diff options
| author |   krw <krw@openbsd.org> | 2015-12-14 01:08:50 +0000 |
|---|---|---|
| committer | krw <krw@openbsd.org> | 2015-12-14 01:08:50 +0000 |
| commit | 46823010ebd2165dfa141a9a3c0ffdb4004461d7 (patch) | |
| tree | 74de8abdedbface128102e16b68fc75f406faa5b | |
| parent | Remove some stray debug code. (diff) | |
| download | wireguard-openbsd-46823010ebd2165dfa141a9a3c0ffdb4004461d7.tar.xz wireguard-openbsd-46823010ebd2165dfa141a9a3c0ffdb4004461d7.zip | |
pledge.
Diff from Ricardo Mestre. Test report from sthen@.
| -rw-r--r-- | usr.sbin/dhcpd/dhcpd.c | 33 | ||||
| -rw-r--r-- | usr.sbin/dhcpd/udpsock.c | 5 |
2 files changed, 27 insertions, 11 deletions
diff --git a/usr.sbin/dhcpd/dhcpd.c b/usr.sbin/dhcpd/dhcpd.c index 4a0abd60a0f..074706c0b2e 100644 --- a/usr.sbin/dhcpd/dhcpd.c +++ b/usr.sbin/dhcpd/dhcpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dhcpd.c,v 1.48 2015/02/10 23:06:13 krw Exp $ */ +/* $OpenBSD: dhcpd.c,v 1.49 2015/12/14 01:08:50 krw Exp $ */ /* * Copyright (c) 2004 Henning Brauer <henning@cvs.openbsd.org> @@ -45,7 +45,7 @@ #include <err.h> #include <pwd.h> -void usage(void); +__dead void usage(void); time_t cur_time, last_scan; struct group root_group; @@ -187,22 +187,18 @@ main(int argc, char *argv[]) if (setrtable(rdomain) == -1) error("setrtable (%m)"); - if (udpsockmode) - udpsock_startup(udpaddr); - icmp_startup(1, lease_pinged); - if (syncsend || syncrecv) { syncfd = sync_init(sync_iface, sync_baddr, sync_port); if (syncfd == -1) err(1, "sync init"); } - if ((pw = getpwnam("_dhcp")) == NULL) - error("user \"_dhcp\" not found"); - if (daemonize) daemon(0, 0); + if ((pw = getpwnam("_dhcp")) == NULL) + error("user \"_dhcp\" not found"); + /* don't go near /dev/pf unless we actually intend to use it */ if ((abandoned_tab != NULL) || (changedmac_tab != NULL) || @@ -227,6 +223,15 @@ main(int argc, char *argv[]) } } + if (udpsockmode) { + udpsock_startup(udpaddr); + } else { + if (pledge("stdio rpath inet sendfd proc id", NULL) == -1) + err(1, "pledge"); + } + + icmp_startup(1, lease_pinged); + if (chroot(_PATH_VAREMPTY) == -1) error("chroot %s: %m", _PATH_VAREMPTY); if (chdir("/") == -1) @@ -236,6 +241,14 @@ main(int argc, char *argv[]) setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) error("can't drop privileges: %m"); + if (udpsockmode) { + if (pledge("stdio inet route sendfd", NULL) == -1) + err(1, "pledge"); + } else { + if (pledge("stdio inet sendfd", NULL) == -1) + err(1, "pledge"); + } + add_timeout(cur_time + 5, periodic_scan, NULL); dispatch(); @@ -243,7 +256,7 @@ main(int argc, char *argv[]) exit(0); } -void +__dead void usage(void) { extern char *__progname; diff --git a/usr.sbin/dhcpd/udpsock.c b/usr.sbin/dhcpd/udpsock.c index 182887ff17c..235299452cf 100644 --- a/usr.sbin/dhcpd/udpsock.c +++ b/usr.sbin/dhcpd/udpsock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udpsock.c,v 1.2 2015/01/16 06:40:16 deraadt Exp $ */ +/* $OpenBSD: udpsock.c,v 1.3 2015/12/14 01:08:50 krw Exp $ */ /* * Copyright (c) 2014 YASUOKA Masahiko <yasuoka@openbsd.org> @@ -56,6 +56,9 @@ udpsock_startup(struct in_addr bindaddr) error("setsocketopt IP_RECVIF failed for udp: %s", strerror(errno)); + if (pledge("stdio rpath inet sendfd proc id", NULL) == -1) + error("pledge: %s", strerror(errno)); + sin4.sin_family = AF_INET; sin4.sin_len = sizeof(sin4); sin4.sin_addr = bindaddr; |