1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Privilege Separation for dhcpcd 4 * Copyright (c) 2006-2020 Roy Marples <roy@marples.name> 5 * All rights reserved 6 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 /* 30 * The current design is this: 31 * Spawn a priv process to carry out privileged actions and 32 * spawning unpriv process to initate network connections such as BPF 33 * or address specific listener. 34 * Spawn an unpriv process to send/receive common network data. 35 * Then drop all privs and start running. 36 * Every process aside from the privileged actioneer is chrooted. 37 * 38 * dhcpcd will maintain the config file in the chroot, no need to handle 39 * this in a script or something. 40 */ 41 42 #include <sys/resource.h> 43 #include <sys/socket.h> 44 #include <sys/stat.h> 45 #include <sys/types.h> 46 #include <sys/wait.h> 47 48 #ifdef AF_LINK 49 #include <net/if_dl.h> 50 #endif 51 52 #include <assert.h> 53 #include <errno.h> 54 #include <fcntl.h> 55 #include <grp.h> 56 #include <paths.h> 57 #include <pwd.h> 58 #include <stddef.h> /* For offsetof, struct padding debug */ 59 #include <signal.h> 60 #include <stdlib.h> 61 #include <string.h> 62 #include <unistd.h> 63 64 #include "arp.h" 65 #include "common.h" 66 #include "control.h" 67 #include "dev.h" 68 #include "dhcp.h" 69 #include "dhcp6.h" 70 #include "eloop.h" 71 #include "ipv6nd.h" 72 #include "logerr.h" 73 #include "privsep.h" 74 75 #ifdef HAVE_CAPSICUM 76 #include <sys/capsicum.h> 77 #endif 78 #ifdef HAVE_UTIL_H 79 #include <util.h> 80 #endif 81 82 int 83 ps_init(struct dhcpcd_ctx *ctx) 84 { 85 struct passwd *pw; 86 struct stat st; 87 88 errno = 0; 89 if ((ctx->ps_user = pw = getpwnam(PRIVSEP_USER)) == NULL) { 90 ctx->options &= ~DHCPCD_PRIVSEP; 91 if (errno == 0) { 92 logerrx("no such user %s", PRIVSEP_USER); 93 /* Just incase logerrx caused an error... */ 94 errno = 0; 95 } else 96 logerr("getpwnam"); 97 return -1; 98 } 99 100 if (stat(pw->pw_dir, &st) == -1 || !S_ISDIR(st.st_mode)) { 101 ctx->options &= ~DHCPCD_PRIVSEP; 102 logerrx("refusing chroot: %s: %s", 103 PRIVSEP_USER, pw->pw_dir); 104 errno = 0; 105 return -1; 106 } 107 108 ctx->options |= DHCPCD_PRIVSEP; 109 return 0; 110 } 111 112 int 113 ps_dropprivs(struct dhcpcd_ctx *ctx) 114 { 115 struct passwd *pw = ctx->ps_user; 116 117 if (!(ctx->options & DHCPCD_FORKED)) 118 logdebugx("chrooting to `%s' as %s", pw->pw_dir, pw->pw_name); 119 if (chroot(pw->pw_dir) == -1) 120 logerr("%s: chroot `%s'", __func__, pw->pw_dir); 121 if (chdir("/") == -1) 122 logerr("%s: chdir `/'", __func__); 123 124 if (setgroups(1, &pw->pw_gid) == -1 || 125 setgid(pw->pw_gid) == -1 || 126 setuid(pw->pw_uid) == -1) 127 { 128 logerr("failed to drop privileges"); 129 return -1; 130 } 131 132 struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 }; 133 134 if (ctx->ps_control_pid != getpid()) { 135 /* Prohibit new files, sockets, etc */ 136 #if defined(__linux__) || defined(__sun) || defined(__OpenBSD__) 137 /* 138 * If poll(2) is called with nfds > RLIMIT_NOFILE 139 * then it returns EINVAL. 