1 /* SPDX-License-Identifier: BSD-2-Clause */
3 * Privilege Separation for dhcpcd
4 * Copyright (c) 2006-2023 Roy Marples <roy@marples.name>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * The current design is this:
31 * Spawn a priv process to carry out privileged actions and
32 * spawning unpriv process to initate network connections such as BPF
33 * or address specific listener.
34 * Spawn an unpriv process to send/receive common network data.
35 * Then drop all privs and start running.
36 * Every process aside from the privileged proxy is chrooted.
37 * All privsep processes ignore signals - only the manager process accepts them.
39 * dhcpcd will maintain the config file in the chroot, no need to handle
40 * this in a script or something.
43 #include <sys/resource.h>
44 #include <sys/socket.h>
46 #include <sys/types.h>
50 #include <net/if_dl.h>
59 #include <stddef.h> /* For offsetof, struct padding debug */
77 #include <sys/capsicum.h>
78 #include <sys/procdesc.h>
79 #include <capsicum_helpers.h>
85 /* CMSG_ALIGN is a Linux extension */
87 #define CMSG_ALIGN(n) (CMSG_SPACE((n)) - CMSG_SPACE(0))
90 /* Calculate number of padding bytes to achieve 'struct cmsghdr' alignment */
91 #define CALC_CMSG_PADLEN(has_cmsg, pos) \
92 ((has_cmsg) ? (socklen_t)(CMSG_ALIGN((pos)) - (pos)) : 0)
95 ps_init(struct dhcpcd_ctx
*ctx
)
101 if ((ctx
->ps_user
= pw
= getpwnam(PRIVSEP_USER
)) == NULL
) {
102 ctx
->options
&= ~DHCPCD_PRIVSEP
;
104 logerrx("no such user %s", PRIVSEP_USER
);
105 /* Just incase logerrx caused an error... */
112 if (stat(pw
->pw_dir
, &st
) == -1 || !S_ISDIR(st
.st_mode
)) {
113 ctx
->options
&= ~DHCPCD_PRIVSEP
;
114 logerrx("refusing chroot: %s: %s",
115 PRIVSEP_USER
, pw
->pw_dir
);
120 ctx
->options
|= DHCPCD_PRIVSEP
;
125 ps_dropprivs(struct dhcpcd_ctx
*ctx
)
127 struct passwd
*pw
= ctx
->ps_user
;
129 if (ctx
->options
& DHCPCD_LAUNCHER
)
130 logdebugx("chrooting as %s to %s", pw
->pw_name
, pw
->pw_dir
);
131 if (chroot(pw
->pw_dir
) == -1 &&
132 (errno
!= EPERM
|| ctx
->options
& DHCPCD_FORKED
))
133 logerr("%s: chroot: %s", __func__
, pw
->pw_dir
);
134 if (chdir("/") == -1)
135 logerr("%s: chdir: /", __func__
);
137 if ((setgroups(1, &pw
->pw_gid
) == -1 ||
138 setgid(pw
->pw_gid
) == -1 ||
139 setuid(pw
->pw_uid
) == -1) &&
140 (errno
!= EPERM
|| ctx
->options
& DHCPCD_FORKED
))
142 logerr("failed to drop privileges");
146 struct rlimit rzero
= { .rlim_cur
= 0, .rlim_max
= 0 };
148 /* Prohibit new files, sockets, etc */
150 * If poll(2) is called with nfds>RLIMIT_NOFILE then it returns EINVAL.
151 * We don't know the final value of nfds at this point *easily*.
152 * Sadly, this is a POSIX limitation and most platforms adhere to it.
153 * However, some are not that strict and are whitelisted below.
154 * Also, if we're not using poll then we can be restrictive.
156 * For the non whitelisted platforms there should be a sandbox to
157 * fallback to where we don't allow new files, etc:
158 * Linux:seccomp, FreeBSD:capsicum, OpenBSD:pledge
159 * Solaris users are sadly out of luck on both counts.
161 #if defined(__NetBSD__) || defined(__DragonFly__) || \
162 defined(HAVE_KQUEUE) || defined(HAVE_EPOLL)
163 /* The control proxy *does* need to create new fd's via accept(2). */
164 if (ctx
->ps_ctl
== NULL
|| ctx
->ps_ctl
->psp_pid
!= getpid()) {
165 if (setrlimit(RLIMIT_NOFILE
, &rzero
) == -1)
166 logerr("setrlimit RLIMIT_NOFILE");
170 #define DHC_NOCHKIO (DHCPCD_STARTED | DHCPCD_DAEMONISE)
171 /* Prohibit writing to files.
