emo/ndhc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ndhc/ndhc.c

591 lines
19 KiB
C
Raw Normal View History

Relicense as MIT. It's a lot more common than BSD 2-clause it is both compatible and nearly identical in effect.
2022-02-06 20:05:29 -05:00
// Copyright 2004-2022 Nicholas J. Kain <njkain at gmail dot com>
// SPDX-License-Identifier: MIT
Initial commit.
2010-11-12 04:02:18 -05:00
#include <stdio.h>
#include <sys/time.h>
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
#include <sys/stat.h>
Initial commit.
2010-11-12 04:02:18 -05:00
#include <sys/types.h>
#include <sys/file.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
Add clientid-mac option for sending a MAC address as a client identifier other than our own.
2011-07-03 05:36:47 -04:00
#include <ctype.h>
Centralize DHCP timeout, packet reciept, and user-demanded action handling into state.[ch]. Remove timeout.c.
2011-06-29 23:47:31 -04:00
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
#include <poll.h>
Change the thread name of the various ndhc processes so that they can be identified via ps/top.
2014-03-10 14:44:12 -04:00
#include <sys/prctl.h>
Initial commit.
2010-11-12 04:02:18 -05:00
#include <net/if.h>
#include <errno.h>
#include <pwd.h>
#include <grp.h>
Add support for setting the metric for the default GW route.
2014-03-19 01:13:11 -04:00
#include <limits.h>
Update to latest ncmlib changes.
2014-03-30 17:02:48 -04:00
#include "nk/log.h"
Don't depend on external ncmlib.
2020-10-20 06:44:31 -04:00
#include "nk/privs.h"
Update to latest ncmlib changes.
2014-03-30 17:02:48 -04:00
#include "nk/io.h"
Initial commit.
2010-11-12 04:02:18 -05:00
Use a unified epoll_(add|del)(). Also, background() and setup_signals_ndhc() are moved from sys.c to ndhc.c. background() also no longer attempts to re-configure signals; signals are always set up on initial ndhc initialization.
2014-03-12 16:51:10 -04:00
#include "ndhc.h"
Make write() and sendto() properly handle short writes and errors in ndhc. Make ndhc write a pidfile. Clean up defines.h and split out ifchd and ndhc specifics.
2010-11-12 18:44:49 -05:00
#include "ndhc-defines.h"
Parse config options with ragel and support a configuration file.
2014-04-14 15:06:31 -04:00
#include "cfg.h"
Centralize DHCP timeout, packet reciept, and user-demanded action handling into state.[ch]. Remove timeout.c.
2011-06-29 23:47:31 -04:00
#include "state.h"
Initial commit.
2010-11-12 04:02:18 -05:00
#include "options.h"
Rename packet.[ch] to dhcp.[ch].
2011-07-02 03:51:44 -04:00
#include "dhcp.h"
Move timeout and arp handling code out to arpping.c and timeout.c.
2010-12-24 09:32:58 -05:00
#include "sys.h"
Rename script.[ch] to ifchange.[ch].
2010-12-24 10:12:41 -05:00
#include "ifchange.h"
Rename arpping.[ch] to arp.[ch].
2010-12-24 09:58:47 -05:00
#include "arp.h"
Make sure that the netlink socket will never block after program initialization. Fetching if/address/index/mac mappings is done only once at program init, so it is done synchronously as an exception to this rule. Rewrite the netlink handling. Now uses NIH code that should be safe, small, and correct. No external deps FTW.
2011-07-03 17:30:55 -04:00
#include "nl.h"
Use netlink for getting interface mac and index in ndhc instead of ioctl.
2011-03-29 14:37:45 -04:00
#include "netlink.h"
Add support for writing lease files.
2011-04-19 16:37:43 -04:00
#include "leasefile.h"
Netlink is pickier than the ioctl interfaces and requires the link to manually be set to an 'up' state before much of anything can be changed. Ensure that this is done very early in ndhc's lifetime, and record the link status at startup time so that the hardware link status monitoring will not get confused. A perform_ifup() function is added to faciliate this need. Handle nl_getifdata() and get_if_index_and_mac() separately from the hardware link status monitoring; don't call get_if_index_and_mac() from nl_process_msgs(). Create the permanent ndhc-master cs.nlFd socket for hardware link status monitoring after forking subprocesses.