140 * This blows. 141 * Do the best we can and limit to what we need. 142 * An attacker could potentially close a file and 143 * open a new one still, but that cannot be helped. 144 */ 145 unsigned long maxfd; 146 maxfd = (unsigned long)eloop_event_count(ctx->eloop); 147 if (IN_PRIVSEP_SE(ctx)) 148 maxfd++; /* XXX why? */ 149 150 struct rlimit rmaxfd = { 151 .rlim_cur = maxfd, 152 .rlim_max = maxfd 153 }; 154 if (setrlimit(RLIMIT_NOFILE, &rmaxfd) == -1) 155 logerr("setrlimit RLIMIT_NOFILE"); 156 #else 157 if (setrlimit(RLIMIT_NOFILE, &rzero) == -1) 158 logerr("setrlimit RLIMIT_NOFILE"); 159 #endif 160 } 161 162 /* Prohibit writing to files. 163 * Obviously this won't work if we are using a logfile. */ 164 if (ctx->logfile == NULL) { 165 if (setrlimit(RLIMIT_FSIZE, &rzero) == -1) 166 logerr("setrlimit RLIMIT_FSIZE"); 167 } 168 169 #ifdef RLIMIT_NPROC 170 /* Prohibit forks */ 171 if (setrlimit(RLIMIT_NPROC, &rzero) == -1) 172 logerr("setrlimit RLIMIT_NPROC"); 173 #endif 174 175 return 0; 176 } 177 178 static int 179 ps_setbuf0(int fd, int ctl, int minlen) 180 { 181 int len; 182 socklen_t slen; 183 184 slen = sizeof(len); 185 if (getsockopt(fd, SOL_SOCKET, ctl, &len, &slen) == -1) 186 return -1; 187 188 #ifdef __linux__ 189 len /= 2; 190 #endif 191 if (len >= minlen) 192 return 0; 193 194 return setsockopt(fd, SOL_SOCKET, ctl, &minlen, sizeof(minlen)); 195 } 196 197 static int 198 ps_setbuf(int fd) 199 { 200 /* Ensure we can receive a fully sized privsep message. 201 * Double the send buffer. */ 202 int minlen = (int)sizeof(struct ps_msg); 203 204 if (ps_setbuf0(fd, SO_RCVBUF, minlen) == -1 || 205 ps_setbuf0(fd, SO_SNDBUF, minlen * 2) == -1) 206 { 207 logerr(__func__); 208 return -1; 209 } 210 return 0; 211 } 212 213 int 214 ps_setbuf_fdpair(int fd[]) 215 { 216 217 if (ps_setbuf(fd[0]) == -1 || ps_setbuf(fd[1]) == -1) 218 return -1; 219 return 0; 220 } 221 222 #ifdef PRIVSEP_RIGHTS 223 int 224 ps_rights_limit_ioctl(int fd) 225 { 226 cap_rights_t rights; 227 228 cap_rights_init(&rights, CAP_IOCTL); 229 if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS) 230 return -1; 231 return 0; 232 } 233 234 int 235 ps_rights_limit_fd_fctnl(int fd) 236 { 237 cap_rights_t rights; 238 239 cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT, 240 CAP_ACCEPT, CAP_FCNTL); 241 if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS) 242 return -1; 243 return 0; 244 } 245 246 int 247 ps_rights_limit_fd(int fd) 248 { 249 cap_rights_t rights; 250 251 cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT, CAP_SHUTDOWN); 252 if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS) 253 