172 * Obviously this won't work if we are using a logfile
173 * or redirecting stderr to a file. */
174 if ((ctx
->options
& DHC_NOCHKIO
) == DHC_NOCHKIO
||
175 (ctx
->logfile
== NULL
&&
176 (!ctx
->stderr_valid
|| isatty(STDERR_FILENO
) == 1)))
178 if (setrlimit(RLIMIT_FSIZE
, &rzero
) == -1)
179 logerr("setrlimit RLIMIT_FSIZE");
184 if (setrlimit(RLIMIT_NPROC
, &rzero
) == -1)
185 logerr("setrlimit RLIMIT_NPROC");
192 ps_setbuf0(int fd
, int ctl
, int minlen
)
198 if (getsockopt(fd
, SOL_SOCKET
, ctl
, &len
, &slen
) == -1)
207 return setsockopt(fd
, SOL_SOCKET
, ctl
, &minlen
, sizeof(minlen
));
213 /* Ensure we can receive a fully sized privsep message.
214 * Double the send buffer. */
215 int minlen
= (int)sizeof(struct ps_msg
);
217 if (ps_setbuf0(fd
, SO_RCVBUF
, minlen
) == -1 ||
218 ps_setbuf0(fd
, SO_SNDBUF
, minlen
* 2) == -1)
227 ps_setbuf_fdpair(int fd
[])
230 if (ps_setbuf(fd
[0]) == -1 || ps_setbuf(fd
[1]) == -1)
235 #ifdef PRIVSEP_RIGHTS
237 ps_rights_limit_ioctl(int fd
)
241 cap_rights_init(&rights
, CAP_IOCTL
);
242 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
248 ps_rights_limit_fd_fctnl(int fd
)
252 cap_rights_init(&rights
, CAP_READ
, CAP_WRITE
, CAP_EVENT
,
253 CAP_ACCEPT
, CAP_FCNTL
);
254 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
260 ps_rights_limit_fd(int fd
)
264 cap_rights_init(&rights
, CAP_READ
, CAP_WRITE
, CAP_EVENT
, CAP_SHUTDOWN
);
265 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
271 ps_rights_limit_fd_sockopt(int fd
)
275 cap_rights_init(&rights
, CAP_READ
, CAP_WRITE
, CAP_EVENT
,
276 CAP_GETSOCKOPT
, CAP_SETSOCKOPT
);
277 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
283 ps_rights_limit_fd_rdonly(int fd
)
287 cap_rights_init(&rights
, CAP_READ
, CAP_EVENT
);
288 if (cap_rights_limit(fd
, &rights
) == -1 && errno
!= ENOSYS
)
294 ps_rights_limit_fdpair(int fd
[])
297 if (ps_rights_limit_fd(fd
[0]) == -1 || ps_rights_limit_fd(fd
[1]) == -1)
303 ps_rights_limit_stdio(struct dhcpcd_ctx
*ctx
)
305 const int iebadf
= CAPH_IGNORE_EBADF
;
308 if (ctx
->stdin_valid
&&
309 caph_limit_stream(STDIN_FILENO
, CAPH_READ
| iebadf
) == -1)
311 if (ctx
->stdout_valid
&&
312 caph_limit_stream(STDOUT_FILENO
, CAPH_WRITE
| iebadf
) == -1)
314 if (ctx
->stderr_valid
&&
315 caph_limit_stream(STDERR_FILENO
, CAPH_WRITE
| iebadf
) == -1)
324 ps_processhangup(void *arg
, unsigned short events
)
326 struct ps_process
*psp
= arg
;
327 struct dhcpcd_ctx
*ctx
= psp
->psp_ctx
;
329 if (!(events
& ELE_HANGUP
))
330 logerrx("%s: unexpected event 0x%04x", __func__
, events
);
332 logdebugx("%s%s%s exited from PID %d",
333 psp
->psp_ifname
, psp
->psp_ifname
[0] != '\0' ? ": " : "",
334 psp
->psp_name
, psp
->psp_pid
);
338 if (!(ctx
->options
& DHCPCD_EXITING
))
340 if (!(ps_waitforprocs(ctx
)))
341 eloop_exit(ctx
->ps_eloop
, EXIT_SUCCESS
);
346 ps_startprocess(struct ps_process
*psp
,
347 void (*recv_msg
)(void *, unsigned short),