2014-03-17 05:56:30 -04:00
#include "ifset.h"
Move external definitions of functions in ifchd.c to ifchd.h instead of defining them manually in ndhc.c.
2014-03-12 16:13:47 -04:00
#include "ifchd.h"
Support RFC4361. RFC4361 requires clients to send a clientid, and specifies that by default that clientid should be a combination of a machine-static DUID and an interface-static IAID. There are several RFC-compliant DUIDs. ndhc uses RFC6355's DUID-UUID, but chooses not to follow RFC4122 for the UUID and instead simply uses random bytes from its combined Tausworthe PRNG. RFC4122 is excessively complex, and 128-bit random values are more than sufficiently collision-resistant on even large DHCP segments. ndhc requires a read/writable directory to store the DUID/IAID states. By default this directory is /etc/ndhc. It exists outside the chroot. The DUID will be stored in a single file, DUID. The IAIDs exist per-interface and are stored in files with names similar to IAID-xx:xx:xx:xx:xx:xx, where the xx values are replaced by the Ethernet hardware address of the interface. If it is impossible to read or store the DUIDs or IAIDs, ndhc will fail at start time before it performs any network activity or forks any subprocesses. If the host system lacks volatile storage, then a clientid should manually be specified using the -c or --clientid command arguments.
2014-03-19 00:42:32 -04:00
#include "duiaid.h"
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
#include "sockd.h"
rfkill: Add support for reacting to radio kill switch events. In order for this to work, the correct rfkill index must be specified with the rfkill-idx option. It might be possible to auto-detect the corresponding rfkill-idx option, but I'm not sure if there's a guaranteed mapping between rfkill name and interface name, as it seems that rfkills should represent phy devices and not wlan devices. The rfkill indexes can be found by checking /sys/class/rfkill/rfkill<IDX>.
2015-02-13 16:25:36 -05:00
#include "rfkill.h"
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 00:52:26 -05:00
#include "scriptd.h"
Initial commit.
2010-11-12 04:02:18 -05:00
Move dhcp client runtime global state into global struct client_state_t cs.
2010-12-24 07:00:42 -05:00
struct client_state_t cs = {
Rename client_state_t init variable to program_init. Easier to grep. No functional change.
2017-01-19 05:05:35 -05:00
.program_init = true,
Move dhcp client runtime global state into global struct client_state_t cs.
2010-12-24 07:00:42 -05:00
.listenFd = -1,
.arpFd = -1,
Wire up the netlink socket to the epoll handler. Still need to actually react to events in the processing function. Pass the client_state structure to the netlink code explicitly rather than making it a global variable.
2011-03-29 15:34:00 -04:00
.nlFd = -1,
Compile cleanly with -Wsign-conversion. I didn't notice anything that worried me.
2018-02-09 02:39:46 -05:00
.nlPortId = 0,
rfkill: Add support for reacting to radio kill switch events. In order for this to work, the correct rfkill index must be specified with the rfkill-idx option. It might be possible to auto-detect the corresponding rfkill-idx option, but I'm not sure if there's a guaranteed mapping between rfkill name and interface name, as it seems that rfkills should represent phy devices and not wlan devices. The rfkill indexes can be found by checking /sys/class/rfkill/rfkill<IDX>.
2015-02-13 16:25:36 -05:00
.rfkillFd = -1,
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
.dhcp_wake_ts = -1,
Fetch the gateway hardware address after receiving a router option in a DHCP lease. Be more aggressive about closing old arp file descriptors. Check the ARP headers to make sure that received ARP packets are addressed to our machine. Whatever bug may have existed before doesn't exist on modern Linux kernels, if it ever did. Use the stored gateway hardware address to validate a restored link in the DS_ARP_GW_CHECK state. If an ARP message is received while we are in a state that does not expect ARP messages, close the ARP socket and log a message.
2011-03-30 23:17:27 -04:00
.routerArp = "\0\0\0\0\0\0",
Record the MAC address of the DHCP server and use it to identify the network when the hardware link carrier is dropped and comes back. Also, don't assume that all networks have a default gateway. Guard against spurious arp defense attempts that might be triggered by packets that are still in the socket buffer from before the BPF was changed. Split apart the AS_GW_CHECK and AS_GW_QUERY timeout handlers. Cosmetic cleanups in state.c.
2011-07-11 13:24:59 -04:00
.serverArp = "\0\0\0\0\0\0",
Move dhcp client runtime global state into global struct client_state_t cs.