return -1; 254 return 0; 255 } 256 257 int 258 ps_rights_limit_fd_rdonly(int fd) 259 { 260 cap_rights_t rights; 261 262 cap_rights_init(&rights, CAP_READ, CAP_EVENT); 263 if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS) 264 return -1; 265 return 0; 266 } 267 268 int 269 ps_rights_limit_fdpair(int fd[]) 270 { 271 272 if (ps_rights_limit_fd(fd[0]) == -1 || ps_rights_limit_fd(fd[1]) == -1) 273 return -1; 274 return 0; 275 } 276 #endif 277 278 pid_t 279 ps_dostart(struct dhcpcd_ctx *ctx, 280 pid_t *priv_pid, int *priv_fd, 281 void (*recv_msg)(void *), void (*recv_unpriv_msg), 282 void *recv_ctx, int (*callback)(void *), void (*signal_cb)(int, void *), 283 unsigned int flags) 284 { 285 int stype; 286 int fd[2]; 287 pid_t pid; 288 289 stype = SOCK_CLOEXEC | SOCK_NONBLOCK; 290 if (socketpair(AF_UNIX, SOCK_DGRAM | stype, 0, fd) == -1) { 291 logerr("%s: socketpair", __func__); 292 return -1; 293 } 294 if (ps_setbuf_fdpair(fd) == -1) { 295 logerr("%s: ps_setbuf_fdpair", __func__); 296 return -1; 297 } 298 #ifdef PRIVSEP_RIGHTS 299 if (ps_rights_limit_fdpair(fd) == -1) { 300 logerr("%s: ps_rights_limit_fdpair", __func__); 301 return -1; 302 } 303 #endif 304 305 switch (pid = fork()) { 306 case -1: 307 logerr("fork"); 308 return -1; 309 case 0: 310 *priv_fd = fd[1]; 311 close(fd[0]); 312 break; 313 default: 314 *priv_pid = pid; 315 *priv_fd = fd[0]; 316 close(fd[1]); 317 if (recv_unpriv_msg == NULL) 318 ; 319 else if (eloop_event_add(ctx->eloop, *priv_fd, 320 recv_unpriv_msg, recv_ctx) == -1) 321 { 322 logerr("%s: eloop_event_add", __func__); 323 return -1; 324 } 325 return pid; 326 } 327 328 ctx->options |= DHCPCD_UNPRIV | DHCPCD_FORKED; 329 if (ctx->fork_fd != -1) { 330 close(ctx->fork_fd); 331 ctx->fork_fd = -1; 332 } 333 pidfile_clean(); 334 eloop_clear(ctx->eloop); 335 336 /* We are not root */ 337 if (priv_fd != &ctx->ps_root_fd) { 338 ps_freeprocesses(ctx, recv_ctx); 339 if (ctx->ps_root_fd != -1) { 340 close(ctx->ps_root_fd); 341 ctx->ps_root_fd = -1; 342 } 343 } 344 345 if (priv_fd != &ctx->ps_inet_fd && ctx->ps_inet_fd != -1) { 346 close(ctx->ps_inet_fd); 347 ctx->ps_inet_fd = -1; 348 } 349 350 eloop_signal_set_cb(ctx->eloop, 351 dhcpcd_signals, dhcpcd_signals_len, signal_cb, ctx); 352 353 /* ctx->sigset aready has the initial sigmask set in main() */ 354 if (eloop_signal_mask(ctx->eloop, NULL) == -1) { 355 logerr("%s: eloop_signal_mask", __func__); 356 goto errexit; 357 } 358 359 if (eloop_event_add(ctx->eloop, *priv_fd, recv_msg, recv_ctx) == -1) 360 { 361 logerr("%s: eloop_event_add", __func__); 362 goto errexit; 363 } 364 365 if (callback(recv_ctx) == -1) 366 goto errexit; 367 368 if (!(ctx->options & DHCPCD_DEBUG) && 369 (!