privsep: Fix prior for FreeBSD.
authorRoy Marples <roy@marples.name>
Sat, 5 Sep 2020 16:01:59 +0000 (17:01 +0100)
committerRoy Marples <roy@marples.name>
Sat, 5 Sep 2020 16:01:59 +0000 (17:01 +0100)
src/dhcpcd.c
src/if.c
src/privsep-control.c
src/privsep.c

index 86b994f8aa7df4ec9049899d62652a5492173e08..c8589fe308028e86b20c3457243a55cbaabf805c 100644 (file)
@@ -2246,14 +2246,6 @@ printpidfile:
                logerr("socketpair");
                goto exit_failure;
        }
-#ifdef HAVE_CAPSICUM
-       if (ps_rights_limit_fdpair(fork_fd) == -1 ||
-           ps_rights_limit_fdpair(stderr_fd) == 1)
-       {
-               logerr("ps_rights_limit_fdpair");
-               goto exit_failure;
-       }
-#endif
        switch (pid = fork()) {
        case -1:
                logerr("fork");
@@ -2263,6 +2255,14 @@ printpidfile:
                close(fork_fd[0]);
                logseterrfd(stderr_fd[1]);
                close(stderr_fd[0]);
+#ifdef PRIVSEP_RIGHTS
+               if (ps_rights_limit_fd(fork_fd[1]) == -1 ||
+                   ps_rights_limit_fd(stderr_fd[1]) == 1)
+               {
+                       logerr("ps_rights_limit_fdpair");
+                       goto exit_failure;
+               }
+#endif
                if (freopen(_PATH_DEVNULL, "w", stdout) == NULL ||
                    freopen(_PATH_DEVNULL, "w", stderr) == NULL)
                        logerr("freopen");
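Review bot: The second operand of the added condition compares against `1` rather than `-1` (`ps_rights_limit_fd(stderr_fd[1]) == 1`). Assuming ps_rights_limit_fd reports failure as -1, as the first operand expects, a failure to restrict the stderr descriptor would be ignored and the process would carry on with that descriptor unrestricted. It should read `ps_rights_limit_fd(stderr_fd[1]) == -1)`, and the same comparison needs the same fix in the next hunk for `stderr_fd[0]`. The log text is also stale in both hunks: the call is ps_rights_limit_fd but the message names `ps_rights_limit_fdpair`, so `logerr("ps_rights_limit_fd");` would match. The enclosing switch case starts and ends outside the hunk.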
@@ -2289,6 +2289,14 @@ printpidfile:
                close(fork_fd[1]);
                ctx.stderr_fd = stderr_fd[0];
                close(stderr_fd[1]);
+#ifdef PRIVSEP_RIGHTS
+               if (ps_rights_limit_fd(fork_fd[0]) == -1 ||
+                   ps_rights_limit_fd(stderr_fd[0]) == 1)
+               {
+                       logerr("ps_rights_limit_fdpair");
+                       goto exit_failure;
+               }
+#endif
                setproctitle("[launcher]");
                eloop_event_add(ctx.eloop, ctx.fork_fd, dhcpcd_fork_cb, &ctx);
                eloop_event_add(ctx.eloop, ctx.stderr_fd, dhcpcd_stderr_cb, &ctx);
index 2e0920f9f60b4d5f67755263da5759cba389180a..40fdadcf0e1705e27c38fe51433249b5ab13a003 100644 (file)
--- a/src/if.c
+++ b/src/if.c
@@ -1016,10 +1016,6 @@ xsocketpair(int domain, int type, int protocol, int fd[2])
        if ((s = socketpair(domain, type, protocol, fd)) == -1)
                return -1;
 
-#ifdef PRIVSEP_RIGHTS
-       if (ps_rights_limit_fdpair(fd) == -1)
-               goto out;
-#endif
 #ifndef HAVE_SOCK_CLOEXEC
        if ((xtype & SOCK_CLOEXEC) && ((xflags = fcntl(fd[0], F_GETFD)) == -1 ||
            fcntl(fd[0], F_SETFD, xflags | FD_CLOEXEC) == -1))
@@ -1039,8 +1035,7 @@ xsocketpair(int domain, int type, int protocol, int fd[2])
 
        return s;
 
-#if defined(PRIVSEP_RIGHTS) || \
-       !defined(HAVE_SOCK_CLOEXEC) || !defined(HAVE_SOCK_NONBLOCK)
+#if !defined(HAVE_SOCK_CLOEXEC) || !defined(HAVE_SOCK_NONBLOCK)
 out:
        close(fd[0]);
        close(fd[1]);
index 8d1ed506be4c58fbe4c60b319af12325ee8d25a4..01a8acd744dd588e3f65cab5fd6fcbde63aaa557 100644 (file)
@@ -225,10 +225,14 @@ ps_ctl_start(struct dhcpcd_ctx *ctx)
        int data_fd[2], listen_fd[2];
        pid_t pid;
 
-       if (xsocketpair(AF_UNIX, SOCK_STREAM | SOCK_CXNB, 0, data_fd) == -1)
+       if (xsocketpair(AF_UNIX, SOCK_STREAM | SOCK_CXNB, 0, data_fd) == -1 ||
+           xsocketpair(AF_UNIX, SOCK_STREAM | SOCK_CXNB, 0, listen_fd) == -1)
                return -1;
-       if (xsocketpair(AF_UNIX, SOCK_STREAM | SOCK_CXNB, 0, listen_fd) == -1)
+#ifdef PRIVSEP_RIGHTS
+       if (ps_rights_limit_fdpair(data_fd) == -1 ||
+           ps_rights_limit_fdpair(listen_fd) == -1)
                return -1;
+#endif
 
        pid = ps_dostart(ctx, &ctx->ps_control_pid, &ctx->ps_control_fd,
            ps_ctl_recvmsg, ps_ctl_dodispatch, ctx,
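Review bot: Both early `return -1` paths leave descriptors open: if the second xsocketpair() fails, data_fd is still open, and if ps_rights_limit_fdpair() fails, both pairs are. Whether the caller treats this failure as fatal is not visible here, but closing `data_fd[0]`, `data_fd[1]` and the listen_fd pair before returning would keep unrestricted sockets from outliving a failed rights-limit step. The new rights check also returns silently, while the equivalent check added to ps_dostart logs; `logerr("%s: ps_rights_limit_fdpair", __func__);` before the return would make the two consistent. ps_ctl_start continues past the end of the hunk.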
index 14760e6e2818ee6b2f3747aac7cb9c6085aeaf38..2319ac579f9835701dd7dc78b20f52f1de9ed75c 100644 (file)
@@ -295,6 +295,12 @@ ps_dostart(struct dhcpcd_ctx *ctx,
                logerr("%s: ps_setbuf_fdpair", __func__);
                return -1;
        }
+#ifdef PRIVSEP_RIGHTS
+       if (ps_rights_limit_fdpair(fd) == -1) {
+               logerr("%s: ps_rights_limit_fdpair", __func__);
+               return -1;
+       }
+#endif
 
        switch (pid = fork()) {
        case -1: