log chrooting from the launcher process
5513  93df3880bcaa  privsep: Fix stderr redirection again
5514  cf82a4ba8f27  privsep: We need to ensure stderr is valid before testing if tty
5515  652b46c01097  privsep: Minor correction to prior logic

rev   source

4840  /* SPDX-License-Identifier: BSD-2-Clause */
4840  /*
5060   * Privilege Separation for dhcpcd
4922   * Copyright (c) 2006-2020 Roy Marples <roy@marples.name>
4840   * All rights reserved
4840
4840   * Redistribution and use in source and binary forms, with or without
4840   * modification, are permitted provided that the following conditions
4840   * are met:
4840   * 1. Redistributions of source code must retain the above copyright
4840   *    notice, this list of conditions and the following disclaimer.
4840   * 2. Redistributions in binary form must reproduce the above copyright
4840   *    notice, this list of conditions and the following disclaimer in the
4840   *    documentation and/or other materials provided with the distribution.
4840   *
4840   * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
4840   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4840   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4840   * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
4840   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4840   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4840   * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4840   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4840   * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
4840   * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
4840   * SUCH DAMAGE.
4840   */
4840
4840  /*
4840   * The current design is this:
4840   * Spawn a priv process to carry out privileged actions and
4840   * spawn unpriv processes to initiate network connections such as BPF
4840   * or address specific listeners.
4840   * Spawn an unpriv process to send/receive common network data.
4840   * Then drop all privs and start running.
4995   * Every process aside from the privileged actioneer is chrooted.
5425   * All privsep processes ignore signals - only the master process accepts them.
4995   *
4995   * dhcpcd will maintain the config file in the chroot, no need to handle
4995   * this in a script or something.
4840   */
4840
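The commit message at the top explains why a sandboxed process must not call syslog(3) itself, and the design comment gives the process layout that makes the alternative possible: one privileged actioneer that is never chrooted. What follows is an added example, not dhcpcd's code and not its ps_msg wire format, of that pattern in C. The privileged parent keeps the only path to the system log, the child sandboxes itself and sends length-prefixed records over a socketpair(2), and the parent checks the length field before touching a buffer, because once the sender is sandboxed it is an untrusted peer. Assumptions: a hypothetical `struct log_rec` header, a 512-byte text cap, and /var/empty as the chroot target (EPERM and ENOENT are tolerated so the demo runs unprivileged); the parent prints to stderr instead of calling syslog(3) so no syslogd is needed.

```c
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define LOG_TEXT_MAX 512	/* assumed cap; dhcpcd's real limits are not on this page */

/* Hypothetical wire header (not dhcpcd's struct ps_msg): priority, then the
 * number of text bytes that follow, sent as one record on a stream socket. */
struct log_rec { uint32_t pri; uint32_t len; };

/* Read exactly n bytes: 1 = ok, 0 = peer closed before any byte, -1 = error. */
static int readn(int fd, void *p, size_t n)
{
	for (size_t got = 0; got < n; ) {
		ssize_t r = read(fd, (char *)p + got, n - got);
		if (r > 0) { got += (size_t)r; continue; }
		if (r == 0) return got == 0 ? 0 : -1;	/* a torn record is an error */
		if (errno != EINTR) return -1;
	}
	return 1;
}

/* Unprivileged side: hand the record to the privileged process instead of
 * calling syslog(3) from inside the chroot. */
static int ps_logsend(int fd, int pri, const char *text)
{
	struct log_rec h = { .pri = (uint32_t)pri, .len = (uint32_t)strlen(text) };
	struct iovec iov[2] = { { &h, sizeof(h) }, { (char *)text, h.len } };
	if (h.len > LOG_TEXT_MAX) { errno = EMSGSIZE; return -1; }
	return writev(fd, iov, 2) == (ssize_t)(sizeof(h) + h.len) ? 0 : -1;
}

/* Privileged side: read one record. The sender is sandboxed, hence untrusted,
 * so its length field is checked before any buffer is touched.
 * Returns the text length, 0 at EOF, -1 on a malformed record. */
static ssize_t ps_logrecv(int fd, int *pri, char *buf, size_t buflen)
{
	struct log_rec h;
	int r = readn(fd, &h, sizeof(h));
	if (r <= 0) return r;
	if (h.len > LOG_TEXT_MAX || h.len >= buflen) { errno = EBADMSG; return -1; }
	if (readn(fd, buf, h.len) != 1) return -1;
	buf[h.len] = '\0';
	*pri = (int)h.pri;
	return (ssize_t)h.len;
}

/* The layout from the design comment: the parent keeps its privileges and owns
 * syslog; the child sandboxes itself and can log only through the socket.
 * Returns how many records the privileged side received, or -1. */
static int run_demo(void)
{
	int sv[2], st, pri, count = 0;
	char text[LOG_TEXT_MAX + 1];
	pid_t pid;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
	if ((pid = fork()) == -1) return -1;
	if (pid == 0) {
		close(sv[0]);
		/* chroot needs root: tolerate EPERM as ps_dropprivs does for the unforked
		 * launcher, and ENOENT so the demo also runs where /var/empty is absent. */
		if (chroot("/var/empty") == -1 && errno != EPERM && errno != ENOENT) _exit(1);
		if (chdir("/") == -1) _exit(1);
		/* No syslog(3) from here on: /dev/log is outside the chroot. */
		ps_logsend(sv[1], LOG_INFO, "child: sandboxed, forwarding logs");
		ps_logsend(sv[1], LOG_ERR, "child: example error record");
		_exit(0);
	}
	close(sv[1]);
	for (;;) {
		ssize_t n = ps_logrecv(sv[0], &pri, text, sizeof(text));
		if (n <= 0) break;
		/* Real code would call syslog(pri, "%s", text); print instead. */
		fprintf(stderr, "[pri %d] %s\n", pri, text);
		count++;
	}
	close(sv[0]);
	waitpid(pid, &st, 0);
	return count;
}

/* A header claiming more text than the cap must be rejected by the parent. */
static int demo_rejects_bad_header(void)
{
	int sv[2], pri, ok;
	char buf[LOG_TEXT_MAX + 1];
	struct log_rec bogus = { .pri = LOG_ERR, .len = 1u << 20 };

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return 0;
	if (write(sv[1], &bogus, sizeof(bogus)) != (ssize_t)sizeof(bogus)) return 0;
	ok = ps_logrecv(sv[0], &pri, buf, sizeof(buf)) == -1 && errno == EBADMSG;
	close(sv[0]); close(sv[1]);
	return ok;
}
```

run_demo() returns 2 when both records reach the parent; demo_rejects_bad_header() shows the parent refusing a header that claims 1 MiB of text. The downside named in the commit message is visible here as well: nothing in the record says which process wrote it, so the text itself has to name the function or process, which is why the dhcpcd code below prefixes its privsep errors with __func__.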
5331  #include <sys/resource.h>
4840  #include <sys/socket.h>
4991  #include <sys/stat.h>
4840  #include <sys/types.h>
4840  #include <sys/wait.h>
4840
4840  #ifdef AF_LINK
4840  #include <net/if_dl.h>
4840  #endif
4840
4840  #include <assert.h>
4840  #include <errno.h>
4840  #include <fcntl.h>
5000  #include <grp.h>
4988  #include <paths.h>
5000  #include <pwd.h>
4946  #include <stddef.h>	/* For offsetof, struct padding debug */
4840  #include <signal.h>
4840  #include <stdlib.h>
4840  #include <string.h>
4840  #include <unistd.h>
4840
4840  #include "arp.h"
4840  #include "common.h"
4840  #include "control.h"
5260  #include "dev.h"
4840  #include "dhcp.h"
4840  #include "dhcp6.h"
4840  #include "eloop.h"
4840  #include "ipv6nd.h"
4840  #include "logerr.h"
4840  #include "privsep.h"
4840
5197  #ifdef HAVE_CAPSICUM
5197  #include <sys/capsicum.h>
5443  #include <capsicum_helpers.h>
5197  #endif
4840  #ifdef HAVE_UTIL_H
4840  #include <util.h>
4840  #endif
4840
4953  int
4953  ps_init(struct dhcpcd_ctx *ctx)
4953  {
5183  	struct passwd *pw;
5209  	struct stat st;
4953
4953  	errno = 0;
4992  	if ((ctx->ps_user = pw = getpwnam(PRIVSEP_USER)) == NULL) {
4953  		ctx->options &= ~DHCPCD_PRIVSEP;
4953  		if (errno == 0) {
4953  			logerrx("no such user %s", PRIVSEP_USER);
4953  			/* Just in case logerrx caused an error... */
4953  			errno = 0;
4953  		} else
4953  			logerr("getpwnam");
4953  		return -1;
4953  	}
4953
5209  	if (stat(pw->pw_dir, &st) == -1 || !S_ISDIR(st.st_mode)) {
5122  		ctx->options &= ~DHCPCD_PRIVSEP;
5183  		logerrx("refusing chroot: %s: %s",
5209  		    PRIVSEP_USER, pw->pw_dir);
5099  		errno = 0;
5099  		return -1;
5099  	}
5099
4989  	ctx->options |= DHCPCD_PRIVSEP;
4989  	return 0;
4989  }
4953
5444  static int
5228  ps_dropprivs(struct dhcpcd_ctx *ctx)
4989  {
4992  	struct passwd *pw = ctx->ps_user;
4954
5501  	if (ctx->options & DHCPCD_LAUNCHER)
5494  		logdebugx("chrooting as %s to %s", pw->pw_name, pw->pw_dir);
5466  	if (chroot(pw->pw_dir) == -1 &&
5466  	    (errno != EPERM || ctx->options & DHCPCD_FORKED))
5494  		logerr("%s: chroot: %s", __func__, pw->pw_dir);
4989  	if (chdir("/") == -1)
5494  		logerr("%s: chdir: /", __func__);
4989
5447  	if ((setgroups(1, &pw->pw_gid) == -1 ||
4989  	    setgid(pw->pw_gid) == -1 ||
5447  	    setuid(pw->pw_uid) == -1) &&
5447  	    (errno != EPERM || ctx->options & DHCPCD_FORKED))
4989  	{
4989  		logerr("failed to drop privileges");
4989  		return -1;
4989  	}
4989
5332  	struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };
5332
5331  	if (ctx->ps_control_pid != getpid()) {
5331  		/* Prohibit new files, sockets, etc */
5335  #if defined(__linux__) || defined(__sun) || defined(__OpenBSD__)
5331  		/*
5331  		 * If poll(2) is called with nfds > RLIMIT_NOFILE
5331  		 * then it returns EINVAL.
5331  		 * This blows.
5331  		 * Do the best we can and limit to what we need.
5331  		 * An attacker could potentially close a file and
5331  		 * open a new one still, but that cannot be helped.
5331  		 */
5331  		unsigned long maxfd;
5331  		maxfd = (unsigned long)eloop_event_count(ctx->eloop);
5331  		if (IN_PRIVSEP_SE(ctx))
5331  			maxfd++; /* XXX why? */
5331
5331  		struct rlimit rmaxfd = {
5358  			.rlim_cur = maxfd,
5358  			.rlim_max = maxfd
5331  		};
5358  		if (setrlimit(RLIMIT_NOFILE, &rmaxfd) == -1)
5331  			logerr("setrlimit RLIMIT_NOFILE");
5331  #else
5358  		if (setrlimit(RLIMIT_NOFILE, &rzero) == -1)
5331  			logerr("setrlimit RLIMIT_NOFILE");
5331  #endif
5331  	}
5331
5344  	/* Prohibit writing to files.
5396  	 * Obviously this won't work if we are using a logfile
5396  	 * or redirecting stderr to a file. */
5513  	if (ctx->logfile == NULL &&
5514  	    (ctx->options & DHCPCD_STARTED ||
5515  	     !ctx->stderr_valid || isatty(STDERR_FILENO) == 1))
5513  	{
5358  		if (setrlimit(RLIMIT_FSIZE, &rzero) == -1)
5337  			logerr("setrlimit RLIMIT_FSIZE");
5331  	}
5331
5331  #ifdef RLIMIT_NPROC
5331  	/* Prohibit forks */
5358  	if (setrlimit(RLIMIT_NPROC, &rzero) == -1)
5331  		logerr("setrlimit RLIMIT_NPROC");
5331  #endif
5312
4953  	return 0;
4953  }
4953
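ps_dropprivs above does its work in a fixed order: chroot while still root, then setgroups and setgid before setuid, then RLIMIT_NOFILE, RLIMIT_FSIZE and RLIMIT_NPROC, and it tolerates EPERM only for the unforked launcher. The block below is an added example, not dhcpcd's code, that performs the same steps in a forked child and then probes each limit from the inside, so the return value says which restrictions actually held on the running kernel rather than which setrlimit calls returned 0. Assumptions: uid/gid 65534 for the unprivileged identity when started as root, a writable /tmp, and RLIMIT_NOFILE set to 0 (the non-Linux branch above) because a probe cannot know which low descriptor numbers are free; RLIMIT_NPROC is reported but not relied on, since processes with real uid 0 bypass it on Linux.

```c
#define _GNU_SOURCE
#include <sys/resource.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>

/* Bits the sandboxed child reports back through its exit status. */
enum {
	SB_OPEN_BLOCKED  = 1,	/* RLIMIT_NOFILE stopped open(2) */
	SB_WRITE_BLOCKED = 2,	/* RLIMIT_FSIZE stopped write(2) */
	SB_FORK_BLOCKED  = 4,	/* RLIMIT_NPROC stopped fork(2); real uid 0 bypasses it */
	SB_PRIVS_DROPPED = 8	/* chroot + setuid happened (only when started as root) */
};

/* Same ordering as ps_dropprivs: chroot first (needs root), then groups, gid,
 * uid. setgroups() must precede setuid(), it is refused afterwards. */
static int drop_privs(const char *dir, uid_t uid, gid_t gid)
{
	if (chroot(dir) == -1 || chdir("/") == -1) return -1;
	if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1) return -1;
	/* Being able to regain root here means the drop was not permanent. */
	if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
	return 0;
}

/* Limits in the spirit of ps_dropprivs. NOFILE goes to 0 instead of the live
 * descriptor count: open descriptors keep working, new ones are impossible. */
static int apply_limits(void)
{
	struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };
	if (setrlimit(RLIMIT_NOFILE, &rzero) == -1) return -1;
	if (setrlimit(RLIMIT_FSIZE, &rzero) == -1) return -1;
#ifdef RLIMIT_NPROC
	if (setrlimit(RLIMIT_NPROC, &rzero) == -1) return -1;
#endif
	return 0;
}

/* Runs in the child: sandbox, then attempt each forbidden operation. */
static int probe(void)
{
	char path[] = "/tmp/sb-probe-XXXXXX";	/* assumption: /tmp is writable */
	int res = 0, fd;
	pid_t p;

	/* A descriptor obtained before the limits, like dhcpcd's already-open sockets. */
	if ((fd = mkstemp(path)) == -1) return 0;
	unlink(path);

	if (geteuid() == 0) {
		char dir[] = "/tmp/sb-root-XXXXXX";
		/* 65534 is the conventional nobody uid/gid: an assumption, not looked up. */
		if (mkdtemp(dir) != NULL && drop_privs(dir, 65534, 65534) == 0)
			res |= SB_PRIVS_DROPPED;
	}
	if (apply_limits() == -1) return res;

	signal(SIGXFSZ, SIG_IGN);	/* so an oversized write returns EFBIG instead of killing us */
	if (open("/", O_RDONLY) == -1 && errno == EMFILE) res |= SB_OPEN_BLOCKED;
	if (write(fd, "x", 1) == -1 && errno == EFBIG) res |= SB_WRITE_BLOCKED;
	if ((p = fork()) == -1 && errno == EAGAIN) res |= SB_FORK_BLOCKED;
	else if (p == 0) _exit(0);
	else waitpid(p, NULL, 0);
	return res;
}

/* Fork a child, sandbox it, and report which limits held as a bitmask;
 * -1 if the child could not be run. */
static int sandbox_selftest(void)
{
	int st;
	pid_t pid = fork();
	if (pid == -1) return -1;
	if (pid == 0) _exit(probe());
	if (waitpid(pid, &st, 0) == -1 || !WIFEXITED(st)) return -1;
	return WEXITSTATUS(st);
}
```

Run as an ordinary user the result carries SB_OPEN_BLOCKED, SB_WRITE_BLOCKED and SB_FORK_BLOCKED; as root it also carries SB_PRIVS_DROPPED and, because the fork probe then runs as uid 65534, SB_FORK_BLOCKED again. The point of the probe step is the one the comment in ps_dropprivs makes about RLIMIT_NOFILE: a limit that was set is not the same as a limit that holds, and the only way to know is to try the forbidden operation from inside the sandbox.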
5290  static int
5291  ps_setbuf0(int fd, int ctl, int minlen)
5291  {
5291  	int len;
5291  	socklen_t slen;
5291
5291  	slen = sizeof(len);
5291  	if (getsockopt(fd, SOL_SOCKET, ctl, &len, &slen) == -1)
5291  		return -1;
5291
5291  #ifdef __linux__
5291  	len /= 2;
5291  #endif
5291  	if (len >= minlen)
5291  		return 0;
5291
5291  	return setsockopt(fd, SOL_SOCKET, ctl, &minlen, sizeof(minlen));
5291  }
5291
5291  static int
5290  ps_setbuf(int fd)
5290  {
5291  	/* Ensure we can receive a fully sized privsep message.
5291  	 * Double the send buffer. */
5291  	int minlen = (int)sizeof(struct ps_msg);
5290
5291  	if (ps_setbuf0(fd, SO_RCVBUF, minlen) == -1 ||
5291  	    ps_setbuf0(fd, SO_SNDBUF, minlen * 2) == -1)
5290  	{
5290  		logerr(__func__);
216 return -1;
fae6670fef23 privsep: Ensure socketpair IPC buffers are large enough.
Roy Marples <roy@marples.name>
parents: 5281
diff changeset
217 }
fae6670fef23 privsep: Ensure socketpair IPC buffers are large enough.
Roy Marples <roy@marples.name>
parents: 5281
diff changeset
218 return 0;
fae6670fef23 privsep: Ensure socketpair IPC buffers are large enough.
Roy Marples <roy@marples.name>
parents: 5281
diff changeset
219 }
fae6670fef23 privsep: Ensure socketpair IPC buffers are large enough.
Roy Marples <roy@marples.name>
parents: 5281
diff changeset
220
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
221 int
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
222 ps_setbuf_fdpair(int fd[])
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
223 {
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
224
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
225 if (ps_setbuf(fd[0]) == -1 || ps_setbuf(fd[1]) == -1)
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
226 return -1;
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
227 return 0;
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
228 }
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
229
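As an added example (not dhcpcd's code), the buffer-sizing logic of ps_setbuf0()/ps_setbuf() above applied to a fresh datagram socketpair: it reads back the effective sizes with the Linux SO_RCVBUF/SO_SNDBUF halving, grows them only when needed, and round-trips a full-size message to show the buffers really hold one. struct demo_msg, the demo_* names and the 16 KiB payload are constructed for this example.

```c
/*
 * Added example, not dhcpcd code: size a socketpair's buffers for one
 * whole IPC message the way ps_setbuf0()/ps_setbuf() do.  struct demo_msg,
 * the demo_* names and the payload size are constructed for this example.
 */
#include <sys/socket.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for struct ps_msg: a small header plus payload. */
struct demo_msg {
	unsigned int cmd;
	unsigned int len;
	unsigned char data[16384];
};

/*
 * Buffer size the kernel will honour for ctl (SO_RCVBUF or SO_SNDBUF).
 * Linux reports double the value that was set (it accounts for per-packet
 * overhead as well), so halve it before comparing with a message size.
 */
static int
demo_effective_buf(int fd, int ctl, int *out)
{
	int len;
	socklen_t slen = sizeof(len);
	if (getsockopt(fd, SOL_SOCKET, ctl, &len, &slen) == -1)
		return -1;
#ifdef __linux__
	len /= 2;
#endif
	*out = len;
	return 0;
}

/* Grow the buffer to at least minlen; leave it alone if already bigger. */
static int
demo_setbuf0(int fd, int ctl, int minlen)
{
	int len;
	if (demo_effective_buf(fd, ctl, &len) == -1)
		return -1;
	if (len >= minlen)
		return 0;
	return setsockopt(fd, SOL_SOCKET, ctl, &minlen, sizeof(minlen));
}

/* Receive buffer holds one message, send buffer two, as in ps_setbuf(). */
static int
demo_setbuf(int fd)
{
	int minlen = (int)sizeof(struct demo_msg);

	if (demo_setbuf0(fd, SO_RCVBUF, minlen) == -1 ||
	    demo_setbuf0(fd, SO_SNDBUF, minlen * 2) == -1)
		return -1;
	return 0;
}

/* Size both ends of a datagram socketpair and round-trip a full message. */
int
demo_socketpair_roundtrip(void)
{
	int fd[2], rcv, snd, ret = -1;
	struct demo_msg out, in;

	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fd) == -1)
		return -1;
	if (demo_setbuf(fd[0]) == -1 || demo_setbuf(fd[1]) == -1)
		goto out;
	/* Check the effective sizes rather than trusting setsockopt(). */
	if (demo_effective_buf(fd[1], SO_RCVBUF, &rcv) == -1 ||
	    demo_effective_buf(fd[0], SO_SNDBUF, &snd) == -1 ||
	    rcv < (int)sizeof(out) || snd < (int)sizeof(out))
		goto out;

	memset(&out, 0xab, sizeof(out));
	out.cmd = 1;
	if (send(fd[0], &out, sizeof(out), 0) != (ssize_t)sizeof(out))
		goto out;
	if (recv(fd[1], &in, sizeof(in), 0) != (ssize_t)sizeof(in) ||
	    memcmp(&in, &out, sizeof(in)) != 0)
		goto out;
	ret = 0;
out:
	close(fd[0]);
	close(fd[1]);
	return ret;
}

int
main(void)
{
	return demo_socketpair_roundtrip() == 0 ? 0 : 1;
}
```

On the BSDs the kernel's own AF_UNIX datagram size limit can still reject a message this large regardless of the socket buffers; the explicit send/recv length checks turn that into a -1 return rather than a silently truncated message.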
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specific
Roy Marples <roy@marples.name>
parents: 5316
230 #ifdef PRIVSEP_RIGHTS
231 int
232 ps_rights_limit_ioctl(int fd)
233 {
234 	cap_rights_t rights;
235
236 	cap_rights_init(&rights, CAP_IOCTL);
237 	if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
238 		return -1;
239 	return 0;
240 }
241
242 int
243 ps_rights_limit_fd_fctnl(int fd)
244 {
245 	cap_rights_t rights;
246
247 	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT,
248 	    CAP_ACCEPT, CAP_FCNTL);
249 	if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
250 		return -1;
251 	return 0;
252 }
253
254 int
255 ps_rights_limit_fd(int fd)
256 {
257 	cap_rights_t rights;
258
259 	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT, CAP_SHUTDOWN);
260 	if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
261 		return -1;
262 	return 0;
263 }
264
265 int
5493
41d06921177b privsep: We need getsockopt as well as setsockopt on the link socket
Roy Marples <roy@marples.name>
parents: 5492
266 ps_rights_limit_fd_sockopt(int fd)
5492
9fe902232341 privsep: allow CAP_SETSOCKOPT for route(4) fd.
Roy Marples <roy@marples.name>
parents: 5472
267 {
268 	cap_rights_t rights;
269
5493
41d06921177b privsep: We need getsockopt as well as setsockopt on the link socket
Roy Marples <roy@marples.name>
parents: 5492
270 	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT,
271 	    CAP_GETSOCKOPT, CAP_SETSOCKOPT);
5492
9fe902232341 privsep: allow CAP_SETSOCKOPT for route(4) fd.
Roy Marples <roy@marples.name>
parents: 5472
272 	if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
273 		return -1;
274 	return 0;
275 }
276
277 int
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specific
Roy Marples <roy@marples.name>
parents: 5316
278 ps_rights_limit_fd_rdonly(int fd)
279 {
280 	cap_rights_t rights;
281
282 	cap_rights_init(&rights, CAP_READ, CAP_EVENT);
283 	if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
284 		return -1;
285 	return 0;
286 }
287
288 int
289 ps_rights_limit_fdpair(int fd[])
290 {
291
292 	if (ps_rights_limit_fd(fd[0]) == -1 || ps_rights_limit_fd(fd[1]) == -1)
293 		return -1;
294 	return 0;
295 }
5454
68ef863871d1 dhcpcd: Only manipulate stdin, stdout and stderr when valid
Roy Marples <roy@marples.name>
parents: 5447
296
297 static int
298 ps_rights_limit_stdio(struct dhcpcd_ctx *ctx)
299 {
300 	const int iebadf = CAPH_IGNORE_EBADF;
301 	int error = 0;
302
303 	if (ctx->stdin_valid &&
304 	    caph_limit_stream(STDIN_FILENO, CAPH_READ | iebadf) == -1)
305 		error = -1;
306 	if (ctx->stdout_valid &&
307 	    caph_limit_stream(STDOUT_FILENO, CAPH_WRITE | iebadf) == -1)
308 		error = -1;
309 	if (ctx->stderr_valid &&
310 	    caph_limit_stream(STDERR_FILENO, CAPH_WRITE | iebadf) == -1)
311 		error = -1;
312
313 	return error;
314 }
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specific
Roy Marples <roy@marples.name>
parents: 5316
315 #endif
316
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
317 pid_t
318 ps_dostart(struct dhcpcd_ctx *ctx,
319     pid_t *priv_pid, int *priv_fd,
320     void (*recv_msg)(void *), void (*recv_unpriv_msg),
321     void *recv_ctx, int (*callback)(void *), void (*signal_cb)(int, void *),
322     unsigned int flags)
323 {
324 	int fd[2];
325 	pid_t pid;
326
5437
5bbb5bae3e66 privsep: Use xsocketpair
Roy Marples <roy@marples.name>
parents: 5425
327 	if (xsocketpair(AF_UNIX, SOCK_DGRAM | SOCK_CXNB, 0, fd) == -1) {
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specific
Roy Marples <roy@marples.name>
parents: 5316
328 		logerr("%s: socketpair", __func__);
329 		return -1;
330 	}
331 	if (ps_setbuf_fdpair(fd) == -1) {
332 		logerr("%s: ps_setbuf_fdpair", __func__);
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
333 		return -1;
334 	}
5440
248013138b09 privsep: Fix prior for FreeBSD.
Roy Marples <roy@marples.name>
parents: 5437
335 #ifdef PRIVSEP_RIGHTS
336 	if (ps_rights_limit_fdpair(fd) == -1) {
337 		logerr("%s: ps_rights_limit_fdpair", __func__);
338 		return -1;
339 	}
340 #endif
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
341
342 	switch (pid = fork()) {
343 	case -1:
344 		logerr("fork");
345 		return -1;
346 	case 0:
347 		*priv_fd = fd[1];
348 		close(fd[0]);
349 		break;
350 	default:
351 		*priv_pid = pid;
352 		*priv_fd = fd[0];
353 		close(fd[1]);
5197
b02566d71169 privsep: Enable capsicum for network facing processes
Roy Marples <roy@marples.name>
parents: 5186
354 		if (recv_unpriv_msg == NULL)
355 			;
356 		else if (eloop_event_add(ctx->eloop, *priv_fd,
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
357 		    recv_unpriv_msg, recv_ctx) == -1)
358 		{
359 			logerr("%s: eloop_event_add", __func__);
360 			return -1;
361 		}
362 		return pid;
363 	}
364
4954
52e1039652ea privsep: Fix prior so we init
Roy Marples <roy@marples.name>
parents: 4953
365 	ctx->options |= DHCPCD_UNPRIV | DHCPCD_FORKED;
4856
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
366 	if (ctx->fork_fd != -1) {
367 		close(ctx->fork_fd);
368 		ctx->fork_fd = -1;
369 	}
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
370 	pidfile_clean();
371 	eloop_clear(ctx->eloop);
372
4856
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
373 	/* We are not root */
374 	if (priv_fd != &ctx->ps_root_fd) {
375 		ps_freeprocesses(ctx, recv_ctx);
4870
8af2c53f16b0 privsep: Don't close not open fd's
Roy Marples <roy@marples.name>
parents: 4868
376 		if (ctx->ps_root_fd != -1) {
377 			close(ctx->ps_root_fd);
378 			ctx->ps_root_fd = -1;
379 		}
5443
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
380
381 #ifdef PRIVSEP_RIGHTS
382 		/* We cannot limit the root process in any way. */
5454
68ef863871d1 dhcpcd: Only manipulate stdin, stdout and stderr when valid
Roy Marples <roy@marples.name>
parents: 5447
383 		if (ps_rights_limit_stdio(ctx) == -1) {
5443
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
384 			logerr("ps_rights_limit_stdio");
385 			goto errexit;
386 		}
387 #endif
4856
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
388 	}
389
4870
8af2c53f16b0 privsep: Don't close not open fd's
Roy Marples <roy@marples.name>
parents: 4868
390 	if (priv_fd != &ctx->ps_inet_fd && ctx->ps_inet_fd != -1) {
4856
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
391 		close(ctx->ps_inet_fd);
392 		ctx->ps_inet_fd = -1;
393 	}
394
5301
e6f1372f2cf0 eloop: Just use ppoll(2)
Roy Marples <roy@marples.name>
parents: 5297
395 	eloop_signal_set_cb(ctx->eloop,
396 	    dhcpcd_signals, dhcpcd_signals_len, signal_cb, ctx);
5124
a044710d9480 privsep: Don't overwrite initial sigmask
Roy Marples <roy@marples.name>
parents: 5122
397
398 	/* ctx->sigset already has the initial sigmask set in main() */
399 	if (eloop_signal_mask(ctx->eloop, NULL) == -1) {
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
400 		logerr("%s: eloop_signal_mask", __func__);
401 		goto errexit;
402 	}
403
404 	if (eloop_event_add(ctx->eloop, *priv_fd, recv_msg, recv_ctx) == -1)
405 	{
406 		logerr("%s: eloop_event_add", __func__);
407 		goto errexit;
408 	}
409
410 	if (callback(recv_ctx) == -1)
411 		goto errexit;
412
4989
ca9234046989 privsep: chroot the master process
Roy Marples <roy@marples.name>
parents: 4988
413 	if (flags & PSF_DROPPRIVS)
5228
82c7e8204e9b BPF: Set write filters where supported
Roy Marples <roy@marples.name>
parents: 5223
414 		ps_dropprivs(ctx);
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
415
416 	return 0;
417
418 errexit:
419 	/* Failure to start root or inet processes is fatal. */
420 	if (priv_fd == &ctx->ps_root_fd || priv_fd == &ctx->ps_inet_fd)
5281
9f9a330f6e24 Fix some Coverity issues
Roy Marples <roy@marples.name>
parents: 5268
421 		(void)ps_sendcmd(ctx, *priv_fd, PS_STOP, 0, NULL, 0);
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
422 	shutdown(*priv_fd, SHUT_RDWR);
423 	*priv_fd = -1;
5297
477edd06fea7 privsep: harden process handling
Roy Marples <roy@marples.name>
parents: 5291
424 	eloop_exit(ctx->eloop, EXIT_FAILURE);
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
425 	return -1;
426 }
427
428 int
429 ps_dostop(struct dhcpcd_ctx *ctx, pid_t *pid, int *fd)
430 {
5304
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
431 	int err = 0;
4840
073fcd86db9b privsep: Add support for privilege separation
Roy Marples <roy@marples.name>
parents:
432
433 #ifdef PRIVSEP_DEBUG
5351
00a3204a58af privsep: Fix a shutdown race
Roy Marples <roy@marples.name>
parents: 5344
diff changeset
434 logdebugx("%s: pid=%d fd=%d", __func__, *pid, *fd);
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
435 #endif
5223
333f66ce84bd privsep: Add a generic wrapper for getifaddrs(3)
Roy Marples <roy@marples.name>
parents: 5209
diff changeset
436
5304
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
437 if (*fd != -1) {
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
438 eloop_event_delete(ctx->eloop, *fd);
5351
00a3204a58af privsep: Fix a shutdown race
Roy Marples <roy@marples.name>
parents: 5344
diff changeset
439 if (ps_sendcmd(ctx, *fd, PS_STOP, 0, NULL, 0) == -1) {
5304
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
440 logerr(__func__);
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
441 err = -1;
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
442 }
5351
00a3204a58af privsep: Fix a shutdown race
Roy Marples <roy@marples.name>
parents: 5344
diff changeset
443 (void)shutdown(*fd, SHUT_RDWR);
5304
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
444 close(*fd);
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
445 *fd = -1;
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
446 }
5304
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
447
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
448 /* Don't wait for the process as it may not respond to the shutdown
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
449 * request. We'll reap the process on receipt of SIGCHLD. */
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
450 *pid = 0;
5304
04f26d9f1885 privsep: Don't wait for the process to finish when stopping it
Roy Marples <roy@marples.name>
parents: 5301
diff changeset
451 return err;
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
452 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
453
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
454 int
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
455 ps_start(struct dhcpcd_ctx *ctx)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
456 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
457 pid_t pid;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
458
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
459 TAILQ_INIT(&ctx->ps_processes);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
460
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
461 switch (pid = ps_root_start(ctx)) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
462 case -1:
5231
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
463 logerr("ps_root_start");
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
464 return -1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
465 case 0:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
466 return 0;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
467 default:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
468 logdebugx("spawned privileged actioneer on PID %d", pid);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
469 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
470
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
471 /* No point in spawning the generic network listener if we're
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
472 * not going to use it. */
5502
7100066d2c7e privsep: Only start network proxy if we need to
Roy Marples <roy@marples.name>
parents: 5501
diff changeset
473 if (!ps_inet_canstart(ctx))
5332
b22045bba8b9 privsep: control proxy is no longer optional
Roy Marples <roy@marples.name>
parents: 5331
diff changeset
474 goto started_net;
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
475
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
476 switch (pid = ps_inet_start(ctx)) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
477 case -1:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
478 return -1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
479 case 0:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
480 return 0;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
481 default:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
482 logdebugx("spawned network proxy on PID %d", pid);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
483 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
484
5332
b22045bba8b9 privsep: control proxy is no longer optional
Roy Marples <roy@marples.name>
parents: 5331
diff changeset
485 started_net:
5328
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
486 if (!(ctx->options & DHCPCD_TEST)) {
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
487 switch (pid = ps_ctl_start(ctx)) {
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
488 case -1:
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
489 return -1;
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
490 case 0:
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
491 return 0;
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
492 default:
5332
b22045bba8b9 privsep: control proxy is no longer optional
Roy Marples <roy@marples.name>
parents: 5331
diff changeset
493 logdebugx("spawned controller proxy on PID %d", pid);
5328
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
494 }
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
495 }
5268
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
496
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
497 #ifdef ARC4RANDOM_H
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
498 /* Seed the random number generator early incase it needs /dev/urandom
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
499 * which won't be available in the chroot. */
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
500 arc4random();
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
501 #endif
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
502
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
503 return 1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
504 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
505
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
506 int
5462
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
507 ps_entersandbox(const char *_pledge, const char **sandbox)
5459
4ac77faa4990 privsep: Fold capsicum and pledge entry points into ps_entersandbox
Roy Marples <roy@marples.name>
parents: 5454
diff changeset
508 {
4ac77faa4990 privsep: Fold capsicum and pledge entry points into ps_entersandbox
Roy Marples <roy@marples.name>
parents: 5454
diff changeset
509
5463
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
510 #if !defined(HAVE_PLEDGE)
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
511 UNUSED(_pledge);
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
512 #endif
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
513
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
514 #if defined(HAVE_CAPSICUM)
5462
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
515 if (sandbox != NULL)
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
516 *sandbox = "capsicum";
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
517 return cap_enter();
5463
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
518 #elif defined(HAVE_PLEDGE)
5462
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
519 if (sandbox != NULL)
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
520 *sandbox = "pledge";
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
521 return pledge(_pledge, NULL);
5463
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
522 #elif defined(HAVE_SECCOMP)
5462
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
523 if (sandbox != NULL)
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
524 *sandbox = "seccomp";
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
525 return ps_seccomp_enter();
5463
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
526 #else
5462
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
527 if (sandbox != NULL)
5463
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
528 *sandbox = "posix resource limited";
5459
4ac77faa4990 privsep: Fold capsicum and pledge entry points into ps_entersandbox
Roy Marples <roy@marples.name>
parents: 5454
diff changeset
529 return 0;
5463
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
530 #endif
5459
4ac77faa4990 privsep: Fold capsicum and pledge entry points into ps_entersandbox
Roy Marples <roy@marples.name>
parents: 5454
diff changeset
531 }
4ac77faa4990 privsep: Fold capsicum and pledge entry points into ps_entersandbox
Roy Marples <roy@marples.name>
parents: 5454
diff changeset
532
4ac77faa4990 privsep: Fold capsicum and pledge entry points into ps_entersandbox
Roy Marples <roy@marples.name>
parents: 5454
diff changeset
533 int
5466
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
534 ps_mastersandbox(struct dhcpcd_ctx *ctx, const char *_pledge)
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
535 {
5462
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
536 const char *sandbox = NULL;
5466
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
537 bool forked;
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
538 int dropped;
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
539
5466
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
540 forked = ctx->options & DHCPCD_FORKED;
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
541 ctx->options &= ~DHCPCD_FORKED;
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
542 dropped = ps_dropprivs(ctx);
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
543 if (forked)
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
544 ctx->options |= DHCPCD_FORKED;
5525
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
545
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
546 /*
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
547 * If we don't have a root process, we cannot use syslog.
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
548 * If it cannot be opened before chrooting then syslog(3) will fail.
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
549 * openlog(3) does not return an error which doubly sucks.
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
550 */
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
551 if (ctx->ps_root_fd == -1) {
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
552 unsigned int logopts = loggetopts();
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
553
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
554 logopts &= ~LOGERR_LOG;
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
555 logsetopts(logopts);
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
556 }
26b5d9bc2985 privsep: Send all log messages to the privileged actioneer
Roy Marples <roy@marples.name>
parents: 5515
diff changeset
557
5466
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
558 if (dropped == -1) {
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
559 logerr("%s: ps_dropprivs", __func__);
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
560 return -1;
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
561 }
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
562
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
563 #ifdef PRIVSEP_RIGHTS
5445
2070a61faddd privsep: Dump leases from stdin in a limited sandbox
Roy Marples <roy@marples.name>
parents: 5444
diff changeset
564 if ((ctx->pf_inet_fd != -1 &&
2070a61faddd privsep: Dump leases from stdin in a limited sandbox
Roy Marples <roy@marples.name>
parents: 5444
diff changeset
565 ps_rights_limit_ioctl(ctx->pf_inet_fd) == -1) ||
5454
68ef863871d1 dhcpcd: Only manipulate stdin, stdout and stderr when valid
Roy Marples <roy@marples.name>
parents: 5447
diff changeset
566 ps_rights_limit_stdio(ctx) == -1)
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
567 {
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
568 logerr("%s: cap_rights_limit", __func__);
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
569 return -1;
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
570 }
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
571 #endif
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
572
5466
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
573 if (_pledge == NULL)
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
574 _pledge = "stdio";
8bf1ce29152c privsep: sandbox the launcher process
Roy Marples <roy@marples.name>
parents: 5463
diff changeset
575 if (ps_entersandbox(_pledge, &sandbox) == -1) {
5462
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
576 if (errno == ENOSYS) {
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
577 if (sandbox != NULL)
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
578 logwarnx("sandbox unavailable: %s", sandbox);
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
579 return 0;
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
580 }
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
581 logerr("%s: %s", __func__, sandbox);
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
582 return -1;
5501
5b2272a0f3c3 privsep: Only log chrooting from the launcher process
Roy Marples <roy@marples.name>
parents: 5494
diff changeset
583 } else if (ctx->options & DHCPCD_LAUNCHER)
5463
f23587f4e8e2 privsep: Don't be noisy about the sandbox
Roy Marples <roy@marples.name>
parents: 5462
diff changeset
584 logdebugx("sandbox: %s", sandbox);
5462
6e80b8c6f70c privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents: 5461
diff changeset
585 return 0;
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
586 }
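The comment in ps_mastersandbox records why a chrooted process cannot rely on syslog(3) once it has no privileged root process to talk to. The following is an added example, not dhcpcd's own code, of the alternative that comment implies: an unprivileged child forwards length-prefixed log records over an AF_UNIX socketpair to a privileged parent, which validates each record before writing it out. The wire format (struct log_hdr), LOG_MAX and every function name here are constructed for this illustration.

```c
/* Added example (not dhcpcd code): forward log records from a sandboxed
 * child to a privileged logger over a socketpair, so the child never
 * needs a syslog connection after chroot or privilege drop. */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Constructed wire format: a fixed header followed by the message body. */
struct log_hdr {
	uint32_t pri;   /* syslog priority, e.g. LOG_ERR */
	uint32_t len;   /* body length in bytes, NUL not transmitted */
};

#define LOG_MAX 1024    /* constructed upper bound for one message body */

/* Serialise pri + msg into buf. Returns the record size or -1 if it
 * would not fit (either the body cap or the caller's buffer). */
ssize_t log_encode(unsigned char *buf, size_t bufsz, int pri, const char *msg)
{
	struct log_hdr h;
	size_t len = strlen(msg);

	if (len > LOG_MAX || sizeof(h) + len > bufsz)
		return -1;
	h.pri = (uint32_t)pri;
	h.len = (uint32_t)len;
	memcpy(buf, &h, sizeof(h));
	memcpy(buf + sizeof(h), msg, len);
	return (ssize_t)(sizeof(h) + len);
}

/* Parse one record on the privileged side. The header length must match
 * the bytes actually received and fit the caller's buffer; anything else
 * is rejected (-1) rather than trusted. Returns 0 on success. */
int log_decode(const unsigned char *buf, size_t n, int *pri,
    char *msg, size_t msgsz)
{
	struct log_hdr h;

	if (n < sizeof(h))
		return -1;
	memcpy(&h, buf, sizeof(h));
	if (h.len > LOG_MAX || h.len != n - sizeof(h) || h.len >= msgsz)
		return -1;
	*pri = (int)h.pri;
	memcpy(msg, buf + sizeof(h), h.len);
	msg[h.len] = '\0';
	return 0;
}

/* Unprivileged side: one record per SOCK_SEQPACKET message. */
int log_send(int fd, int pri, const char *msg)
{
	unsigned char buf[sizeof(struct log_hdr) + LOG_MAX];
	ssize_t n = log_encode(buf, sizeof(buf), pri, msg);

	if (n == -1)
		return -1;
	return write(fd, buf, (size_t)n) == n ? 0 : -1;
}

/* Privileged side: 0 = record decoded, 1 = malformed record dropped,
 * -1 = peer closed or read error. */
int log_recv(int fd, int *pri, char *msg, size_t msgsz)
{
	unsigned char buf[sizeof(struct log_hdr) + LOG_MAX];
	ssize_t n = read(fd, buf, sizeof(buf));

	if (n <= 0)
		return -1;
	return log_decode(buf, (size_t)n, pri, msg, msgsz) == 0 ? 0 : 1;
}

int main(void)
{
	int sv[2], pri, r, status;
	char msg[LOG_MAX + 1];
	pid_t pid;

	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) == -1) {
		perror("socketpair");
		return 1;
	}
	if ((pid = fork()) == -1) {
		perror("fork");
		return 1;
	}
	if (pid == 0) {
		/* Child: after chroot/privilege drop it would hold only sv[1]. */
		close(sv[0]);
		log_send(sv[1], LOG_INFO, "sandboxed child started");
		log_send(sv[1], LOG_ERR, "ps_dropprivs: example failure");
		close(sv[1]);
		_exit(0);
	}
	/* Parent: drain records until the child closes its end. A real
	 * daemon would call syslog(pri, "%s", msg) or append to its log file. */
	close(sv[1]);
	while ((r = log_recv(sv[0], &pri, msg, sizeof(msg))) != -1) {
		if (r == 0)
			fprintf(stderr, "pri=%d %s\n", pri, msg);
		else
			fprintf(stderr, "dropped malformed log record\n");
	}
	close(sv[0]);
	waitpid(pid, &status, 0);
	return 0;
}
```

The sender's PID is not part of the record, which matches the trade-off noted for this design: the privileged process can attribute messages only if the protocol carries that information.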

int
ps_stop(struct dhcpcd_ctx *ctx)
{
	int r, ret = 0;

	if (!(ctx->options & DHCPCD_PRIVSEP) ||
	    ctx->options & DHCPCD_FORKED ||
	    ctx->eloop == NULL)
		return 0;

	r = ps_ctl_stop(ctx);
	if (r != 0)
		ret = r;

	r = ps_inet_stop(ctx);
	if (r != 0)
		ret = r;

	/* We've been chrooted, so we need to tell the
	 * privileged actioneer to remove the pidfile. */
	ps_root_unlink(ctx, ctx->pidfile);

	r = ps_root_stop(ctx);
	if (r != 0)
		ret = r;

	ctx->options &= ~DHCPCD_PRIVSEP;
	return ret;
}

void
ps_freeprocess(struct ps_process *psp)
{

	TAILQ_REMOVE(&psp->psp_ctx->ps_processes, psp, next);
	if (psp->psp_fd != -1) {
		eloop_event_delete(psp->psp_ctx->eloop, psp->psp_fd);
		close(psp->psp_fd);
	}
	if (psp->psp_work_fd != -1) {
		eloop_event_delete(psp->psp_ctx->eloop, psp->psp_work_fd);
		close(psp->psp_work_fd);
	}
#ifdef INET
	if (psp->psp_bpf != NULL)
		bpf_close(psp->psp_bpf);
#endif
	free(psp);
}

static void
ps_free(struct dhcpcd_ctx *ctx)
{
	struct ps_process *psp;
	bool stop = ctx->ps_root_pid == getpid();

	while ((psp = TAILQ_FIRST(&ctx->ps_processes)) != NULL) {
		if (stop)
			ps_dostop(ctx, &psp->psp_pid, &psp->psp_fd);
		ps_freeprocess(psp);
	}
}

int
parents:
diff changeset
652 ps_unrollmsg(struct msghdr *msg, struct ps_msghdr *psm,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
653 const void *data, size_t len)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
654 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
655 uint8_t *datap, *namep, *controlp;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
656
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
657 namep = UNCONST(data);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
658 controlp = namep + psm->ps_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
659 datap = controlp + psm->ps_controllen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
660
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
661 if (psm->ps_namelen != 0) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
662 if (psm->ps_namelen > len) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
663 errno = EINVAL;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
664 return -1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
665 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
666 msg->msg_name = namep;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
667 len -= psm->ps_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
668 } else
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
669 msg->msg_name = NULL;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
670 msg->msg_namelen = psm->ps_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
671
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
672 if (psm->ps_controllen != 0) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
673 if (psm->ps_controllen > len) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
674 errno = EINVAL;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
675 return -1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
676 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
677 msg->msg_control = controlp;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
678 len -= psm->ps_controllen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
679 } else
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
680 msg->msg_control = NULL;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
681 msg->msg_controllen = psm->ps_controllen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
682
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
683 if (len != 0) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
684 msg->msg_iovlen = 1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
685 msg->msg_iov[0].iov_base = datap;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
686 msg->msg_iov[0].iov_len = len;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
687 } else {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
688 msg->msg_iovlen = 0;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
689 msg->msg_iov[0].iov_base = NULL;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
690 msg->msg_iov[0].iov_len = 0;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
691 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
692 return 0;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
693 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
694
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
695 ssize_t
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
696 ps_sendpsmmsg(struct dhcpcd_ctx *ctx, int fd,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
697 struct ps_msghdr *psm, const struct msghdr *msg)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
698 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
699 struct iovec iov[] = {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
700 { .iov_base = UNCONST(psm), .iov_len = sizeof(*psm) },
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
701 { .iov_base = NULL, }, /* name */
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
702 { .iov_base = NULL, }, /* control */
5231
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
703 { .iov_base = NULL, }, /* payload 1 */
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
704 { .iov_base = NULL, }, /* payload 2 */
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
705 { .iov_base = NULL, }, /* payload 3 */
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
706 };
5231
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
707 int iovlen;
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
708 ssize_t len;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
709
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
710 if (msg != NULL) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
711 struct iovec *iovp = &iov[1];
5234
bcd021398c1d Fix compile on Linux
Roy Marples <roy@marples.name>
parents: 5231
diff changeset
712 int i;
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
713
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
714 psm->ps_namelen = msg->msg_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
715 psm->ps_controllen = (socklen_t)msg->msg_controllen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
716
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
717 iovp->iov_base = msg->msg_name;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
718 iovp->iov_len = msg->msg_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
719 iovp++;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
720 iovp->iov_base = msg->msg_control;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
721 iovp->iov_len = msg->msg_controllen;
5231
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
722 iovlen = 3;
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
723
5234
bcd021398c1d Fix compile on Linux
Roy Marples <roy@marples.name>
parents: 5231
diff changeset
724 for (i = 0; i < (int)msg->msg_iovlen; i++) {
bcd021398c1d Fix compile on Linux
Roy Marples <roy@marples.name>
parents: 5231
diff changeset
725 if ((size_t)(iovlen + i) > __arraycount(iov)) {
5231
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
726 errno = ENOBUFS;
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
727 return -1;
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
728 }
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
729 iovp++;
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
730 iovp->iov_base = msg->msg_iov[i].iov_base;
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
731 iovp->iov_len = msg->msg_iov[i].iov_len;
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
732 }
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
733 iovlen += i;
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
734 } else
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
735 iovlen = 1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
736
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
737 len = writev(fd, iov, iovlen);
5420
d9038a8c3241 privsep: Improve some errors
Roy Marples <roy@marples.name>
parents: 5396
diff changeset
738 if (len == -1) {
d9038a8c3241 privsep: Improve some errors
Roy Marples <roy@marples.name>
parents: 5396
diff changeset
739 logerr(__func__);
d9038a8c3241 privsep: Improve some errors
Roy Marples <roy@marples.name>
parents: 5396
diff changeset
740 if (ctx->options & DHCPCD_FORKED &&
d9038a8c3241 privsep: Improve some errors
Roy Marples <roy@marples.name>
parents: 5396
diff changeset
741 !(ctx->options & DHCPCD_PRIVSEPROOT))
d9038a8c3241 privsep: Improve some errors
Roy Marples <roy@marples.name>
parents: 5396
diff changeset
742 eloop_exit(ctx->eloop, EXIT_FAILURE);
d9038a8c3241 privsep: Improve some errors
Roy Marples <roy@marples.name>
parents: 5396
diff changeset
743 }
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
744 return len;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
745 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
746
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
747 ssize_t
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
748 ps_sendpsmdata(struct dhcpcd_ctx *ctx, int fd,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
749 struct ps_msghdr *psm, const void *data, size_t len)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
750 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
751 struct iovec iov[] = {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
752 { .iov_base = UNCONST(data), .iov_len = len },
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
753 };
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
754 struct msghdr msg = {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
755 .msg_iov = iov, .msg_iovlen = 1,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
756 };
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
757
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
758 return ps_sendpsmmsg(ctx, fd, psm, &msg);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
759 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
760
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
761
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
762 ssize_t
5207
84b63f09c8a4 privsep: Handle all file IO in the Priviledged Actioneer
Roy Marples <roy@marples.name>
parents: 5204
diff changeset
763 ps_sendmsg(struct dhcpcd_ctx *ctx, int fd, uint16_t cmd, unsigned long flags,
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
764 const struct msghdr *msg)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
765 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
766 struct ps_msghdr psm = {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
767 .ps_cmd = cmd,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
768 .ps_flags = flags,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
769 .ps_namelen = msg->msg_namelen,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
770 .ps_controllen = (socklen_t)msg->msg_controllen,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
771 };
5231
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
772 size_t i;
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
773
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
774 for (i = 0; i < (size_t)msg->msg_iovlen; i++)
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
775 psm.ps_datalen += msg->msg_iov[i].iov_len;
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
776
4946
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
777 #if 0 /* For debugging structure padding. */
4950
ba9558e22e1c privsep: correct debug struct name
Roy Marples <roy@marples.name>
parents: 4949
diff changeset
778 logerrx("psa.family %lu %zu", offsetof(struct ps_addr, psa_family), sizeof(psm.ps_id.psi_addr.psa_family));
4946
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
779 logerrx("psa.pad %lu %zu", offsetof(struct ps_addr, psa_pad), sizeof(psm.ps_id.psi_addr.psa_pad));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
780 logerrx("psa.psa_u %lu %zu", offsetof(struct ps_addr, psa_u), sizeof(psm.ps_id.psi_addr.psa_u));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
781 logerrx("psa %zu", sizeof(psm.ps_id.psi_addr));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
782
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
783 logerrx("psi.addr %lu %zu", offsetof(struct ps_id, psi_addr), sizeof(psm.ps_id.psi_addr));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
784 logerrx("psi.index %lu %zu", offsetof(struct ps_id, psi_ifindex), sizeof(psm.ps_id.psi_ifindex));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
785 logerrx("psi.cmd %lu %zu", offsetof(struct ps_id, psi_cmd), sizeof(psm.ps_id.psi_cmd));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
786 logerrx("psi.pad %lu %zu", offsetof(struct ps_id, psi_pad), sizeof(psm.ps_id.psi_pad));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
787 logerrx("psi %zu", sizeof(struct ps_id));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
788
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
789 logerrx("ps_cmd %lu", offsetof(struct ps_msghdr, ps_cmd));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
790 logerrx("ps_pad %lu %zu", offsetof(struct ps_msghdr, ps_pad), sizeof(psm.ps_pad));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
791 logerrx("ps_flags %lu %zu", offsetof(struct ps_msghdr, ps_flags), sizeof(psm.ps_flags));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
792
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
793 logerrx("ps_id %lu %zu", offsetof(struct ps_msghdr, ps_id), sizeof(psm.ps_id));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
794
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
795 logerrx("ps_namelen %lu %zu", offsetof(struct ps_msghdr, ps_namelen), sizeof(psm.ps_namelen));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
796 logerrx("ps_controllen %lu %zu", offsetof(struct ps_msghdr, ps_controllen), sizeof(psm.ps_controllen));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
797 logerrx("ps_pad2 %lu %zu", offsetof(struct ps_msghdr, ps_pad2), sizeof(psm.ps_pad2));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
798 logerrx("ps_datalen %lu %zu", offsetof(struct ps_msghdr, ps_datalen), sizeof(psm.ps_datalen));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
799 logerrx("psm %zu", sizeof(psm));
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
800 #endif
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
801
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
802 return ps_sendpsmmsg(ctx, fd, &psm, msg);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
803 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
804
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
805 ssize_t
5207
84b63f09c8a4 privsep: Handle all file IO in the Priviledged Actioneer
Roy Marples <roy@marples.name>
parents: 5204
diff changeset
806 ps_sendcmd(struct dhcpcd_ctx *ctx, int fd, uint16_t cmd, unsigned long flags,
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
807 const void *data, size_t len)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
808 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
809 struct ps_msghdr psm = {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
810 .ps_cmd = cmd,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
811 .ps_flags = flags,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
812 };
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
813 struct iovec iov[] = {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
814 { .iov_base = UNCONST(data), .iov_len = len }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
815 };
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
816 struct msghdr msg = {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
817 .msg_iov = iov, .msg_iovlen = 1,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
818 };
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
819
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
820 return ps_sendpsmmsg(ctx, fd, &psm, &msg);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
821 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
822
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
823 static ssize_t
5207
84b63f09c8a4 privsep: Handle all file IO in the Priviledged Actioneer
Roy Marples <roy@marples.name>
parents: 5204
diff changeset
824 ps_sendcmdmsg(int fd, uint16_t cmd, const struct msghdr *msg)
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
825 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
826 struct ps_msghdr psm = { .ps_cmd = cmd };
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
827 uint8_t data[PS_BUFLEN], *p = data;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
828 struct iovec iov[] = {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
829 { .iov_base = &psm, .iov_len = sizeof(psm) },
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
830 { .iov_base = data, .iov_len = 0 },
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
831 };
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
832 size_t dl = sizeof(data);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
833
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
834 if (msg->msg_namelen != 0) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
835 if (msg->msg_namelen > dl)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
836 goto nobufs;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
837 psm.ps_namelen = msg->msg_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
838 memcpy(p, msg->msg_name, msg->msg_namelen);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
839 p += msg->msg_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
Changesets in this listing (all by Roy Marples <roy@marples.name>):
  4840 073fcd86db9b  privsep: Add support for privilege separation
  4868 119c8986dfc8  privsep: Enable ARP BPF filtering for interesting addresses
  5207 84b63f09c8a4  privsep: Handle all file IO in the Privileged Actioneer
  5231 a2c342295221  privsep: Enable Capsicum for all processes.
  5260 7571d82b48da  privsep: Allow dev plugins to work
  5262 f168a25dd330  privsep: Fix compile for prior without dev plugins
  5297 477edd06fea7  privsep: harden process handling
  5420 d9038a8c3241  privsep: Improve some errors

4840  840 		dl -= msg->msg_namelen;
      841 	}
      842 
      843 	if (msg->msg_controllen != 0) {
      844 		if (msg->msg_controllen > dl)
      845 			goto nobufs;
      846 		psm.ps_controllen = (socklen_t)msg->msg_controllen;
      847 		memcpy(p, msg->msg_control, msg->msg_controllen);
      848 		p += msg->msg_controllen;
      849 		dl -= msg->msg_controllen;
      850 	}
      851 
      852 	psm.ps_datalen = msg->msg_iov[0].iov_len;
      853 	if (psm.ps_datalen > dl)
      854 		goto nobufs;
      855 
      856 	iov[1].iov_len = psm.ps_namelen + psm.ps_controllen + psm.ps_datalen;
      857 	if (psm.ps_datalen != 0)
      858 		memcpy(p, msg->msg_iov[0].iov_base, psm.ps_datalen);
      859 	return writev(fd, iov, __arraycount(iov));
      860 
      861 nobufs:
      862 	errno = ENOBUFS;
      863 	return -1;
      864 }
      865 
      866 ssize_t
5207  867 ps_recvmsg(struct dhcpcd_ctx *ctx, int rfd, uint16_t cmd, int wfd)
4840  868 {
      869 	struct sockaddr_storage ss = { .ss_family = AF_UNSPEC };
      870 	uint8_t controlbuf[sizeof(struct sockaddr_storage)] = { 0 };
      871 	uint8_t databuf[64 * 1024];
      872 	struct iovec iov[] = {
      873 	    { .iov_base = databuf, .iov_len = sizeof(databuf) }
      874 	};
      875 	struct msghdr msg = {
      876 		.msg_name = &ss, .msg_namelen = sizeof(ss),
      877 		.msg_control = controlbuf, .msg_controllen = sizeof(controlbuf),
      878 		.msg_iov = iov, .msg_iovlen = 1,
      879 	};
      880 
      881 	ssize_t len = recvmsg(rfd, &msg, 0);
5297  882 
5420  883 	if (len == -1)
      884 		logerr("%s: recvmsg", __func__);
5297  885 	if (len == -1 || len == 0) {
      886 		if (ctx->options & DHCPCD_FORKED &&
      887 		    !(ctx->options & DHCPCD_PRIVSEPROOT))
      888 			eloop_exit(ctx->eloop,
      889 			    len == 0 ? EXIT_SUCCESS : EXIT_FAILURE);
4840  890 		return len;
      891 	}
      892 
      893 	iov[0].iov_len = (size_t)len;
      894 	len = ps_sendcmdmsg(wfd, cmd, &msg);
5420  895 	if (len == -1) {
      896 		logerr("ps_sendcmdmsg");
      897 		if (ctx->options & DHCPCD_FORKED &&
      898 		    !(ctx->options & DHCPCD_PRIVSEPROOT))
      899 			eloop_exit(ctx->eloop, EXIT_FAILURE);
      900 	}
4840  901 	return len;
      902 }
      903 
      904 ssize_t
      905 ps_recvpsmsg(struct dhcpcd_ctx *ctx, int fd,
      906     ssize_t (*callback)(void *, struct ps_msghdr *, struct msghdr *),
      907     void *cbctx)
      908 {
      909 	struct ps_msg psm;
      910 	ssize_t len;
      911 	size_t dlen;
      912 	struct iovec iov[1];
      913 	struct msghdr msg = { .msg_iov = iov, .msg_iovlen = 1 };
      914 	bool stop = false;
      915 
      916 	len = read(fd, &psm, sizeof(psm));
      917 #ifdef PRIVSEP_DEBUG
      918 	logdebugx("%s: %zd", __func__, len);
      919 #endif
      920 
      921 	if (len == -1 || len == 0)
      922 		stop = true;
      923 	else {
      924 		dlen = (size_t)len;
      925 		if (dlen < sizeof(psm.psm_hdr)) {
      926 			errno = EINVAL;
      927 			return -1;
      928 		}
      929 
      930 		if (psm.psm_hdr.ps_cmd == PS_STOP) {
      931 			stop = true;
      932 			len = 0;
      933 		}
      934 	}
      935 
      936 	if (stop) {
      937 #ifdef PRIVSEP_DEBUG
      938 		logdebugx("process %d stopping", getpid());
      939 #endif
      940 		ps_free(ctx);
5262  941 #ifdef PLUGIN_DEV
5260  942 		dev_stop(ctx);
5262  943 #endif
4840  944 		eloop_exit(ctx->eloop, len != -1 ? EXIT_SUCCESS : EXIT_FAILURE);
      945 		return len;
      946 	}
      947 	dlen -= sizeof(psm.psm_hdr);
      948 
      949 	if (ps_unrollmsg(&msg, &psm.psm_hdr, psm.psm_data, dlen) == -1)
      950 		return -1;
      951 
5231  952 	if (callback == NULL)
      953 		return 0;
      954 
4840  955 	errno = 0;
      956 	return callback(cbctx, &psm.psm_hdr, &msg);
      957 }
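The framing that ps_sendcmdmsg (lines 840-864) and ps_recvpsmsg (905-957) implement between the privsep processes, as an added example that is not dhcpcd's code: a simplified demo_hdr/demo_msg layout with a 64-byte payload is assumed in place of dhcpcd's struct ps_msghdr/ps_msg, and demo_unroll stands in for ps_unrollmsg, whose body is not in this range, so its bounds check is the one a receiver needs rather than a transcript of dhcpcd's. The sender checks each part against the remaining space before copying it, and the receiver treats the lengths in the header as untrusted input that must fit inside the bytes actually read before it points a msghdr at them.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

#define DEMO_DATALEN 64 /* assumed demo payload size; dhcpcd's is far larger */
/* Assumed, simplified header; not dhcpcd's real struct ps_msghdr. */
struct demo_hdr { uint16_t cmd; socklen_t namelen, controllen; size_t datalen; };
struct demo_msg { struct demo_hdr hdr; uint8_t data[DEMO_DATALEN]; };

/* Sender, as in ps_sendcmdmsg: name, control and data go behind the header,
 * each checked against the remaining space dl before its memcpy.
 * Returns the frame length, or -1 with errno = ENOBUFS. */
ssize_t
demo_flatten(struct demo_msg *m, uint16_t cmd, const struct msghdr *msg)
{
	const void *src[3] = { msg->msg_name, msg->msg_control, msg->msg_iov[0].iov_base };
	size_t n[3] = { msg->msg_namelen, msg->msg_controllen, msg->msg_iov[0].iov_len };
	uint8_t *p = m->data;
	size_t dl = sizeof(m->data);

	memset(m, 0, sizeof(*m)); /* never send stale stack bytes to the other side */
	for (int i = 0; i < 3; i++) {
		if (n[i] > dl) {
			errno = ENOBUFS;
			return -1;
		}
		if (n[i] != 0)
			memcpy(p, src[i], n[i]);
		p += n[i];
		dl -= n[i];
	}
	m->hdr.cmd = cmd;
	m->hdr.namelen = (socklen_t)n[0];
	m->hdr.controllen = (socklen_t)n[1];
	m->hdr.datalen = n[2];
	return (ssize_t)(sizeof(m->hdr) + (size_t)(p - m->data));
}

/* Receiver, in the role of ps_unrollmsg: the header's lengths are untrusted
 * and must fit in dlen, the number of bytes actually read after the header
 * (the check the caller already made is dlen >= sizeof header). */
int
demo_unroll(struct msghdr *msg, const struct demo_hdr *h, uint8_t *d, size_t dlen)
{
	size_t nc = (size_t)h->namelen + h->controllen;

	if (nc < h->namelen || h->datalen > dlen || nc > dlen - h->datalen) {
		errno = EINVAL;
		return -1;
	}
	msg->msg_name = h->namelen ? d : NULL;
	msg->msg_namelen = h->namelen;
	msg->msg_control = h->controllen ? d + h->namelen : NULL;
	msg->msg_controllen = h->controllen;
	msg->msg_iov[0].iov_base = d + nc;
	msg->msg_iov[0].iov_len = h->datalen;
	return 0;
}
```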
4840  958 
      959 struct ps_process *
      960 ps_findprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
      961 {
      962 	struct ps_process *psp;
      963 
      964 	TAILQ_FOREACH(psp, &ctx->ps_processes, next) {
      965 		if (memcmp(&psp->psp_id, psid, sizeof(psp->psp_id)) == 0)
      966 			return psp;
      967 	}
      968 	errno = ESRCH;
      969 	return NULL;
      970 }
      971 
      972 struct ps_process *
      973 ps_newprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
      974 {
      975 	struct ps_process *psp;
      976 
      977 	psp = calloc(1, sizeof(*psp));
      978 	if (psp == NULL)
      979 		return NULL;
      980 	psp->psp_ctx = ctx;
      981 	memcpy(&psp->psp_id, psid, sizeof(psp->psp_id));
4868  982 	psp->psp_work_fd = -1;
4840  983 	TAILQ_INSERT_TAIL(&ctx->ps_processes, psp, next);
      984 	return psp;
      985 }
      986 
      987 void
      988 ps_freeprocesses(struct dhcpcd_ctx *ctx, struct ps_process *notthis)
      989 {
      990 	struct ps_process *psp, *psn;
      991 
      992 	TAILQ_FOREACH_SAFE(psp, &ctx->ps_processes, next, psn) {
      993 		if (psp == notthis)
      994 			continue;
      995 		ps_freeprocess(psp);
      996 	}
      997 }