2010-12-24 07:00:42 -05:00
};
Initial commit.
2010-11-12 04:02:18 -05:00
struct client_config_t client_config = {
Whitespace and indentation normalization.
2010-11-12 14:33:17 -05:00
.interface = "eth0",
Fetch the gateway hardware address after receiving a router option in a DHCP lease. Be more aggressive about closing old arp file descriptors. Check the ARP headers to make sure that received ARP packets are addressed to our machine. Whatever bug may have existed before doesn't exist on modern Linux kernels, if it ever did. Use the stored gateway hardware address to validate a restored link in the DS_ARP_GW_CHECK state. If an ARP message is received while we are in a state that does not expect ARP messages, close the ARP socket and log a message.
2011-03-30 23:17:27 -04:00
.arp = "\0\0\0\0\0\0",
Support s6 service startup notification This can be enabled via the s6-notify configure option; see http://www.skarnet.org/software/s6/notifywhenup.html for details. ndhc will signal that it is ready when the first valid lease is obtained. Programs dependent on a working network interface can then simply use s6-wait on the associated ndhc service dir. A typical command line option assuming the s6 service directory notification-fd contains '3' would be '--s6-notify 3', and a typical configure file option would be 's6-notify 3'.
2022-02-12 16:31:39 -05:00
.s6_notify_fd = 3,
Make ndhc RFC6842-compliant. All this entails is that ndhc needs to check to make sure that if the remote server sends a dhcp packet with a client identifier, the client identifier of that packet matches the client identifier that ndhc uses to identify itself. If the remote server does not attach a client identifier to its dhcp packets, then the behavior of ndhc does not change.
2014-03-18 03:13:51 -04:00
.clientid_len = 0,
Add support for setting the metric for the default GW route.
2014-03-19 01:13:11 -04:00
.metric = 0,
Initial commit.
2010-11-12 04:02:18 -05:00
};
Stop using signalfd and audit signal handling code. There's really no advantage to using signalfd in ndhc, particularly since the normal POSIX signal API is now used for handling SIGCHLD in ndhc-master. So just use the tried and true volatile sig_atomic_t set and check approach. The only intended behavior change is in the dhcp RELEASE state -- before there would be a spurious attempt at renewing a nonexistent lease when the RENEW signal was received.
2020-10-20 04:23:55 -04:00
static volatile sig_atomic_t l_signal_exit;
static volatile sig_atomic_t l_signal_renew;
static volatile sig_atomic_t l_signal_release;
// Intended to be called in a loop until SIGNAL_NONE is returned.
int signals_flagged(void)
{
if (l_signal_exit) {
l_signal_exit = 0;
return SIGNAL_EXIT;
}
if (l_signal_renew) {
l_signal_renew = 0;
return SIGNAL_RENEW;
}
if (l_signal_release) {
l_signal_release = 0;
return SIGNAL_RELEASE;
}
return SIGNAL_NONE;
}
Speed up interface carrier checking. This is done by performing one synchronous query for carrier state at the start of the program; after that, we just monitor the nlsocket for carrier state changes and update the cached state accordingly. The benefit is that ifchd needs to do a lot less work and this should reduce the CPU cycle consumption; prior to this commit, the CPU time ends up being a few CPU-minutes per month.
2021-04-25 05:26:19 -04:00
bool carrier_isup(void) { return cs.carrier_up; }
Replace mostly obsolete -[static 1] with reliable old *-. This notation originally had the sole advantage of implying that the pointer was non-NULL, but it has seen little use and now clang presents warnings about it in certain contexts.
2022-01-11 22:35:19 -05:00
void set_client_addr(const char *v) { cs.clientAddr = inet_addr(v); }
Parse config options with ragel and support a configuration file.
2014-04-14 15:06:31 -04:00
void print_version(void)
{
printf("ndhc %s, dhcp client.\n", NDHC_VERSION);
Relicense as MIT. It's a lot more common than BSD 2-clause it is both compatible and nearly identical in effect.
