1 /* SPDX-License-Identifier: BSD-2-Clause */
3 * Privilege Separation for dhcpcd
4 * Copyright (c) 2006-2023 Roy Marples <roy@marples.name>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * The current design is this:
31 * Spawn a priv process to carry out privileged actions and
32 * spawning unpriv process to initate network connections such as BPF
33 * or address specific listener.
34 * Spawn an unpriv process to send/receive common network data.
35 * Then drop all privs and start running.
36 * Every process aside from the privileged proxy is chrooted.
37 * All privsep processes ignore signals - only the manager process accepts them.
39 * dhcpcd will maintain the config file in the chroot, no need to handle
40 * this in a script or something.
43 #include <sys/resource.h>
44 #include <sys/socket.h>
46 #include <sys/types.h>
50 #include <net/if_dl.h>
59 #include <stddef.h> /* For offsetof, struct padding debug */
77 #include <sys/capsicum.h>
78 #include <sys/procdesc.h>
79 #include <capsicum_helpers.h>
85 /* CMSG_ALIGN is a Linux extension */
87 #define CMSG_ALIGN(n) (CMSG_SPACE((n)) - CMSG_SPACE(0))
90 /* Calculate number of padding bytes to achieve 'struct cmsghdr' alignment */
91 #define CALC_CMSG_PADLEN(has_cmsg, pos) \
92 ((has_cmsg) ? (socklen_t)(CMSG_ALIGN((pos)) - (pos)) : 0)
95 ps_init(struct dhcpcd_ctx
*ctx
)
101 if ((ctx
->ps_user
= pw
= getpwnam(PRIVSEP_USER
)) == NULL
) {
102 ctx
->options
&= ~DHCPCD_PRIVSEP
;
104 logerrx("no such user %s", PRIVSEP_USER
);
105 /* Just incase logerrx caused an error... */
112 if (stat(pw
->pw_dir
, &st
) == -1 || !S_ISDIR(st
.st_mode
)) {
113 ctx
->options
&= ~DHCPCD_PRIVSEP
;
114 logerrx("refusing chroot: %s: %s",
115 PRIVSEP_USER
, pw
->pw_dir
);
120 ctx
->options
|= DHCPCD_PRIVSEP
;
125 ps_dropprivs(struct dhcpcd_ctx
*ctx
)
127 struct passwd
*pw
= ctx
->ps_user
;
129 if (ctx
->options
& DHCPCD_LAUNCHER
)
130 logdebugx("chrooting as %s to %s", pw
->pw_name
, pw
->pw_dir
);
131 if (chroot(pw
->pw_dir
) == -1 &&
132 (errno
!= EPERM
|| ctx
->options
& DHCPCD_FORKED
))
133 logerr("%s: chroot: %s", __func__
, pw
->pw_dir
);
134 if (chdir("/") == -1)
135 logerr("%s: chdir: /", __func__
);
137 if ((setgroups(1, &pw
->pw_gid
) == -1 ||
138 setgid(pw
->pw_gid
) == -1 ||
139 setuid(pw
->pw_uid
) == -1) &&
140 (errno
!= EPERM
|| ctx
->options
& DHCPCD_FORKED
))
142 logerr("failed to drop privileges");
146 struct rlimit rzero
= { .rlim_cur
= 0, .rlim_max
= 0 };
148 /* Prohibit new files, sockets, etc */
150 * If poll(2) is called with nfds>RLIMIT_NOFILE then it returns EINVAL.
151 * We don't know the final value of nfds at this point *easily*.
152 * Sadly, this is a POSIX limitation and most platforms adhere to it.
153 * However, some are not that strict and are whitelisted below.
154 * Also, if we're not using poll then we can be restrictive.
156 * For the non whitelisted platforms there should be a sandbox to
157 * fallback to where we don't allow new files, etc:
158 * Linux:seccomp, FreeBSD:capsicum, OpenBSD:pledge
159 * Solaris users are sadly out of luck on both counts.
161 #if defined(__NetBSD__) || defined(__DragonFly__) || \
162 defined(HAVE_KQUEUE) || defined(HAVE_EPOLL)
163 /* The control proxy *does* need to create new fd's via accept(2). */
164 if (ctx
->ps_ctl
== NULL
|| ctx
->ps_ctl
->psp_pid
!= getpid()) {
165 if (setrlimit(RLIMIT_NOFILE
, &rzero
) == -1)
166 logerr("setrlimit RLIMIT_NOFILE");
170 #define DHC_NOCHKIO (DHCPCD_STARTED | DHCPCD_DAEMONISE)
171 /* Prohibit writing to files.
