privsep: Log if the platform sandbox is unavailable or available

This is kinda important.

diff --git a/src/privsep-bpf.c b/src/privsep-bpf.c
index 9009083e5c01d261e2af864c3a2438ca8e6413e0..6607267a639194bd384559e27b713e213714d90b 100644 (file)
--- a/src/privsep-bpf.c
+++ b/src/privsep-bpf.c
@@ -240,7 +240,7 @@ ps_bpf_cmd(struct dhcpcd_ctx *ctx, struct ps_msghdr *psm, struct msghdr *msg)
                ps_freeprocess(psp);
                return -1;
        case 0:
-               ps_entersandbox("stdio");
+               ps_entersandbox("stdio", NULL);
                break;
        default:
 #ifdef PRIVSEP_DEBUG

diff --git a/src/privsep-control.c b/src/privsep-control.c
index 8d8534dcb15c59d53f3122c367187e6b91dded1f..52b3342e49a10361f24adb5b534016263f428c99 100644 (file)
--- a/src/privsep-control.c
+++ b/src/privsep-control.c
@@ -263,7 +263,7 @@ ps_ctl_start(struct dhcpcd_ctx *ctx)
            ps_ctl_listen, ctx) == -1)
                return -1;
 
-       ps_entersandbox("stdio inet");
+       ps_entersandbox("stdio inet", NULL);
        return 0;
 }
 

diff --git a/src/privsep-inet.c b/src/privsep-inet.c
index bac3a7b11f0335f615a139938279d74487c4e921..81487f6319ce3897060501e6c814f1e22f1c115a 100644 (file)
--- a/src/privsep-inet.c
+++ b/src/privsep-inet.c
@@ -334,7 +334,7 @@ ps_inet_start(struct dhcpcd_ctx *ctx)
            PSF_DROPPRIVS);
 
        if (pid == 0)
-               ps_entersandbox("stdio");
+               ps_entersandbox("stdio", NULL);
 
        return pid;
 }
@@ -560,7 +560,7 @@ ps_inet_cmd(struct dhcpcd_ctx *ctx, struct ps_msghdr *psm, struct msghdr *msg)
                ps_freeprocess(psp);
                return -1;
        case 0:
-               ps_entersandbox("stdio");
+               ps_entersandbox("stdio", NULL);
                break;
        default:
                break;

diff --git a/src/privsep-linux.c b/src/privsep-linux.c
index 20579769b3f1cb966bc1e38ecdab602a88baf14a..837ad281b4076c01a879ad31620522edee4710f6 100644 (file)
--- a/src/privsep-linux.c
+++ b/src/privsep-linux.c
@@ -256,9 +256,12 @@ int
 ps_seccomp_enter(void)
 {
 
-       if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
-               return errno == EINVAL ? 0 : -1;
-       if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ps_seccomp_prog) == -1)
-               return errno == EINVAL ? 0 : -1;
+       if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
+           prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ps_seccomp_prog) == -1)
+       {
+               if (errno == EINVAL)
+                       errno = ENOSYS;
+               return -1;
+       }
        return 0;
 }

diff --git a/src/privsep.c b/src/privsep.c
index 2cc61a88633b10e4bdb2a042cd38150d877d9186..ca92c781e49502c74987e0a302c6923c7d374a49 100644 (file)
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -490,36 +490,36 @@ started_net:
 }
 
 int
-ps_entersandbox(const char *_pledge)
+ps_entersandbox(const char *_pledge, const char **sandbox)
 {
 
 #ifdef HAVE_CAPSICUM
-       if (cap_enter() == -1 && errno != ENOSYS) {
-               logerr("%s: cap_enter", __func__);
-               return -1;
-       }
+       if (sandbox != NULL)
+               *sandbox = "capsicum";
+       return cap_enter();
 #endif
 #ifdef HAVE_PLEDGE
-       if (pledge(_pledge, NULL) == -1) {
-               logerr("%s: pledge", __func__);
-               return -1;
-       }
+       if (sandbox != NULL)
+               *sandbox = "pledge";
+       return pledge(_pledge, NULL);
 #else
        UNUSED(_pledge);
 #endif
 #ifdef HAVE_SECCOMP
-       if (ps_seccomp_enter() == -1) {
-               logerr("%s: ps_seccomp_enter", __func__);
-               return -1;
-       }
+       if (sandbox != NULL)
+               *sandbox = "seccomp";
+       return ps_seccomp_enter();
 #endif
 
+       if (sandbox != NULL)
+               *sandbox = NULL;
        return 0;
 }
 
 int
 ps_mastersandbox(struct dhcpcd_ctx *ctx)
 {
+       const char *sandbox = NULL;
 
        if (ps_dropprivs(ctx) == -1) {
                logerr("%s: ps_dropprivs", __func__);
@@ -537,7 +537,17 @@ ps_mastersandbox(struct dhcpcd_ctx *ctx)
        }
 #endif
 
-       return ps_entersandbox("stdio route");
+       if (ps_entersandbox("stdio route", &sandbox) == -1) {
+               if (errno == ENOSYS) {
+                       if (sandbox != NULL)
+                               logwarnx("sandbox unavailable: %s", sandbox);
+                       return 0;
+               }
+               logerr("%s: %s", __func__, sandbox);
+               return -1;
+       } else if (sandbox != NULL)
+               loginfox("sandbox: %s", sandbox);
+       return 0;
 }
 
 int

diff --git a/src/privsep.h b/src/privsep.h
index d8c3dc8adcbf3cee997b11fe6bfdf9137c83ea0b..260c3fdabcadf73dde251715d0473ba6172769e2 100644 (file)
--- a/src/privsep.h
+++ b/src/privsep.h
@@ -174,7 +174,7 @@ TAILQ_HEAD(ps_process_head, ps_process);
 int ps_init(struct dhcpcd_ctx *);
 int ps_start(struct dhcpcd_ctx *);
 int ps_stop(struct dhcpcd_ctx *);
-int ps_entersandbox(const char *);
+int ps_entersandbox(const char *, const char **);
 int ps_mastersandbox(struct dhcpcd_ctx *);
 
 int ps_unrollmsg(struct msghdr *, struct ps_msghdr *, const void *, size_t);