2022-02-06 20:05:29 -05:00
printf("Copyright 2004-2022 Nicholas J. Kain\n\n"
"Permission is hereby granted, free of charge, to any person obtaining\n"
"a copy of this software and associated documentation files (the\n"
"\"Software\"), to deal in the Software without restriction, including\n"
"without limitation the rights to use, copy, modify, merge, publish,\n"
"distribute, sublicense, and/or sell copies of the Software, and to\n"
"permit persons to whom the Software is furnished to do so, subject to\n"
"the following conditions:\n\n"
"The above copyright notice and this permission notice shall be\n"
"included in all copies or substantial portions of the Software.\n\n"
"THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\n"
"EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\n"
"MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\n"
"NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\n"
"LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\n"
"OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\n"
"WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
);
Parse config options with ragel and support a configuration file.
2014-04-14 15:06:31 -04:00
exit(EXIT_SUCCESS);
}
void show_usage(void)
Initial commit.
2010-11-12 04:02:18 -05:00
{
Whitespace and indentation normalization.
2010-11-12 14:33:17 -05:00
printf(
Relicense as MIT. It's a lot more common than BSD 2-clause it is both compatible and nearly identical in effect.
2022-02-06 20:05:29 -05:00
"ndhc " NDHC_VERSION ", dhcp client.\n"
"Copyright 2004-2022 Nicholas J. Kain\n"
Initial commit.
2010-11-12 04:02:18 -05:00
"Usage: ndhc [OPTIONS]\n\n"
Parse config options with ragel and support a configuration file.
2014-04-14 15:06:31 -04:00
" -c, --config=FILE Path to ndhc configuration file\n"
" -I, --clientid=CLIENTID Client identifier\n"
Remove the -H alias for --hostname.
2011-07-05 11:14:35 -04:00
" -h, --hostname=HOSTNAME Client hostname\n"
Document the --vendorid and --leasefile options in --help.
2011-07-05 11:18:28 -04:00
" -V, --vendorid=VENDORID Client vendor identification string\n"
Initial commit.
2010-11-12 04:02:18 -05:00
" -i, --interface=INTERFACE Interface to use (default: eth0)\n"
" -n, --now Exit with failure if lease cannot be\n"
" immediately negotiated.\n"
" -r, --request=IP IP address to request (default: none)\n"
Don't depend on external ncmlib.
2020-10-20 06:44:31 -04:00
" -u, --user=USER ndhc runs as this user\n"
" -U, --ifch-user=USER ndhc-ifch runs as this user\n"
" -D, --sockd-user=USER ndhc-sockd runs as this user\n"
Document the --vendorid and --leasefile options in --help.
2011-07-05 11:18:28 -04:00
" -C, --chroot=DIR Chroot to this directory\n"
Update documentation and add '-s' switch to change the state directory.
2014-03-19 00:46:54 -04:00
" -s, --state-dir=DIR State storage dir (default: /etc/ndhc)\n"
Enable active defense of IP address / lease, as described in RFC5227.
2011-07-05 13:03:55 -04:00
" -d, --relentless-defense Never back off in defending IP against\n"
" conflicting hosts (servers only)\n"
Make the ARP-based lease address collision checks configurable in delay times and number of probes.
2013-02-09 00:30:19 -05:00
" -w, --arp-probe-wait Time to delay before first ARP probe\n"
" -W, --arp-probe-num Number of ARP probes before lease is ok\n"
" -m, --arp-probe-min Min ms to wait for ARP response\n"
" -M, --arp-probe-max Max ms to wait for ARP response\n"
Add support for setting the metric for the default GW route.
2014-03-19 01:13:11 -04:00
" -t, --gw-metric Route metric for default gw (default: 0)\n"
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
" -R, --resolve-conf=FILE Path to resolv.conf or equivalent\n"
Parse config options with ragel and support a configuration file.
2014-04-14 15:06:31 -04:00
" -H, --dhcp-set-hostname Allow DHCP to set machine hostname\n"
Initial commit.
2010-11-12 04:02:18 -05:00
" -v, --version Display version\n"
Whitespace and indentation normalization.
2010-11-12 14:33:17 -05:00
);
exit(EXIT_SUCCESS);
Initial commit.