172 * Obviously this won't work if we are using a logfile
173 * or redirecting stderr to a file. */
174 if ((ctx
->options
& DHC_NOCHKIO
) == DHC_NOCHKIO
||
175 (ctx
->logfile
== NULL
&& isatty(STDERR_FILENO
) == 1))
177 if (setrlimit(RLIMIT_FSIZE
, &rzero
) == -1)
178 logerr("setrlimit RLIMIT_FSIZE");
183 if (setrlimit(RLIMIT_NPROC
, &rzero
) == -1)
184 logerr("setrlimit RLIMIT_NPROC");
191 ps_setbuf0(int fd
, int ctl
, int minlen
)
197 if (getsockopt(fd
, SOL_SOCKET
, ctl
, &len
, &slen
) == -1)
206 return setsockopt(fd
, SOL_SOCKET
, ctl
, &minlen
, sizeof(minlen
));
212 /* Ensure we can receive a fully sized privsep message.
213 * Double the send buffer. */
214 int minlen
= (int)sizeof(struct ps_msg
);
216 if (ps_setbuf0(fd
, SO_RCVBUF
, minlen
) == -1 ||
217 ps_setbuf0(fd
, SO_SNDBUF
, minlen
* 2) == -1)
226 ps_setbuf_fdpair(int fd
[])
229 if (ps_setbuf(fd
[0]) == -1 || ps_setbuf(fd
[1]) == -1)
234 #ifdef PRIVSEP_RIGHTS
236 ps_rights_limit_ioctl(int fd
)
240 cap_rights_init(&rights
, CAP_IOCTL
);
241 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
247 ps_rights_limit_fd_fctnl(int fd
)
251 cap_rights_init(&rights
, CAP_READ
, CAP_WRITE
, CAP_EVENT
,
252 CAP_ACCEPT
, CAP_FCNTL
);
253 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
259 ps_rights_limit_fd(int fd
)
263 cap_rights_init(&rights
, CAP_READ
, CAP_WRITE
, CAP_EVENT
, CAP_SHUTDOWN
);
264 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
270 ps_rights_limit_fd_sockopt(int fd
)
274 cap_rights_init(&rights
, CAP_READ
, CAP_WRITE
, CAP_EVENT
,
275 CAP_GETSOCKOPT
, CAP_SETSOCKOPT
);
276 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
282 ps_rights_limit_fd_rdonly(int fd
)
286 cap_rights_init(&rights
, CAP_READ
, CAP_EVENT
);
287 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
293 ps_rights_limit_fdpair(int fd
[])
296 if (ps_rights_limit_fd(fd
[0]) == -1 || ps_rights_limit_fd(fd
[1]) == -1)
302 ps_rights_limit_stdio()
304 const int iebadf
= CAPH_IGNORE_EBADF
;
307 if (caph_limit_stream(STDIN_FILENO
, CAPH_READ
| iebadf
) == -1)
309 if (caph_limit_stream(STDOUT_FILENO
, CAPH_WRITE
| iebadf
) == -1)
311 if (caph_limit_stream(STDERR_FILENO
, CAPH_WRITE
| iebadf
) == -1)
320 ps_processhangup(void *arg
, unsigned short events
)
322 struct ps_process
*psp
= arg
;
323 struct dhcpcd_ctx
*ctx
= psp
->psp_ctx
;
325 if (!(events
& ELE_HANGUP
))
326 logerrx("%s: unexpected event 0x%04x", __func__
, events
);
328 logdebugx("%s%s%s exited from PID %d",
329 psp
->psp_ifname
, psp
->psp_ifname
[0] != '\0' ? ": " : "",
330 psp
->psp_name
, psp
->psp_pid
);
334 if (!(ctx
->options
& DHCPCD_EXITING
))
336 if (!(ps_waitforprocs(ctx
)))
337 eloop_exit(ctx
->ps_eloop
, EXIT_SUCCESS
);
342 ps_startprocess(struct ps_process
*psp
,
343 void (*recv_msg
)(void *, unsigned short),
344 void (*recv_unpriv_msg
)(void *, unsigned short),
345 int (*callback
)(struct ps_process
*), void (*signal_cb
)(int, void *),
348 struct dhcpcd_ctx
*ctx
= psp
->psp_ctx
;
352 if (xsocketpair(AF_UNIX
, SOCK_SEQPACKET
| SOCK_CXNB
, 0, fd
) == -1) {
353 logerr("%s: socketpair", __func__
);
356 if (ps_setbuf_fdpair(fd
) == -1) {
357 logerr("%s: ps_setbuf_fdpair", __func__
);
360 #ifdef PRIVSEP_RIGHTS
361 if (ps_rights_limit_fdpair(fd
) == -1) {
362 logerr("%s: ps_rights_limit_fdpair", __func__
);
368 pid
= pdfork(&psp
->psp_pfd
, PD_CLOEXEC
);
381 psp
->psp_pid
= getpid();
389 if (recv_unpriv_msg
== NULL
)
391 else if (eloop_event_add(ctx
->eloop
, psp
->psp_fd
, ELE_READ
,
392 recv_unpriv_msg
, psp
) == -1)
394 logerr("%s: eloop_event_add fd %d",
395 __func__
, psp
->psp_fd
);
399 if (eloop_event_add(ctx
->eloop
, psp
->psp_pfd
, ELE_HANGUP
,
400 ps_processhangup
, psp
) == -1)
402 logerr("%s: eloop_event_add pfd %d",
403 __func__
, psp
->psp_pfd
);
407 psp
->psp_started
= true;
411 /* If we are not the root process, close un-needed stuff. */
412 if (ctx
->ps_root
!= psp
) {
419 ctx
->options
|= DHCPCD_FORKED
;
420 if (ctx
->ps_log_fd
!= -1)
421 logsetfd(ctx
->ps_log_fd
);
424 logerrx("pid %d log_fd=%d data_fd=%d psp_fd=%d",
425 getpid(), ctx
->ps_log_fd
, ctx
->ps_data_fd
, psp
->psp_fd
);
428 eloop_clear(ctx
->eloop
, -1);
429 eloop_forked(ctx
->eloop
);
430 eloop_signal_set_cb(ctx
->eloop
,
431 dhcpcd_signals
, dhcpcd_signals_len
, signal_cb
, ctx
);
432 /* ctx->sigset aready has the initial sigmask set in main() */
433 if (eloop_signal_mask(ctx
->eloop
, NULL
) == -1) {
434 logerr("%s: eloop_signal_mask", __func__
);
438 if (ctx
->fork_fd
!= -1) {
439 /* Already removed from eloop thanks to above clear. */
444 /* This process has no need of the blocking inner eloop. */
445 if (!(flags
& PSF_ELOOP
)) {
446 eloop_free(ctx
->ps_eloop
);
447 ctx
->ps_eloop
= NULL
;
449 eloop_forked(ctx
->ps_eloop
);
452 ps_freeprocesses(ctx
, psp
);
454 if (ctx
->ps_root
!= psp
) {
455 ctx
->options
&= ~DHCPCD_PRIVSEPROOT
;
457 if (ctx
->ps_log_root_fd
!= -1) {
458 /* Already removed from eloop thanks to above clear. */
459 close(ctx
->ps_log_root_fd
);
460 ctx
->ps_log_root_fd
= -1;
462 #ifdef PRIVSEP_RIGHTS
463 if (ps_rights_limit_stdio() == -1) {
464 logerr("ps_rights_limit_stdio");
470 if (eloop_event_add(ctx
->eloop
, psp
->psp_fd
, ELE_READ
,
471 recv_msg
, psp
) == -1)
473 logerr("%d %s: eloop_event_add XX fd %d", getpid(), __func__
, psp
->psp_fd
);
477 if (callback(psp
) == -1)
480 if (flags
& PSF_DROPPRIVS
)
483 psp
->psp_started
= true;
487 if (psp
->psp_fd
!= -1) {
491 eloop_exit(ctx
->eloop
, EXIT_FAILURE
);
496 ps_process_timeout(void *arg
)
498 struct dhcpcd_ctx
*ctx
= arg
;
500 logerrx("%s: timed out", __func__
);
501 eloop_exit(ctx
->eloop
, EXIT_FAILURE
);
505 ps_stopprocess(struct ps_process
*psp
)
512 psp
->psp_started
= false;
515 logdebugx("%s: me=%d pid=%d fd=%d %s", __func__
,
516 getpid(), psp
->psp_pid
, psp
->psp_fd
, psp
->psp_name
);
519 if (psp
->psp_fd
!= -1) {
520 eloop_event_delete(psp
->psp_ctx
->eloop
, psp
->psp_fd
);
522 if (ps_sendcmd(psp
->psp_ctx
, psp
->psp_fd
, PS_STOP
, 0,