348 void (*recv_unpriv_msg
)(void *, unsigned short),
349 int (*callback
)(struct ps_process
*), void (*signal_cb
)(int, void *),
352 struct dhcpcd_ctx
*ctx
= psp
->psp_ctx
;
356 if (xsocketpair(AF_UNIX
, SOCK_SEQPACKET
| SOCK_CXNB
, 0, fd
) == -1) {
357 logerr("%s: socketpair", __func__
);
360 if (ps_setbuf_fdpair(fd
) == -1) {
361 logerr("%s: ps_setbuf_fdpair", __func__
);
364 #ifdef PRIVSEP_RIGHTS
365 if (ps_rights_limit_fdpair(fd
) == -1) {
366 logerr("%s: ps_rights_limit_fdpair", __func__
);
372 pid
= pdfork(&psp
->psp_pfd
, PD_CLOEXEC
);
385 psp
->psp_pid
= getpid();
393 if (recv_unpriv_msg
== NULL
)
395 else if (eloop_event_add(ctx
->eloop
, psp
->psp_fd
, ELE_READ
,
396 recv_unpriv_msg
, psp
) == -1)
398 logerr("%s: eloop_event_add fd %d",
399 __func__
, psp
->psp_fd
);
403 if (eloop_event_add(ctx
->eloop
, psp
->psp_pfd
, ELE_HANGUP
,
404 ps_processhangup
, psp
) == -1)
406 logerr("%s: eloop_event_add pfd %d",
407 __func__
, psp
->psp_pfd
);
411 psp
->psp_started
= true;
417 /* If we are not the root process, stop listening to devices. */
418 if (ctx
->ps_root
!= psp
)
422 ctx
->options
|= DHCPCD_FORKED
;
423 if (ctx
->ps_log_fd
!= -1)
424 logsetfd(ctx
->ps_log_fd
);
425 eloop_clear(ctx
->eloop
, -1);
426 eloop_forked(ctx
->eloop
);
427 eloop_signal_set_cb(ctx
->eloop
,
428 dhcpcd_signals
, dhcpcd_signals_len
, signal_cb
, ctx
);
429 /* ctx->sigset aready has the initial sigmask set in main() */
430 if (eloop_signal_mask(ctx
->eloop
, NULL
) == -1) {
431 logerr("%s: eloop_signal_mask", __func__
);
435 if (ctx
->fork_fd
!= -1) {
436 /* Already removed from eloop thanks to above clear. */
441 /* This process has no need of the blocking inner eloop. */
442 if (!(flags
& PSF_ELOOP
)) {
443 eloop_free(ctx
->ps_eloop
);
444 ctx
->ps_eloop
= NULL
;
446 eloop_forked(ctx
->ps_eloop
);
449 ps_freeprocesses(ctx
, psp
);
451 if (ctx
->ps_root
!= psp
) {
452 ctx
->options
&= ~DHCPCD_PRIVSEPROOT
;
454 if (ctx
->ps_log_root_fd
!= -1) {
455 /* Already removed from eloop thanks to above clear. */
456 close(ctx
->ps_log_root_fd
);
457 ctx
->ps_log_root_fd
= -1;
459 #ifdef PRIVSEP_RIGHTS
460 if (ps_rights_limit_stdio(ctx
) == -1) {
461 logerr("ps_rights_limit_stdio");
467 if (ctx
->ps_inet
!= psp
)
469 if (ctx
->ps_ctl
!= psp
)
475 ssize_t xx
= recv(psp
->psp_fd
, buf
, sizeof(buf
), MSG_PEEK
);
476 logerr("pid %d test fd %d recv peek %zd", getpid(), psp
->psp_fd
, xx
);
479 if (eloop_event_add(ctx
->eloop
, psp
->psp_fd
, ELE_READ
,
480 recv_msg
, psp
) == -1)
482 logerr("%d %s: eloop_event_add XX fd %d", getpid(), __func__
, psp
->psp_fd
);
486 if (callback(psp
) == -1)
489 if (flags
& PSF_DROPPRIVS
)
492 psp
->psp_started
= true;
496 if (psp
->psp_fd
!= -1) {
500 eloop_exit(ctx
->eloop
, EXIT_FAILURE
);
505 ps_process_timeout(void *arg
)
507 struct dhcpcd_ctx
*ctx
= arg
;
509 logerrx("%s: timed out", __func__
);
510 eloop_exit(ctx
->eloop
, EXIT_FAILURE
);
