From: Roy Marples
Date: Sun, 4 Oct 2020 21:04:49 +0000 (+0100)
Subject: privsep: Remove capsicum specific hooks from BPF
X-Git-Tag: v9.3.0~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a916d82faf5282aedbb69402ef8ca7e940ae18f2;p=thirdparty%2Fdhcpcd.git

privsep: Remove capsicum specific hooks from BPF

We no longer change the filter as it's locked if the OS supports.
---

diff --git a/src/privsep-bpf.c b/src/privsep-bpf.c
index f8240f12..465bb57e 100644
--- a/src/privsep-bpf.c
+++ b/src/privsep-bpf.c
@@ -53,10 +53,6 @@
 #include "logerr.h"
 #include "privsep.h"

-#ifdef HAVE_CAPSICUM
-#include
-#endif
-
 static void
 ps_bpf_recvbpf(void *arg)
 {
@@ -132,13 +128,6 @@ ps_bpf_start_bpf(void *arg)
 struct dhcpcd_ctx *ctx = psp->psp_ctx;
 char *addr;
 struct in_addr *ia = &psp->psp_id.psi_addr.psa_in_addr;
-#ifdef HAVE_CAPSICUM
- cap_rights_t rights;
-
- /* We need CAP_IOCTL so we can change the BPF filter when we
- * need to. */
- cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT, CAP_IOCTL);
-#endif

 if (ia->s_addr == INADDR_ANY) {
 ia = NULL;
@@ -152,10 +141,9 @@ ps_bpf_start_bpf(void *arg)
 psp->psp_bpf = bpf_open(&psp->psp_ifp, psp->psp_filter, ia);
 if (psp->psp_bpf == NULL)
 logerr("%s: bpf_open",__func__);
-#ifdef HAVE_CAPSICUM
- else if (cap_rights_limit(psp->psp_bpf->bpf_fd, &rights) == -1 &&
- errno != ENOSYS)
- logerr("%s: cap_rights_limit", __func__);
+#ifdef PRIVSEP_RIGHTS
+ else if (ps_rights_limit_fd(psp->psp_bpf->bpf_fd) == -1)
+ logerr("%s: ps_rights_limit_fd", __func__);
 #endif
 else if (eloop_event_add(ctx->eloop, psp->psp_bpf->bpf_fd,
 ps_bpf_recvbpf, psp) == -1)
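Review bot: The `errno != ENOSYS` exemption carried by the removed `cap_rights_limit()` branch is not visible at the new `ps_rights_limit_fd()` call in the third hunk (ps_bpf_start_bpf), so any -1 now takes the error branch; if the helper does not absorb ENOSYS itself, BPF startup would presumably fail on kernels that lack the rights framework. The helper is defined outside this diff, so that needs confirming there, together with the rights set it applies: the commit message says the filter is no longer changed, so the descriptor should end up without the ioctl right the old code granted. Once confirmed, a short comment above the call would record both assumptions, e.g. `/* ps_rights_limit_fd() tolerates ENOSYS and grants no ioctl right; the filter is fixed at bpf_open(). */`. The else-if chain continues past the end of the hunk, so what happens to the open BPF descriptor after a failed limit is not shown here.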