525 logerr("%d %d %s %s", getpid(), psp
->psp_pid
, psp
->psp_name
, __func__
);
528 shutdown(psp
->psp_fd
, SHUT_WR
);
530 if (shutdown(psp
->psp_fd
, SHUT_WR
) == -1) {
537 /* Don't wait for the process as it may not respond to the shutdown
538 * request. We'll reap the process on receipt of SIGCHLD where we
539 * also close the fd. */
544 ps_start(struct dhcpcd_ctx
*ctx
)
548 TAILQ_INIT(&ctx
->ps_processes
);
550 /* We need an inner eloop to block with. */
551 if ((ctx
->ps_eloop
= eloop_new()) == NULL
)
553 eloop_signal_set_cb(ctx
->ps_eloop
,
554 dhcpcd_signals
, dhcpcd_signals_len
,
555 dhcpcd_signal_cb
, ctx
);
557 switch (pid
= ps_root_start(ctx
)) {
559 logerr("ps_root_start");
564 logdebugx("spawned privileged proxy on PID %d", pid
);
567 /* No point in spawning the generic network listener if we're
568 * not going to use it. */
569 if (!ps_inet_canstart(ctx
))
572 switch (pid
= ps_inet_start(ctx
)) {
578 logdebugx("spawned network proxy on PID %d", pid
);
582 if (!(ctx
->options
& DHCPCD_TEST
)) {
583 switch (pid
= ps_ctl_start(ctx
)) {
589 logdebugx("spawned controller proxy on PID %d", pid
);
594 /* Seed the random number generator early incase it needs /dev/urandom
595 * which won't be available in the chroot. */
603 ps_entersandbox(const char *_pledge
, const char **sandbox
)
606 #if !defined(HAVE_PLEDGE)
610 #if defined(HAVE_CAPSICUM)
612 *sandbox
= "capsicum";
614 #elif defined(HAVE_PLEDGE)
617 // There is no need to use unveil(2) because we are in an empty chroot
618 // This is encouraged by Theo de Raadt himself:
619 // https://www.mail-archive.com/misc@openbsd.org/msg171655.html
620 return pledge(_pledge
, NULL
);
621 #elif defined(HAVE_SECCOMP)
623 *sandbox
= "seccomp";
624 return ps_seccomp_enter();
627 *sandbox
= "posix resource limited";
633 ps_managersandbox(struct dhcpcd_ctx
*ctx
, const char *_pledge
)
635 const char *sandbox
= NULL
;
639 forked
= ctx
->options
& DHCPCD_FORKED
;
640 ctx
->options
&= ~DHCPCD_FORKED
;
641 dropped
= ps_dropprivs(ctx
);
643 ctx
->options
|= DHCPCD_FORKED
;
646 * If we don't have a root process, we cannot use syslog.
647 * If it cannot be opened before chrooting then syslog(3) will fail.
648 * openlog(3) does not return an error which doubly sucks.
650 if (ctx
->ps_root
== NULL
) {
651 unsigned int logopts
= loggetopts();
653 logopts
&= ~LOGERR_LOG
;
658 logerr("%s: ps_dropprivs", __func__
);
662 #ifdef PRIVSEP_RIGHTS
663 if ((ctx
->pf_inet_fd
!= -1 &&
664 ps_rights_limit_ioctl(ctx
->pf_inet_fd
) == -1) ||
665 ps_rights_limit_stdio() == -1)
667 logerr("%s: cap_rights_limit", __func__
);
674 if (ps_entersandbox(_pledge
, &sandbox
) == -1) {
675 if (errno
== ENOSYS
) {
677 logwarnx("sandbox unavailable: %s", sandbox
);
680 logerr("%s: %s", __func__
, sandbox
);
682 } else if (ctx
->options
& DHCPCD_LAUNCHER
||
683 ((!(ctx
->options
& DHCPCD_DAEMONISE
)) &&
684 ctx
->options
& DHCPCD_MANAGER
))
685 logdebugx("sandbox: %s", sandbox
);
690 ps_stop(struct dhcpcd_ctx