514 ps_stopprocess(struct ps_process
*psp
)
521 psp
->psp_started
= false;
524 logdebugx("%s: me=%d pid=%d fd=%d %s", __func__
,
525 getpid(), psp
->psp_pid
, psp
->psp_fd
, psp
->psp_name
);
528 if (psp
->psp_fd
!= -1) {
529 eloop_event_delete(psp
->psp_ctx
->eloop
, psp
->psp_fd
);
531 if (ps_sendcmd(psp
->psp_ctx
, psp
->psp_fd
, PS_STOP
, 0,
534 logerr("%d %d %s %s", getpid(), psp
->psp_pid
, psp
->psp_name
, __func__
);
537 shutdown(psp
->psp_fd
, SHUT_WR
);
539 if (shutdown(psp
->psp_fd
, SHUT_WR
) == -1) {
547 /* Don't wait for the process as it may not respond to the shutdown
548 * request. We'll reap the process on receipt of SIGCHLD. */
553 ps_start(struct dhcpcd_ctx
*ctx
)
557 TAILQ_INIT(&ctx
->ps_processes
);
559 /* We need an inner eloop to block with. */
560 if ((ctx
->ps_eloop
= eloop_new()) == NULL
)
562 eloop_signal_set_cb(ctx
->ps_eloop
,
563 dhcpcd_signals
, dhcpcd_signals_len
,
564 dhcpcd_signal_cb
, ctx
);
566 switch (pid
= ps_root_start(ctx
)) {
568 logerr("ps_root_start");
573 logdebugx("spawned privileged proxy on PID %d", pid
);
576 /* No point in spawning the generic network listener if we're
577 * not going to use it. */
578 if (!ps_inet_canstart(ctx
))
581 switch (pid
= ps_inet_start(ctx
)) {
587 logdebugx("spawned network proxy on PID %d", pid
);
591 if (!(ctx
->options
& DHCPCD_TEST
)) {
592 switch (pid
= ps_ctl_start(ctx
)) {
598 logdebugx("spawned controller proxy on PID %d", pid
);
603 /* Seed the random number generator early incase it needs /dev/urandom
604 * which won't be available in the chroot. */
612 ps_entersandbox(const char *_pledge
, const char **sandbox
)
615 #if !defined(HAVE_PLEDGE)
619 #if defined(HAVE_CAPSICUM)
621 *sandbox
= "capsicum";
623 #elif defined(HAVE_PLEDGE)
626 return pledge(_pledge
, NULL
);
627 #elif defined(HAVE_SECCOMP)
629 *sandbox
= "seccomp";
630 return ps_seccomp_enter();
633 *sandbox
= "posix resource limited";
639 ps_managersandbox(struct dhcpcd_ctx
*ctx
, const char *_pledge
)
641 const char *sandbox
= NULL
;
645 forked
= ctx
->options
& DHCPCD_FORKED
;
646 ctx
->options
&= ~DHCPCD_FORKED
;
647 dropped
= ps_dropprivs(ctx
);
649 ctx
->options
|= DHCPCD_FORKED
;
652 * If we don't have a root process, we cannot use syslog.
653 * If it cannot be opened before chrooting then syslog(3) will fail.
654 * openlog(3) does not return an error which doubly sucks.
656 if (ctx
->ps_root
== NULL
) {
657 unsigned int logopts
= loggetopts();
659 logopts
&= ~LOGERR_LOG
;
664 logerr("%s: ps_dropprivs", __func__
);
668 #ifdef PRIVSEP_RIGHTS
669 if ((ctx
->pf_inet_fd
!= -1 &&
670 ps_rights_limit_ioctl(ctx
->pf_inet_fd
) == -1) ||
671 ps_rights_limit_stdio(ctx
) == -1)
673 logerr("%s: cap_rights_limit", __func__
);
680 if (ps_entersandbox(_pledge
, &sandbox
) == -1) {
681 if (errno
== ENOSYS
) {
683 logwarnx("sandbox unavailable: %s", sandbox
);
686 logerr("%s: %s", __func__
, sandbox
);
688 } else if (ctx
->options
& DHCPCD_LAUNCHER