(ctx->options & DHCPCD_TEST) || loggetopts() & LOGERR_QUIET)) 370 { 371 (void)freopen(_PATH_DEVNULL, "w", stdout); 372 (void)freopen(_PATH_DEVNULL, "w", stderr); 373 } 374 375 if (flags & PSF_DROPPRIVS) 376 ps_dropprivs(ctx); 377 378 return 0; 379 380 errexit: 381 /* Failure to start root or inet processes is fatal. */ 382 if (priv_fd == &ctx->ps_root_fd || priv_fd == &ctx->ps_inet_fd) 383 (void)ps_sendcmd(ctx, *priv_fd, PS_STOP, 0, NULL, 0); 384 shutdown(*priv_fd, SHUT_RDWR); 385 *priv_fd = -1; 386 eloop_exit(ctx->eloop, EXIT_FAILURE); 387 return -1; 388 } 389 390 int 391 ps_dostop(struct dhcpcd_ctx *ctx, pid_t *pid, int *fd) 392 { 393 int err = 0; 394 395 #ifdef PRIVSEP_DEBUG 396 logdebugx("%s: pid=%d fd=%d", __func__, *pid, *fd); 397 #endif 398 399 if (*fd != -1) { 400 eloop_event_delete(ctx->eloop, *fd); 401 if (ps_sendcmd(ctx, *fd, PS_STOP, 0, NULL, 0) == -1) { 402 logerr(__func__); 403 err = -1; 404 } 405 (void)shutdown(*fd, SHUT_RDWR); 406 close(*fd); 407 *fd = -1; 408 } 409 410 /* Don't wait for the process as it may not respond to the shutdown 411 * request. We'll reap the process on receipt of SIGCHLD. */ 412 *pid = 0; 413 return err; 414 } 415 416 int 417 ps_start(struct dhcpcd_ctx *ctx) 418 { 419 pid_t pid; 420 421 TAILQ_INIT(&ctx->ps_processes); 422 423 switch (pid = ps_root_start(ctx)) { 424 case -1: 425 logerr("ps_root_start"); 426 return -1; 427 case 0: 428 return 0; 429 default: 430 logdebugx("spawned privileged actioneer on PID %d", pid); 431 } 432 433 /* No point in spawning the generic network listener if we're 434 * not going to use it. */ 435 if (!(ctx->options & (DHCPCD_MASTER | DHCPCD_IPV6))) 436 goto started_net; 437 438 switch (pid = ps_inet_start(ctx)) { 439 case -1: 440 if (errno == ENXIO) 441 return 0; 442 return -1; 443 case 0: 444 return 0; 445 default: 446 logdebugx("spawned network proxy on PID %d", pid); 447 } 448 449 started_net: 450 if (!(ctx->options & DHCPCD_TEST)) { 451 switch (pid = ps_ctl_start(ctx)) { 452 case -1: 453 return -1; 454 case 0: 455 return 0; 456 default: 457 logdebugx("spawned controller proxy on PID %d", pid); 458 } 459 } 460 461 #ifdef ARC4RANDOM_H 462 /* Seed the random number generator early incase it needs /dev/urandom 463 * which won't be available in the chroot. */ 464 arc4random(); 465 #endif 466 467 return 1; 468 } 469 470 int 471 ps_mastersandbox(struct dhcpcd_ctx *ctx) 472 { 473 474 if (ps_dropprivs(ctx) == -1) { 475 logerr("%s: ps_dropprivs", __func__); 476 return -1; 477 } 478 479 #ifdef PRIVSEP_RIGHTS 480 if ((ps_rights_limit_ioctl(ctx->pf_inet_fd) == -1 || 481 ps_rights_limit_fd(ctx->link_fd) == -1) && 482 errno != ENOSYS) 483 { 484 logerr("%s: cap_rights_limit", __func__); 485 return -1; 486 } 487 #endif 488 #ifdef HAVE_CAPSICUM 489 if (cap_enter() == -1 && errno != ENOSYS) { 490 logerr("%s: cap_enter", __func__); 491 return -1; 492 } 493 #endif 494 #ifdef HAVE_PLEDGE 495 if (pledge("stdio route", NULL) == -1) { 496 logerr("%s: pledge", __func__); 497 return -1; 498 } 499 #endif 500 501 return 0; 502 } 503 504 int 505 ps_stop(struct dhcpcd_ctx *ctx) 506 { 507 int r, ret = 0; 508 509 if (!