# HG changeset patch # User Roy Marples # Date 1600558508 -3600 # Node ID 6e80b8c6f70c7ddf19648885361b182bf358b752 # Parent 30f55aaa5fd6ee97e198d9679b7ce47b0ada3872 privsep: Log if the platform sandbox is unavailable or available This is kinda important. diff -r 30f55aaa5fd6 -r 6e80b8c6f70c src/privsep-bpf.c --- a/src/privsep-bpf.c Sat Sep 19 20:53:23 2020 +0100 +++ b/src/privsep-bpf.c Sun Sep 20 00:35:08 2020 +0100 @@ -240,7 +240,7 @@ ps_freeprocess(psp); return -1; case 0: - ps_entersandbox("stdio"); + ps_entersandbox("stdio", NULL); break; default: #ifdef PRIVSEP_DEBUG diff -r 30f55aaa5fd6 -r 6e80b8c6f70c src/privsep-control.c --- a/src/privsep-control.c Sat Sep 19 20:53:23 2020 +0100 +++ b/src/privsep-control.c Sun Sep 20 00:35:08 2020 +0100 @@ -263,7 +263,7 @@ ps_ctl_listen, ctx) == -1) return -1; - ps_entersandbox("stdio inet"); + ps_entersandbox("stdio inet", NULL); return 0; } diff -r 30f55aaa5fd6 -r 6e80b8c6f70c src/privsep-inet.c --- a/src/privsep-inet.c Sat Sep 19 20:53:23 2020 +0100 +++ b/src/privsep-inet.c Sun Sep 20 00:35:08 2020 +0100 @@ -334,7 +334,7 @@ PSF_DROPPRIVS); if (pid == 0) - ps_entersandbox("stdio"); + ps_entersandbox("stdio", NULL); return pid; } @@ -560,7 +560,7 @@ ps_freeprocess(psp); return -1; case 0: - ps_entersandbox("stdio"); + ps_entersandbox("stdio", NULL); break; default: break; diff -r 30f55aaa5fd6 -r 6e80b8c6f70c src/privsep-linux.c --- a/src/privsep-linux.c Sat Sep 19 20:53:23 2020 +0100 +++ b/src/privsep-linux.c Sun Sep 20 00:35:08 2020 +0100 @@ -256,9 +256,12 @@ ps_seccomp_enter(void) { - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) - return errno == EINVAL ? 0 : -1; - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ps_seccomp_prog) == -1) - return errno == EINVAL ? 0 : -1; + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 || + prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ps_seccomp_prog) == -1) + { + if (errno == EINVAL) + errno = ENOSYS; + return -1; + } return 0; } diff -r 30f55aaa5fd6 -r 6e80b8c6f70c src/privsep.c 
--- a/src/privsep.c Sat Sep 19 20:53:23 2020 +0100 +++ b/src/privsep.c Sun Sep 20 00:35:08 2020 +0100 @@ -490,36 +490,36 @@ } int -ps_entersandbox(const char *_pledge) +ps_entersandbox(const char *_pledge, const char **sandbox) { #ifdef HAVE_CAPSICUM - if (cap_enter() == -1 && errno != ENOSYS) { - logerr("%s: cap_enter", __func__); - return -1; - } + if (sandbox != NULL) + *sandbox = "capsicum"; + return cap_enter(); #endif #ifdef HAVE_PLEDGE - if (pledge(_pledge, NULL) == -1) { - logerr("%s: pledge", __func__); - return -1; - } + if (sandbox != NULL) + *sandbox = "pledge"; + return pledge(_pledge, NULL); #else UNUSED(_pledge); #endif #ifdef HAVE_SECCOMP - if (ps_seccomp_enter() == -1) { - logerr("%s: ps_seccomp_enter", __func__); - return -1; - } + if (sandbox != NULL) + *sandbox = "seccomp"; + return ps_seccomp_enter(); #endif + if (sandbox != NULL) + *sandbox = NULL; return 0; } int ps_mastersandbox(struct dhcpcd_ctx *ctx) { + const char *sandbox = NULL; if (ps_dropprivs(ctx) == -1) { logerr("%s: ps_dropprivs", __func__); @@ -537,7 +537,17 @@ } #endif - return ps_entersandbox("stdio route"); + if (ps_entersandbox("stdio route", &sandbox) == -1) { + if (errno == ENOSYS) { + if (sandbox != NULL) + logwarnx("sandbox unavailable: %s", sandbox); + return 0; + } + logerr("%s: %s", __func__, sandbox); + return -1; + } else if (sandbox != NULL) + loginfox("sandbox: %s", sandbox); + return 0; } int diff -r 30f55aaa5fd6 -r 6e80b8c6f70c src/privsep.h --- a/src/privsep.h Sat Sep 19 20:53:23 2020 +0100 +++ b/src/privsep.h Sun Sep 20 00:35:08 2020 +0100 @@ -174,7 +174,7 @@ int ps_init(struct dhcpcd_ctx *); int ps_start(struct dhcpcd_ctx *); int ps_stop(struct dhcpcd_ctx *); -int ps_entersandbox(const char *); +int ps_entersandbox(const char *, const char **); int ps_mastersandbox(struct dhcpcd_ctx *); int ps_unrollmsg(struct msghdr *, struct ps_msghdr *, const void *, size_t);
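Review bot: In the privsep-bpf.c, privsep-control.c and privsep-inet.c hunks, every `ps_entersandbox(..., NULL);` call discards the return value, and because this patch also removes the `logerr` calls from inside `ps_entersandbox`, a failed `cap_enter`, `pledge` or seccomp setup in these helper processes is now silent. Only `ps_mastersandbox` reports the outcome. Check the return value at each of these call sites and call `logerr` for any failure other than ENOSYS, or route them through one small wrapper that does the same reporting as `ps_mastersandbox`.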
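Review bot: In `ps_seccomp_enter` (privsep-linux.c), rewriting every EINVAL to ENOSYS treats any invalid-argument failure as "the kernel has no seccomp". `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)` also fails with EINVAL when the kernel rejects the filter program itself, so a malformed `ps_seccomp_prog` would surface in `ps_mastersandbox` as "sandbox unavailable: seccomp" and the process would continue unsandboxed. Joining the two `prctl` calls with `||` also hides which one failed. Keep the calls separate so the failing step can be named in the log, and add a comment stating why EINVAL is being treated as "unsupported" and what that mapping can mask.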
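Review bot: In `ps_entersandbox` (privsep.c, hunk at -490,36), each backend block now ends in an unconditional `return`, so on a build with HAVE_CAPSICUM, HAVE_PLEDGE or HAVE_SECCOMP defined everything after that block is unreachable, including the trailing `*sandbox = NULL; return 0;` and, for Capsicum, the `UNUSED(_pledge);` in the `#else`. An `#if` / `#elif` / `#else` chain would make it explicit that exactly one backend is selected and remove the dead code. The new `sandbox` out parameter also needs a comment: it receives a string literal naming the backend, or NULL when none is compiled in, and the function no longer logs its own errors, so callers are now responsible for that.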
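Review bot: In `ps_mastersandbox` (privsep.c, hunk at -537,7), the ENOSYS branch returns 0, so the process keeps running without a sandbox and the only trace is one `logwarnx` line; a comment saying this fail-open behaviour is intentional would help the next reader. When no backend is compiled in, `ps_entersandbox` returns 0 with `sandbox` left NULL and neither branch logs anything, although the commit message says unavailability should be logged. Add a `logwarnx` for the `sandbox == NULL` success case so that build is visible in the log too.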