search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dhcpcd: Update to dhcpcd-9.3.3 with the following changes:
[dragonfly.git] / contrib / dhcpcd / src / privsep.c
blob55bb3c4295ceacfa602afbfb5db731de11f23807
1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*
3 * Privilege Separation for dhcpcd
4 * Copyright (c) 2006-2020 Roy Marples <roy@marples.name>
5 * All rights reserved
6
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 /*
30 * The current design is this:
31 * Spawn a priv process to carry out privileged actions and
32 * spawning unpriv process to initate network connections such as BPF
33 * or address specific listener.
34 * Spawn an unpriv process to send/receive common network data.
35 * Then drop all privs and start running.
36 * Every process aside from the privileged actioneer is chrooted.
37 * All privsep processes ignore signals - only the master process accepts them.
38 *
39 * dhcpcd will maintain the config file in the chroot, no need to handle
40 * this in a script or something.
41 */
42
43 #include <sys/resource.h>
44 #include <sys/socket.h>
45 #include <sys/stat.h>
46 #include <sys/types.h>
47 #include <sys/wait.h>
48
49 #ifdef AF_LINK
50 #include <net/if_dl.h>
51 #endif
52
53 #include <assert.h>
54 #include <errno.h>
55 #include <fcntl.h>
56 #include <grp.h>
57 #include <paths.h>
58 #include <pwd.h>
59 #include <stddef.h> /* For offsetof, struct padding debug */
60 #include <signal.h>
61 #include <stdlib.h>
62 #include <string.h>
63 #include <unistd.h>
64
65 #include "arp.h"
66 #include "common.h"
67 #include "control.h"
68 #include "dev.h"
69 #include "dhcp.h"
70 #include "dhcp6.h"
71 #include "eloop.h"
72 #include "ipv6nd.h"
73 #include "logerr.h"
74 #include "privsep.h"
75
76 #ifdef HAVE_CAPSICUM
77 #include <sys/capsicum.h>
78 #include <capsicum_helpers.h>
79 #endif
80 #ifdef HAVE_UTIL_H
81 #include <util.h>
82 #endif
83
84 int
85 ps_init(struct dhcpcd_ctx *ctx)
86 {
87 struct passwd *pw;
88 struct stat st;
89
90 errno = 0;
91 if ((ctx->ps_user = pw = getpwnam(PRIVSEP_USER)) == NULL) {
92 ctx->options &= ~DHCPCD_PRIVSEP;
93 if (errno == 0) {
94 logerrx("no such user %s", PRIVSEP_USER);
95 /* Just incase logerrx caused an error... */
96 errno = 0;
97 } else
98 logerr("getpwnam");
99 return -1;
100 }
101
102 if (stat(pw->pw_dir, &st) == -1 || !S_ISDIR(st.st_mode)) {
103 ctx->options &= ~DHCPCD_PRIVSEP;
104 logerrx("refusing chroot: %s: %s",
105 PRIVSEP_USER, pw->pw_dir);
106 errno = 0;
107 return -1;
108 }
109
110 ctx->options |= DHCPCD_PRIVSEP;
111 return 0;
112 }
113
114 static int
115 ps_dropprivs(struct dhcpcd_ctx *ctx)
116 {
117 struct passwd *pw = ctx->ps_user;
118
119 if (ctx->options & DHCPCD_LAUNCHER)
120 logdebugx("chrooting as %s to %s", pw->pw_name, pw->pw_dir);
121 if (chroot(pw->pw_dir) == -1 &&
122 (errno != EPERM || ctx->options & DHCPCD_FORKED))
123 logerr("%s: chroot: %s", __func__, pw->pw_dir);
124 if (chdir("/") == -1)
125 logerr("%s: chdir: /", __func__);
126
127 if ((setgroups(1, &pw->pw_gid) == -1 ||
128 setgid(pw->pw_gid) == -1 ||
129 setuid(pw->pw_uid) == -1) &&
130 (errno != EPERM || ctx->options & DHCPCD_FORKED))
131 {
132 logerr("failed to drop privileges");
133 return -1;
134 }
135
136 struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };
137
138 if (ctx->ps_control_pid != getpid()) {
139 /* Prohibit new files, sockets, etc */
140 #if defined(__linux__) || defined(__sun) || defined(__OpenBSD__)
141 /*
142 * If poll(2) is called with nfds > RLIMIT_NOFILE
143 * then it returns EINVAL.
