changeset 5459:4ac77faa4990 draft

privsep: Fold capsicum and pledge entry points into ps_entersandbox
author Roy Marples <roy@marples.name>
date Sat, 19 Sep 2020 18:58:52 +0100
parents dd8347a0ea1c
children 5f999efcfe01
files src/privsep-bpf.c src/privsep-control.c src/privsep-inet.c src/privsep.c src/privsep.h
diffstat 5 files changed, 31 insertions(+), 58 deletions(-) [+]
--- a/src/privsep-bpf.c	Sat Sep 19 15:05:51 2020 +0100
+++ b/src/privsep-bpf.c	Sat Sep 19 18:58:52 2020 +0100
@@ -53,10 +53,6 @@
 #include "logerr.h"
 #include "privsep.h"
 
-#ifdef HAVE_CAPSICUM
-#include <sys/capsicum.h>
-#endif
-
 static void
 ps_bpf_recvbpf(void *arg)
 {
@@ -244,14 +240,7 @@
 		ps_freeprocess(psp);
 		return -1;
 	case 0:
-#ifdef HAVE_CAPSICUM
-		if (cap_enter() == -1 && errno != ENOSYS)
-			logerr("%s: cap_enter", __func__);
-#endif
-#ifdef HAVE_PLEDGE
-		if (pledge("stdio", NULL) == -1)
-			logerr("%s: pledge", __func__);
-#endif
+		ps_entersandbox("stdio");
 		break;
 	default:
 #ifdef PRIVSEP_DEBUG
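Review bot: The return value of `ps_entersandbox("stdio")` in the `case 0:` branch is discarded, so a child whose `cap_enter()` or `pledge()` fails keeps running unconfined with only a log line to show for it. The helper now returns -1 on those failures, so the call sites could fail closed instead of continuing. In privsep-control.c the call followed by `return 0;` could become `return ps_entersandbox("stdio inet");`, and the two calls in privsep-inet.c have the same gap. Here something like `if (ps_entersandbox("stdio") == -1) return -1;` may fit, but the enclosing function starts and ends outside this hunk, so how the child should bail out needs checking against the surrounding code.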
--- a/src/privsep-control.c	Sat Sep 19 15:05:51 2020 +0100
+++ b/src/privsep-control.c	Sat Sep 19 18:58:52 2020 +0100
@@ -36,10 +36,6 @@
 #include "logerr.h"
 #include "privsep.h"
 
-#ifdef HAVE_CAPSICUM
-#include <sys/capsicum.h>
-#endif
-
 static int
 ps_ctl_startcb(void *arg)
 {
@@ -267,14 +263,7 @@
 	    ps_ctl_listen, ctx) == -1)
 		return -1;
 
-#ifdef HAVE_CAPSICUM
-	if (cap_enter() == -1 && errno != ENOSYS)
-		logerr("%s: cap_enter", __func__);
-#endif
-#ifdef HAVE_PLEDGE
-	if (pledge("stdio inet", NULL) == -1)
-		logerr("%s: pledge", __func__);
-#endif
+	ps_entersandbox("stdio inet");
 	return 0;
 }
 
--- a/src/privsep-inet.c	Sat Sep 19 15:05:51 2020 +0100
+++ b/src/privsep-inet.c	Sat Sep 19 18:58:52 2020 +0100
@@ -47,10 +47,6 @@
 #include "logerr.h"
 #include "privsep.h"
 
-#ifdef HAVE_CAPSICUM
-#include <sys/capsicum.h>
-#endif
-
 #ifdef INET
 static void
 ps_inet_recvbootp(void *arg)
@@ -337,14 +333,8 @@
 	    ps_inet_startcb, NULL,
 	    PSF_DROPPRIVS);
 
-#ifdef HAVE_CAPSICUM
-	if (pid == 0 && cap_enter() == -1 && errno != ENOSYS)
-		logerr("%s: cap_enter", __func__);
-#endif
-#ifdef HAVE_PLEDGE
-	if (pid == 0 && pledge("stdio", NULL) == -1)
-		logerr("%s: pledge", __func__);
-#endif
+	if (pid == 0)
+		ps_entersandbox("stdio");
 
 	return pid;
 }
@@ -570,14 +560,7 @@
 		ps_freeprocess(psp);
 		return -1;
 	case 0:
-#ifdef HAVE_CAPSICUM
-		if (cap_enter() == -1 && errno != ENOSYS)
-			logerr("%s: cap_enter", __func__);
-#endif
-#ifdef HAVE_PLEDGE
-		if (pledge("stdio", NULL) == -1)
-			logerr("%s: pledge", __func__);
-#endif
+		ps_entersandbox("stdio");
 		break;
 	default:
 		break;
--- a/src/privsep.c	Sat Sep 19 15:05:51 2020 +0100
+++ b/src/privsep.c	Sat Sep 19 18:58:52 2020 +0100
@@ -490,6 +490,28 @@
 }
 
 int
+ps_entersandbox(const char *_pledge)
+{
+
+#ifdef HAVE_CAPSICUM
+	if (cap_enter() == -1 && errno != ENOSYS) {
+		logerr("%s: cap_enter", __func__);
+		return -1;
+	}
+#endif
+#ifdef HAVE_PLEDGE
+	if (pledge(_pledge, NULL) == -1) {
+		logerr("%s: pledge", __func__);
+		return -1;
+	}
+#else
+	UNUSED(_pledge);
+#endif
+
+	return 0;
+}
+
+int
 ps_mastersandbox(struct dhcpcd_ctx *ctx)
 {
 
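Review bot: `ps_entersandbox` has no comment stating what a 0 return means, and it does not mean "the process is confined": `cap_enter()` failing with `ENOSYS` is tolerated, and a build with neither `HAVE_CAPSICUM` nor `HAVE_PLEDGE` falls straight through to `return 0`. A short header comment would make that explicit, e.g. `/* Enter the OS sandbox where one is compiled in; returns 0 if none is available or cap_enter() reports ENOSYS, -1 on any other failure. */`. Because `__func__` now expands to `ps_entersandbox` for every caller, the `logerr` lines no longer say which privsep process failed to sandbox; a caller label in the message would restore that for anyone reading the logs. `ps_mastersandbox`, which begins at the end of this hunk, continues outside it.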
@@ -508,20 +530,8 @@
 		return -1;
 	}
 #endif
-#ifdef HAVE_CAPSICUM
-	if (cap_enter() == -1 && errno != ENOSYS) {
-		logerr("%s: cap_enter", __func__);
-		return -1;
-	}
-#endif
-#ifdef HAVE_PLEDGE
-	if (pledge("stdio route", NULL) == -1) {
-		logerr("%s: pledge", __func__);
-		return -1;
-	}
-#endif
 
-	return 0;
+	return ps_entersandbox("stdio route");
 }
 
 int
--- a/src/privsep.h	Sat Sep 19 15:05:51 2020 +0100
+++ b/src/privsep.h	Sat Sep 19 18:58:52 2020 +0100
@@ -92,7 +92,6 @@
 #define	IN_PRIVSEP_SE(ctx)	\
 	(((ctx)->options & (DHCPCD_PRIVSEP | DHCPCD_FORKED)) == DHCPCD_PRIVSEP)
 
-
 #if defined(PRIVSEP) && defined(HAVE_CAPSICUM)
 #define PRIVSEP_RIGHTS
 #endif
@@ -168,6 +167,7 @@
 int ps_init(struct dhcpcd_ctx *);
 int ps_start(struct dhcpcd_ctx *);
 int ps_stop(struct dhcpcd_ctx *);
+int ps_entersandbox(const char *);
 int ps_mastersandbox(struct dhcpcd_ctx *);
 
 int ps_unrollmsg(struct msghdr *, struct ps_msghdr *, const void *, size_t);
@@ -185,6 +185,7 @@
 
 /* Internal privsep functions. */
 int ps_setbuf_fdpair(int []);
+
 #ifdef PRIVSEP_RIGHTS
 int ps_rights_limit_ioctl(int);
 int ps_rights_limit_fd_fctnl(int);
@@ -192,6 +193,7 @@
 int ps_rights_limit_fd(int);
 int ps_rights_limit_fdpair(int []);
 #endif
+
 pid_t ps_dostart(struct dhcpcd_ctx * ctx,
     pid_t *priv_pid, int *priv_fd,
     void (*recv_msg)(void *), void (*recv_unpriv_msg),