diff options
Diffstat (limited to 'src/daemon/priv.c')
| -rw-r--r-- | src/daemon/priv.c | 761 |
1 files changed, 761 insertions, 0 deletions
diff --git a/src/daemon/priv.c b/src/daemon/priv.c new file mode 100644 index 0000000..d642328 --- /dev/null +++ b/src/daemon/priv.c @@ -0,0 +1,761 @@ +/* -*- mode: c; c-file-style: "openbsd" -*- */ +/* + * Copyright (c) 2008 Vincent Bernat <bernat@luffy.cx> + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* This file contains code for privilege separation. When an error arises in + * monitor (which is running as root), it just stops instead of trying to + * recover. This module also contains proxies to privileged operations. In this + * case, error can be non fatal. */ + +#include "lldpd.h" +#include "trace.h" + +#include <stdio.h> +#include <unistd.h> +#include <signal.h> +#include <errno.h> +#include <limits.h> +#include <sys/wait.h> +#include <sys/stat.h> +#include <sys/socket.h> +#include <sys/un.h> +#include <fcntl.h> +#include <grp.h> +#include <sys/utsname.h> +#include <sys/ioctl.h> +#include <netinet/if_ether.h> + +#ifdef HAVE_LINUX_CAPABILITIES +# include <sys/capability.h> +# include <sys/prctl.h> +#endif + +#if defined HOST_OS_FREEBSD || defined HOST_OS_OSX || defined HOST_OS_DRAGONFLY +# include <net/if_dl.h> +#endif +#if defined HOST_OS_SOLARIS +# include <sys/sockio.h> +#endif + +/* Use resolv.h */ +#ifdef HAVE_SYS_TYPES_H +# include <sys/types.h> +#endif +#ifdef HAVE_NETINET_IN_H +# include <netinet/in.h> +#endif +#ifdef HAVE_ARPA_NAMESER_H +# include <arpa/nameser.h> /* DNS HEADER struct */ +#endif +#ifdef HAVE_NETDB_H +# include <netdb.h> +#endif +#ifdef HAVE_RESOLV_H +# include <resolv.h> +#endif + +/* Bionic has res_init() but it's not in any header */ +#if defined HAVE_RES_INIT && defined __BIONIC__ +int res_init(void); +#endif + +#ifdef ENABLE_PRIVSEP +static int monitored = -1; /* Child */ +#endif + +/* Proxies */ +static void +priv_ping() +{ + int rc; + enum priv_cmd cmd = PRIV_PING; + must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd)); + priv_wait(); + must_read(PRIV_UNPRIVILEGED, &rc, sizeof(int)); + log_debug("privsep", "monitor ready"); +} + +/* Proxy for ctl_cleanup */ +void +priv_ctl_cleanup(const char *ctlname) +{ + int rc, len = strlen(ctlname); + enum priv_cmd cmd = PRIV_DELETE_CTL_SOCKET; + must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd)); + must_write(PRIV_UNPRIVILEGED, &len, sizeof(int)); + must_write(PRIV_UNPRIVILEGED, ctlname, len); + priv_wait(); + must_read(PRIV_UNPRIVILEGED, &rc, sizeof(int)); +} + +/* Proxy for gethostname */ +char * +priv_gethostname() +{ + static char *buf = NULL; + int len; + enum priv_cmd cmd = PRIV_GET_HOSTNAME; + must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd)); + priv_wait(); + must_read(PRIV_UNPRIVILEGED, &len, sizeof(int)); + if (len < 0 || len > 255) fatalx("privsep", "too large value requested"); + if ((buf = (char *)realloc(buf, len + 1)) == NULL) fatal("privsep", NULL); + must_read(PRIV_UNPRIVILEGED, buf, len); + buf[len] = '\0'; + return buf; +} + +int +priv_iface_init(int index, char *iface) +{ + int rc; + char dev[IFNAMSIZ] = {}; + enum priv_cmd cmd = PRIV_IFACE_INIT; + must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd)); + must_write(PRIV_UNPRIVILEGED, &index, sizeof(int)); + strlcpy(dev, iface, IFNAMSIZ); + must_write(PRIV_UNPRIVILEGED, dev, IFNAMSIZ); + priv_wait(); + must_read(PRIV_UNPRIVILEGED, &rc, sizeof(int)); + if (rc != 0) return -1; + return receive_fd(PRIV_UNPRIVILEGED); +} + +int +priv_iface_multicast(const char *name, const u_int8_t *mac, int add) +{ + int rc; + enum priv_cmd cmd = PRIV_IFACE_MULTICAST; + must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd)); + must_write(PRIV_UNPRIVILEGED, name, IFNAMSIZ); + must_write(PRIV_UNPRIVILEGED, mac, ETHER_ADDR_LEN); + must_write(PRIV_UNPRIVILEGED, &add, sizeof(int)); + priv_wait(); + must_read(PRIV_UNPRIVILEGED, &rc, sizeof(int)); + return rc; +} + +int +priv_iface_description(const char *name, const char *description) +{ + int rc, len = strlen(description); + enum priv_cmd cmd = PRIV_IFACE_DESCRIPTION; + must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd)); + must_write(PRIV_UNPRIVILEGED, name, IFNAMSIZ); + must_write(PRIV_UNPRIVILEGED, &len, sizeof(int)); + must_write(PRIV_UNPRIVILEGED, description, len); + priv_wait(); + must_read(PRIV_UNPRIVILEGED, &rc, sizeof(int)); + return rc; +} + +/* Proxy to set interface in promiscuous mode */ +int +priv_iface_promisc(const char *ifname) +{ + int rc; + enum priv_cmd cmd = PRIV_IFACE_PROMISC; + must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd)); + must_write(PRIV_UNPRIVILEGED, ifname, IFNAMSIZ); + priv_wait(); + must_read(PRIV_UNPRIVILEGED, &rc, sizeof(int)); + return rc; +} + +int +priv_snmp_socket(struct sockaddr_un *addr) +{ + int rc; + enum priv_cmd cmd = PRIV_SNMP_SOCKET; + must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd)); + must_write(PRIV_UNPRIVILEGED, addr, sizeof(struct sockaddr_un)); + priv_wait(); + must_read(PRIV_UNPRIVILEGED, &rc, sizeof(int)); + if (rc < 0) return rc; + return receive_fd(PRIV_UNPRIVILEGED); +} + +static void +asroot_ping() +{ + int rc = 1; + must_write(PRIV_PRIVILEGED, &rc, sizeof(int)); +} + +static void +asroot_ctl_cleanup() +{ + int len; + char *ctlname; + int rc = 0; + + must_read(PRIV_PRIVILEGED, &len, sizeof(int)); + if (len < 0 || len > PATH_MAX) fatalx("privsep", "too large value requested"); + if ((ctlname = (char *)malloc(len + 1)) == NULL) fatal("privsep", NULL); + + must_read(PRIV_PRIVILEGED, ctlname, len); + ctlname[len] = 0; + + ctl_cleanup(ctlname); + free(ctlname); + + /* Ack */ + must_write(PRIV_PRIVILEGED, &rc, sizeof(int)); +} + +static void +asroot_gethostname() +{ + struct utsname un; + struct addrinfo hints = { .ai_flags = AI_CANONNAME }; + struct addrinfo *res; + int len; + if (uname(&un) < 0) fatal("privsep", "failed to get system information"); + if (getaddrinfo(un.nodename, NULL, &hints, &res) != 0) { + log_info("privsep", "unable to get system name"); +#ifdef HAVE_RES_INIT + res_init(); +#endif + len = strlen(un.nodename); + must_write(PRIV_PRIVILEGED, &len, sizeof(int)); + must_write(PRIV_PRIVILEGED, un.nodename, len); + } else { + len = strlen(res->ai_canonname); + must_write(PRIV_PRIVILEGED, &len, sizeof(int)); + must_write(PRIV_PRIVILEGED, res->ai_canonname, len); + freeaddrinfo(res); + } +} + +static void +asroot_iface_init() +{ + int rc = -1, fd = -1; + int ifindex; + char name[IFNAMSIZ]; + must_read(PRIV_PRIVILEGED, &ifindex, sizeof(ifindex)); + must_read(PRIV_PRIVILEGED, &name, sizeof(name)); + name[sizeof(name) - 1] = '\0'; + + TRACE(LLDPD_PRIV_INTERFACE_INIT(name)); + rc = asroot_iface_init_os(ifindex, name, &fd); + must_write(PRIV_PRIVILEGED, &rc, sizeof(rc)); + if (rc == 0 && fd >= 0) send_fd(PRIV_PRIVILEGED, fd); + if (fd >= 0) close(fd); +} + +static void +asroot_iface_multicast() +{ + int sock = -1, add, rc = 0; + struct ifreq ifr = { .ifr_name = {} }; + must_read(PRIV_PRIVILEGED, ifr.ifr_name, IFNAMSIZ); +#if defined HOST_OS_LINUX + must_read(PRIV_PRIVILEGED, ifr.ifr_hwaddr.sa_data, ETHER_ADDR_LEN); +#elif defined HOST_OS_FREEBSD || defined HOST_OS_OSX || defined HOST_OS_DRAGONFLY + /* Black magic from mtest.c */ + struct sockaddr_dl *dlp = ALIGNED_CAST(struct sockaddr_dl *, &ifr.ifr_addr); + dlp->sdl_len = sizeof(struct sockaddr_dl); + dlp->sdl_family = AF_LINK; + dlp->sdl_index = 0; + dlp->sdl_nlen = 0; + dlp->sdl_alen = ETHER_ADDR_LEN; + dlp->sdl_slen = 0; + must_read(PRIV_PRIVILEGED, LLADDR(dlp), ETHER_ADDR_LEN); +#elif defined HOST_OS_OPENBSD || defined HOST_OS_NETBSD || defined HOST_OS_SOLARIS + struct sockaddr *sap = (struct sockaddr *)&ifr.ifr_addr; +# if !defined HOST_OS_SOLARIS + sap->sa_len = sizeof(struct sockaddr); +# endif + sap->sa_family = AF_UNSPEC; + must_read(PRIV_PRIVILEGED, sap->sa_data, ETHER_ADDR_LEN); +#else +# error Unsupported OS +#endif + + must_read(PRIV_PRIVILEGED, &add, sizeof(int)); + if (((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1) || + ((ioctl(sock, (add) ? SIOCADDMULTI : SIOCDELMULTI, &ifr) < 0) && + (errno != EADDRINUSE))) + rc = errno; + + if (sock != -1) close(sock); + must_write(PRIV_PRIVILEGED, &rc, sizeof(rc)); +} + +static void +asroot_iface_description() +{ + char name[IFNAMSIZ]; + char *description; + int len, rc; + must_read(PRIV_PRIVILEGED, &name, sizeof(name)); + name[sizeof(name) - 1] = '\0'; + must_read(PRIV_PRIVILEGED, &len, sizeof(int)); + if (len < 0 || len > PATH_MAX) fatalx("privsep", "too large value requested"); + if ((description = (char *)malloc(len + 1)) == NULL) fatal("privsep", NULL); + + must_read(PRIV_PRIVILEGED, description, len); + description[len] = 0; + TRACE(LLDPD_PRIV_INTERFACE_DESCRIPTION(name, description)); + rc = asroot_iface_description_os(name, description); + must_write(PRIV_PRIVILEGED, &rc, sizeof(rc)); + free(description); +} + +static void +asroot_iface_promisc() +{ + char name[IFNAMSIZ]; + int rc; + must_read(PRIV_PRIVILEGED, &name, sizeof(name)); + name[sizeof(name) - 1] = '\0'; + rc = asroot_iface_promisc_os(name); + must_write(PRIV_PRIVILEGED, &rc, sizeof(rc)); +} + +static void +asroot_snmp_socket() +{ + int sock, rc; + static struct sockaddr_un *addr = NULL; + struct sockaddr_un bogus; + + if (!addr) { + addr = (struct sockaddr_un *)malloc(sizeof(struct sockaddr_un)); + if (!addr) fatal("privsep", NULL); + must_read(PRIV_PRIVILEGED, addr, sizeof(struct sockaddr_un)); + } else + /* We have already been asked to connect to a socket. We will + * connect to the same socket. */ + must_read(PRIV_PRIVILEGED, &bogus, sizeof(struct sockaddr_un)); + if (addr->sun_family != AF_UNIX) + fatal("privsep", "someone is trying to trick me"); + addr->sun_path[sizeof(addr->sun_path) - 1] = '\0'; + + if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) { + log_warn("privsep", "cannot open socket"); + must_write(PRIV_PRIVILEGED, &sock, sizeof(int)); + return; + } + if ((rc = connect(sock, (struct sockaddr *)addr, sizeof(struct sockaddr_un))) != + 0) { + log_info("privsep", "cannot connect to %s: %s", addr->sun_path, + strerror(errno)); + close(sock); + rc = -1; + must_write(PRIV_PRIVILEGED, &rc, sizeof(int)); + return; + } + + int flags; + if ((flags = fcntl(sock, F_GETFL, NULL)) < 0 || + fcntl(sock, F_SETFL, flags | O_NONBLOCK) < 0) { + log_warn("privsep", "cannot set sock %s to non-block : %s", + addr->sun_path, strerror(errno)); + + close(sock); + rc = -1; + must_write(PRIV_PRIVILEGED, &rc, sizeof(int)); + return; + } + + must_write(PRIV_PRIVILEGED, &rc, sizeof(int)); + send_fd(PRIV_PRIVILEGED, sock); + close(sock); +} + +struct dispatch_actions { + enum priv_cmd msg; + void (*function)(void); +}; + +static struct dispatch_actions actions[] = { { PRIV_PING, asroot_ping }, + { PRIV_DELETE_CTL_SOCKET, asroot_ctl_cleanup }, + { PRIV_GET_HOSTNAME, asroot_gethostname }, +#ifdef HOST_OS_LINUX + { PRIV_OPEN, asroot_open }, +#endif + { PRIV_IFACE_INIT, asroot_iface_init }, + { PRIV_IFACE_MULTICAST, asroot_iface_multicast }, + { PRIV_IFACE_DESCRIPTION, asroot_iface_description }, + { PRIV_IFACE_PROMISC, asroot_iface_promisc }, + { PRIV_SNMP_SOCKET, asroot_snmp_socket }, { -1, NULL } }; + +/* Main loop, run as root */ +static void +priv_loop(int privileged, int once) +{ + enum priv_cmd cmd; + struct dispatch_actions *a; + +#ifdef ENABLE_PRIVSEP + setproctitle("monitor."); +# ifdef USE_SECCOMP + if (priv_seccomp_init(privileged, monitored) != 0) + fatal("privsep", "cannot continue without seccomp setup"); +# endif +#endif + while (!may_read(PRIV_PRIVILEGED, &cmd, sizeof(enum priv_cmd))) { + log_debug("privsep", "received command %d", cmd); + for (a = actions; a->function != NULL; a++) { + if (cmd == a->msg) { + a->function(); + break; + } + } + if (a->function == NULL) fatalx("privsep", "bogus message received"); + if (once) break; + } +} + +/* This function is a NOOP when privilege separation is enabled. In + * the other case, it should be called when we wait an action from the + * privileged side. */ +void +priv_wait() +{ +#ifndef ENABLE_PRIVSEP + /* We have no remote process on the other side. Let's emulate it. */ + priv_loop(0, 1); +#endif +} + +#ifdef ENABLE_PRIVSEP +static void +priv_exit_rc_status(int rc, int status) +{ + switch (rc) { + case 0: + /* kill child */ + kill(monitored, SIGTERM); + /* we will receive a sigchld in the future */ + return; + case -1: + /* child doesn't exist anymore, we consider this is an error to + * be here */ + _exit(1); + break; + default: + /* Monitored child has terminated */ + /* Mimic the exit state of the child */ + if (WIFEXITED(status)) { + /* Normal exit */ + _exit(WEXITSTATUS(status)); + } + if (WIFSIGNALED(status)) { + /* Terminated with signal */ + signal(WTERMSIG(status), SIG_DFL); + raise(WTERMSIG(status)); + _exit(1); /* We consider that not being killed is an error. */ + } + /* Other cases, consider this as an error. */ + _exit(1); + break; + } +} + +static void +priv_exit() +{ + int status; + int rc; + rc = waitpid(monitored, &status, WNOHANG); + priv_exit_rc_status(rc, status); +} + +/* If priv parent gets a TERM or HUP, pass it through to child instead */ +static void +sig_pass_to_chld(int sig) +{ + int oerrno = errno; + if (monitored != -1) kill(monitored, sig); + errno = oerrno; +} + +/* If priv parent gets a SIGCHLD, it will exit if this is the monitored + * process. Other processes (including lldpcli)) are just reaped without + * consequences. */ +static void +sig_chld(int sig) +{ + int status; + int rc = waitpid(monitored, &status, WNOHANG); + if (rc == 0) { + while ((rc = waitpid(-1, &status, WNOHANG)) > 0) { + if (rc == monitored) priv_exit_rc_status(rc, status); + } + return; + } + priv_exit_rc_status(rc, status); +} + +/* Create a subdirectory and check if it's here. */ +static int +_mkdir(const char *pathname, mode_t mode) +{ + int save_errno; + if (mkdir(pathname, mode) == 0 || errno == EEXIST) { + errno = 0; + return 0; + } + + /* We can get EROFS on some platforms. Let's check if the directory exists. */ + save_errno = errno; + if (chdir(pathname) == -1) { + errno = save_errno; + return -1; + } + + /* We should restore current directory, but in the context we are + * running, we do not care. */ + return 0; +} + +/* Create a directory recursively. */ +static int +mkdir_p(const char *pathname, mode_t mode) +{ + char path[PATH_MAX + 1]; + char *current; + + if (strlcpy(path, pathname, sizeof(path)) >= sizeof(path)) { + errno = ENAMETOOLONG; + return -1; + } + + /* Use strtok which will provides non-empty tokens only. */ + for (current = path + 1; *current; current++) { + if (*current != '/') continue; + *current = '\0'; + if (_mkdir(path, mode) != 0) return -1; + *current = '/'; + } + if (_mkdir(path, mode) != 0) return -1; + + return 0; +} + +/* Initialization */ +# define LOCALTIME "/etc/localtime" +static void +priv_setup_chroot(const char *chrootdir) +{ + /* Create chroot if it does not exist */ + if (mkdir_p(chrootdir, 0755) == -1) { + fatal("privsep", "unable to create chroot directory"); + } + + /* Check if /etc/localtime exists in chroot or outside chroot */ + char path[1024]; + int source = -1, destination = -1; + if (snprintf(path, sizeof(path), "%s" LOCALTIME, chrootdir) >= sizeof(path)) + return; + if ((source = open(LOCALTIME, O_RDONLY)) == -1) { + if (errno == ENOENT) return; + log_warn("privsep", "cannot read " LOCALTIME); + return; + } + + /* Prepare copy of /etc/localtime */ + path[strlen(chrootdir) + 4] = '\0'; + if (mkdir(path, 0755) == -1) { + if (errno != EEXIST) { + log_warn("privsep", "unable to create %s directory", path); + close(source); + return; + } + } + path[strlen(chrootdir) + 4] = '/'; + + /* Do copy */ + char buffer[1024]; + ssize_t n; + mode_t old = umask(S_IWGRP | S_IWOTH); + if ((destination = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL, 0666)) == + -1) { + if (errno != EEXIST) log_warn("privsep", "cannot create %s", path); + close(source); + umask(old); + return; + } + umask(old); + while ((n = read(source, buffer, sizeof(buffer))) > 0) { + ssize_t nw, left = n; + char *p = buffer; + while (left > 0) { + if ((nw = write(destination, p, left)) == -1) { + if (errno == EINTR) continue; + log_warn("privsep", "cannot write to %s", path); + close(source); + close(destination); + unlink(path); + return; + } + left -= nw; + p += nw; + } + } + if (n == -1) { + log_warn("privsep", "cannot read " LOCALTIME); + unlink(path); + } else { + log_info("privsep", LOCALTIME " copied to chroot"); + } + close(source); + close(destination); +} +#else /* !ENABLE_PRIVSEP */ + +/* Reap any children. It should only be lldpcli since there is not monitored + * process. */ +static void +sig_chld(int sig) +{ + int status = 0; + while (waitpid(-1, &status, WNOHANG) > 0) + ; +} + +#endif + +#ifdef ENABLE_PRIVSEP +static void +priv_drop(uid_t uid, gid_t gid) +{ + gid_t gidset[1]; + gidset[0] = gid; + log_debug("privsep", "dropping privileges"); +# ifdef HAVE_SETRESGID + if (setresgid(gid, gid, gid) == -1) fatal("privsep", "setresgid() failed"); +# else + if (setregid(gid, gid) == -1) fatal("privsep", "setregid() failed"); +# endif + if (setgroups(1, gidset) == -1) fatal("privsep", "setgroups() failed"); +# ifdef HAVE_SETRESUID + if (setresuid(uid, uid, uid) == -1) fatal("privsep", "setresuid() failed"); +# else + if (setreuid(uid, uid) == -1) fatal("privsep", "setreuid() failed"); +# endif +} + +static void +priv_caps(uid_t uid, gid_t gid) +{ +# ifdef HAVE_LINUX_CAPABILITIES + cap_t caps; + const char *caps_strings[2] = { + "cap_dac_override,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe", + "cap_dac_override,cap_net_raw,cap_net_admin=pe" + }; + log_debug("privsep", + "getting CAP_NET_RAW/ADMIN and CAP_DAC_OVERRIDE privilege"); + if (!(caps = cap_from_text(caps_strings[0]))) + fatal("privsep", "unable to convert caps"); + if (cap_set_proc(caps) == -1) { + log_warn("privsep", + "unable to drop privileges, monitor running as root"); + cap_free(caps); + return; + } + cap_free(caps); + + if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) == -1) + fatal("privsep", "cannot keep capabilities"); + priv_drop(uid, gid); + + log_debug("privsep", "dropping extra capabilities"); + if (!(caps = cap_from_text(caps_strings[1]))) + fatal("privsep", "unable to convert caps"); + if (cap_set_proc(caps) == -1) + fatal("privsep", "unable to drop extra privileges"); + cap_free(caps); +# else + log_info("privsep", "no libcap support, running monitor as root"); +# endif +} +#endif + +void +#ifdef ENABLE_PRIVSEP +priv_init(const char *chrootdir, int ctl, uid_t uid, gid_t gid) +#else +priv_init(void) +#endif +{ + + int pair[2]; + + /* Create socket pair */ + if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pair) < 0) { + fatal("privsep", + "unable to create socket pair for privilege separation"); + } + + priv_unprivileged_fd(pair[0]); + priv_privileged_fd(pair[1]); + +#ifdef ENABLE_PRIVSEP + /* Spawn off monitor */ + if ((monitored = fork()) < 0) fatal("privsep", "unable to fork monitor"); + switch (monitored) { + case 0: + /* We are in the children, drop privileges */ + if (RUNNING_ON_VALGRIND) + log_warnx("privsep", "running on valgrind, keep privileges"); + else { + priv_setup_chroot(chrootdir); + if (chroot(chrootdir) == -1) + fatal("privsep", "unable to chroot"); + if (chdir("/") != 0) fatal("privsep", "unable to chdir"); + priv_drop(uid, gid); + } + close(pair[1]); + priv_ping(); + break; + default: + /* We are in the monitor */ + if (ctl != -1) close(ctl); + close(pair[0]); + if (atexit(priv_exit) != 0) + fatal("privsep", "unable to set exit function"); + + priv_caps(uid, gid); + + /* Install signal handlers */ + const struct sigaction pass_to_child = { .sa_handler = sig_pass_to_chld, + .sa_flags = SA_RESTART }; + sigaction(SIGALRM, &pass_to_child, NULL); + sigaction(SIGTERM, &pass_to_child, NULL); + sigaction(SIGHUP, &pass_to_child, NULL); + sigaction(SIGINT, &pass_to_child, NULL); + sigaction(SIGQUIT, &pass_to_child, NULL); + const struct sigaction child = { .sa_handler = sig_chld, + .sa_flags = SA_RESTART }; + sigaction(SIGCHLD, &child, NULL); + sig_chld(0); /* Reap already dead children */ + priv_loop(pair[1], 0); + exit(0); + } +#else + const struct sigaction child = { .sa_handler = sig_chld, + .sa_flags = SA_RESTART }; + sigaction(SIGCHLD, &child, NULL); + sig_chld(0); /* Reap already dead children */ + log_warnx("priv", "no privilege separation available"); + priv_ping(); +#endif +} |