annotate src/privsep.c @ 5538:fc24946f9b2a draft

dhcpcd: Don't create launcher process if keeping in foreground There is little point.
author Roy Marples <roy@marples.name>
date Wed, 11 Nov 2020 17:44:55 +0000
parents a0d828e25482
children 8f7592a6f80d
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
1 /* SPDX-License-Identifier: BSD-2-Clause */
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
2 /*
5060
4539ffcdd656 spelling: Correct both privilege and separation
Roy Marples <roy@marples.name>
parents: 5000
diff changeset
3 * Privilege Separation for dhcpcd
4922
555d7d1a4939 Welcome to 2020!
Roy Marples <roy@marples.name>
parents: 4870
diff changeset
4 * Copyright (c) 2006-2020 Roy Marples <roy@marples.name>
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
5 * All rights reserved
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
6
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
7 * Redistribution and use in source and binary forms, with or without
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
8 * modification, are permitted provided that the following conditions
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
9 * are met:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
10 * 1. Redistributions of source code must retain the above copyright
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
11 * notice, this list of conditions and the following disclaimer.
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
12 * 2. Redistributions in binary form must reproduce the above copyright
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
13 * notice, this list of conditions and the following disclaimer in the
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
14 * documentation and/or other materials provided with the distribution.
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
15 *
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
26 * SUCH DAMAGE.
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
27 */
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
28
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
29 /*
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
30 * The current design is this:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
31 * Spawn a priv process to carry out privileged actions and
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
32 * spawn an unpriv process to initiate network connections such as BPF
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
33 * or address specific listener.
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
34 * Spawn an unpriv process to send/receive common network data.
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
35 * Then drop all privs and start running.
4995
91c3d1ed3496 privsep: Note CHROOT script
Roy Marples <roy@marples.name>
parents: 4992
diff changeset
36 * Every process aside from the privileged actioneer is chrooted.
5425
9edfc000a89b privsep: Only the master process accepts signals
Roy Marples <roy@marples.name>
parents: 5420
diff changeset
37 * All privsep processes ignore signals - only the master process accepts them.
4995
91c3d1ed3496 privsep: Note CHROOT script
Roy Marples <roy@marples.name>
parents: 4992
diff changeset
38 *
91c3d1ed3496 privsep: Note CHROOT script
Roy Marples <roy@marples.name>
parents: 4992
diff changeset
39 * dhcpcd will maintain the config file in the chroot, no need to handle
91c3d1ed3496 privsep: Note CHROOT script
Roy Marples <roy@marples.name>
parents: 4992
diff changeset
40 * this in a script or something.
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
41 */
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
42
5331
d075e31eb148 privsep: For Linux and Solaris, set RLIMIT_NOFILES to nevents
Roy Marples <roy@marples.name>
parents: 5328
diff changeset
43 #include <sys/resource.h>
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
44 #include <sys/socket.h>
4991
45bd88c307ed privsep: copy configuration file into chroot
Roy Marples <roy@marples.name>
parents: 4989
diff changeset
45 #include <sys/stat.h>
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
46 #include <sys/types.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
47 #include <sys/wait.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
48
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
49 #ifdef AF_LINK
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
50 #include <net/if_dl.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
51 #endif
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
52
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
53 #include <assert.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
54 #include <errno.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
55 #include <fcntl.h>
5000
62e3afcc867c privsep: Fix compile on Linux
Roy Marples <roy@marples.name>
parents: 4997
diff changeset
56 #include <grp.h>
4988
1369161bbc7c privsep: Close stdout/stderr after forking processes
Roy Marples <roy@marples.name>
parents: 4976
diff changeset
57 #include <paths.h>
5000
62e3afcc867c privsep: Fix compile on Linux
Roy Marples <roy@marples.name>
parents: 4997
diff changeset
58 #include <pwd.h>
4946
c80386966f1f privsep: Pad structs out so there are no uninited memory issues
Roy Marples <roy@marples.name>
parents: 4922
diff changeset
59 #include <stddef.h> /* For offsetof, struct padding debug */
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
60 #include <signal.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
61 #include <stdlib.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
62 #include <string.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
63 #include <unistd.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
64
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
65 #include "arp.h"
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
66 #include "common.h"
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
67 #include "control.h"
5260
7571d82b48da privsep: Allow dev plugins to work
Roy Marples <roy@marples.name>
parents: 5248
diff changeset
68 #include "dev.h"
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
69 #include "dhcp.h"
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
70 #include "dhcp6.h"
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
71 #include "eloop.h"
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
72 #include "ipv6nd.h"
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
73 #include "logerr.h"
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
74 #include "privsep.h"
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
75
5197
b02566d71169 privsep: Enable capsicum for network facing processes
Roy Marples <roy@marples.name>
parents: 5186
diff changeset
76 #ifdef HAVE_CAPSICUM
b02566d71169 privsep: Enable capsicum for network facing processes
Roy Marples <roy@marples.name>
parents: 5186
diff changeset
77 #include <sys/capsicum.h>
5443
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
diff changeset
78 #include <capsicum_helpers.h>
5197
b02566d71169 privsep: Enable capsicum for network facing processes
Roy Marples <roy@marples.name>
parents: 5186
diff changeset
79 #endif
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
80 #ifdef HAVE_UTIL_H
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
81 #include <util.h>
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
82 #endif
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
83
4953
109206a59cc6 privsep: Delay control startup after starting privsep
Roy Marples <roy@marples.name>
parents: 4950
diff changeset
/*
 * Prepare privilege separation for the lifetime of ctx.
 *
 * Resolves the PRIVSEP_USER account and records it in ctx->ps_user, then
 * checks that the account's home directory (the future chroot) exists
 * and is a directory.  On success DHCPCD_PRIVSEP is set in ctx->options
 * and 0 is returned; on any failure DHCPCD_PRIVSEP is cleared, the
 * reason is logged, and -1 is returned (with errno reset to 0 unless
 * getpwnam(3) itself reported an error).
 */
int
ps_init(struct dhcpcd_ctx *ctx)
{
	struct passwd *pw;
	struct stat st;
	const char *chrootdir;

	/* getpwnam(3) leaves errno untouched when the user simply does not
	 * exist, so clear it first to tell that apart from a lookup error. */
	errno = 0;
	pw = getpwnam(PRIVSEP_USER);
	ctx->ps_user = pw;
	if (pw == NULL) {
		ctx->options &= ~DHCPCD_PRIVSEP;
		if (errno != 0) {
			logerr("getpwnam");
			return -1;
		}
		logerrx("no such user %s", PRIVSEP_USER);
		/* logerrx may have clobbered errno; report a clean failure. */
		errno = 0;
		return -1;
	}

	/* The account's home directory becomes the chroot for every
	 * sandboxed process, so it must at least be an existing directory.
	 * NOTE(review): ownership and write permission are not checked here;
	 * a chroot writable by the unprivileged user weakens the sandbox —
	 * confirm the installation keeps it root-owned and non-writable. */
	chrootdir = pw->pw_dir;
	if (stat(chrootdir, &st) == -1 || !S_ISDIR(st.st_mode)) {
		ctx->options &= ~DHCPCD_PRIVSEP;
		logerrx("refusing chroot: %s: %s",
		    PRIVSEP_USER, chrootdir);
		errno = 0;
		return -1;
	}

	ctx->options |= DHCPCD_PRIVSEP;
	return 0;
}
4953
109206a59cc6 privsep: Delay control startup after starting privsep
Roy Marples <roy@marples.name>
parents: 4950
diff changeset
113
5444
d861892268ff privsep: dropprivs can be static
Roy Marples <roy@marples.name>
parents: 5443
diff changeset
/*
 * Confine the calling process: chroot into the privsep user's home
 * directory, switch to that user's gid/uid, then clamp resource limits
 * so the process cannot open new descriptors, write files or fork.
 *
 * ctx->ps_user must already have been resolved by ps_init().
 * Returns 0 on success and -1 only if the uid/gid drop fails; chroot,
 * chdir and setrlimit failures are logged but are not fatal.
 */
static int
ps_dropprivs(struct dhcpcd_ctx *ctx)
{
	struct passwd *pw = ctx->ps_user;

	/* Only the launcher logs the chroot so the message appears once,
	 * not once per forked privsep process. */
	if (ctx->options & DHCPCD_LAUNCHER)
		logdebugx("chrooting as %s to %s", pw->pw_name, pw->pw_dir);
	/* EPERM is tolerated when the process has not been forked —
	 * presumably to allow running without root privileges; confirm.
	 * NOTE(review): a failed chroot is only logged; execution continues
	 * unconfined and the caller still sees 0 from this function. */
	if (chroot(pw->pw_dir) == -1 &&
	    (errno != EPERM || ctx->options & DHCPCD_FORKED))
		logerr("%s: chroot: %s", __func__, pw->pw_dir);
	/* chdir after chroot so the cwd cannot remain outside the jail. */
	if (chdir("/") == -1)
		logerr("%s: chdir: /", __func__);

	/* Drop supplementary groups, then gid, then uid: once the uid is
	 * unprivileged the earlier calls would no longer be permitted.
	 * Unlike chroot, failure here (other than tolerated EPERM) is fatal. */
	if ((setgroups(1, &pw->pw_gid) == -1 ||
	    setgid(pw->pw_gid) == -1 ||
	    setuid(pw->pw_uid) == -1) &&
	    (errno != EPERM || ctx->options & DHCPCD_FORKED))
	{
		logerr("failed to drop privileges");
		return -1;
	}

	/* Hard and soft limit of zero: used below to forbid an activity
	 * outright. */
	struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };

	/* The control proxy process is exempt — presumably because it must
	 * keep accepting new client connections; confirm against caller. */
	if (ctx->ps_control_pid != getpid()) {
		/* Prohibit new files, sockets, etc */
#if defined(__linux__) || defined(__sun) || defined(__OpenBSD__)
		/*
		 * If poll(2) is called with nfds > RLIMIT_NOFILE
		 * then it returns EINVAL.
		 * This blows.
		 * Do the best we can and limit to what we need.
		 * An attacker could potentially close a file and
		 * open a new one still, but that cannot be helped.
		 */
		unsigned long maxfd;
		maxfd = (unsigned long)eloop_event_count(ctx->eloop);
		if (IN_PRIVSEP_SE(ctx))
			maxfd++; /* XXX why? — headroom for one extra descriptor in the SE process, presumably; confirm */

		struct rlimit rmaxfd = {
		    .rlim_cur = maxfd,
		    .rlim_max = maxfd
		};
		if (setrlimit(RLIMIT_NOFILE, &rmaxfd) == -1)
			logerr("setrlimit RLIMIT_NOFILE");
#else
		/* Elsewhere poll(2) is unaffected, so forbid new descriptors
		 * entirely. */
		if (setrlimit(RLIMIT_NOFILE, &rzero) == -1)
			logerr("setrlimit RLIMIT_NOFILE");
#endif
	}

/* Both flags set means the process is already running daemonised, so
 * stdio cannot be pointing at a user-supplied file. */
#define DHC_NOCHKIO (DHCPCD_STARTED | DHCPCD_DAEMONISE)
	/* Prohibit writing to files.
	 * Obviously this won't work if we are using a logfile
	 * or redirecting stderr to a file. */
	if ((ctx->options & DHC_NOCHKIO) == DHC_NOCHKIO ||
	    (ctx->logfile == NULL &&
	    (!ctx->stderr_valid || isatty(STDERR_FILENO) == 1)))
	{
		if (setrlimit(RLIMIT_FSIZE, &rzero) == -1)
			logerr("setrlimit RLIMIT_FSIZE");
	}

#ifdef RLIMIT_NPROC
	/* Prohibit forks */
	if (setrlimit(RLIMIT_NPROC, &rzero) == -1)
		logerr("setrlimit RLIMIT_NPROC");
#endif

	return 0;
}
109206a59cc6 privsep: Delay control startup after starting privsep
Roy Marples <roy@marples.name>
parents: 4950
diff changeset
186
5290
fae6670fef23 privsep: Ensure socketpair IPC buffers are large enough.
Roy Marples <roy@marples.name>
parents: 5281
diff changeset
/*
 * Ensure the SOL_SOCKET buffer option ctl (SO_RCVBUF or SO_SNDBUF) on fd
 * is at least minlen bytes, growing it with setsockopt(2) only when the
 * current value is smaller.
 *
 * Returns 0 on success (including when no change was needed), or -1 with
 * errno set by getsockopt(2) or setsockopt(2).
 */
static int
ps_setbuf0(int fd, int ctl, int minlen)
{
	int cur;
	socklen_t curlen = sizeof(cur);

	if (getsockopt(fd, SOL_SOCKET, ctl, &cur, &curlen) == -1)
		return -1;

#ifdef __linux__
	/* The Linux kernel doubles the buffer size it reports (see
	 * socket(7)) to account for bookkeeping overhead; halve it so the
	 * comparison is against the usable size. */
	cur /= 2;
#endif

	/* Large enough already: leave the socket alone. */
	return cur >= minlen
	    ? 0
	    : setsockopt(fd, SOL_SOCKET, ctl, &minlen, sizeof(minlen));
}
d1e1fe84e3b3 privsep: Double the size of the send buffer.
Roy Marples <roy@marples.name>
parents: 5290
diff changeset
205
d1e1fe84e3b3 privsep: Double the size of the send buffer.
Roy Marples <roy@marples.name>
parents: 5290
diff changeset
/*
 * Size the socket buffers of a privsep IPC descriptor so a whole
 * struct ps_msg can be received in one go and two can be queued for
 * sending.
 *
 * Returns 0 on success, or -1 (after logging) if either buffer could
 * not be adjusted.
 */
static int
ps_setbuf(int fd)
{
	const int msglen = (int)sizeof(struct ps_msg);

	/* Receive buffer holds one full message; the send buffer is
	 * doubled so a reply can be queued behind a pending request. */
	if (ps_setbuf0(fd, SO_RCVBUF, msglen) != -1 &&
	    ps_setbuf0(fd, SO_SNDBUF, msglen * 2) != -1)
		return 0;

	logerr(__func__);
	return -1;
}
/* Apply ps_setbuf() to both descriptors of a socketpair.
 *
 * fd must hold two descriptors. Returns 0 when both succeed and -1 as
 * soon as one fails; fd[1] is not touched if fd[0] fails.
 */
int
ps_setbuf_fdpair(int fd[])
{
	size_t i;

	for (i = 0; i < 2; i++) {
		if (ps_setbuf(fd[i]) == -1)
			return -1;
	}
	return 0;
}
231 #ifdef PRIVSEP_RIGHTS
/* Restrict fd to ioctl(2) under Capsicum.
 *
 * ENOSYS from cap_rights_limit() is treated as success so the caller
 * keeps working on a kernel without capability support (presumably the
 * reason for the exemption); the limit is therefore best-effort there.
 * NOTE(review): CAP_IOCTL alone admits every ioctl command on fd;
 * cap_ioctls_limit() could narrow it to the commands actually issued —
 * confirm against the callers before tightening.
 *
 * Returns 0 on success or ENOSYS, -1 on any other error (errno set by
 * cap_rights_limit()).
 */
int
ps_rights_limit_ioctl(int fd)
{
	cap_rights_t allowed;
	int rc;

	cap_rights_init(&allowed, CAP_IOCTL);
	rc = cap_rights_limit(fd, &allowed);
	if (rc != -1 || errno == ENOSYS)
		return 0;
	return -1;
}
/* Limit fd to read, write, event polling, accept(2) and fcntl(2) under
 * Capsicum.
 *
 * ENOSYS is not reported as an error so a kernel without capability
 * support (presumably) does not break the caller; the limit is
 * best-effort there.
 * NOTE(review): CAP_FCNTL admits every fcntl command unless
 * cap_fcntls_limit() narrows it — confirm which commands callers need.
 *
 * Returns 0 on success or ENOSYS, -1 on any other failure.
 */
int
ps_rights_limit_fd_fctnl(int fd)
{
	cap_rights_t allowed;

	cap_rights_init(&allowed,
	    CAP_READ, CAP_WRITE, CAP_EVENT, CAP_ACCEPT, CAP_FCNTL);
	if (cap_rights_limit(fd, &allowed) == 0)
		return 0;
	return errno == ENOSYS ? 0 : -1;
}
/* Limit fd to read, write, event polling and shutdown(2) under Capsicum.
 *
 * This is the right set used for the privsep socketpair ends (see
 * ps_rights_limit_fdpair()). ENOSYS is tolerated, presumably for kernels
 * without capability support, making the limit best-effort there.
 *
 * Returns 0 on success or ENOSYS, -1 on any other failure.
 */
int
ps_rights_limit_fd(int fd)
{
	cap_rights_t allowed;

	cap_rights_init(&allowed, CAP_READ, CAP_WRITE, CAP_EVENT, CAP_SHUTDOWN);
	if (cap_rights_limit(fd, &allowed) != -1)
		return 0;
	/* Tolerate a kernel without Capsicum; anything else is a failure. */
	return (errno == ENOSYS) ? 0 : -1;
}
/* Limit fd to read, write, event polling and get/setsockopt(2) under
 * Capsicum.
 *
 * Both CAP_GETSOCKOPT and CAP_SETSOCKOPT are granted; the history of this
 * file notes the link socket needs getsockopt as well as setsockopt.
 * ENOSYS is tolerated, presumably for kernels without capability support.
 *
 * Returns 0 on success or ENOSYS, -1 on any other failure.
 */
int
ps_rights_limit_fd_sockopt(int fd)
{
	cap_rights_t allowed;
	int failed;

	cap_rights_init(&allowed, CAP_READ, CAP_WRITE, CAP_EVENT,
	    CAP_GETSOCKOPT, CAP_SETSOCKOPT);
	failed = cap_rights_limit(fd, &allowed) == -1 && errno != ENOSYS;
	return failed ? -1 : 0;
}
/* Limit fd to read and event polling only under Capsicum.
 *
 * ENOSYS is tolerated, presumably for kernels without capability support,
 * so the limit is best-effort there.
 *
 * Returns 0 on success or ENOSYS, -1 on any other failure.
 */
int
ps_rights_limit_fd_rdonly(int fd)
{
	cap_rights_t allowed;
	int rc;

	cap_rights_init(&allowed, CAP_READ, CAP_EVENT);
	rc = cap_rights_limit(fd, &allowed);
	if (rc == -1 && errno != ENOSYS)
		return -1;
	return 0;
}
/* Apply ps_rights_limit_fd() to both ends of a socketpair.
 *
 * fd must hold two descriptors. Returns 0 when both succeed and -1 as
 * soon as one fails; fd[1] is not limited if fd[0] fails.
 */
int
ps_rights_limit_fdpair(int fd[])
{
	size_t i;

	for (i = 0; i < 2; i++) {
		if (ps_rights_limit_fd(fd[i]) == -1)
			return -1;
	}
	return 0;
}
/* Limit the standard streams with Capsicum helpers.
 *
 * stdin is limited to reading, stdout and stderr to writing, each only
 * when ctx marks the descriptor as valid. CAPH_IGNORE_EBADF makes a
 * closed descriptor a non-error. All three are attempted even if an
 * earlier one fails.
 *
 * Returns 0 if every attempted limit succeeded, -1 if any failed.
 */
static int
ps_rights_limit_stdio(struct dhcpcd_ctx *ctx)
{
	const struct {
		int valid;
		int fd;
		int flags;
	} streams[] = {
		{ ctx->stdin_valid, STDIN_FILENO,
		    CAPH_READ | CAPH_IGNORE_EBADF },
		{ ctx->stdout_valid, STDOUT_FILENO,
		    CAPH_WRITE | CAPH_IGNORE_EBADF },
		{ ctx->stderr_valid, STDERR_FILENO,
		    CAPH_WRITE | CAPH_IGNORE_EBADF },
	};
	size_t i;
	int error = 0;

	for (i = 0; i < sizeof(streams) / sizeof(streams[0]); i++) {
		if (!streams[i].valid)
			continue;
		if (caph_limit_stream(streams[i].fd, streams[i].flags) == -1)
			error = -1;
	}

	return error;
}
316 #endif
318 pid_t
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
319 ps_dostart(struct dhcpcd_ctx *ctx,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
320 pid_t *priv_pid, int *priv_fd,
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
321 void (*recv_msg)(void *), void (*recv_unpriv_msg),
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
322 void *recv_ctx, int (*callback)(void *), void (*signal_cb)(int, void *),
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
323 unsigned int flags)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
324 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
325 int fd[2];
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
326 pid_t pid;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
327
5437
5bbb5bae3e66 privsep: Use xsocketpair
Roy Marples <roy@marples.name>
parents: 5425
diff changeset
328 if (xsocketpair(AF_UNIX, SOCK_DGRAM | SOCK_CXNB, 0, fd) == -1) {
5321
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
329 logerr("%s: socketpair", __func__);
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
330 return -1;
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
331 }
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
332 if (ps_setbuf_fdpair(fd) == -1) {
41b99a2a12cf privsep: Limit rights generically rather than Capsicum specifc
Roy Marples <roy@marples.name>
parents: 5316
diff changeset
333 logerr("%s: ps_setbuf_fdpair", __func__);
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
334 return -1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
335 }
5440
248013138b09 privsep: Fix prior for FreeBSD.
Roy Marples <roy@marples.name>
parents: 5437
diff changeset
336 #ifdef PRIVSEP_RIGHTS
248013138b09 privsep: Fix prior for FreeBSD.
Roy Marples <roy@marples.name>
parents: 5437
diff changeset
337 if (ps_rights_limit_fdpair(fd) == -1) {
248013138b09 privsep: Fix prior for FreeBSD.
Roy Marples <roy@marples.name>
parents: 5437
diff changeset
338 logerr("%s: ps_rights_limit_fdpair", __func__);
248013138b09 privsep: Fix prior for FreeBSD.
Roy Marples <roy@marples.name>
parents: 5437
diff changeset
339 return -1;
248013138b09 privsep: Fix prior for FreeBSD.
Roy Marples <roy@marples.name>
parents: 5437
diff changeset
340 }
248013138b09 privsep: Fix prior for FreeBSD.
Roy Marples <roy@marples.name>
parents: 5437
diff changeset
341 #endif
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
342
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
343 switch (pid = fork()) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
344 case -1:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
345 logerr("fork");
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
346 return -1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
347 case 0:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
348 *priv_fd = fd[1];
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
349 close(fd[0]);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
350 break;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
351 default:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
352 *priv_pid = pid;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
353 *priv_fd = fd[0];
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
354 close(fd[1]);
5197
b02566d71169 privsep: Enable capsicum for network facing processes
Roy Marples <roy@marples.name>
parents: 5186
diff changeset
355 if (recv_unpriv_msg == NULL)
b02566d71169 privsep: Enable capsicum for network facing processes
Roy Marples <roy@marples.name>
parents: 5186
diff changeset
356 ;
b02566d71169 privsep: Enable capsicum for network facing processes
Roy Marples <roy@marples.name>
parents: 5186
diff changeset
357 else if (eloop_event_add(ctx->eloop, *priv_fd,
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
358 recv_unpriv_msg, recv_ctx) == -1)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
359 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
360 logerr("%s: eloop_event_add", __func__);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
361 return -1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
362 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
363 return pid;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
364 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
365
5535
a0d828e25482 Add --noconfigure option
Roy Marples <roy@marples.name>
parents: 5525
diff changeset
366 ctx->options |= DHCPCD_FORKED;
4856
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
367 if (ctx->fork_fd != -1) {
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
368 close(ctx->fork_fd);
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
369 ctx->fork_fd = -1;
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
370 }
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
371 pidfile_clean();
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
372 eloop_clear(ctx->eloop);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
373
4856
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
374 /* We are not root */
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
375 if (priv_fd != &ctx->ps_root_fd) {
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
376 ps_freeprocesses(ctx, recv_ctx);
4870
8af2c53f16b0 privsep: Don't close not open fd's
Roy Marples <roy@marples.name>
parents: 4868
diff changeset
377 if (ctx->ps_root_fd != -1) {
8af2c53f16b0 privsep: Don't close not open fd's
Roy Marples <roy@marples.name>
parents: 4868
diff changeset
378 close(ctx->ps_root_fd);
8af2c53f16b0 privsep: Don't close not open fd's
Roy Marples <roy@marples.name>
parents: 4868
diff changeset
379 ctx->ps_root_fd = -1;
8af2c53f16b0 privsep: Don't close not open fd's
Roy Marples <roy@marples.name>
parents: 4868
diff changeset
380 }
5443
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
diff changeset
381
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
diff changeset
382 #ifdef PRIVSEP_RIGHTS
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
diff changeset
383 /* We cannot limit the root process in any way. */
5454
68ef863871d1 dhcpcd: Only manipulate stdin, stdout and stderr when valid
Roy Marples <roy@marples.name>
parents: 5447
diff changeset
384 if (ps_rights_limit_stdio(ctx) == -1) {
5443
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
diff changeset
385 logerr("ps_rights_limit_stdio");
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
diff changeset
386 goto errexit;
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
diff changeset
387 }
2d1bbc57daeb privsep: limit rights for stdout/stderr/stdin using capsicum
Roy Marples <roy@marples.name>
parents: 5441
diff changeset
388 #endif
4856
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
389 }
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
390
4870
8af2c53f16b0 privsep: Don't close not open fd's
Roy Marples <roy@marples.name>
parents: 4868
diff changeset
391 if (priv_fd != &ctx->ps_inet_fd && ctx->ps_inet_fd != -1) {
4856
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
392 close(ctx->ps_inet_fd);
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
393 ctx->ps_inet_fd = -1;
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
394 }
a0a073f9c5ef dhcpcd: Rework daemonisation
Roy Marples <roy@marples.name>
parents: 4851
diff changeset
395
5301
e6f1372f2cf0 eloop: Just use ppoll(2)
Roy Marples <roy@marples.name>
parents: 5297
diff changeset
396 eloop_signal_set_cb(ctx->eloop,
e6f1372f2cf0 eloop: Just use ppoll(2)
Roy Marples <roy@marples.name>
parents: 5297
diff changeset
397 dhcpcd_signals, dhcpcd_signals_len, signal_cb, ctx);
5124
a044710d9480 privsep: Don't overwrite initial sigmask
Roy Marples <roy@marples.name>
parents: 5122
diff changeset
398
a044710d9480 privsep: Don't overwrite initial sigmask
Roy Marples <roy@marples.name>
parents: 5122
diff changeset
399 /* ctx->sigset aready has the initial sigmask set in main() */
a044710d9480 privsep: Don't overwrite initial sigmask
Roy Marples <roy@marples.name>
parents: 5122
diff changeset
400 if (eloop_signal_mask(ctx->eloop, NULL) == -1) {
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
401 logerr("%s: eloop_signal_mask", __func__);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
402 goto errexit;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
403 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
404
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
405 if (eloop_event_add(ctx->eloop, *priv_fd, recv_msg, recv_ctx) == -1)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
406 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
407 logerr("%s: eloop_event_add", __func__);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
408 goto errexit;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
409 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
410
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
411 if (callback(recv_ctx) == -1)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
412 goto errexit;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
413
4989
ca9234046989 privsep: chroot the master process
Roy Marples <roy@marples.name>
parents: 4988
diff changeset
414 if (flags & PSF_DROPPRIVS)
5228
82c7e8204e9b BPF: Set write filters where supported
Roy Marples <roy@marples.name>
parents: 5223
diff changeset
415 ps_dropprivs(ctx);
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
416
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
417 return 0;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
418
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
419 errexit:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
420 /* Failure to start root or inet processes is fatal. */
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
421 if (priv_fd == &ctx->ps_root_fd || priv_fd == &ctx->ps_inet_fd)
5281
9f9a330f6e24 Fix some Coverity isues
Roy Marples <roy@marples.name>
parents: 5268
diff changeset
422 (void)ps_sendcmd(ctx, *priv_fd, PS_STOP, 0, NULL, 0);
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
423 shutdown(*priv_fd, SHUT_RDWR);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
424 *priv_fd = -1;
5297
477edd06fea7 privsep: harden process handling
Roy Marples <roy@marples.name>
parents: 5291
diff changeset
425 eloop_exit(ctx->eloop, EXIT_FAILURE);
426 return -1;
427 }
/*
 * Ask a privsep helper to stop and release our end of its socket.
 *
 * ctx: context whose event loop the socket is registered with.
 * pid: the helper's pid slot; reset to 0 here whatever happens.
 * fd:  the helper's socket slot; when open it is removed from the event
 *      loop, sent PS_STOP, shut down, closed and set to -1.
 *
 * Returns 0, or -1 when the PS_STOP command could not be sent. The socket
 * is shut down and closed even in that case, so the helper still sees the
 * connection go away. The helper is deliberately not waited for; it is
 * reaped on SIGCHLD.
 */
int
ps_dostop(struct dhcpcd_ctx *ctx, pid_t *pid, int *fd)
{
	int sock = *fd;
	int result = 0;

#ifdef PRIVSEP_DEBUG
	logdebugx("%s: pid=%d fd=%d", __func__, *pid, sock);
#endif

	if (sock != -1) {
		/* Stop watching the socket before tearing it down. */
		eloop_event_delete(ctx->eloop, sock);
		if (ps_sendcmd(ctx, sock, PS_STOP, 0, NULL, 0) == -1) {
			logerr(__func__);
			result = -1;
		}
		/* shutdown(2) before close(2) so the peer is notified even if
		 * another process still holds a copy of the descriptor. */
		(void)shutdown(sock, SHUT_RDWR);
		close(sock);
		*fd = -1;
	}

	/* Don't wait for the process as it may not respond to the shutdown
	 * request. We'll reap the process on receipt of SIGCHLD. */
	*pid = 0;
	return result;
}
455 int
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
456 ps_start(struct dhcpcd_ctx *ctx)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
457 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
458 pid_t pid;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
459
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
460 TAILQ_INIT(&ctx->ps_processes);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
461
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
462 switch (pid = ps_root_start(ctx)) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
463 case -1:
5231
a2c342295221 privsep: Enable Capsicum for all processes.
Roy Marples <roy@marples.name>
parents: 5228
diff changeset
464 logerr("ps_root_start");
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
465 return -1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
466 case 0:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
467 return 0;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
468 default:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
469 logdebugx("spawned privileged actioneer on PID %d", pid);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
470 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
471
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
472 /* No point in spawning the generic network listener if we're
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
473 * not going to use it. */
5502
7100066d2c7e privsep: Only start network proxy if we need to
Roy Marples <roy@marples.name>
parents: 5501
diff changeset
474 if (!ps_inet_canstart(ctx))
5332
b22045bba8b9 privsep: control proxy is no longer optional
Roy Marples <roy@marples.name>
parents: 5331
diff changeset
475 goto started_net;
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
476
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
477 switch (pid = ps_inet_start(ctx)) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
478 case -1:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
479 return -1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
480 case 0:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
481 return 0;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
482 default:
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
483 logdebugx("spawned network proxy on PID %d", pid);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
484 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
485
5332
b22045bba8b9 privsep: control proxy is no longer optional
Roy Marples <roy@marples.name>
parents: 5331
diff changeset
486 started_net:
5328
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
487 if (!(ctx->options & DHCPCD_TEST)) {
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
488 switch (pid = ps_ctl_start(ctx)) {
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
489 case -1:
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
490 return -1;
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
491 case 0:
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
492 return 0;
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
493 default:
5332
b22045bba8b9 privsep: control proxy is no longer optional
Roy Marples <roy@marples.name>
parents: 5331
diff changeset
494 logdebugx("spawned controller proxy on PID %d", pid);
5328
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
495 }
ea68407e5ac8 privsep: Implement a resource limited sandbox
Roy Marples <roy@marples.name>
parents: 5321
diff changeset
496 }
5268
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
497
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
498 #ifdef ARC4RANDOM_H
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
499 /* Seed the random number generator early incase it needs /dev/urandom
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
500 * which won't be available in the chroot. */
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
501 arc4random();
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
502 #endif
a96dc3692fce privsep: root and inet don't need arc4random
Roy Marples <roy@marples.name>
parents: 5265
diff changeset
503
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
504 return 1;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
505 }
/*
 * Enter the platform sandbox selected at compile time.
 *
 * _pledge: pledge(2) promises; only consulted on HAVE_PLEDGE builds.
 * sandbox: optional out-pointer. When non-NULL it receives a static
 *          string naming the mechanism that was attempted, for use in
 *          the caller's log messages. It is set before the platform call
 *          so it is valid even when that call fails.
 *
 * Returns the platform call's result: 0 on success, -1 with errno set on
 * failure (ENOSYS when the kernel lacks the mechanism). Exactly one
 * mechanism is compiled in, in order of preference Capsicum, pledge,
 * seccomp. With none of them this function enters no kernel-enforced
 * sandbox at all: it reports "posix resource limited" and returns 0.
 */
int
ps_entersandbox(const char *_pledge, const char **sandbox)
{
	const char *name;

#if !defined(HAVE_PLEDGE)
	UNUSED(_pledge);
#endif

#if defined(HAVE_CAPSICUM)
	name = "capsicum";
#elif defined(HAVE_PLEDGE)
	name = "pledge";
#elif defined(HAVE_SECCOMP)
	name = "seccomp";
#else
	name = "posix resource limited";
#endif
	if (sandbox != NULL)
		*sandbox = name;

#if defined(HAVE_CAPSICUM)
	return cap_enter();
#elif defined(HAVE_PLEDGE)
	return pledge(_pledge, NULL);
#elif defined(HAVE_SECCOMP)
	return ps_seccomp_enter();
#else
	return 0;
#endif
}
/*
 * Drop privileges and sandbox the master (launcher) process.
 *
 * ctx:     the dhcpcd context.
 * _pledge: pledge(2) promises handed to ps_entersandbox(); NULL selects
 *          "stdio".
 *
 * Returns 0 when privileges were dropped and the sandbox was entered, or
 * when the kernel reports the sandbox as unavailable (ENOSYS); -1 after
 * logging any other failure.
 *
 * The ENOSYS case fails open: the process carries on with privileges
 * dropped but without a kernel sandbox, and the "sandbox unavailable"
 * warning is the only indication of that.
 */
int
ps_mastersandbox(struct dhcpcd_ctx *ctx, const char *_pledge)
{
	const char *sandbox = NULL;
	bool was_forked = ctx->options & DHCPCD_FORKED;
	int drop_rc;

	/* ps_dropprivs() runs with DHCPCD_FORKED masked off and the flag is
	 * restored straight afterwards; why it must not see the flag is not
	 * visible in this function (see ps_dropprivs). */
	ctx->options &= ~DHCPCD_FORKED;
	drop_rc = ps_dropprivs(ctx);
	if (was_forked)
		ctx->options |= DHCPCD_FORKED;

	/*
	 * If we don't have a root process, we cannot use syslog.
	 * If it cannot be opened before chrooting then syslog(3) will fail.
	 * openlog(3) does not return an error which doubly sucks.
	 * This is done before the ps_dropprivs() result is reported so that
	 * error does not go to a syslog that cannot work.
	 */
	if (ctx->ps_root_fd == -1)
		logsetopts(loggetopts() & ~LOGERR_LOG);

	if (drop_rc == -1) {
		logerr("%s: ps_dropprivs", __func__);
		return -1;
	}

#ifdef PRIVSEP_RIGHTS
	/* Limit the rights on the descriptors we keep before entering the
	 * sandbox; the ioctl limit only applies when pf_inet_fd is open. */
	if ((ctx->pf_inet_fd != -1 &&
	    ps_rights_limit_ioctl(ctx->pf_inet_fd) == -1) ||
	    ps_rights_limit_stdio(ctx) == -1) {
		logerr("%s: cap_rights_limit", __func__);
		return -1;
	}
#endif

	if (_pledge == NULL)
		_pledge = "stdio";
	if (ps_entersandbox(_pledge, &sandbox) != -1) {
		/* Only the launcher announces which sandbox is in effect. */
		if (ctx->options & DHCPCD_LAUNCHER)
			logdebugx("sandbox: %s", sandbox);
		return 0;
	}
	if (errno != ENOSYS) {
		logerr("%s: %s", __func__, sandbox);
		return -1;
	}
	/* The kernel lacks this sandbox: warn and carry on without one. */
	if (sandbox != NULL)
		logwarnx("sandbox unavailable: %s", sandbox);
	return 0;
}
/*
 * Stop every privsep helper and leave privilege separation mode.
 *
 * Does nothing and returns 0 unless this process is running with
 * DHCPCD_PRIVSEP, is not a DHCPCD_FORKED child and has an event loop.
 * Otherwise stops the controller proxy, the network proxy and finally
 * the privileged actioneer, in that order. The actioneer is first asked
 * to remove the pidfile, because this process is chrooted and cannot
 * unlink it itself.
 *
 * Returns 0, or the last non-zero ps_*_stop() result. NOTE(review): the
 * result of ps_root_unlink() is not examined, so a pidfile that could not
 * be removed is not reported here; confirm that is acceptable.
 */
int
ps_stop(struct dhcpcd_ctx *ctx)
{
	int worst = 0;
	int rc;
	bool privsep_master = (ctx->options & DHCPCD_PRIVSEP) &&
	    !(ctx->options & DHCPCD_FORKED) &&
	    ctx->eloop != NULL;

	if (!privsep_master)
		return 0;

	rc = ps_ctl_stop(ctx);
	if (rc != 0)
		worst = rc;

	rc = ps_inet_stop(ctx);
	if (rc != 0)
		worst = rc;

	/* We've been chrooted, so we need to tell the
	 * privileged actioneer to remove the pidfile. */
	ps_root_unlink(ctx, ctx->pidfile);

	rc = ps_root_stop(ctx);
	if (rc != 0)
		worst = rc;

	ctx->options &= ~DHCPCD_PRIVSEP;
	return worst;
}
/* Remove fd from the context's event loop and close it; -1 means "not
 * open" and is ignored. */
static void
ps_freeprocess_closefd(struct dhcpcd_ctx *ctx, int fd)
{

	if (fd == -1)
		return;
	eloop_event_delete(ctx->eloop, fd);
	close(fd);
}

/*
 * Tear down a helper process record: unlink it from ctx->ps_processes,
 * drop its two descriptors from the event loop and close them, close its
 * BPF handle when it has one, and free the record.
 *
 * psp must not be used after this returns.
 */
void
ps_freeprocess(struct ps_process *psp)
{
	struct dhcpcd_ctx *ctx = psp->psp_ctx;

	TAILQ_REMOVE(&ctx->ps_processes, psp, next);
	ps_freeprocess_closefd(ctx, psp->psp_fd);
	ps_freeprocess_closefd(ctx, psp->psp_work_fd);
#ifdef INET
	if (psp->psp_bpf != NULL)
		bpf_close(psp->psp_bpf);
#endif
	free(psp);
}
/*
 * Free every helper record in ctx->ps_processes. When this process is the
 * one recorded as ps_root_pid (presumably the privileged actioneer) each
 * helper is first told to stop via ps_dostop(); otherwise the records are
 * only released.
 */
static void
ps_free(struct dhcpcd_ctx *ctx)
{
	bool is_root = ctx->ps_root_pid == getpid();
	struct ps_process *psp;

	/* ps_freeprocess() unlinks psp from the list, so re-reading the
	 * head each time walks the whole list. */
	for (psp = TAILQ_FIRST(&ctx->ps_processes); psp != NULL;
	    psp = TAILQ_FIRST(&ctx->ps_processes)) {
		if (is_root)
			(void)ps_dostop(ctx, &psp->psp_pid, &psp->psp_fd);
		ps_freeprocess(psp);
	}
}
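/*
 * Rebuild a struct msghdr from a flat privsep message body.
 *
 * The body as laid out by the sender is: name (psm->ps_namelen bytes),
 * control data (psm->ps_controllen bytes) and then the payload, which is
 * whatever remains of the len bytes at data.  The header lengths arrive
 * from the other side of the privsep socket, so they are checked against
 * len before any pointer into data is formed: a bad header fails with
 * EINVAL instead of producing pointers past the received buffer.
 *
 * msg->msg_iov must already point at an array of at least one iovec.
 * The name, control and iov_base pointers stored in msg alias data;
 * nothing is copied.
 *
 * NOTE(review): msg_control is set to data + ps_namelen; cmsg(3) parsing
 * needs suitably aligned control data, which depends on the sender's
 * layout - confirm on the sending side.
 *
 * Returns 0 on success, or -1 with errno set to EINVAL when the header
 * lengths do not fit in len.
 */
int
ps_unrollmsg(struct msghdr *msg, struct ps_msghdr *psm,
    const void *data, size_t len)
{
	uint8_t *namep, *controlp, *datap;

	/* Validate the lengths first.  Each is compared with what is left
	 * after the previous one, so no sum is formed that could overflow. */
	if (psm->ps_namelen > len) {
		errno = EINVAL;
		return -1;
	}
	len -= psm->ps_namelen;
	if (psm->ps_controllen > len) {
		errno = EINVAL;
		return -1;
	}
	len -= psm->ps_controllen;

	/* Only now is every offset known to lie within the buffer. */
	namep = UNCONST(data);
	controlp = namep + psm->ps_namelen;
	datap = controlp + psm->ps_controllen;

	msg->msg_name = psm->ps_namelen != 0 ? namep : NULL;
	msg->msg_namelen = psm->ps_namelen;

	msg->msg_control = psm->ps_controllen != 0 ? controlp : NULL;
	msg->msg_controllen = psm->ps_controllen;

	/* Whatever is left is the payload, exposed as a single iovec. */
	if (len != 0) {
		msg->msg_iovlen = 1;
		msg->msg_iov[0].iov_base = datap;
		msg->msg_iov[0].iov_len = len;
	} else {
		msg->msg_iovlen = 0;
		msg->msg_iov[0].iov_base = NULL;
		msg->msg_iov[0].iov_len = 0;
	}
	return 0;
}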
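/*
 * Write a privsep message header followed by the parts of msg, if any,
 * to fd in a single writev(2).
 *
 * The wire layout is psm, then msg->msg_name, then msg->msg_control and
 * then each payload iovec of msg in order; ps_unrollmsg() is the
 * receiving side.  psm->ps_namelen and psm->ps_controllen are filled in
 * from msg here, so psm is modified.  iov has room for three payload
 * iovecs; a msg carrying more fails with ENOBUFS before anything is
 * written.
 *
 * Returns the byte count from writev(2), or -1 with errno set.  A failed
 * write is logged, and a forked process that is not the privsep root
 * additionally asks its event loop to exit with EXIT_FAILURE.
 */
ssize_t
ps_sendpsmmsg(struct dhcpcd_ctx *ctx, int fd,
    struct ps_msghdr *psm, const struct msghdr *msg)
{
	struct iovec iov[] = {
		{ .iov_base = UNCONST(psm), .iov_len = sizeof(*psm) },
		{ .iov_base = NULL, }, /* name */
		{ .iov_base = NULL, }, /* control */
		{ .iov_base = NULL, }, /* payload 1 */
		{ .iov_base = NULL, }, /* payload 2 */
		{ .iov_base = NULL, }, /* payload 3 */
	};
	int iovlen;
	ssize_t len;

	if (msg != NULL) {
		struct iovec *iovp = &iov[1];
		int i;

		psm->ps_namelen = msg->msg_namelen;
		psm->ps_controllen = (socklen_t)msg->msg_controllen;

		iovp->iov_base = msg->msg_name;
		iovp->iov_len = msg->msg_namelen;
		iovp++;
		iovp->iov_base = msg->msg_control;
		iovp->iov_len = msg->msg_controllen;
		iovlen = 3;

		for (i = 0; i < (int)msg->msg_iovlen; i++) {
			/* Payload i is stored in iov[iovlen + i]; that index
			 * must stay below the array size, hence >= rather than
			 * >, which would allow one write past the end. */
			if ((size_t)(iovlen + i) >= __arraycount(iov)) {
				errno = ENOBUFS;
				return -1;
			}
			iovp++;
			iovp->iov_base = msg->msg_iov[i].iov_base;
			iovp->iov_len = msg->msg_iov[i].iov_len;
		}
		iovlen += i;
	} else
		iovlen = 1;

	len = writev(fd, iov, iovlen);
	if (len == -1) {
		logerr(__func__);
		if (ctx->options & DHCPCD_FORKED &&
		    !(ctx->options & DHCPCD_PRIVSEPROOT))
			eloop_exit(ctx->eloop, EXIT_FAILURE);
	}
	return len;
}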
/*
 * Send psm followed by a single payload of len bytes at data to fd.
 *
 * Convenience wrapper around ps_sendpsmmsg() for callers that have no
 * name or control data to send.  Returns what ps_sendpsmmsg() returns.
 */
ssize_t
ps_sendpsmdata(struct dhcpcd_ctx *ctx, int fd,
    struct ps_msghdr *psm, const void *data, size_t len)
{
	struct iovec payload = { .iov_base = UNCONST(data), .iov_len = len };
	struct msghdr msg = { 0 };

	msg.msg_iov = &payload;
	msg.msg_iovlen = 1;
	return ps_sendpsmmsg(ctx, fd, psm, &msg);
}
/*
 * Send msg to fd under a freshly built privsep header carrying cmd and
 * flags.
 *
 * The header's name and control lengths are taken from msg and
 * ps_datalen is the total length of all of msg's iovecs; the write
 * itself is done by ps_sendpsmmsg().  Returns what ps_sendpsmmsg()
 * returns: the writev(2) byte count, or -1 with errno set.
 */
ssize_t
ps_sendmsg(struct dhcpcd_ctx *ctx, int fd, uint16_t cmd, unsigned long flags,
    const struct msghdr *msg)
{
	struct ps_msghdr psm = {
		.ps_cmd = cmd,
		.ps_flags = flags,
		.ps_namelen = msg->msg_namelen,
		.ps_controllen = (socklen_t)msg->msg_controllen,
	};
	const size_t niov = (size_t)msg->msg_iovlen;

	/* The payload length covers every iovec, not just the first. */
	for (size_t k = 0; k < niov; k++)
		psm.ps_datalen += msg->msg_iov[k].iov_len;

	return ps_sendpsmmsg(ctx, fd, &psm, msg);
}
/*
 * Send a command cmd with flags and a single payload of len bytes at
 * data to fd.
 *
 * Builds the privsep header and a one-iovec msghdr and hands both to
 * ps_sendpsmmsg(); returns what ps_sendpsmmsg() returns.
 */
ssize_t
ps_sendcmd(struct dhcpcd_ctx *ctx, int fd, uint16_t cmd, unsigned long flags,
    const void *data, size_t len)
{
	struct ps_msghdr psm = { .ps_cmd = cmd, .ps_flags = flags };
	struct iovec payload = { .iov_base = UNCONST(data), .iov_len = len };
	struct msghdr msg = { .msg_iov = &payload, .msg_iovlen = 1 };

	return ps_sendpsmmsg(ctx, fd, &psm, &msg);
}
824 static ssize_t
5207
84b63f09c8a4 privsep: Handle all file IO in the Priviledged Actioneer
Roy Marples <roy@marples.name>
parents: 5204
diff changeset
825 ps_sendcmdmsg(int fd, uint16_t cmd, const struct msghdr *msg)
4840
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
826 {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
827 struct ps_msghdr psm = { .ps_cmd = cmd };
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
828 uint8_t data[PS_BUFLEN], *p = data;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
829 struct iovec iov[] = {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
830 { .iov_base = &psm, .iov_len = sizeof(psm) },
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
831 { .iov_base = data, .iov_len = 0 },
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
832 };
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
833 size_t dl = sizeof(data);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
834
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
835 if (msg->msg_namelen != 0) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
836 if (msg->msg_namelen > dl)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
837 goto nobufs;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
838 psm.ps_namelen = msg->msg_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
839 memcpy(p, msg->msg_name, msg->msg_namelen);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
840 p += msg->msg_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
841 dl -= msg->msg_namelen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
842 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
843
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
844 if (msg->msg_controllen != 0) {
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
845 if (msg->msg_controllen > dl)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
846 goto nobufs;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
847 psm.ps_controllen = (socklen_t)msg->msg_controllen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
848 memcpy(p, msg->msg_control, msg->msg_controllen);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
849 p += msg->msg_controllen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
850 dl -= msg->msg_controllen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
851 }
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
852
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
853 psm.ps_datalen = msg->msg_iov[0].iov_len;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
854 if (psm.ps_datalen > dl)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
855 goto nobufs;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
856
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
857 iov[1].iov_len = psm.ps_namelen + psm.ps_controllen + psm.ps_datalen;
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
858 if (psm.ps_datalen != 0)
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
859 memcpy(p, msg->msg_iov[0].iov_base, psm.ps_datalen);
073fcd86db9b privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff changeset
860 return writev(fd, iov, __arraycount(iov));
862 nobufs:
863 errno = ENOBUFS;
864 return -1;
865 }
/*
 * Does this process take down its own event loop when the privsep
 * channel breaks?  Only a forked child that is not the privileged
 * root process does.
 */
static bool
ps_child_exits_on_error(const struct dhcpcd_ctx *ctx)
{

	return (ctx->options & DHCPCD_FORKED) != 0 &&
	    (ctx->options & DHCPCD_PRIVSEPROOT) == 0;
}

/*
 * Relay one datagram from rfd to wfd.
 *
 * A single message (peer address, ancillary data and up to 64 KiB of
 * payload) is read from rfd with recvmsg(2) and handed to ps_sendcmdmsg()
 * tagged with cmd, which serialises it for the peer on wfd.
 *
 * Returns the recvmsg(2) result (-1 or 0) when nothing could be relayed,
 * otherwise the ps_sendcmdmsg() result.  In a forked, non-root privsep
 * process a failed or closed rfd, or a failed relay, also terminates the
 * event loop: EXIT_SUCCESS for EOF, EXIT_FAILURE for an error.
 *
 * NOTE(review): hdr.msg_flags is not inspected after recvmsg(2), so a
 * datagram that did not fit (MSG_TRUNC / MSG_CTRUNC) would be relayed in
 * its truncated form -- confirm the callers' socket types make that
 * impossible.
 */
ssize_t
ps_recvmsg(struct dhcpcd_ctx *ctx, int rfd, uint16_t cmd, int wfd)
{
	struct sockaddr_storage from = { .ss_family = AF_UNSPEC };
	uint8_t cmsgbuf[sizeof(struct sockaddr_storage)] = { 0 };
	/* Not zeroed: only the first n received bytes are ever forwarded. */
	uint8_t payload[64 * 1024];
	struct iovec vec[1] = {
		{ .iov_base = payload, .iov_len = sizeof(payload) }
	};
	struct msghdr hdr = {
		.msg_name = &from, .msg_namelen = sizeof(from),
		.msg_control = cmsgbuf, .msg_controllen = sizeof(cmsgbuf),
		.msg_iov = vec, .msg_iovlen = 1,
	};
	ssize_t n;

	n = recvmsg(rfd, &hdr, 0);
	if (n == -1)
		logerr("%s: recvmsg", __func__);
	if (n == -1 || n == 0) {
		/* EOF is an orderly shutdown, anything else is a failure. */
		if (ps_child_exits_on_error(ctx))
			eloop_exit(ctx->eloop,
			    n == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
		return n;
	}

	/* Shrink the payload vector to what was actually received. */
	vec[0].iov_len = (size_t)n;
	n = ps_sendcmdmsg(wfd, cmd, &hdr);
	if (n == -1) {
		logerr("ps_sendcmdmsg");
		if (ps_child_exits_on_error(ctx))
			eloop_exit(ctx->eloop, EXIT_FAILURE);
	}
	return n;
}
/*
 * Tear this process down after the privsep channel reported an error
 * (len -1), EOF (len 0) or an explicit PS_STOP (len forced to 0 by the
 * caller).  The exit status mirrors len: EXIT_FAILURE only for the error
 * case.  Returns len unchanged so the caller can pass it straight through.
 */
static ssize_t
ps_recvpsmsg_stop(struct dhcpcd_ctx *ctx, ssize_t len)
{

#ifdef PRIVSEP_DEBUG
	logdebugx("process %d stopping", getpid());
#endif
	ps_free(ctx);
#ifdef PLUGIN_DEV
	dev_stop(ctx);
#endif
	eloop_exit(ctx->eloop, len == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
	return len;
}

/*
 * Read one struct ps_msg from fd, unpack it and hand it to callback.
 *
 * A read error, EOF or a PS_STOP command shuts this process down via
 * ps_recvpsmsg_stop() and returns the read result (0 for PS_STOP).
 * A message shorter than the fixed header fails with EINVAL.  The bytes
 * after the header are expanded back into msg by ps_unrollmsg(), which is
 * also where the embedded name/control/data lengths are presumably checked
 * against the received size -- that function is not visible here, confirm.
 *
 * Returns 0 when callback is NULL, otherwise whatever callback returns.
 * errno is cleared right before the call, presumably so a callback can
 * report an error through errno alone -- confirm against the callbacks.
 */
ssize_t
ps_recvpsmsg(struct dhcpcd_ctx *ctx, int fd,
    ssize_t (*callback)(void *, struct ps_msghdr *, struct msghdr *),
    void *cbctx)
{
	struct ps_msg psm;
	struct iovec vec[1];
	struct msghdr msg = { .msg_iov = vec, .msg_iovlen = 1 };
	ssize_t rlen;
	size_t paylen;

	rlen = read(fd, &psm, sizeof(psm));
#ifdef PRIVSEP_DEBUG
	logdebugx("%s: %zd", __func__, rlen);
#endif

	if (rlen == -1 || rlen == 0)
		return ps_recvpsmsg_stop(ctx, rlen);

	paylen = (size_t)rlen;
	if (paylen < sizeof(psm.psm_hdr)) {
		/* Too short to even hold the fixed header. */
		errno = EINVAL;
		return -1;
	}
	if (psm.psm_hdr.ps_cmd == PS_STOP)
		return ps_recvpsmsg_stop(ctx, 0);

	/* Header consumed; paylen is now the length of psm_data in use. */
	paylen -= sizeof(psm.psm_hdr);
	if (ps_unrollmsg(&msg, &psm.psm_hdr, psm.psm_data, paylen) == -1)
		return -1;

	if (callback == NULL)
		return 0;

	errno = 0;
	return callback(cbctx, &psm.psm_hdr, &msg);
}
/*
 * Look up the process whose psp_id is byte-for-byte equal to *psid.
 *
 * Returns the matching entry of ctx->ps_processes, or NULL with errno set
 * to ESRCH when there is none.
 *
 * NOTE(review): memcmp() also compares any padding inside struct ps_id,
 * so callers are presumably expected to zero the whole struct before
 * filling it in -- confirm against the callers.
 */
struct ps_process *
ps_findprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
{
	struct ps_process *cur = TAILQ_FIRST(&ctx->ps_processes);

	while (cur != NULL &&
	    memcmp(&cur->psp_id, psid, sizeof(cur->psp_id)) != 0)
		cur = TAILQ_NEXT(cur, next);

	if (cur == NULL)
		errno = ESRCH;
	return cur;
}
/*
 * Allocate a zeroed struct ps_process for psid, link it to ctx and append
 * it to ctx->ps_processes.  psp_work_fd starts out as -1 (no descriptor
 * yet); every other field keeps the zero from calloc().
 *
 * Returns the new entry, or NULL if calloc() failed (errno from calloc).
 * Entries are released again through ps_freeprocess()/ps_freeprocesses().
 */
struct ps_process *
ps_newprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
{
	struct ps_process *np = calloc(1, sizeof(*np));

	if (np == NULL)
		return NULL;

	np->psp_work_fd = -1;
	np->psp_ctx = ctx;
	memcpy(&np->psp_id, psid, sizeof(np->psp_id));
	TAILQ_INSERT_TAIL(&ctx->ps_processes, np, next);
	return np;
}
/*
 * Release every entry of ctx->ps_processes except notthis (pass NULL to
 * release them all).
 *
 * The successor is fetched before ps_freeprocess() runs, since that call
 * presumably unlinks and frees the entry -- the same discipline
 * TAILQ_FOREACH_SAFE() provides.
 */
void
ps_freeprocesses(struct dhcpcd_ctx *ctx, struct ps_process *notthis)
{
	struct ps_process *cur, *nxt;

	for (cur = TAILQ_FIRST(&ctx->ps_processes); cur != NULL; cur = nxt) {
		nxt = TAILQ_NEXT(cur, next);
		if (cur != notthis)
			ps_freeprocess(cur);
	}
}