(ctx->options & DHCPCD_PRIVSEP) || 510 ctx->options & DHCPCD_FORKED || 511 ctx->eloop == NULL) 512 return 0; 513 514 r = ps_ctl_stop(ctx); 515 if (r != 0) 516 ret = r; 517 518 r = ps_inet_stop(ctx); 519 if (r != 0) 520 ret = r; 521 522 /* We've been chrooted, so we need to tell the 523 * privileged actioneer to remove the pidfile. */ 524 ps_root_unlink(ctx, ctx->pidfile); 525 526 r = ps_root_stop(ctx); 527 if (r != 0) 528 ret = r; 529 530 ctx->options &= ~DHCPCD_PRIVSEP; 531 return ret; 532 } 533 534 void 535 ps_freeprocess(struct ps_process *psp) 536 { 537 538 TAILQ_REMOVE(&psp->psp_ctx->ps_processes, psp, next); 539 if (psp->psp_fd != -1) { 540 eloop_event_delete(psp->psp_ctx->eloop, psp->psp_fd); 541 close(psp->psp_fd); 542 } 543 if (psp->psp_work_fd != -1) { 544 eloop_event_delete(psp->psp_ctx->eloop, psp->psp_work_fd); 545 close(psp->psp_work_fd); 546 } 547 #ifdef INET 548 if (psp->psp_bpf != NULL) 549 bpf_close(psp->psp_bpf); 550 #endif 551 free(psp); 552 } 553 554 static void 555 ps_free(struct dhcpcd_ctx *ctx) 556 { 557 struct ps_process *psp; 558 bool stop = ctx->ps_root_pid == getpid(); 559 560 while ((psp = TAILQ_FIRST(&ctx->ps_processes)) != NULL) { 561 if (stop) 562 ps_dostop(ctx, &psp->psp_pid, &psp->psp_fd); 563 ps_freeprocess(psp); 564 } 565 } 566 567 int 568 ps_unrollmsg(struct msghdr *msg, struct ps_msghdr *psm, 569 const void *data, size_t len) 570 { 571 uint8_t *datap, *namep, *controlp; 572 573 namep = UNCONST(data); 574 controlp = namep + psm->ps_namelen; 575 datap = controlp + psm->ps_controllen; 576 577 if (psm->ps_namelen != 0) { 578 if (psm->ps_namelen > len) { 579 errno = EINVAL; 580 return -1; 581 } 582 msg->msg_name = namep; 583 len -= psm->ps_namelen; 584 } else 585 msg->msg_name = NULL; 586 msg->msg_namelen = psm->ps_namelen; 587 588 if (psm->ps_controllen != 0) { 589 if (psm->ps_controllen > len) { 590 errno = EINVAL; 591 return -1; 592 } 593 msg->msg_control = controlp; 594 len -= psm->ps_controllen; 595 } else 596 msg->msg_control = NULL; 597 msg->msg_controllen = psm->ps_controllen; 598 599 if (len != 0) { 600 msg->msg_iovlen = 1; 601 msg->msg_iov[0].iov_base = datap; 602 msg->msg_iov[0].iov_len = len; 603 } else { 604 msg->msg_iovlen = 0; 605 msg->msg_iov[0].iov_base = NULL; 606 msg->msg_iov[0].iov_len = 0; 607 } 608 return 0; 609 } 610 611 ssize_t 612 ps_sendpsmmsg(struct dhcpcd_ctx *ctx, int fd, 613 struct ps_msghdr *psm, const struct msghdr *msg) 614 { 615 struct iovec iov[] = { 616 { .iov_base = UNCONST(psm), .iov_len = sizeof(*psm) }, 617 { .iov_base = NULL, }, /* name */ 618 { .iov_base = NULL, }, /* control */ 619 { .iov_base = NULL, }, /* payload 1 */ 620 { .iov_base = NULL, }, /* payload 2 */ 621 { .iov_base = NULL, }, /* payload 3 */ 