144 * This blows.
145 * Do the best we can and limit to what we need.
146 * An attacker could potentially close a file and
147 * open a new one still, but that cannot be helped.
148 */
149 unsigned long maxfd;
150 maxfd = (unsigned long)eloop_event_count(ctx->eloop);
151 if (IN_PRIVSEP_SE(ctx))
152 maxfd++; /* XXX why? */
153
154 struct rlimit rmaxfd = {
155 .rlim_cur = maxfd,
156 .rlim_max = maxfd
157 };
158 if (setrlimit(RLIMIT_NOFILE, &rmaxfd) == -1)
159 logerr("setrlimit RLIMIT_NOFILE");
160 #else
161 if (setrlimit(RLIMIT_NOFILE, &rzero) == -1)
162 logerr("setrlimit RLIMIT_NOFILE");
163 #endif
164 }
165
166 #define DHC_NOCHKIO (DHCPCD_STARTED | DHCPCD_DAEMONISE)
167 /* Prohibit writing to files.
168 * Obviously this won't work if we are using a logfile
169 * or redirecting stderr to a file. */
170 if ((ctx->options & DHC_NOCHKIO) == DHC_NOCHKIO ||
171 (ctx->logfile == NULL &&
172 (!ctx->stderr_valid || isatty(STDERR_FILENO) == 1)))
173 {
174 if (setrlimit(RLIMIT_FSIZE, &rzero) == -1)
175 logerr("setrlimit RLIMIT_FSIZE");
176 }
177
178 #ifdef RLIMIT_NPROC
179 /* Prohibit forks */
180 if (setrlimit(RLIMIT_NPROC, &rzero) == -1)
181 logerr("setrlimit RLIMIT_NPROC");
182 #endif
183
184 return 0;
185 }
186
187 static int
188 ps_setbuf0(int fd, int ctl, int minlen)
189 {
190 int len;
191 socklen_t slen;
192
193 slen = sizeof(len);
194 if (getsockopt(fd, SOL_SOCKET, ctl, &len, &slen) == -1)
195 return -1;
196
197 #ifdef __linux__
198 len /= 2;
199 #endif
200 if (len >= minlen)
201 return 0;
202
203 return setsockopt(fd, SOL_SOCKET, ctl, &minlen, sizeof(minlen));
204 }
205
206 static int
207 ps_setbuf(int fd)
208 {
209 /* Ensure we can receive a fully sized privsep message.
210 * Double the send buffer. */
211 int minlen = (int)sizeof(struct ps_msg);
212
213 if (ps_setbuf0(fd, SO_RCVBUF, minlen) == -1 ||
214 ps_setbuf0(fd, SO_SNDBUF, minlen * 2) == -1)
215 {
216 logerr(__func__);
217 return -1;
218 }
219 return 0;
220 }
221
222 int
223 ps_setbuf_fdpair(int fd[])
224 {
225
226 if (ps_setbuf(fd[0]) == -1 || ps_setbuf(fd[1]) == -1)
227 return -1;
228 return 0;
229 }
230
231 #ifdef PRIVSEP_RIGHTS
232 int
233 ps_rights_limit_ioctl(int fd)
234 {
235 cap_rights_t rights;
236
237 cap_rights_init(&rights, CAP_IOCTL);
238 if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
239 return -1;
240 return 0;
241 }
242
243 int
244 ps_rights_limit_fd_fctnl(int fd)
245 {
246 cap_rights_t rights;
247
248 cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT,
249 CAP_ACCEPT, CAP_FCNTL);
250 if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
251 return -1;
252 return 0;
253 }
254
255 int
256 ps_rights_limit_fd(int fd)
257 {
258 cap_rights_t rights;
259
260 cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT, CAP_SHUTDOWN);
261 if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
262 return -1;
263 return 0;
264 }
265
266 int
267 ps_rights_limit_fd_sockopt(int fd)
268 {
269 cap_rights_t rights;
270
271 cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT,
272 CAP_GETSOCKOPT, CAP_SETSOCKOPT);
273 if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
274 return -1;
275 return 0;
276 }
277
278 int
279 ps_rights_limit_fd_rdonly(int fd)
280 {
