privsep: allow CAP_SETSOCKOPT for route(4) fd.

author Roy Marples <roy@marples.name>

Fri, 2 Oct 2020 14:57:01 +0000 (15:57 +0100)

committer Roy Marples <roy@marples.name>

Fri, 2 Oct 2020 14:57:01 +0000 (15:57 +0100)
author Roy Marples <roy@marples.name>
Fri, 2 Oct 2020 14:57:01 +0000 (15:57 +0100)
committer Roy Marples <roy@marples.name>
Fri, 2 Oct 2020 14:57:01 +0000 (15:57 +0100)
diff --git a/src/if-bsd.c b/src/if-bsd.c

index 3eb78045577761dc28985087643776da0d653e83..75b7e62aa4c9695adcec2aaf46d38b842a58012a 100644 (file)
--- a/src/if-bsd.c
+++ b/src/if-bsd.c
@@ -215,6 +215,11 @@ if_opensockets_os(struct dhcpcd_ctx *ctx)
  #warning kernel does not support route message filtering
  #endif
  
+#ifdef PRIVSEP_RIGHTS
+       if (IN_PRIVSEP(ctx))
+               ps_rights_limit_fd_setsockopt(ctx->link_fd);
+#endif
+
         return 0;
  }
  
diff --git a/src/privsep.c b/src/privsep.c

index a7a17e929abb4faa63abf47a1859506bf267dc78..693a87f559ae826615b232e09f61e01e8757af90 100644 (file)
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -259,6 +259,17 @@ ps_rights_limit_fd(int fd)
         return 0;
  }
  
+int
+ps_rights_limit_fd_setsockopt(int fd)
+{
+       cap_rights_t rights;
+
+       cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT, CAP_SETSOCKOPT);
+       if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
+               return -1;
+       return 0;
+}
+
  int
  ps_rights_limit_fd_rdonly(int fd)
  {
@@ -537,7 +548,6 @@ ps_mastersandbox(struct dhcpcd_ctx *ctx, const char *_pledge)
  #ifdef PRIVSEP_RIGHTS
         if ((ctx->pf_inet_fd != -1 &&
             ps_rights_limit_ioctl(ctx->pf_inet_fd) == -1) ||
-           (ctx->link_fd != -1 && ps_rights_limit_fd(ctx->link_fd) == -1) ||
              ps_rights_limit_stdio(ctx) == -1)
         {
                 logerr("%s: cap_rights_limit", __func__);
diff --git a/src/privsep.h b/src/privsep.h

index 93f7965e10b988468a5b885b046e38dc97b395fd..cd26a84201ff47f128cd88434b93ebcef419b725 100644 (file)
--- a/src/privsep.h
+++ b/src/privsep.h
@@ -197,6 +197,7 @@ int ps_setbuf_fdpair(int []);
  int ps_rights_limit_ioctl(int);
  int ps_rights_limit_fd_fctnl(int);
  int ps_rights_limit_fd_rdonly(int);
+int ps_rights_limit_fd_setsockopt(int);
  int ps_rights_limit_fd(int);
  int ps_rights_limit_fdpair(int []);
  #endif
author	Roy Marples <roy@marples.name>
	Fri, 2 Oct 2020 14:57:01 +0000 (15:57 +0100)
committer	Roy Marples <roy@marples.name>
	Fri, 2 Oct 2020 14:57:01 +0000 (15:57 +0100)
src/if-bsd.c		patch \| blob \| blame \| history
src/privsep.c		patch \| blob \| blame \| history
src/privsep.h		patch \| blob \| blame \| history