622 }; 623 int iovlen; 624 ssize_t len; 625 626 if (msg != NULL) { 627 struct iovec *iovp = &iov[1]; 628 int i; 629 630 psm->ps_namelen = msg->msg_namelen; 631 psm->ps_controllen = (socklen_t)msg->msg_controllen; 632 633 iovp->iov_base = msg->msg_name; 634 iovp->iov_len = msg->msg_namelen; 635 iovp++; 636 iovp->iov_base = msg->msg_control; 637 iovp->iov_len = msg->msg_controllen; 638 iovlen = 3; 639 640 for (i = 0; i < (int)msg->msg_iovlen; i++) { 641 if ((size_t)(iovlen + i) > __arraycount(iov)) { 642 errno = ENOBUFS; 643 return -1; 644 } 645 iovp++; 646 iovp->iov_base = msg->msg_iov[i].iov_base; 647 iovp->iov_len = msg->msg_iov[i].iov_len; 648 } 649 iovlen += i; 650 } else 651 iovlen = 1; 652 653 len = writev(fd, iov, iovlen); 654 #ifdef PRIVSEP_DEBUG 655 logdebugx("%s: %zd", __func__, len); 656 #endif 657 if ((len == -1 || len == 0) && ctx->options & DHCPCD_FORKED && 658 !(ctx->options & DHCPCD_PRIVSEPROOT)) 659 eloop_exit(ctx->eloop, len == 0 ? EXIT_SUCCESS : EXIT_FAILURE); 660 return len; 661 } 662 663 ssize_t 664 ps_sendpsmdata(struct dhcpcd_ctx *ctx, int fd, 665 struct ps_msghdr *psm, const void *data, size_t len) 666 { 667 struct iovec iov[] = { 668 { .iov_base = UNCONST(data), .iov_len = len }, 669 }; 670 struct msghdr msg = { 671 .msg_iov = iov, .msg_iovlen = 1, 672 }; 673 674 return ps_sendpsmmsg(ctx, fd, psm, &msg); 675 } 676 677 678 ssize_t 679 ps_sendmsg(struct dhcpcd_ctx *ctx, int fd, uint16_t cmd, unsigned long flags, 680 const struct msghdr *msg) 681 { 682 struct ps_msghdr psm = { 683 .ps_cmd = cmd, 684 .ps_flags = flags, 685 .ps_namelen = msg->msg_namelen, 686 .ps_controllen = (socklen_t)msg->msg_controllen, 687 }; 688 size_t i; 689 690 for (i = 0; i < (size_t)msg->msg_iovlen; i++) 691 psm.ps_datalen += msg->msg_iov[i].iov_len; 692 693 #if 0 /* For debugging structure padding. */ 694 logerrx("psa.family %lu %zu", offsetof(struct ps_addr, psa_family), sizeof(psm.ps_id.psi_addr.psa_family)); 695 logerrx("psa.pad %lu %zu", offsetof(struct ps_addr, psa_pad), sizeof(psm.ps_id.psi_addr.psa_pad)); 696 logerrx("psa.psa_u %lu %zu", offsetof(struct ps_addr, psa_u), sizeof(psm.ps_id.psi_addr.psa_u)); 697 logerrx("psa %zu", sizeof(psm.ps_id.psi_addr)); 698 699 logerrx("psi.addr %lu %zu", offsetof(struct ps_id, psi_addr), sizeof(psm.ps_id.psi_addr)); 700 logerrx("psi.index %lu %zu", offsetof(struct ps_id, psi_ifindex), sizeof(psm.ps_id.psi_ifindex)); 701 logerrx("psi.cmd %lu %zu", offsetof(struct ps_id, psi_cmd), sizeof(psm.ps_id.psi_cmd)); 702 logerrx("psi.pad %lu %zu", offsetof(struct ps_id, psi_pad), sizeof(psm.ps_id.psi_pad)); 703 logerrx("psi %zu", sizeof(struct ps_id)); 704 705 logerrx("ps_cmd %lu", offsetof(struct ps_msghdr, ps_cmd)); 706 logerrx("ps_pad %lu %zu", offsetof(struct ps_msghdr, ps_pad), sizeof(psm.ps_pad)); 707 logerrx("ps_flags %lu %zu", offsetof(struct