Commit Graph

24 Commits

Author SHA1 Message Date
Mariusz Zaborski
377421df96 capsicum: use a new capsicum helpers in tools
Use caph_{rights,ioctls,fcntls}_limit to simplify the code.
2018-11-04 19:24:49 +00:00
Eitan Adler
71c6c44d8d dhclient: build with WARNS=6
- add static in a number of places
- initialize __progname rather than rely on magical extern values
- use nitems() instead of manually spelling it out
- unshadow 'idi'
- teach 'error' that it is '__dead2'
- add missing 'break'
2018-06-24 13:23:27 +00:00
Pedro F. Giffuni
8a16b7a18f General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
Pawel Jakub Dawidek
e16406c7ba Remove duplicated includes.
Submitted by:	Mariusz Zaborski <oshogbo@FreeBSD.org>
2014-06-26 13:57:44 +00:00
Robert Watson
b881b8be1d Update most userspace consumers of capability.h to use capsicum.h instead.
auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.

MFC after:	3 weeks
2014-03-16 11:04:44 +00:00
Christian Brueffer
bb7a82ac0d Use CAP_EVENT instead of the deprecated CAP_POLL_EVENT.
PR:		185382 (based on)
Submitted by:	Loganaden Velvindron
Reviewed by:	pjd
MFC after:	1 week
2014-02-06 21:36:14 +00:00
Pawel Jakub Dawidek
7008be5bd7 Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.

The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.

The structure definition looks like this:

	struct cap_rights {
		uint64_t	cr_rights[CAP_RIGHTS_VERSION + 2];
	};

The initial CAP_RIGHTS_VERSION is 0.

The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.

The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.

To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.

	#define	CAP_PDKILL	CAPRIGHT(1, 0x0000000000000800ULL)

We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:

	#define	CAP_LOOKUP	CAPRIGHT(0, 0x0000000000000400ULL)
	#define	CAP_FCHMOD	CAPRIGHT(0, 0x0000000000002000ULL)

	#define	CAP_FCHMODAT	(CAP_FCHMOD | CAP_LOOKUP)

There is new API to manage the new cap_rights_t structure:

	cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
	void cap_rights_set(cap_rights_t *rights, ...);
	void cap_rights_clear(cap_rights_t *rights, ...);
	bool cap_rights_is_set(const cap_rights_t *rights, ...);

	bool cap_rights_is_valid(const cap_rights_t *rights);
	void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
	void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
	bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);

Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:

	cap_rights_t rights;

	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);

There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:

	#define	cap_rights_set(rights, ...)				\
		__cap_rights_set((rights), __VA_ARGS__, 0ULL)
	void __cap_rights_set(cap_rights_t *rights, ...);

Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:

	cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);

Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.

This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.

Sponsored by:	The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
Pawel Jakub Dawidek
3b2ed0659c MFp4 @229482:
- Limit bpf descriptor in unprivileged process to CAP_POLL_EVENT, CAP_READ and
  allow for SIOCGIFFLAGS, SIOCGIFMEDIA ioctls.
- While here limit bpf descriptor in privileged process to only CAP_WRITE.

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
2013-07-03 22:16:02 +00:00
Pawel Jakub Dawidek
235eb53002 MFp4 @229481:
Currently it was allowed to send any UDP packets from unprivileged process and
possibly any packets because /dev/bpf was open for writing.

Move sending packets to privileged process. Unprivileged process has no longer
access to not connected UDP socket and has only access to /dev/bpf in read-only
mode.

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
2013-07-03 22:12:54 +00:00
Pawel Jakub Dawidek
b0f1b32afb MFp4 @229476,229478:
Make use of two fields: rfdesc and wfdesc to keep bpf descriptor open for
reading only in rfdesc and bpf descriptor open for writing only in wfdesc.
In the end they will be used by two different processes.

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
2013-07-03 22:01:52 +00:00
Pawel Jakub Dawidek
3a0fc7d8a9 MFp4 @229474:
iov_base field is 'void *' in FreeBSD, no need to cast.

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
2013-07-03 21:58:26 +00:00
Pawel Jakub Dawidek
e8da500388 MFp4 @229473:
No caller checks send_packet() return value, so make it void.

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
2013-07-03 21:57:24 +00:00
Pawel Jakub Dawidek
ba019ae51f MFp4 @229472:
Use the same type for 'from' and 'to' argument in send_packet().

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
2013-07-03 21:53:54 +00:00
Pawel Jakub Dawidek
d1f4d85494 MFp4 @229471:
Remove unused argument from assemble_hw_header().

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
2013-07-03 21:49:10 +00:00
Pawel Jakub Dawidek
592291c1e7 MFp4 @229470:
Remove unused argument from send_packet().

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
2013-07-03 21:45:29 +00:00
Philip Paeps
9b683f8da6 Make dhclient use bootpc (68) as the source port for unicast DHCPREQUEST
packets instead of allowing the protocol stack to pick a random source port.

This fixes the behaviour where dhclient would never transition from RENEWING
to BOUND without going through REBINDING in networks which are paranoid about
DHCP spoofing, such as most mainstream cable-broadband ISP networks.

Reviewed by:	brooks
Obtained from:	OpenBSD (partly - I'm not convinced their solution can work)
MFC after:	1 week (pending re approval)
2009-10-21 23:50:35 +00:00
Brooks Davis
8ca3089abc When sending packets directly to the DHCP server, use a socket and send
directly rather than bogusly sending it out as a link layer broadcast
(which fails to be received on some networks).

PR:		bin/96018
MFC after:	2 weeks
2008-04-15 22:48:56 +00:00
Brooks Davis
ebe609b4a2 It is possible for bpf to return a length such that:
length != BPF_WORDALIGN(length)

This meeans that it is possible for this to be true:

	interface->rbuf_offset > interface->rbuf_len

Handle this case in the test for running out of packets.  While
OpenBSD's solution of setting interface->rbuf_len to
BPF_WORDALIGN(length) is safe due to the size of the buffer, I think
this solution results in less hidden assumptions.

This should fix the problem of dhclient running away and consuming 100%
CPU.

PR:		bin/102226
Submitted by:	Joost Bekkers <joost at jodocus.org>
MFC after:	3 days
2006-09-26 01:02:02 +00:00
Brooks Davis
8794fdbb48 Add __FBSDID to all .c files in dhclient to aid in determining file
versions when dealing with user problems.
2005-08-23 23:59:55 +00:00
Christian S.J. Peron
4d3d08301e FreeBSD unconditionally supports write filters now. 2005-08-23 01:35:38 +00:00
Brooks Davis
289d89d80f Further fix receive_packet() by using BPF_WORDALIGN to insure the offset
is properly aligned when we move to the next packet.

Obtained from:	ISC dhclient via krw at OpenBSD
2005-07-28 15:30:19 +00:00
Brooks Davis
4eae015de1 Fix a bug in the handling of cases where we got a short (or zero)
capture.  Zero length captures caused an infinte loop and short captures
probably caused memory corruption and a crash.

Reported by:	many
MFC After:	3 days
2005-07-27 19:25:46 +00:00
Brooks Davis
1b3bb962f9 We don't support BPF write filters at this time.
Submitted by:	sam
2005-06-07 04:13:52 +00:00
Brooks Davis
47c0859616 Import the OpenBSD dhclient as shipped with OpenBSD-3.7 (the tag
OPENBSD_3_7).
2005-06-07 04:05:09 +00:00