281 cap_rights_t rights;
282
283 cap_rights_init(&rights, CAP_READ, CAP_EVENT);
284 if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
285 return -1;
286 return 0;
287 }
288
289 int
290 ps_rights_limit_fdpair(int fd[])
291 {
292
293 if (ps_rights_limit_fd(fd[0]) == -1 || ps_rights_limit_fd(fd[1]) == -1)
294 return -1;
295 return 0;
296 }
297
298 static int
299 ps_rights_limit_stdio(struct dhcpcd_ctx *ctx)
300 {
301 const int iebadf = CAPH_IGNORE_EBADF;
302 int error = 0;
303
304 if (ctx->stdin_valid &&
305 caph_limit_stream(STDIN_FILENO, CAPH_READ | iebadf) == -1)
306 error = -1;
307 if (ctx->stdout_valid &&
308 caph_limit_stream(STDOUT_FILENO, CAPH_WRITE | iebadf) == -1)
309 error = -1;
310 if (ctx->stderr_valid &&
311 caph_limit_stream(STDERR_FILENO, CAPH_WRITE | iebadf) == -1)
312 error = -1;
313
314 return error;
315 }
316 #endif
317
318 pid_t
319 ps_dostart(struct dhcpcd_ctx *ctx,
320 pid_t *priv_pid, int *priv_fd,
321 void (*recv_msg)(void *), void (*recv_unpriv_msg),
322 void *recv_ctx, int (*callback)(void *), void (*signal_cb)(int, void *),
323 unsigned int flags)
324 {
325 int fd[2];
326 pid_t pid;
327
328 if (xsocketpair(AF_UNIX, SOCK_DGRAM | SOCK_CXNB, 0, fd) == -1) {
329 logerr("%s: socketpair", __func__);
330 return -1;
331 }
332 if (ps_setbuf_fdpair(fd) == -1) {
333 logerr("%s: ps_setbuf_fdpair", __func__);
334 return -1;
335 }
336 #ifdef PRIVSEP_RIGHTS
337 if (ps_rights_limit_fdpair(fd) == -1) {
338 logerr("%s: ps_rights_limit_fdpair", __func__);
339 return -1;
340 }
341 #endif
342
343 switch (pid = fork()) {
344 case -1:
345 logerr("fork");
346 return -1;
347 case 0:
348 *priv_fd = fd[1];
349 close(fd[0]);
350 break;
351 default:
352 *priv_pid = pid;
353 *priv_fd = fd[0];
354 close(fd[1]);
355 if (recv_unpriv_msg == NULL)
356 ;
357 else if (eloop_event_add(ctx->eloop, *priv_fd,
358 recv_unpriv_msg, recv_ctx) == -1)
359 {
360 logerr("%s: eloop_event_add", __func__);
361 return -1;
362 }
363 return pid;
364 }
365
366 ctx->options |= DHCPCD_FORKED;
367 if (ctx->fork_fd != -1) {
368 close(ctx->fork_fd);
369 ctx->fork_fd = -1;
370 }
371 pidfile_clean();
372 eloop_clear(ctx->eloop);
373
374 /* We are not root */
375 if (priv_fd != &ctx->ps_root_fd) {
376 ps_freeprocesses(ctx, recv_ctx);
377 if (ctx->ps_root_fd != -1) {
378 close(ctx->ps_root_fd);
379 ctx->ps_root_fd = -1;
380 }
381
382 #ifdef PRIVSEP_RIGHTS
383 /* We cannot limit the root process in any way. */
384 if (ps_rights_limit_stdio(ctx) == -1) {
385 logerr("ps_rights_limit_stdio");
386 goto errexit;
387 }
388 #endif
389 }
390
391 if (priv_fd != &ctx->ps_inet_fd && ctx->ps_inet_fd != -1) {
392 close(ctx->ps_inet_fd);
393 ctx->ps_inet_fd = -1;
394 }
395
396 eloop_signal_set_cb(ctx->eloop,
397 dhcpcd_signals, dhcpcd_signals_len, signal_cb, ctx);
398
399 /* ctx->sigset aready has the initial sigmask set in main() */
400 if (eloop_signal_mask(ctx->eloop, NULL) == -1) {
401 logerr("%s: eloop_signal_mask", __func__);
402 goto errexit;
403 }
404
405 if (eloop_event_add(ctx->eloop, *priv_fd, recv_msg, recv_ctx) == -1)
406 {
407 logerr("%s: eloop_event_add", __func__);
408 goto errexit;
409 }
410
411 if (callback(recv_ctx) == -1)
412 goto errexit;
413