*ctx
)
694 if (!(ctx
->options
& DHCPCD_PRIVSEP
) ||
695 ctx
->options
& DHCPCD_FORKED
||
699 if (ctx
->ps_ctl
!= NULL
) {
700 r
= ps_ctl_stop(ctx
);
705 if (ctx
->ps_inet
!= NULL
) {
706 r
= ps_inet_stop(ctx
);
711 if (ctx
->ps_root
!= NULL
) {
712 if (ps_root_stopprocesses(ctx
) == -1)
720 ps_waitforprocs(struct dhcpcd_ctx
*ctx
)
722 struct ps_process
*psp
= TAILQ_FIRST(&ctx
->ps_processes
);
727 /* Different processes */
728 if (psp
!= TAILQ_LAST(&ctx
->ps_processes
, ps_process_head
))
731 return !psp
->psp_started
;
735 ps_stopwait(struct dhcpcd_ctx
*ctx
)
737 int error
= EXIT_SUCCESS
;
739 if (ctx
->ps_eloop
== NULL
|| !ps_waitforprocs(ctx
))
742 ctx
->options
|= DHCPCD_EXITING
;
743 if (eloop_timeout_add_sec(ctx
->ps_eloop
, PS_PROCESS_TIMEOUT
,
744 ps_process_timeout
, ctx
) == -1)
745 logerr("%s: eloop_timeout_add_sec", __func__
);
746 eloop_enter(ctx
->ps_eloop
);
749 struct ps_process
*psp
;
751 TAILQ_FOREACH(psp
, &ctx
->ps_processes
, next
) {
752 if (psp
->psp_pfd
== -1)
754 if (eloop_event_add(ctx
->ps_eloop
, psp
->psp_pfd
,
755 ELE_HANGUP
, ps_processhangup
, psp
) == -1)
756 logerr("%s: eloop_event_add pfd %d",
757 __func__
, psp
->psp_pfd
);
761 error
= eloop_start(ctx
->ps_eloop
, &ctx
->sigset
);
762 if (error
!= EXIT_SUCCESS
)
763 logerr("%s: eloop_start", __func__
);
765 eloop_timeout_delete(ctx
->ps_eloop
, ps_process_timeout
, ctx
);
771 ps_freeprocess(struct ps_process
*psp
)
773 struct dhcpcd_ctx
*ctx
= psp
->psp_ctx
;
775 TAILQ_REMOVE(&ctx
->ps_processes
, psp
, next
);
777 if (psp
->psp_fd
!= -1) {
778 eloop_event_delete(ctx
->eloop
, psp
->psp_fd
);
781 if (psp
->psp_work_fd
!= -1) {
782 eloop_event_delete(ctx
->eloop
, psp
->psp_work_fd
);
783 close(psp
->psp_work_fd
);
786 if (psp
->psp_pfd
!= -1) {
787 eloop_event_delete(ctx
->eloop
, psp
->psp_pfd
);
788 if (ctx
->ps_eloop
!= NULL
)
789 eloop_event_delete(ctx
->ps_eloop
, psp
->psp_pfd
);
793 if (ctx
->ps_root
== psp
)
795 if (ctx
->ps_inet
== psp
)
797 if (ctx
->ps_ctl
== psp
)
800 if (psp
->psp_bpf
!= NULL
)
801 bpf_close(psp
->psp_bpf
);
807 ps_free(struct dhcpcd_ctx
*ctx
)
809 struct ps_process
*ppsp
, *psp
;
812 if (ctx
->ps_root
!= NULL
)
814 else if (ctx
->ps_ctl
!= NULL
)
819 stop
= ppsp
->psp_pid
== getpid();
823 while ((psp
= TAILQ_FIRST(&ctx
->ps_processes
)) != NULL
) {
824 if (stop
&& psp
!= ppsp
)
831 ps_unrollmsg(struct msghdr
*msg
, struct ps_msghdr
*psm
,
832 const void *data
, size_t len
)
834 uint8_t *datap
, *namep
, *controlp
;
835 socklen_t cmsg_padlen
=
836 CALC_CMSG_PADLEN(psm
->ps_controllen
, psm
->ps_namelen
);
838 namep
= UNCONST(data
);
839 controlp
= namep
+ psm
->ps_namelen
+ cmsg_padlen
;
840 datap
= controlp
+ psm
->ps_controllen
;
842 if (psm
->ps_namelen
!= 0) {
843 if (psm
->ps_namelen
> len
) {
847 msg
->msg_name
= namep
;
848 len
-= psm
->ps_namelen
;
850 msg
->msg_name
= NULL
;
851 msg
->msg_namelen
= psm
->ps_namelen
;
853 if (psm
->ps_controllen
!= 0) {
854 if (psm
->ps_controllen
> len
) {
858 msg