||
689 ((!(ctx
->options
& DHCPCD_DAEMONISE
)) &&
690 ctx
->options
& DHCPCD_MANAGER
))
691 logdebugx("sandbox: %s", sandbox
);
696 ps_stop(struct dhcpcd_ctx
*ctx
)
700 if (!(ctx
->options
& DHCPCD_PRIVSEP
) ||
701 ctx
->options
& DHCPCD_FORKED
||
705 if (ctx
->ps_ctl
!= NULL
) {
706 r
= ps_ctl_stop(ctx
);
711 if (ctx
->ps_inet
!= NULL
) {
712 r
= ps_inet_stop(ctx
);
717 if (ctx
->ps_root
!= NULL
) {
718 if (ps_root_stopprocesses(ctx
) == -1)
726 ps_waitforprocs(struct dhcpcd_ctx
*ctx
)
728 struct ps_process
*psp
= TAILQ_FIRST(&ctx
->ps_processes
);
733 /* Different processes */
734 if (psp
!= TAILQ_LAST(&ctx
->ps_processes
, ps_process_head
))
737 return !psp
->psp_started
;
741 ps_stopwait(struct dhcpcd_ctx
*ctx
)
743 int error
= EXIT_SUCCESS
;
745 if (ctx
->ps_eloop
== NULL
|| !ps_waitforprocs(ctx
))
748 ctx
->options
|= DHCPCD_EXITING
;
749 if (eloop_timeout_add_sec(ctx
->ps_eloop
, PS_PROCESS_TIMEOUT
,
750 ps_process_timeout
, ctx
) == -1)
751 logerr("%s: eloop_timeout_add_sec", __func__
);
752 eloop_enter(ctx
->ps_eloop
);
755 struct ps_process
*psp
;
757 TAILQ_FOREACH(psp
, &ctx
->ps_processes
, next
) {
758 if (psp
->psp_pfd
== -1)
760 if (eloop_event_add(ctx
->ps_eloop
, psp
->psp_pfd
,
761 ELE_HANGUP
, ps_processhangup
, psp
) == -1)
762 logerr("%s: eloop_event_add pfd %d",
763 __func__
, psp
->psp_pfd
);
767 error
= eloop_start(ctx
->ps_eloop
, &ctx
->sigset
);
768 if (error
!= EXIT_SUCCESS
)
769 logerr("%s: eloop_start", __func__
);
771 eloop_timeout_delete(ctx
->ps_eloop
, ps_process_timeout
, ctx
);
777 ps_freeprocess(struct ps_process
*psp
)
779 struct dhcpcd_ctx
*ctx
= psp
->psp_ctx
;
781 TAILQ_REMOVE(&ctx
->ps_processes
, psp
, next
);
783 if (psp
->psp_fd
!= -1) {
784 eloop_event_delete(ctx
->eloop
, psp
->psp_fd
);
787 if (psp
->psp_work_fd
!= -1) {
788 eloop_event_delete(ctx
->eloop
, psp
->psp_work_fd
);
789 close(psp
->psp_work_fd
);
792 if (psp
->psp_pfd
!= -1) {
793 eloop_event_delete(ctx
->eloop
, psp
->psp_pfd
);
794 if (ctx
->ps_eloop
!= NULL
)
795 eloop_event_delete(ctx
->ps_eloop
, psp
->psp_pfd
);
799 if (ctx
->ps_root
== psp
)
801 if (ctx
->ps_inet
== psp
)
803 if (ctx
->ps_ctl
== psp
)
806 if (psp
->psp_bpf
!= NULL
)
807 bpf_close(psp
->psp_bpf
);
813 ps_free(struct dhcpcd_ctx
*ctx
)
815 struct ps_process
*ppsp
, *psp
;
818 if (ctx
->ps_root
!= NULL
)
820 else if (ctx
->ps_ctl
!= NULL
)
825 stop
= ppsp
->psp_pid
== getpid();
829 while ((psp
= TAILQ_FIRST(&ctx
->ps_processes
)) != NULL
) {
830 if (stop
&& psp
!= ppsp
)
837 ps_unrollmsg(struct msghdr
*msg
, struct ps_msghdr
*psm
,
838 const void *data
, size_t len
)
840 uint8_t *datap
, *namep
, *controlp
;
841 socklen_t cmsg_padlen
=
842 CALC_CMSG_PADLEN(psm
->ps_controllen
, psm
->ps_namelen
);
844 namep
= UNCONST(data
);
845 controlp
= namep
+ psm
->ps_namelen
+ cmsg_padlen
;
846 datap
= controlp
+ psm
->ps_controllen
;
848 if (psm
->ps_namelen
!= 0) {
849 if (psm
->ps_namelen
> len