2010-11-12 04:02:18 -05:00
}
Reliably force restart when a subprocess has a fatal error. Suppose a system call such as bind() fails in the sockd subprocess in request_sockd_fd(). sockd will suicide(). This will send a SIGCHLD to the master process, which the master process should respond to by calling suicide(), forcing a process supervisor to respawn the entire ndhc program. But, this doesn't reliably happen prior to this commit because of the interaction between request_sock_fd() and signalfd() [or equivalently self-pipe-trick] signal handling. request_sock_fd() makes ndhc-master synchronously wait for a response from sockd via safe_recvmsg(). The normal goto-like signal handling path is suppressed when using signalfd() , so when SIGCHLD is received, it will not be handled until io is dispatched for the signalfd or pipe. But such code will never be reached because ndhc-master is waiting in safe_recvmsg() and thus never polls signal fd status. So, revert to using traditional POSIX sigaction() for SIGCHLD, which provides exactly the required behavior for proper functioning.
2020-10-20 01:12:59 -04:00
static void signal_handler(int signo)
{
Preserve errno across signals.
2022-02-24 05:06:12 -05:00
int serrno = errno;
Reliably force restart when a subprocess has a fatal error. Suppose a system call such as bind() fails in the sockd subprocess in request_sockd_fd(). sockd will suicide(). This will send a SIGCHLD to the master process, which the master process should respond to by calling suicide(), forcing a process supervisor to respawn the entire ndhc program. But, this doesn't reliably happen prior to this commit because of the interaction between request_sock_fd() and signalfd() [or equivalently self-pipe-trick] signal handling. request_sock_fd() makes ndhc-master synchronously wait for a response from sockd via safe_recvmsg(). The normal goto-like signal handling path is suppressed when using signalfd() , so when SIGCHLD is received, it will not be handled until io is dispatched for the signalfd or pipe. But such code will never be reached because ndhc-master is waiting in safe_recvmsg() and thus never polls signal fd status. So, revert to using traditional POSIX sigaction() for SIGCHLD, which provides exactly the required behavior for proper functioning.
2020-10-20 01:12:59 -04:00
switch (signo) {
case SIGCHLD: {
Add a missing newline to an error message. I'm almost certain I remember adding this before, but I guess it somehow got lost.
2020-10-20 07:53:23 -04:00
static const char errstr[] = "ndhc-master: Subprocess terminated unexpectedly. Exiting.\n";
Reliably force restart when a subprocess has a fatal error. Suppose a system call such as bind() fails in the sockd subprocess in request_sockd_fd(). sockd will suicide(). This will send a SIGCHLD to the master process, which the master process should respond to by calling suicide(), forcing a process supervisor to respawn the entire ndhc program. But, this doesn't reliably happen prior to this commit because of the interaction between request_sock_fd() and signalfd() [or equivalently self-pipe-trick] signal handling. request_sock_fd() makes ndhc-master synchronously wait for a response from sockd via safe_recvmsg(). The normal goto-like signal handling path is suppressed when using signalfd() , so when SIGCHLD is received, it will not be handled until io is dispatched for the signalfd or pipe. But such code will never be reached because ndhc-master is waiting in safe_recvmsg() and thus never polls signal fd status. So, revert to using traditional POSIX sigaction() for SIGCHLD, which provides exactly the required behavior for proper functioning.
2020-10-20 01:12:59 -04:00
safe_write(STDOUT_FILENO, errstr, sizeof errstr - 1);
Minor signal handling fixes.
2020-10-21 09:49:22 -04:00
_exit(EXIT_FAILURE);
Reliably force restart when a subprocess has a fatal error. Suppose a system call such as bind() fails in the sockd subprocess in request_sockd_fd(). sockd will suicide(). This will send a SIGCHLD to the master process, which the master process should respond to by calling suicide(), forcing a process supervisor to respawn the entire ndhc program. But, this doesn't reliably happen prior to this commit because of the interaction between request_sock_fd() and signalfd() [or equivalently self-pipe-trick] signal handling. request_sock_fd() makes ndhc-master synchronously wait for a response from sockd via safe_recvmsg(). The normal goto-like signal handling path is suppressed when using signalfd() , so when SIGCHLD is received, it will not be handled until io is dispatched for the signalfd or pipe. But such code will never be reached because ndhc-master is waiting in safe_recvmsg() and thus never polls signal fd status. So, revert to using traditional POSIX sigaction() for SIGCHLD, which provides exactly the required behavior for proper functioning.
2020-10-20 01:12:59 -04:00
}
Stop using signalfd and audit signal handling code. There's really no advantage to using signalfd in ndhc, particularly since the normal POSIX signal API is now used for handling SIGCHLD in ndhc-master. So just use the tried and true volatile sig_atomic_t set and check approach. The only intended behavior change is in the dhcp RELEASE state -- before there would be a spurious attempt at renewing a nonexistent lease when the RENEW signal was received.