->msg_control
= controlp
;
859 len
-= psm
->ps_controllen
+ cmsg_padlen
;
861 msg
->msg_control
= NULL
;
862 msg
->msg_controllen
= psm
->ps_controllen
;
866 msg
->msg_iov
[0].iov_base
= datap
;
867 msg
->msg_iov
[0].iov_len
= len
;
870 msg
->msg_iov
[0].iov_base
= NULL
;
871 msg
->msg_iov
[0].iov_len
= 0;
877 ps_sendpsmmsg(struct dhcpcd_ctx
*ctx
, int fd
,
878 struct ps_msghdr
*psm
, const struct msghdr
*msg
)
880 long padding
[1] = { 0 };
881 struct iovec iov
[] = {
882 { .iov_base
= UNCONST(psm
), .iov_len
= sizeof(*psm
) },
883 { .iov_base
= NULL
, }, /* name */
884 { .iov_base
= NULL
, }, /* control padding */
885 { .iov_base
= NULL
, }, /* control */
886 { .iov_base
= NULL
, }, /* payload 1 */
887 { .iov_base
= NULL
, }, /* payload 2 */
888 { .iov_base
= NULL
, }, /* payload 3 */
894 struct iovec
*iovp
= &iov
[1];
896 socklen_t cmsg_padlen
;
898 psm
->ps_namelen
= msg
->msg_namelen
;
899 psm
->ps_controllen
= (socklen_t
)msg
->msg_controllen
;
901 iovp
->iov_base
= msg
->msg_name
;
902 iovp
->iov_len
= msg
->msg_namelen
;
906 CALC_CMSG_PADLEN(msg
->msg_controllen
, msg
->msg_namelen
);
907 assert(cmsg_padlen
<= sizeof(padding
));
908 iovp
->iov_len
= cmsg_padlen
;
909 iovp
->iov_base
= cmsg_padlen
!= 0 ? padding
: NULL
;
912 iovp
->iov_base
= msg
->msg_control
;
913 iovp
->iov_len
= msg
->msg_controllen
;
916 for (i
= 0; i
< (int)msg
->msg_iovlen
; i
++) {
917 if ((size_t)(iovlen
+ i
) > __arraycount(iov
)) {
922 iovp
->iov_base
= msg
->msg_iov
[i
].iov_base
;
923 iovp
->iov_len
= msg
->msg_iov
[i
].iov_len
;
929 len
= writev(fd
, iov
, iovlen
);
931 if (ctx
->options
& DHCPCD_FORKED
&&
932 !(ctx
->options
& DHCPCD_PRIVSEPROOT
))
933 eloop_exit(ctx
->eloop
, EXIT_FAILURE
);
939 ps_sendpsmdata(struct dhcpcd_ctx
*ctx
, int fd
,
940 struct ps_msghdr
*psm
, const void *data
, size_t len
)
942 struct iovec iov
[] = {
943 { .iov_base
= UNCONST(data
), .iov_len
= len
},
945 struct msghdr msg
= {
946 .msg_iov
= iov
, .msg_iovlen
= 1,
949 return ps_sendpsmmsg(ctx
, fd
, psm
, &msg
);
954 ps_sendmsg(struct dhcpcd_ctx
*ctx
, int fd
, uint16_t cmd
, unsigned long flags
,
955 const struct msghdr
*msg
)
957 struct ps_msghdr psm
= {
960 .ps_namelen
= msg
->msg_namelen
,
961 .ps_controllen
= (socklen_t
)msg
->msg_controllen
,
965 for (i
= 0; i
< (size_t)msg
->msg_iovlen
; i
++)
966 psm
.ps_datalen
+= msg
->msg_iov
[i
].iov_len
;
968 #if 0 /* For debugging structure padding. */
969 logerrx("psa.family %lu %zu", offsetof(struct ps_addr
, psa_family
), sizeof(psm
.ps_id
.psi_addr
.psa_family
));
970 logerrx("psa.pad %lu %zu", offsetof(struct ps_addr
, psa_pad
), sizeof(psm
.ps_id
.psi_addr
.psa_pad
));
971 logerrx("psa.psa_u %lu %zu", offsetof(struct ps_addr
, psa_u
), sizeof(psm
.ps_id
.psi_addr
.psa_u
));
972 logerrx("psa %zu", sizeof(psm
.ps_id
.psi_addr
));
974 logerrx("psi.addr %lu %zu", offsetof(struct ps_id
, psi_addr
), sizeof(psm
.ps_id
.psi_addr
));
975 logerrx("psi.index %lu %zu", offsetof(struct ps_id
, psi_ifindex