) {
853 msg
->msg_name
= namep
;
854 len
-= psm
->ps_namelen
;
856 msg
->msg_name
= NULL
;
857 msg
->msg_namelen
= psm
->ps_namelen
;
859 if (psm
->ps_controllen
!= 0) {
860 if (psm
->ps_controllen
> len
) {
864 msg
->msg_control
= controlp
;
865 len
-= psm
->ps_controllen
+ cmsg_padlen
;
867 msg
->msg_control
= NULL
;
868 msg
->msg_controllen
= psm
->ps_controllen
;
872 msg
->msg_iov
[0].iov_base
= datap
;
873 msg
->msg_iov
[0].iov_len
= len
;
876 msg
->msg_iov
[0].iov_base
= NULL
;
877 msg
->msg_iov
[0].iov_len
= 0;
883 ps_sendpsmmsg(struct dhcpcd_ctx
*ctx
, int fd
,
884 struct ps_msghdr
*psm
, const struct msghdr
*msg
)
886 long padding
[1] = { 0 };
887 struct iovec iov
[] = {
888 { .iov_base
= UNCONST(psm
), .iov_len
= sizeof(*psm
) },
889 { .iov_base
= NULL
, }, /* name */
890 { .iov_base
= NULL
, }, /* control padding */
891 { .iov_base
= NULL
, }, /* control */
892 { .iov_base
= NULL
, }, /* payload 1 */
893 { .iov_base
= NULL
, }, /* payload 2 */
894 { .iov_base
= NULL
, }, /* payload 3 */
900 struct iovec
*iovp
= &iov
[1];
902 socklen_t cmsg_padlen
;
904 psm
->ps_namelen
= msg
->msg_namelen
;
905 psm
->ps_controllen
= (socklen_t
)msg
->msg_controllen
;
907 iovp
->iov_base
= msg
->msg_name
;
908 iovp
->iov_len
= msg
->msg_namelen
;
912 CALC_CMSG_PADLEN(msg
->msg_controllen
, msg
->msg_namelen
);
913 assert(cmsg_padlen
<= sizeof(padding
));
914 iovp
->iov_len
= cmsg_padlen
;
915 iovp
->iov_base
= cmsg_padlen
!= 0 ? padding
: NULL
;
918 iovp
->iov_base
= msg
->msg_control
;
919 iovp
->iov_len
= msg
->msg_controllen
;
922 for (i
= 0; i
< (int)msg
->msg_iovlen
; i
++) {
923 if ((size_t)(iovlen
+ i
) > __arraycount(iov
)) {
928 iovp
->iov_base
= msg
->msg_iov
[i
].iov_base
;
929 iovp
->iov_len
= msg
->msg_iov
[i
].iov_len
;
935 len
= writev(fd
, iov
, iovlen
);
937 if (ctx
->options
& DHCPCD_FORKED
&&
938 !(ctx
->options
& DHCPCD_PRIVSEPROOT
))
939 eloop_exit(ctx
->eloop
, EXIT_FAILURE
);
945 ps_sendpsmdata(struct dhcpcd_ctx
*ctx
, int fd
,
946 struct ps_msghdr
*psm
, const void *data
, size_t len
)
948 struct iovec iov
[] = {
949 { .iov_base
= UNCONST(data
), .iov_len
= len
},
951 struct msghdr msg
= {
952 .msg_iov
= iov
, .msg_iovlen
= 1,
955 return ps_sendpsmmsg(ctx
, fd
, psm
, &msg
);
960 ps_sendmsg(struct dhcpcd_ctx
*ctx
, int fd
, uint16_t cmd
, unsigned long flags
,
961 const struct msghdr
*msg
)
963 struct ps_msghdr psm
= {
966 .ps_namelen
= msg
->msg_namelen
,
967 .ps_controllen
= (socklen_t
)msg
->msg_controllen
,
971 for (i
= 0; i
< (size_t)msg
->msg_iovlen
; i
++)
972 psm
.ps_datalen
+= msg
->msg_iov
[i
].iov_len
;
974 #if 0 /* For debugging structure padding. */
975 logerrx("psa.family %lu %zu", offsetof(struct ps_addr
, psa_family
), sizeof(psm
.ps_id
.psi_addr
.psa_family
));
976 logerrx("psa.pad %lu %zu", offsetof(struct ps_addr
, psa_pad
), sizeof(psm
.ps_id
.psi_addr
.psa_pad
));
977 logerrx("psa.psa_u %lu %zu", offsetof(struct ps_addr
, psa_u