ps_msghdr, ps_flags), sizeof(psm.ps_flags)); 708 709 logerrx("ps_id %lu %zu", offsetof(struct ps_msghdr, ps_id), sizeof(psm.ps_id)); 710 711 logerrx("ps_namelen %lu %zu", offsetof(struct ps_msghdr, ps_namelen), sizeof(psm.ps_namelen)); 712 logerrx("ps_controllen %lu %zu", offsetof(struct ps_msghdr, ps_controllen), sizeof(psm.ps_controllen)); 713 logerrx("ps_pad2 %lu %zu", offsetof(struct ps_msghdr, ps_pad2), sizeof(psm.ps_pad2)); 714 logerrx("ps_datalen %lu %zu", offsetof(struct ps_msghdr, ps_datalen), sizeof(psm.ps_datalen)); 715 logerrx("psm %zu", sizeof(psm)); 716 #endif 717 718 return ps_sendpsmmsg(ctx, fd, &psm, msg); 719 } 720 721 ssize_t 722 ps_sendcmd(struct dhcpcd_ctx *ctx, int fd, uint16_t cmd, unsigned long flags, 723 const void *data, size_t len) 724 { 725 struct ps_msghdr psm = { 726 .ps_cmd = cmd, 727 .ps_flags = flags, 728 }; 729 struct iovec iov[] = { 730 { .iov_base = UNCONST(data), .iov_len = len } 731 }; 732 struct msghdr msg = { 733 .msg_iov = iov, .msg_iovlen = 1, 734 }; 735 736 return ps_sendpsmmsg(ctx, fd, &psm, &msg); 737 } 738 739 static ssize_t 740 ps_sendcmdmsg(int fd, uint16_t cmd, const struct msghdr *msg) 741 { 742 struct ps_msghdr psm = { .ps_cmd = cmd }; 743 uint8_t data[PS_BUFLEN], *p = data; 744 struct iovec iov[] = { 745 { .iov_base = &psm, .iov_len = sizeof(psm) }, 746 { .iov_base = data, .iov_len = 0 }, 747 }; 748 size_t dl = sizeof(data); 749 750 if (msg->msg_namelen != 0) { 751 if (msg->msg_namelen > dl) 752 goto nobufs; 753 psm.ps_namelen = msg->msg_namelen; 754 memcpy(p, msg->msg_name, msg->msg_namelen); 755 p += msg->msg_namelen; 756 dl -= msg->msg_namelen; 757 } 758 759 if (msg->msg_controllen != 0) { 760 if (msg->msg_controllen > dl) 761 goto nobufs; 762 psm.ps_controllen = (socklen_t)msg->msg_controllen; 763 memcpy(p, msg->msg_control, msg->msg_controllen); 764 p += msg->msg_controllen; 765 dl -= msg->msg_controllen; 766 } 767 768 psm.ps_datalen = msg->msg_iov[0].iov_len; 769 if (psm.ps_datalen > dl) 770 goto nobufs; 771 772 iov[1].iov_len = psm.ps_namelen + psm.ps_controllen + psm.ps_datalen; 773 if (psm.ps_datalen != 0) 774 memcpy(p, msg->msg_iov[0].iov_base, psm.ps_datalen); 775 return writev(fd, iov, __arraycount(iov)); 776 777 nobufs: 778 errno = ENOBUFS; 779 return -1; 780 } 781 782 ssize_t 783 ps_recvmsg(struct dhcpcd_ctx *ctx, int rfd, uint16_t cmd, int wfd) 784 { 785 struct sockaddr_storage ss = { .ss_family = AF_UNSPEC }; 786 uint8_t controlbuf[sizeof(struct sockaddr_storage)] = { 0 }; 787 uint8_t databuf[64 * 1024]; 788 struct iovec iov[] = { 789 { .iov_base = databuf, .iov_len = sizeof(databuf) } 790 }; 791 struct msghdr msg = { 792 .msg_name = &ss, .msg_namelen = sizeof(ss), 793 .msg_control = controlbuf, .msg_controllen = sizeof(controlbuf), 794 .msg_iov = iov, .msg_iovlen = 1, 795 }; 796 797 ssize_t len = recvmsg(rfd, &msg, 0); 798 #ifdef PRIVSEP_DEBUG 799 logdebugx("%s: recv fd %d, %zd bytes", __func__, rfd, len); 800 #endif 801 802 if (len == -1 || len == 0) { 803 if (ctx->options & DHCPCD_FORKED && 804 !