), sizeof(psm
.ps_id
.psi_ifindex
));
976 logerrx("psi.cmd %lu %zu", offsetof(struct ps_id
, psi_cmd
), sizeof(psm
.ps_id
.psi_cmd
));
977 logerrx("psi.pad %lu %zu", offsetof(struct ps_id
, psi_pad
), sizeof(psm
.ps_id
.psi_pad
));
978 logerrx("psi %zu", sizeof(struct ps_id
));
980 logerrx("ps_cmd %lu", offsetof(struct ps_msghdr
, ps_cmd
));
981 logerrx("ps_pad %lu %zu", offsetof(struct ps_msghdr
, ps_pad
), sizeof(psm
.ps_pad
));
982 logerrx("ps_flags %lu %zu", offsetof(struct ps_msghdr
, ps_flags
), sizeof(psm
.ps_flags
));
984 logerrx("ps_id %lu %zu", offsetof(struct ps_msghdr
, ps_id
), sizeof(psm
.ps_id
));
986 logerrx("ps_namelen %lu %zu", offsetof(struct ps_msghdr
, ps_namelen
), sizeof(psm
.ps_namelen
));
987 logerrx("ps_controllen %lu %zu", offsetof(struct ps_msghdr
, ps_controllen
), sizeof(psm
.ps_controllen
));
988 logerrx("ps_pad2 %lu %zu", offsetof(struct ps_msghdr
, ps_pad2
), sizeof(psm
.ps_pad2
));
989 logerrx("ps_datalen %lu %zu", offsetof(struct ps_msghdr
, ps_datalen
), sizeof(psm
.ps_datalen
));
990 logerrx("psm %zu", sizeof(psm
));
993 return ps_sendpsmmsg(ctx
, fd
, &psm
, msg
);
997 ps_sendcmd(struct dhcpcd_ctx
*ctx
, int fd
, uint16_t cmd
, unsigned long flags
,
998 const void *data
, size_t len
)
1000 struct ps_msghdr psm
= {
1004 struct iovec iov
[] = {
1005 { .iov_base
= UNCONST(data
), .iov_len
= len
}
1007 struct msghdr msg
= {
1008 .msg_iov
= iov
, .msg_iovlen
= 1,
1011 return ps_sendpsmmsg(ctx
, fd
, &psm
, &msg
);
1015 ps_sendcmdmsg(int fd
, uint16_t cmd
, const struct msghdr
*msg
)
1017 struct ps_msghdr psm
= { .ps_cmd
= cmd
};
1018 uint8_t data
[PS_BUFLEN
], *p
= data
;
1019 struct iovec iov
[] = {
1020 { .iov_base
= &psm
, .iov_len
= sizeof(psm
) },
1021 { .iov_base
= data
, .iov_len
= 0 },
1023 size_t dl
= sizeof(data
);
1024 socklen_t cmsg_padlen
=
1025 CALC_CMSG_PADLEN(msg
->msg_controllen
, msg
->msg_namelen
);
1027 if (msg
->msg_namelen
!= 0) {
1028 if (msg
->msg_namelen
> dl
)
1030 psm
.ps_namelen
= msg
->msg_namelen
;
1031 memcpy(p
, msg
->msg_name
, msg
->msg_namelen
);
1032 p
+= msg
->msg_namelen
;
1033 dl
-= msg
->msg_namelen
;
1036 if (msg
->msg_controllen
!= 0) {
1037 if (msg
->msg_controllen
+ cmsg_padlen
> dl
)
1039 if (cmsg_padlen
!= 0) {
1040 memset(p
, 0, cmsg_padlen
);
1044 psm
.ps_controllen
= (socklen_t
)msg
->msg_controllen
;
1045 memcpy(p
, msg
->msg_control
, msg
->msg_controllen
);
1046 p
+= msg
->msg_controllen
;
1047 dl
-= msg
->msg_controllen
;
1050 psm
.ps_datalen
= msg
->msg_iov
[0].iov_len
;
1051 if (psm
.ps_datalen
> dl
)
1055 psm
.ps_namelen
+ psm
.ps_controllen
+ psm
.ps_datalen
+ cmsg_padlen
;
1056 if (psm
.ps_datalen
!= 0)
1057 memcpy(p
, msg
->msg_iov
[0].iov_base
, psm
.ps_datalen
);
1058 return writev(fd
, iov
, __arraycount(iov
));
1066 ps_recvmsg(int rfd
, unsigned short events
, uint16_t cmd
, int wfd
)
1068 struct sockaddr_storage ss
= { .ss_family
= AF_UNSPEC
};
1069 uint8_t controlbuf
[sizeof(struct sockaddr_storage
)] = { 0 };
1070 uint8_t databuf