414 if (flags & PSF_DROPPRIVS)
415 ps_dropprivs(ctx);
416
417 return 0;
418
419 errexit:
420 /* Failure to start root or inet processes is fatal. */
421 if (priv_fd == &ctx->ps_root_fd || priv_fd == &ctx->ps_inet_fd)
422 (void)ps_sendcmd(ctx, *priv_fd, PS_STOP, 0, NULL, 0);
423 shutdown(*priv_fd, SHUT_RDWR);
424 *priv_fd = -1;
425 eloop_exit(ctx->eloop, EXIT_FAILURE);
426 return -1;
427 }
428
429 int
430 ps_dostop(struct dhcpcd_ctx *ctx, pid_t *pid, int *fd)
431 {
432 int err = 0;
433
434 #ifdef PRIVSEP_DEBUG
435 logdebugx("%s: pid=%d fd=%d", __func__, *pid, *fd);
436 #endif
437
438 if (*fd != -1) {
439 eloop_event_delete(ctx->eloop, *fd);
440 if (ps_sendcmd(ctx, *fd, PS_STOP, 0, NULL, 0) == -1) {
441 logerr(__func__);
442 err = -1;
443 }
444 (void)shutdown(*fd, SHUT_RDWR);
445 close(*fd);
446 *fd = -1;
447 }
448
449 /* Don't wait for the process as it may not respond to the shutdown
450 * request. We'll reap the process on receipt of SIGCHLD. */
451 *pid = 0;
452 return err;
453 }
454
455 int
456 ps_start(struct dhcpcd_ctx *ctx)
457 {
458 pid_t pid;
459
460 TAILQ_INIT(&ctx->ps_processes);
461
462 switch (pid = ps_root_start(ctx)) {
463 case -1:
464 logerr("ps_root_start");
465 return -1;
466 case 0:
467 return 0;
468 default:
469 logdebugx("spawned privileged actioneer on PID %d", pid);
470 }
471
472 /* No point in spawning the generic network listener if we're
473 * not going to use it. */
474 if (!ps_inet_canstart(ctx))
475 goto started_net;
476
477 switch (pid = ps_inet_start(ctx)) {
478 case -1:
479 return -1;
480 case 0:
481 return 0;
482 default:
483 logdebugx("spawned network proxy on PID %d", pid);
484 }
485
486 started_net:
487 if (!(ctx->options & DHCPCD_TEST)) {
488 switch (pid = ps_ctl_start(ctx)) {
489 case -1:
490 return -1;
491 case 0:
492 return 0;
493 default:
494 logdebugx("spawned controller proxy on PID %d", pid);
495 }
496 }
497
498 #ifdef ARC4RANDOM_H
499 /* Seed the random number generator early incase it needs /dev/urandom
500 * which won't be available in the chroot. */
501 arc4random();
502 #endif
503
504 return 1;
505 }
506
507 int
508 ps_entersandbox(const char *_pledge, const char **sandbox)
509 {
510
511 #if !defined(HAVE_PLEDGE)
512 UNUSED(_pledge);
513 #endif
514
515 #if defined(HAVE_CAPSICUM)
516 if (sandbox != NULL)
517 *sandbox = "capsicum";
518 return cap_enter();
519 #elif defined(HAVE_PLEDGE)
520 if (sandbox != NULL)
521 *sandbox = "pledge";
522 return pledge(_pledge, NULL);
523 #elif defined(HAVE_SECCOMP)
524 if (sandbox != NULL)
525 *sandbox = "seccomp";
526 return ps_seccomp_enter();
527 #else
528 if (sandbox != NULL)
529 *sandbox = "posix resource limited";
530 return 0;
531 #endif
532 }
533
534 int
535 ps_mastersandbox(struct dhcpcd_ctx *ctx, const char *_pledge)
536 {
537 const char *sandbox = NULL;
538 bool forked;
539 int dropped;
540
541 forked = ctx->options & DHCPCD_FORKED;
542 ctx->options &= ~DHCPCD_FORKED;
543 dropped = ps_dropprivs(ctx);
544 if (forked)
545 ctx->options |= DHCPCD_FORKED;
546
547 /*
548 * If we don't have a root process, we cannot use syslog.
549 * If it cannot be opened before chrooting then syslog(3) will fail.
550 * openlog(3) does not return an error which doubly sucks.