), sizeof(psm
.ps_id
.psi_addr
.psa_u
));
978 logerrx("psa %zu", sizeof(psm
.ps_id
.psi_addr
));
980 logerrx("psi.addr %lu %zu", offsetof(struct ps_id
, psi_addr
), sizeof(psm
.ps_id
.psi_addr
));
981 logerrx("psi.index %lu %zu", offsetof(struct ps_id
, psi_ifindex
), sizeof(psm
.ps_id
.psi_ifindex
));
982 logerrx("psi.cmd %lu %zu", offsetof(struct ps_id
, psi_cmd
), sizeof(psm
.ps_id
.psi_cmd
));
983 logerrx("psi.pad %lu %zu", offsetof(struct ps_id
, psi_pad
), sizeof(psm
.ps_id
.psi_pad
));
984 logerrx("psi %zu", sizeof(struct ps_id
));
986 logerrx("ps_cmd %lu", offsetof(struct ps_msghdr
, ps_cmd
));
987 logerrx("ps_pad %lu %zu", offsetof(struct ps_msghdr
, ps_pad
), sizeof(psm
.ps_pad
));
988 logerrx("ps_flags %lu %zu", offsetof(struct ps_msghdr
, ps_flags
), sizeof(psm
.ps_flags
));
990 logerrx("ps_id %lu %zu", offsetof(struct ps_msghdr
, ps_id
), sizeof(psm
.ps_id
));
992 logerrx("ps_namelen %lu %zu", offsetof(struct ps_msghdr
, ps_namelen
), sizeof(psm
.ps_namelen
));
993 logerrx("ps_controllen %lu %zu", offsetof(struct ps_msghdr
, ps_controllen
), sizeof(psm
.ps_controllen
));
994 logerrx("ps_pad2 %lu %zu", offsetof(struct ps_msghdr
, ps_pad2
), sizeof(psm
.ps_pad2
));
995 logerrx("ps_datalen %lu %zu", offsetof(struct ps_msghdr
, ps_datalen
), sizeof(psm
.ps_datalen
));
996 logerrx("psm %zu", sizeof(psm
));
999 return ps_sendpsmmsg(ctx
, fd
, &psm
, msg
);
1003 ps_sendcmd(struct dhcpcd_ctx
*ctx
, int fd
, uint16_t cmd
, unsigned long flags
,
1004 const void *data
, size_t len
)
1006 struct ps_msghdr psm
= {
1010 struct iovec iov
[] = {
1011 { .iov_base
= UNCONST(data
), .iov_len
= len
}
1013 struct msghdr msg
= {
1014 .msg_iov
= iov
, .msg_iovlen
= 1,
1017 return ps_sendpsmmsg(ctx
, fd
, &psm
, &msg
);
1021 ps_sendcmdmsg(int fd
, uint16_t cmd
, const struct msghdr
*msg
)
1023 struct ps_msghdr psm
= { .ps_cmd
= cmd
};
1024 uint8_t data
[PS_BUFLEN
], *p
= data
;
1025 struct iovec iov
[] = {
1026 { .iov_base
= &psm
, .iov_len
= sizeof(psm
) },
1027 { .iov_base
= data
, .iov_len
= 0 },
1029 size_t dl
= sizeof(data
);
1030 socklen_t cmsg_padlen
=
1031 CALC_CMSG_PADLEN(msg
->msg_controllen
, msg
->msg_namelen
);
1033 if (msg
->msg_namelen
!= 0) {
1034 if (msg
->msg_namelen
> dl
)
1036 psm
.ps_namelen
= msg
->msg_namelen
;
1037 memcpy(p
, msg
->msg_name
, msg
->msg_namelen
);
1038 p
+= msg
->msg_namelen
;
1039 dl
-= msg
->msg_namelen
;
1042 if (msg
->msg_controllen
!= 0) {
1043 if (msg
->msg_controllen
+ cmsg_padlen
> dl
)
1045 if (cmsg_padlen
!= 0) {
1046 memset(p
, 0, cmsg_padlen
);
1050 psm
.ps_controllen
= (socklen_t
)msg
->msg_controllen
;
1051 memcpy(p
, msg
->msg_control
, msg
->msg_controllen
);
1052 p
+= msg
->msg_controllen
;
1053 dl
-= msg
->msg_controllen
;
1056 psm
.ps_datalen
= msg
->msg_iov
[0].iov_len
;
1057 if (psm
.ps_datalen
> dl
)
1061 psm
.ps_namelen
+ psm
.ps_controllen
+ psm
.ps_datalen
+ cmsg_padlen
;
1062 if (psm
.ps_datalen
!= 0)
1063 memcpy(p