(ctx->options & DHCPCD_PRIVSEPROOT)) 805 eloop_exit(ctx->eloop, 806 len == 0 ? EXIT_SUCCESS : EXIT_FAILURE); 807 return len; 808 } 809 810 iov[0].iov_len = (size_t)len; 811 len = ps_sendcmdmsg(wfd, cmd, &msg); 812 #ifdef PRIVSEP_DEBUG 813 logdebugx("%s: send fd %d, %zu bytes", __func__, wfd, len); 814 #endif 815 if ((len == -1 || len == 0) && ctx->options & DHCPCD_FORKED && 816 !(ctx->options & DHCPCD_PRIVSEPROOT)) 817 eloop_exit(ctx->eloop, len == 0 ? EXIT_SUCCESS : EXIT_FAILURE); 818 return len; 819 } 820 821 ssize_t 822 ps_recvpsmsg(struct dhcpcd_ctx *ctx, int fd, 823 ssize_t (*callback)(void *, struct ps_msghdr *, struct msghdr *), 824 void *cbctx) 825 { 826 struct ps_msg psm; 827 ssize_t len; 828 size_t dlen; 829 struct iovec iov[1]; 830 struct msghdr msg = { .msg_iov = iov, .msg_iovlen = 1 }; 831 bool stop = false; 832 833 len = read(fd, &psm, sizeof(psm)); 834 #ifdef PRIVSEP_DEBUG 835 logdebugx("%s: %zd", __func__, len); 836 #endif 837 838 if (len == -1 || len == 0) 839 stop = true; 840 else { 841 dlen = (size_t)len; 842 if (dlen < sizeof(psm.psm_hdr)) { 843 errno = EINVAL; 844 return -1; 845 } 846 847 if (psm.psm_hdr.ps_cmd == PS_STOP) { 848 stop = true; 849 len = 0; 850 } 851 } 852 853 if (stop) { 854 #ifdef PRIVSEP_DEBUG 855 logdebugx("process %d stopping", getpid()); 856 #endif 857 ps_free(ctx); 858 #ifdef PLUGIN_DEV 859 dev_stop(ctx); 860 #endif 861 eloop_exit(ctx->eloop, len != -1 ? EXIT_SUCCESS : EXIT_FAILURE); 862 return len; 863 } 864 dlen -= sizeof(psm.psm_hdr); 865 866 if (ps_unrollmsg(&msg, &psm.psm_hdr, psm.psm_data, dlen) == -1) 867 return -1; 868 869 if (callback == NULL) 870 return 0; 871 872 errno = 0; 873 return callback(cbctx, &psm.psm_hdr, &msg); 874 } 875 876 struct ps_process * 877 ps_findprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid) 878 { 879 struct ps_process *psp; 880 881 TAILQ_FOREACH(psp, &ctx->ps_processes, next) { 882 if (memcmp(&psp->psp_id, psid, sizeof(psp->psp_id)) == 0) 883 return psp; 884 } 885 errno = ESRCH; 886 return NULL; 887 } 888 889 struct ps_process * 890 ps_newprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid) 891 { 892 struct ps_process *psp; 893 894 psp = calloc(1, sizeof(*psp)); 895 if (psp == NULL) 896 return NULL; 897 psp->psp_ctx = ctx; 898 memcpy(&psp->psp_id, psid, sizeof(psp->psp_id)); 899 psp->psp_work_fd = -1; 900 TAILQ_INSERT_TAIL(&ctx->ps_processes, psp, next); 901 return psp; 902 } 903 904 void 905 ps_freeprocesses(struct dhcpcd_ctx *ctx, struct ps_process *notthis) 906 { 907 struct ps_process *psp, *psn; 908 909 TAILQ_FOREACH_SAFE(psp, &ctx->ps_processes, next, psn) { 910 if (psp == notthis) 911 continue; 912 ps_freeprocess(psp); 913 } 914 } 915