551 */
552 if (ctx->ps_root_fd == -1) {
553 unsigned int logopts = loggetopts();
554
555 logopts &= ~LOGERR_LOG;
556 logsetopts(logopts);
557 }
558
559 if (dropped == -1) {
560 logerr("%s: ps_dropprivs", __func__);
561 return -1;
562 }
563
564 #ifdef PRIVSEP_RIGHTS
565 if ((ctx->pf_inet_fd != -1 &&
566 ps_rights_limit_ioctl(ctx->pf_inet_fd) == -1) ||
567 ps_rights_limit_stdio(ctx) == -1)
568 {
569 logerr("%s: cap_rights_limit", __func__);
570 return -1;
571 }
572 #endif
573
574 if (_pledge == NULL)
575 _pledge = "stdio";
576 if (ps_entersandbox(_pledge, &sandbox) == -1) {
577 if (errno == ENOSYS) {
578 if (sandbox != NULL)
579 logwarnx("sandbox unavailable: %s", sandbox);
580 return 0;
581 }
582 logerr("%s: %s", __func__, sandbox);
583 return -1;
584 } else if (ctx->options & DHCPCD_LAUNCHER)
585 logdebugx("sandbox: %s", sandbox);
586 return 0;
587 }
588
589 int
590 ps_stop(struct dhcpcd_ctx *ctx)
591 {
592 int r, ret = 0;
593
594 if (!(ctx->options & DHCPCD_PRIVSEP) ||
595 ctx->options & DHCPCD_FORKED ||
596 ctx->eloop == NULL)
597 return 0;
598
599 r = ps_ctl_stop(ctx);
600 if (r != 0)
601 ret = r;
602
603 r = ps_inet_stop(ctx);
604 if (r != 0)
605 ret = r;
606
607 /* We've been chrooted, so we need to tell the
608 * privileged actioneer to remove the pidfile. */
609 ps_root_unlink(ctx, ctx->pidfile);
610
611 r = ps_root_stop(ctx);
612 if (r != 0)
613 ret = r;
614
615 ctx->options &= ~DHCPCD_PRIVSEP;
616 return ret;
617 }
618
619 void
620 ps_freeprocess(struct ps_process *psp)
621 {
622
623 TAILQ_REMOVE(&psp->psp_ctx->ps_processes, psp, next);
624 if (psp->psp_fd != -1) {
625 eloop_event_delete(psp->psp_ctx->eloop, psp->psp_fd);
626 close(psp->psp_fd);
627 }
628 if (psp->psp_work_fd != -1) {
629 eloop_event_delete(psp->psp_ctx->eloop, psp->psp_work_fd);
630 close(psp->psp_work_fd);
631 }
632 #ifdef INET
633 if (psp->psp_bpf != NULL)
634 bpf_close(psp->psp_bpf);
635 #endif
636 free(psp);
637 }
638
639 static void
640 ps_free(struct dhcpcd_ctx *ctx)
641 {
642 struct ps_process *psp;
643 bool stop = ctx->ps_root_pid == getpid();
644
645 while ((psp = TAILQ_FIRST(&ctx->ps_processes)) != NULL) {
646 if (stop)
647 ps_dostop(ctx, &psp->psp_pid, &psp->psp_fd);
648 ps_freeprocess(psp);
649 }
650 }
651
652 int
653 ps_unrollmsg(struct msghdr *msg, struct ps_msghdr *psm,
654 const void *data, size_t len)
655 {
656 uint8_t *datap, *namep, *controlp;
657
658 namep = UNCONST(data);
659 controlp = namep + psm->ps_namelen;
660 datap = controlp + psm->ps_controllen;
661
662 if (psm->ps_namelen != 0) {
663 if (psm->ps_namelen > len) {
664 errno = EINVAL;
665 return -1;
666 }
667 msg->msg_name = namep;
668 len -= psm->ps_namelen;
669 } else
670 msg->msg_name = NULL;
671 msg->msg_namelen = psm->ps_namelen;
672
673 if (psm->ps_controllen != 0) {
674 if (psm->ps_controllen > len) {
675 errno = EINVAL;
676 return -1;
677 }
678 msg->msg_control = controlp;
679 len -= psm->ps_controllen;
680 } else
681 msg->msg_control = NULL;
682 msg->msg_controllen = psm->ps_controllen;
683
684 if (len != 0) {
685 msg->msg_iovlen = 1;
686 msg->msg_iov[0].iov_base = datap;
687 msg->msg_iov[0].iov_len = len;
688 } else {
689 msg->msg_iovlen = 0;
690 msg->msg_iov[0].iov_base = NULL;
691 msg->msg_iov[0].iov_len = 0;
692 }
693 return 0;
694 }
695
696 ssize_t
697 ps_sendpsmmsg(struct dhcpcd_ctx *ctx, int fd,
698 struct ps_msghdr *psm, const struct msghdr *msg)
699 {
700 struct iovec iov[] = {
701 { .iov_base = UNCONST(psm), .iov_len = sizeof(*psm) },
702 { .iov_base = NULL, }, /* name */
703 { .iov_base = NULL, }, /* control */
704 { .iov_base = NULL, }, /* payload 1 */
705 { .iov_base = NULL, }, /* payload 2 */
706 { .iov_base = NULL, }, /* payload 3 */
707 };
708 int iovlen;
709 ssize_t len;
710
711 if (msg != NULL) {
712 struct iovec *iovp = &iov[1];
713 int i;
714
715 psm->ps_namelen = msg->msg_namelen;
716 psm->ps_controllen = (socklen_t)msg->msg_controllen;
717
718 iovp->iov_base = msg->msg_name;
719 iovp->iov_len = msg->msg_namelen;
720 iovp++;
721 iovp->iov_base = msg->msg_control;
722 iovp->iov_len = msg->msg_controllen;
723 iovlen = 3;
724
725 for (i = 0; i < (int)msg->msg_iovlen; i++) {
726 if ((size_t)(iovlen + i) > __arraycount(iov)) {
727 errno = ENOBUFS;
728 return -1;
729 }
730 iovp++;
731 iovp->iov_base = msg->msg_iov[i].iov_base;
732 iovp->iov_len = msg->msg_iov[i].iov_len;
733 }
734 iovlen += i;
735 } else
736 iovlen = 1;
737
738 len = writev(fd, iov, iovlen);
739 if (len == -1) {
740 logerr(__func__);
741 if (ctx->options & DHCPCD_FORKED &&
742 !(ctx->options & DHCPCD_PRIVSEPROOT))
743 eloop_exit(ctx->eloop, EXIT_FAILURE);
744 }
745 return len;
746 }
747
748 ssize_t
749 ps_sendpsmdata(struct dhcpcd_ctx *ctx, int fd,
750 struct ps_msghdr *psm, const void *data, size_t len)
751 {
752 struct iovec iov[] = {
753 { .iov_base = UNCONST(data), .iov_len = len },
754 };
755 struct msghdr msg = {
756 .msg_iov = iov, .msg_iovlen = 1,
757 };
758
759 return ps_sendpsmmsg(ctx, fd, psm, &msg);
760 }
761
762
763 ssize_t
764 ps_sendmsg(struct dhcpcd_ctx *ctx, int fd, uint16_t cmd, unsigned long flags,
765 const struct msghdr *msg)
766 {
767 struct ps_msghdr psm = {
768 .ps_cmd = cmd,
769 .ps_flags = flags,
770 .ps_namelen = msg->msg_namelen,
771 .ps_controllen = (socklen_t)msg->msg_controllen,
772 };
773 size_t i;
774
775 for (i = 0; i < (size_t)msg->msg_iovlen; i++)
776 psm.ps_datalen += msg->msg_iov[i].iov_len;
777
778 #if 0 /* For debugging structure padding. */
779 logerrx("psa.family %lu %zu", offsetof(struct ps_addr, psa_family), sizeof(psm.ps_id.psi_addr.psa_family));
780 logerrx("psa.pad %lu %zu", offsetof(struct ps_addr, psa_pad), sizeof(psm.ps_id.psi_addr.psa_pad));
781 logerrx("psa.psa_u %lu %zu", offsetof(struct ps_addr, psa_u), sizeof(psm.ps_id.psi_addr.psa_u));
782 logerrx("psa %zu", sizeof(psm.ps_id.psi_addr));
783
784 logerrx("psi.addr %lu %zu", offsetof(struct ps_id, psi_addr), sizeof(psm.ps_id.psi_addr));
785 logerrx("psi.index %lu %zu", offsetof(struct ps_id, psi_ifindex), sizeof(psm.ps_id.psi_ifindex));
