changeset 5492:9fe902232341 draft

privsep: allow CAP_SETSOCKOPT for route(4) fd. If FreeBSD ever implements RO_MISSFILTER it will need special rights to work over Capsicum.
author Roy Marples <roy@marples.name>
date Fri, 02 Oct 2020 15:57:01 +0100
parents 6cd47402148f
children 41d06921177b
files src/if-bsd.c src/privsep.c src/privsep.h
diffstat 3 files changed, 17 insertions(+), 1 deletions(-) [+]
--- a/src/if-bsd.c	Wed Sep 30 17:25:32 2020 +0100
+++ b/src/if-bsd.c	Fri Oct 02 15:57:01 2020 +0100
@@ -215,6 +215,11 @@
 #warning kernel does not support route message filtering
 #endif
 
+#ifdef PRIVSEP_RIGHTS
+	if (IN_PRIVSEP(ctx))
+		ps_rights_limit_fd_setsockopt(ctx->link_fd);
+#endif
+
 	return 0;
 }
 
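Review bot: The result of `ps_rights_limit_fd_setsockopt(ctx->link_fd)` is discarded, so a failed `cap_rights_limit` leaves the route socket with whatever rights it had and nothing is logged. The check removed from src/privsep.c in this same changeset treated that failure as an error and reported it through `logerr("%s: cap_rights_limit", __func__)`. I would keep that behaviour here with `if (IN_PRIVSEP(ctx) && ps_rights_limit_fd_setsockopt(ctx->link_fd) == -1) { logerr("%s: cap_rights_limit", __func__); return -1; }`. The function begins above the hunk, so whether `ctx->link_fd` needs closing on that path, and whether it can still be -1 here as the removed check allowed for, should be confirmed against the full body.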
--- a/src/privsep.c	Wed Sep 30 17:25:32 2020 +0100
+++ b/src/privsep.c	Fri Oct 02 15:57:01 2020 +0100
@@ -260,6 +260,17 @@
 }
 
 int
+ps_rights_limit_fd_setsockopt(int fd)
+{
+	cap_rights_t rights;
+
+	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT, CAP_SETSOCKOPT);
+	if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
+		return -1;
+	return 0;
+}
+
+int
 ps_rights_limit_fd_rdonly(int fd)
 {
 	cap_rights_t rights;
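Review bot: `ps_rights_limit_fd_setsockopt` has no comment recording why this descriptor keeps `CAP_SETSOCKOPT`, and the only rationale is in the commit message. A short header would help the next reader auditing the sandbox, for example `/* route(4) socket: keep CAP_SETSOCKOPT so message filters can still be set after limiting; Capsicum rights can only be reduced, never regained. */`. The same comment should say that `ENOSYS` is treated as success, which means the descriptor stays unrestricted on a kernel without Capsicum. The trailing context lines belong to `ps_rights_limit_fd_rdonly`, whose body continues outside the hunk.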
@@ -537,7 +548,6 @@
 #ifdef PRIVSEP_RIGHTS
 	if ((ctx->pf_inet_fd != -1 &&
 	    ps_rights_limit_ioctl(ctx->pf_inet_fd) == -1) ||
-	    (ctx->link_fd != -1 && ps_rights_limit_fd(ctx->link_fd) == -1) ||
 	     ps_rights_limit_stdio(ctx) == -1)
 	{
 		logerr("%s: cap_rights_limit", __func__);
--- a/src/privsep.h	Wed Sep 30 17:25:32 2020 +0100
+++ b/src/privsep.h	Fri Oct 02 15:57:01 2020 +0100
@@ -197,6 +197,7 @@
 int ps_rights_limit_ioctl(int);
 int ps_rights_limit_fd_fctnl(int);
 int ps_rights_limit_fd_rdonly(int);
+int ps_rights_limit_fd_setsockopt(int);
 int ps_rights_limit_fd(int);
 int ps_rights_limit_fdpair(int []);
 #endif