, msg
->msg_iov
[0].iov_base
, psm
.ps_datalen
);
1064 return writev(fd
, iov
, __arraycount(iov
));
1072 ps_recvmsg(int rfd
, unsigned short events
, uint16_t cmd
, int wfd
)
1074 struct sockaddr_storage ss
= { .ss_family
= AF_UNSPEC
};
1075 uint8_t controlbuf
[sizeof(struct sockaddr_storage
)] = { 0 };
1076 uint8_t databuf
[64 * 1024];
1077 struct iovec iov
[] = {
1078 { .iov_base
= databuf
, .iov_len
= sizeof(databuf
) }
1080 struct msghdr msg
= {
1081 .msg_name
= &ss
, .msg_namelen
= sizeof(ss
),
1082 .msg_control
= controlbuf
, .msg_controllen
= sizeof(controlbuf
),
1083 .msg_iov
= iov
, .msg_iovlen
= 1,
1087 if (!(events
& ELE_READ
))
1088 logerrx("%s: unexpected event 0x%04x", __func__
, events
);
1090 len
= recvmsg(rfd
, &msg
, 0);
1092 logerr("%s: recvmsg", __func__
);
1096 iov
[0].iov_len
= (size_t)len
;
1097 len
= ps_sendcmdmsg(wfd
, cmd
, &msg
);
1099 logerr("%s: ps_sendcmdmsg", __func__
);
1104 ps_recvpsmsg(struct dhcpcd_ctx
*ctx
, int fd
, unsigned short events
,
1105 ssize_t (*callback
)(void *, struct ps_msghdr
*, struct msghdr
*),
1111 struct iovec iov
[1];
1112 struct msghdr msg
= { .msg_iov
= iov
, .msg_iovlen
= 1 };
1115 if (!(events
& ELE_READ
))
1116 logerrx("%s: unexpected event 0x%04x", __func__
, events
);
1118 len
= read(fd
, &psm
, sizeof(psm
));
1119 #ifdef PRIVSEP_DEBUG
1120 logdebugx("%s: %zd", __func__
, len
);
1123 if (len
== -1 || len
== 0)
1127 if (dlen
< sizeof(psm
.psm_hdr
)) {
1132 if (psm
.psm_hdr
.ps_cmd
== PS_STOP
) {
1139 ctx
->options
|= DHCPCD_EXITING
;
1140 #ifdef PRIVSEP_DEBUG
1141 logdebugx("process %d stopping", getpid());
1144 eloop_exit(ctx
->eloop
, len
!= -1 ? EXIT_SUCCESS
: EXIT_FAILURE
);
1147 dlen
-= sizeof(psm
.psm_hdr
);
1149 if (ps_unrollmsg(&msg
, &psm
.psm_hdr
, psm
.psm_data
, dlen
) == -1)
1152 if (callback
== NULL
)
1156 return callback(cbctx
, &psm
.psm_hdr
, &msg
);
1160 ps_findprocess(struct dhcpcd_ctx
*ctx
, struct ps_id
*psid
)
1162 struct ps_process
*psp
;
1164 TAILQ_FOREACH(psp
, &ctx
->ps_processes
, next
) {
1165 if (!(psp
->psp_started
))
1167 if (memcmp(&psp
->psp_id
, psid
, sizeof(psp
->psp_id
)) == 0)
1175 ps_findprocesspid(struct dhcpcd_ctx
*ctx
, pid_t pid
)
1177 struct ps_process
*psp
;
1179 TAILQ_FOREACH(psp
, &ctx
->ps_processes
, next
) {
1180 if (psp
->psp_pid
== pid
)
1188 ps_newprocess(struct dhcpcd_ctx
*ctx
, struct ps_id
*psid
)
1190 struct ps_process
*psp
;
1192 psp
= calloc(1, sizeof(*psp
));
1196 memcpy(&psp
->psp_id
, psid
, sizeof(psp
->psp_id
));
1197 psp
->psp_work_fd
= -1;
1198 #ifdef HAVE_CAPSICUM
1202 if (!(ctx
->options
& DHCPCD_MANAGER
))
1203 strlcpy(psp
->psp_ifname
, ctx
->ifv
[0], sizeof(psp
->psp_name
));
1204 TAILQ_INSERT_TAIL(&ctx
->ps_processes
, psp
, next
);
1209 ps_freeprocesses(struct dhcpcd_ctx
*ctx
, struct ps_process
*notthis
)
1211 struct ps_process
*psp
, *psn
;
1213 TAILQ_FOREACH_SAFE(psp
, &ctx
->ps_processes
, next
, psn
) {
1216 ps_freeprocess(psp
);