786 logerrx("psi.cmd %lu %zu", offsetof(struct ps_id, psi_cmd), sizeof(psm.ps_id.psi_cmd));
787 logerrx("psi.pad %lu %zu", offsetof(struct ps_id, psi_pad), sizeof(psm.ps_id.psi_pad));
788 logerrx("psi %zu", sizeof(struct ps_id));
789
790 logerrx("ps_cmd %lu", offsetof(struct ps_msghdr, ps_cmd));
791 logerrx("ps_pad %lu %zu", offsetof(struct ps_msghdr, ps_pad), sizeof(psm.ps_pad));
792 logerrx("ps_flags %lu %zu", offsetof(struct ps_msghdr, ps_flags), sizeof(psm.ps_flags));
793
794 logerrx("ps_id %lu %zu", offsetof(struct ps_msghdr, ps_id), sizeof(psm.ps_id));
795
796 logerrx("ps_namelen %lu %zu", offsetof(struct ps_msghdr, ps_namelen), sizeof(psm.ps_namelen));
797 logerrx("ps_controllen %lu %zu", offsetof(struct ps_msghdr, ps_controllen), sizeof(psm.ps_controllen));
798 logerrx("ps_pad2 %lu %zu", offsetof(struct ps_msghdr, ps_pad2), sizeof(psm.ps_pad2));
799 logerrx("ps_datalen %lu %zu", offsetof(struct ps_msghdr, ps_datalen), sizeof(psm.ps_datalen));
800 logerrx("psm %zu", sizeof(psm));
801 #endif
802
803 return ps_sendpsmmsg(ctx, fd, &psm, msg);
804 }
805
806 ssize_t
807 ps_sendcmd(struct dhcpcd_ctx *ctx, int fd, uint16_t cmd, unsigned long flags,
808 const void *data, size_t len)
809 {
810 struct ps_msghdr psm = {
811 .ps_cmd = cmd,
812 .ps_flags = flags,
813 };
814 struct iovec iov[] = {
815 { .iov_base = UNCONST(data), .iov_len = len }
816 };
817 struct msghdr msg = {
818 .msg_iov = iov, .msg_iovlen = 1,
819 };
820
821 return ps_sendpsmmsg(ctx, fd, &psm, &msg);
822 }
823
824 static ssize_t
825 ps_sendcmdmsg(int fd, uint16_t cmd, const struct msghdr *msg)
826 {
827 struct ps_msghdr psm = { .ps_cmd = cmd };
828 uint8_t data[PS_BUFLEN], *p = data;
829 struct iovec iov[] = {
830 { .iov_base = &psm, .iov_len = sizeof(psm) },
831 { .iov_base = data, .iov_len = 0 },
832 };
833 size_t dl = sizeof(data);
834
835 if (msg->msg_namelen != 0) {
836 if (msg->msg_namelen > dl)
837 goto nobufs;
838 psm.ps_namelen = msg->msg_namelen;
839 memcpy(p, msg->msg_name, msg->msg_namelen);
840 p += msg->msg_namelen;
841 dl -= msg->msg_namelen;
842 }
843
844 if (msg->msg_controllen != 0) {
845 if (msg->msg_controllen > dl)
846 goto nobufs;
847 psm.ps_controllen = (socklen_t)msg->msg_controllen;
848 memcpy(p, msg->msg_control, msg->msg_controllen);
849 p += msg->msg_controllen;
850 dl -= msg->msg_controllen;
851 }
852
853 psm.ps_datalen = msg->msg_iov[0].iov_len;
854 if (psm.ps_datalen > dl)
855 goto nobufs;
856
857 iov[1].iov_len = psm.ps_namelen + psm.ps_controllen + psm.ps_datalen;
858 if (psm.ps_datalen != 0)
859 memcpy(p, msg->msg_iov[0].iov_base, psm.ps_datalen);
860 return writev(fd, iov, __arraycount(iov));
861
862 nobufs:
863 errno = ENOBUFS;
864 return -1;
865 }
866
867 ssize_t
868 ps_recvmsg(struct dhcpcd_ctx *ctx, int rfd, uint16_t cmd, int wfd)
869 {
870 struct sockaddr_storage ss = { .ss_family = AF_UNSPEC };
871 uint8_t controlbuf[sizeof(struct sockaddr_storage)] = { 0 };
872 uint8_t databuf[64 * 1024];
873 struct iovec iov[] = {