[64 * 1024];
1071 struct iovec iov
[] = {
1072 { .iov_base
= databuf
, .iov_len
= sizeof(databuf
) }
1074 struct msghdr msg
= {
1075 .msg_name
= &ss
, .msg_namelen
= sizeof(ss
),
1076 .msg_control
= controlbuf
, .msg_controllen
= sizeof(controlbuf
),
1077 .msg_iov
= iov
, .msg_iovlen
= 1,
1081 if (!(events
& ELE_READ
))
1082 logerrx("%s: unexpected event 0x%04x", __func__
, events
);
1084 len
= recvmsg(rfd
, &msg
, 0);
1086 logerr("%s: recvmsg", __func__
);
1090 iov
[0].iov_len
= (size_t)len
;
1091 len
= ps_sendcmdmsg(wfd
, cmd
, &msg
);
1093 logerr("%s: ps_sendcmdmsg", __func__
);
1098 ps_daemonised(struct dhcpcd_ctx
*ctx
)
1100 struct ps_process
*psp
;
1103 dhcpcd_daemonised(ctx
);
1105 /* Echo the message to all processes */
1106 TAILQ_FOREACH(psp
, &ctx
->ps_processes
, next
) {
1107 if (psp
->psp_pid
== getpid())
1109 if (ps_sendcmd(psp
->psp_ctx
, psp
->psp_fd
, PS_DAEMONISED
,
1118 ps_recvpsmsg(struct dhcpcd_ctx
*ctx
, int fd
, unsigned short events
,
1119 ssize_t (*callback
)(void *, struct ps_msghdr
*, struct msghdr
*),
1125 struct iovec iov
[1];
1126 struct msghdr msg
= { .msg_iov
= iov
, .msg_iovlen
= 1 };
1129 if (!(events
& ELE_READ
))
1130 logerrx("%s: unexpected event 0x%04x", __func__
, events
);
1132 len
= read(fd
, &psm
, sizeof(psm
));
1133 #ifdef PRIVSEP_DEBUG
1134 logdebugx("%s: %zd", __func__
, len
);
1137 if (len
== -1 || len
== 0)
1141 if (dlen
< sizeof(psm
.psm_hdr
)) {
1146 if (psm
.psm_hdr
.ps_cmd
== PS_STOP
) {
1149 } else if (psm
.psm_hdr
.ps_cmd
== PS_DAEMONISED
) {
1156 ctx
->options
|= DHCPCD_EXITING
;
1157 #ifdef PRIVSEP_DEBUG
1158 logdebugx("process %d stopping", getpid());
1161 eloop_exit(ctx
->eloop
, len
!= -1 ? EXIT_SUCCESS
: EXIT_FAILURE
);
1164 dlen
-= sizeof(psm
.psm_hdr
);
1166 if (ps_unrollmsg(&msg
, &psm
.psm_hdr
, psm
.psm_data
, dlen
) == -1)
1169 if (callback
== NULL
)
1173 return callback(cbctx
, &psm
.psm_hdr
, &msg
);
1177 ps_findprocess(struct dhcpcd_ctx
*ctx
, struct ps_id
*psid
)
1179 struct ps_process
*psp
;
1181 TAILQ_FOREACH(psp
, &ctx
->ps_processes
, next
) {
1182 if (!(psp
->psp_started
))
1184 if (memcmp(&psp
->psp_id
, psid
, sizeof(psp
->psp_id
)) == 0)
1192 ps_findprocesspid(struct dhcpcd_ctx
*ctx
, pid_t pid
)
1194 struct ps_process
*psp
;
1196 TAILQ_FOREACH(psp
, &ctx
->ps_processes
, next
) {
1197 if (psp
->psp_pid
== pid
)
1205 ps_newprocess(struct dhcpcd_ctx
*ctx
, struct ps_id
*psid
)
1207 struct ps_process
*psp
;
1209 psp
= calloc(1, sizeof(*psp
));
1213 memcpy(&psp
->psp_id
, psid
, sizeof(psp
->psp_id
));
1215 psp
->psp_work_fd
= -1;
1216 #ifdef HAVE_CAPSICUM
1220 if (!(ctx
->options
& DHCPCD_MANAGER
))
1221 strlcpy(psp
->psp_ifname
, ctx
->ifv
[0], sizeof(psp
->psp_ifname
));
1222 TAILQ_INSERT_TAIL(&ctx
->ps_processes
, psp
, next
);
1227 ps_freeprocesses(struct dhcpcd_ctx
*ctx
, struct ps_process
*notthis
)
1229 struct ps_process
*psp
, *psn
;
1231 TAILQ_FOREACH_SAFE(psp
, &ctx
->ps_processes
, next
, psn
) {
1234 ps_freeprocess(psp
);