#include "logerr.h"
#include "privsep.h"
-#ifdef HAVE_CAPSICUM
-#include <sys/capsicum.h>
-#endif
-
static void
ps_bpf_recvbpf(void *arg)
{
ps_freeprocess(psp);
return -1;
case 0:
-#ifdef HAVE_CAPSICUM
- if (cap_enter() == -1 && errno != ENOSYS)
- logerr("%s: cap_enter", __func__);
-#endif
-#ifdef HAVE_PLEDGE
- if (pledge("stdio", NULL) == -1)
- logerr("%s: pledge", __func__);
-#endif
+ ps_entersandbox("stdio");
break;
default:
#ifdef PRIVSEP_DEBUG
#include "logerr.h"
#include "privsep.h"
-#ifdef HAVE_CAPSICUM
-#include <sys/capsicum.h>
-#endif
-
static int
ps_ctl_startcb(void *arg)
{
ps_ctl_listen, ctx) == -1)
return -1;
-#ifdef HAVE_CAPSICUM
- if (cap_enter() == -1 && errno != ENOSYS)
- logerr("%s: cap_enter", __func__);
-#endif
-#ifdef HAVE_PLEDGE
- if (pledge("stdio inet", NULL) == -1)
- logerr("%s: pledge", __func__);
-#endif
+ ps_entersandbox("stdio inet");
return 0;
}
#include "logerr.h"
#include "privsep.h"
-#ifdef HAVE_CAPSICUM
-#include <sys/capsicum.h>
-#endif
-
#ifdef INET
static void
ps_inet_recvbootp(void *arg)
ps_inet_startcb, NULL,
PSF_DROPPRIVS);
-#ifdef HAVE_CAPSICUM
- if (pid == 0 && cap_enter() == -1 && errno != ENOSYS)
- logerr("%s: cap_enter", __func__);
-#endif
-#ifdef HAVE_PLEDGE
- if (pid == 0 && pledge("stdio", NULL) == -1)
- logerr("%s: pledge", __func__);
-#endif
+ if (pid == 0)
+ ps_entersandbox("stdio");
return pid;
}
ps_freeprocess(psp);
return -1;
case 0:
-#ifdef HAVE_CAPSICUM
- if (cap_enter() == -1 && errno != ENOSYS)
- logerr("%s: cap_enter", __func__);
-#endif
-#ifdef HAVE_PLEDGE
- if (pledge("stdio", NULL) == -1)
- logerr("%s: pledge", __func__);
-#endif
+ ps_entersandbox("stdio");
break;
default:
break;
return 1;
}
+int
+ps_entersandbox(const char *_pledge)
+{
+
+#ifdef HAVE_CAPSICUM
+ if (cap_enter() == -1 && errno != ENOSYS) {
+ logerr("%s: cap_enter", __func__);
+ return -1;
+ }
+#endif
+#ifdef HAVE_PLEDGE
+ if (pledge(_pledge, NULL) == -1) {
+ logerr("%s: pledge", __func__);
+ return -1;
+ }
+#else
+ UNUSED(_pledge);
+#endif
+
+ return 0;
+}
+
int
ps_mastersandbox(struct dhcpcd_ctx *ctx)
{
return -1;
}
#endif
-#ifdef HAVE_CAPSICUM
- if (cap_enter() == -1 && errno != ENOSYS) {
- logerr("%s: cap_enter", __func__);
- return -1;
- }
-#endif
-#ifdef HAVE_PLEDGE
- if (pledge("stdio route", NULL) == -1) {
- logerr("%s: pledge", __func__);
- return -1;
- }
-#endif
- return 0;
+ return ps_entersandbox("stdio route");
}
int
#define IN_PRIVSEP_SE(ctx) \
(((ctx)->options & (DHCPCD_PRIVSEP | DHCPCD_FORKED)) == DHCPCD_PRIVSEP)
-
#if defined(PRIVSEP) && defined(HAVE_CAPSICUM)
#define PRIVSEP_RIGHTS
#endif
int ps_init(struct dhcpcd_ctx *);
int ps_start(struct dhcpcd_ctx *);
int ps_stop(struct dhcpcd_ctx *);
+int ps_entersandbox(const char *);
int ps_mastersandbox(struct dhcpcd_ctx *);
int ps_unrollmsg(struct msghdr *, struct ps_msghdr *, const void *, size_t);
/* Internal privsep functions. */
int ps_setbuf_fdpair(int []);
+
#ifdef PRIVSEP_RIGHTS
int ps_rights_limit_ioctl(int);
int ps_rights_limit_fd_fctnl(int);
int ps_rights_limit_fd(int);
int ps_rights_limit_fdpair(int []);
#endif
+
pid_t ps_dostart(struct dhcpcd_ctx * ctx,
pid_t *priv_pid, int *priv_fd,
void (*recv_msg)(void *), void (*recv_unpriv_msg),
projects / people / ms / dhcpcd.git / commitdiff