2020-10-20 04:23:55 -04:00
case SIGINT:
case SIGTERM: l_signal_exit = 1; break;
case SIGUSR1: l_signal_renew = 1; break;
case SIGUSR2: l_signal_release = 1; break;
default: break;
Reliably force restart when a subprocess has a fatal error. Suppose a system call such as bind() fails in the sockd subprocess in request_sockd_fd(). sockd will suicide(). This will send a SIGCHLD to the master process, which the master process should respond to by calling suicide(), forcing a process supervisor to respawn the entire ndhc program. But, this doesn't reliably happen prior to this commit because of the interaction between request_sock_fd() and signalfd() [or equivalently self-pipe-trick] signal handling. request_sock_fd() makes ndhc-master synchronously wait for a response from sockd via safe_recvmsg(). The normal goto-like signal handling path is suppressed when using signalfd() , so when SIGCHLD is received, it will not be handled until io is dispatched for the signalfd or pipe. But such code will never be reached because ndhc-master is waiting in safe_recvmsg() and thus never polls signal fd status. So, revert to using traditional POSIX sigaction() for SIGCHLD, which provides exactly the required behavior for proper functioning.
2020-10-20 01:12:59 -04:00
}
Preserve errno across signals.
2022-02-24 05:06:12 -05:00
errno = serrno;
Reliably force restart when a subprocess has a fatal error. Suppose a system call such as bind() fails in the sockd subprocess in request_sockd_fd(). sockd will suicide(). This will send a SIGCHLD to the master process, which the master process should respond to by calling suicide(), forcing a process supervisor to respawn the entire ndhc program. But, this doesn't reliably happen prior to this commit because of the interaction between request_sock_fd() and signalfd() [or equivalently self-pipe-trick] signal handling. request_sock_fd() makes ndhc-master synchronously wait for a response from sockd via safe_recvmsg(). The normal goto-like signal handling path is suppressed when using signalfd() , so when SIGCHLD is received, it will not be handled until io is dispatched for the signalfd or pipe. But such code will never be reached because ndhc-master is waiting in safe_recvmsg() and thus never polls signal fd status. So, revert to using traditional POSIX sigaction() for SIGCHLD, which provides exactly the required behavior for proper functioning.
2020-10-20 01:12:59 -04:00
}
Stop using signalfd and audit signal handling code. There's really no advantage to using signalfd in ndhc, particularly since the normal POSIX signal API is now used for handling SIGCHLD in ndhc-master. So just use the tried and true volatile sig_atomic_t set and check approach. The only intended behavior change is in the dhcp RELEASE state -- before there would be a spurious attempt at renewing a nonexistent lease when the RENEW signal was received.
2020-10-20 04:23:55 -04:00
void signal_exit(int status)
{
log_line("Received terminal signal. Exiting.");
exit(status);
}
Use a unified epoll_(add|del)(). Also, background() and setup_signals_ndhc() are moved from sys.c to ndhc.c. background() also no longer attempts to re-configure signals; signals are always set up on initial ndhc initialization.
2014-03-12 16:51:10 -04:00
static void setup_signals_ndhc(void)
{
Stop using signalfd and audit signal handling code. There's really no advantage to using signalfd in ndhc, particularly since the normal POSIX signal API is now used for handling SIGCHLD in ndhc-master. So just use the tried and true volatile sig_atomic_t set and check approach. The only intended behavior change is in the dhcp RELEASE state -- before there would be a spurious attempt at renewing a nonexistent lease when the RENEW signal was received.
2020-10-20 04:23:55 -04:00
static const int ss[] = {
SIGCHLD, SIGINT, SIGTERM, SIGUSR1, SIGUSR2, SIGKILL
};
Use a unified epoll_(add|del)(). Also, background() and setup_signals_ndhc() are moved from sys.c to ndhc.c. background() also no longer attempts to re-configure signals; signals are always set up on initial ndhc initialization.