874 { .iov_base = databuf, .iov_len = sizeof(databuf) }
875 };
876 struct msghdr msg = {
877 .msg_name = &ss, .msg_namelen = sizeof(ss),
878 .msg_control = controlbuf, .msg_controllen = sizeof(controlbuf),
879 .msg_iov = iov, .msg_iovlen = 1,
880 };
881
882 ssize_t len = recvmsg(rfd, &msg, 0);
883
884 if (len == -1)
885 logerr("%s: recvmsg", __func__);
886 if (len == -1 || len == 0) {
887 if (ctx->options & DHCPCD_FORKED &&
888 !(ctx->options & DHCPCD_PRIVSEPROOT))
889 eloop_exit(ctx->eloop,
890 len == 0 ? EXIT_SUCCESS : EXIT_FAILURE);
891 return len;
892 }
893
894 iov[0].iov_len = (size_t)len;
895 len = ps_sendcmdmsg(wfd, cmd, &msg);
896 if (len == -1) {
897 logerr("ps_sendcmdmsg");
898 if (ctx->options & DHCPCD_FORKED &&
899 !(ctx->options & DHCPCD_PRIVSEPROOT))
900 eloop_exit(ctx->eloop, EXIT_FAILURE);
901 }
902 return len;
903 }
904
905 ssize_t
906 ps_recvpsmsg(struct dhcpcd_ctx *ctx, int fd,
907 ssize_t (*callback)(void *, struct ps_msghdr *, struct msghdr *),
908 void *cbctx)
909 {
910 struct ps_msg psm;
911 ssize_t len;
912 size_t dlen;
913 struct iovec iov[1];
914 struct msghdr msg = { .msg_iov = iov, .msg_iovlen = 1 };
915 bool stop = false;
916
917 len = read(fd, &psm, sizeof(psm));
918 #ifdef PRIVSEP_DEBUG
919 logdebugx("%s: %zd", __func__, len);
920 #endif
921
922 if (len == -1 || len == 0)
923 stop = true;
924 else {
925 dlen = (size_t)len;
926 if (dlen < sizeof(psm.psm_hdr)) {
927 errno = EINVAL;
928 return -1;
929 }
930
931 if (psm.psm_hdr.ps_cmd == PS_STOP) {
932 stop = true;
933 len = 0;
934 }
935 }
936
937 if (stop) {
938 #ifdef PRIVSEP_DEBUG
939 logdebugx("process %d stopping", getpid());
940 #endif
941 ps_free(ctx);
942 #ifdef PLUGIN_DEV
943 dev_stop(ctx);
944 #endif
945 eloop_exit(ctx->eloop, len != -1 ? EXIT_SUCCESS : EXIT_FAILURE);
946 return len;
947 }
948 dlen -= sizeof(psm.psm_hdr);
949
950 if (ps_unrollmsg(&msg, &psm.psm_hdr, psm.psm_data, dlen) == -1)
951 return -1;
952
953 if (callback == NULL)
954 return 0;
955
956 errno = 0;
957 return callback(cbctx, &psm.psm_hdr, &msg);
958 }
959
960 struct ps_process *
961 ps_findprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
962 {
963 struct ps_process *psp;
964
965 TAILQ_FOREACH(psp, &ctx->ps_processes, next) {
966 if (memcmp(&psp->psp_id, psid, sizeof(psp->psp_id)) == 0)
967 return psp;
968 }
969 errno = ESRCH;
970 return NULL;
971 }
972
973 struct ps_process *
974 ps_newprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
975 {
976 struct ps_process *psp;
977
978 psp = calloc(1, sizeof(*psp));
979 if (psp == NULL)
980 return NULL;
981 psp->psp_ctx = ctx;
982 memcpy(&psp->psp_id, psid, sizeof(psp->psp_id));
983 psp->psp_work_fd = -1;
984 TAILQ_INSERT_TAIL(&ctx->ps_processes, psp, next);
985 return psp;
986 }
987
988 void
989 ps_freeprocesses(struct dhcpcd_ctx *ctx, struct ps_process *notthis)
990 {
991 struct ps_process *psp, *psn;
992
993 TAILQ_FOREACH_SAFE(psp, &ctx->ps_processes, next, psn) {
994 if (psp == notthis)
995 continue;
996 ps_freeprocess(psp);
997 }
998 }
DragonFly BSD