diff options
Diffstat (limited to 'freebsd/sbin/dhclient/dhclient.c')
-rw-r--r-- | freebsd/sbin/dhclient/dhclient.c | 78 |
1 files changed, 43 insertions, 35 deletions
diff --git a/freebsd/sbin/dhclient/dhclient.c b/freebsd/sbin/dhclient/dhclient.c index e0af9431..d155d454 100644 --- a/freebsd/sbin/dhclient/dhclient.c +++ b/freebsd/sbin/dhclient/dhclient.c @@ -66,8 +66,12 @@ __FBSDID("$FreeBSD$"); #include <sys/capsicum.h> #include <sys/endian.h> +#include <capsicum_helpers.h> +#include <libgen.h> + #include <net80211/ieee80211_freebsd.h> + #ifndef _PATH_VAREMPTY #define _PATH_VAREMPTY "/var/empty" #endif @@ -91,21 +95,21 @@ __FBSDID("$FreeBSD$"); cap_channel_t *capsyslog; time_t cur_time; -time_t default_lease_time = 43200; /* 12 hours... */ +static time_t default_lease_time = 43200; /* 12 hours... */ const char *path_dhclient_conf = _PATH_DHCLIENT_CONF; char *path_dhclient_db = NULL; int log_perror = 1; -int privfd; -int nullfd = -1; +static int privfd; +static int nullfd = -1; -char hostname[_POSIX_HOST_NAME_MAX + 1]; +static char hostname[_POSIX_HOST_NAME_MAX + 1]; -struct iaddr iaddr_broadcast = { 4, { 255, 255, 255, 255 } }; -struct in_addr inaddr_any, inaddr_broadcast; +static struct iaddr iaddr_broadcast = { 4, { 255, 255, 255, 255 } }; +static struct in_addr inaddr_any, inaddr_broadcast; -char *path_dhclient_pidfile; +static char *path_dhclient_pidfile; struct pidfh *pidfile; /* @@ -121,9 +125,9 @@ struct pidfh *pidfile; #define TIME_MAX ((((time_t) 1 << (sizeof(time_t) * CHAR_BIT - 2)) - 1) * 2 + 1) int log_priority; -int no_daemon; -int unknown_ok = 1; -int routefd; +static int no_daemon; +static int unknown_ok = 1; +static int routefd; struct interface_info *ifi; @@ -197,8 +201,8 @@ get_ifa(char *cp, int n) return (NULL); } -struct iaddr defaddr = { .len = 4 }; -uint8_t curbssid[6]; +static struct iaddr defaddr = { .len = 4 }; +static uint8_t curbssid[6]; static void disassoc(void *arg) @@ -369,7 +373,7 @@ init_casper(void) int main(int argc, char *argv[]) { - extern char *__progname; + u_int capmode; int ch, fd, quiet = 0, i = 0; int pipe_fd[2]; int immediate_daemon = 0; @@ -380,7 +384,7 @@ main(int argc, char *argv[]) init_casper(); /* Initially, log errors to stderr as well as to syslogd. */ - cap_openlog(capsyslog, __progname, LOG_PID | LOG_NDELAY, DHCPD_LOG_FACILITY); + cap_openlog(capsyslog, getprogname(), LOG_PID | LOG_NDELAY, DHCPD_LOG_FACILITY); cap_setlogmask(capsyslog, LOG_UPTO(LOG_DEBUG)); while ((ch = getopt(argc, argv, "bc:dl:p:qu")) != -1) @@ -418,7 +422,7 @@ main(int argc, char *argv[]) if (path_dhclient_pidfile == NULL) { asprintf(&path_dhclient_pidfile, - "%sdhclient.%s.pid", _PATH_VARRUN, *argv); + "%s/dhclient/dhclient.%s.pid", _PATH_VARRUN, *argv); if (path_dhclient_pidfile == NULL) error("asprintf"); } @@ -527,23 +531,33 @@ main(int argc, char *argv[]) if (cap_rights_limit(routefd, &rights) < 0 && errno != ENOSYS) error("can't limit route socket: %m"); - if (chroot(_PATH_VAREMPTY) == -1) - error("chroot"); - if (chdir("/") == -1) - error("chdir(\"/\")"); - - if (setgroups(1, &pw->pw_gid) || - setegid(pw->pw_gid) || setgid(pw->pw_gid) || - seteuid(pw->pw_uid) || setuid(pw->pw_uid)) - error("can't drop privileges: %m"); - endpwent(); setproctitle("%s", ifi->name); - if (CASPER_SUPPORT && cap_enter() < 0 && errno != ENOSYS) + /* setgroups(2) is not permitted in capability mode. */ + if (setgroups(1, &pw->pw_gid) != 0) + error("can't restrict groups: %m"); + + if (caph_enter_casper() < 0) error("can't enter capability mode: %m"); + /* + * If we are not in capability mode (i.e., Capsicum or libcasper is + * disabled), try to restrict filesystem access. This will fail if + * kern.chroot_allow_open_directories is 0 or the process is jailed. + */ + if (cap_getmode(&capmode) < 0 || capmode == 0) { + if (chroot(_PATH_VAREMPTY) == -1) + error("chroot"); + if (chdir("/") == -1) + error("chdir(\"/\")"); + } + + if (setegid(pw->pw_gid) || setgid(pw->pw_gid) || + seteuid(pw->pw_uid) || setuid(pw->pw_uid)) + error("can't drop privileges: %m"); + if (immediate_daemon) go_daemon(); @@ -561,9 +575,8 @@ main(int argc, char *argv[]) void usage(void) { - extern char *__progname; - fprintf(stderr, "usage: %s [-bdqu] ", __progname); + fprintf(stderr, "usage: %s [-bdqu] ", getprogname()); fprintf(stderr, "[-c conffile] [-l leasefile] interface\n"); exit(1); } @@ -1903,7 +1916,7 @@ free_client_lease(struct client_lease *lease) free(lease); } -FILE *leaseFile; +static FILE *leaseFile; void rewrite_client_leases(void) @@ -2449,13 +2462,8 @@ go_daemon(void) cap_rights_init(&rights); - if (pidfile != NULL) { + if (pidfile != NULL) pidfile_write(pidfile); - if (cap_rights_limit(pidfile_fileno(pidfile), &rights) < 0 && - errno != ENOSYS) { - error("can't limit pidfile descriptor: %m"); - } - } if (nullfd != -1) { close(nullfd); |