2014-03-12 16:51:10 -04:00
sigset_t mask;
Reliably force restart when a subprocess has a fatal error. Suppose a system call such as bind() fails in the sockd subprocess in request_sockd_fd(). sockd will suicide(). This will send a SIGCHLD to the master process, which the master process should respond to by calling suicide(), forcing a process supervisor to respawn the entire ndhc program. But, this doesn't reliably happen prior to this commit because of the interaction between request_sock_fd() and signalfd() [or equivalently self-pipe-trick] signal handling. request_sock_fd() makes ndhc-master synchronously wait for a response from sockd via safe_recvmsg(). The normal goto-like signal handling path is suppressed when using signalfd() , so when SIGCHLD is received, it will not be handled until io is dispatched for the signalfd or pipe. But such code will never be reached because ndhc-master is waiting in safe_recvmsg() and thus never polls signal fd status. So, revert to using traditional POSIX sigaction() for SIGCHLD, which provides exactly the required behavior for proper functioning.
2020-10-20 01:12:59 -04:00
Stop using signalfd and audit signal handling code. There's really no advantage to using signalfd in ndhc, particularly since the normal POSIX signal API is now used for handling SIGCHLD in ndhc-master. So just use the tried and true volatile sig_atomic_t set and check approach. The only intended behavior change is in the dhcp RELEASE state -- before there would be a spurious attempt at renewing a nonexistent lease when the RENEW signal was received.
2020-10-20 04:23:55 -04:00
if (sigprocmask(0, 0, &mask) < 0)
Reliably force restart when a subprocess has a fatal error. Suppose a system call such as bind() fails in the sockd subprocess in request_sockd_fd(). sockd will suicide(). This will send a SIGCHLD to the master process, which the master process should respond to by calling suicide(), forcing a process supervisor to respawn the entire ndhc program. But, this doesn't reliably happen prior to this commit because of the interaction between request_sock_fd() and signalfd() [or equivalently self-pipe-trick] signal handling. request_sock_fd() makes ndhc-master synchronously wait for a response from sockd via safe_recvmsg(). The normal goto-like signal handling path is suppressed when using signalfd() , so when SIGCHLD is received, it will not be handled until io is dispatched for the signalfd or pipe. But such code will never be reached because ndhc-master is waiting in safe_recvmsg() and thus never polls signal fd status. So, revert to using traditional POSIX sigaction() for SIGCHLD, which provides exactly the required behavior for proper functioning.
2020-10-20 01:12:59 -04:00
suicide("sigprocmask failed");
Stop using signalfd and audit signal handling code. There's really no advantage to using signalfd in ndhc, particularly since the normal POSIX signal API is now used for handling SIGCHLD in ndhc-master. So just use the tried and true volatile sig_atomic_t set and check approach. The only intended behavior change is in the dhcp RELEASE state -- before there would be a spurious attempt at renewing a nonexistent lease when the RENEW signal was received.
2020-10-20 04:23:55 -04:00
for (int i = 0; ss[i] != SIGKILL; ++i)
if (sigdelset(&mask, ss[i]))
suicide("sigdelset failed");
if (sigaddset(&mask, SIGPIPE))
suicide("sigaddset failed");
if (sigprocmask(SIG_SETMASK, &mask, (sigset_t *)0) < 0)
suicide("sigprocmask failed");
Reliably force restart when a subprocess has a fatal error. Suppose a system call such as bind() fails in the sockd subprocess in request_sockd_fd(). sockd will suicide(). This will send a SIGCHLD to the master process, which the master process should respond to by calling suicide(), forcing a process supervisor to respawn the entire ndhc program. But, this doesn't reliably happen prior to this commit because of the interaction between request_sock_fd() and signalfd() [or equivalently self-pipe-trick] signal handling. request_sock_fd() makes ndhc-master synchronously wait for a response from sockd via safe_recvmsg(). The normal goto-like signal handling path is suppressed when using signalfd() , so when SIGCHLD is received, it will not be handled until io is dispatched for the signalfd or pipe. But such code will never be reached because ndhc-master is waiting in safe_recvmsg() and thus never polls signal fd status. So, revert to using traditional POSIX sigaction() for SIGCHLD, which provides exactly the required behavior for proper functioning.
2020-10-20 01:12:59 -04:00
struct sigaction sa = {
.sa_handler = signal_handler,
.sa_flags = SA_RESTART,
};
Stop using signalfd and audit signal handling code. There's really no advantage to using signalfd in ndhc, particularly since the normal POSIX signal API is now used for handling SIGCHLD in ndhc-master. So just use the tried and true volatile sig_atomic_t set and check approach. The only intended behavior change is in the dhcp RELEASE state -- before there would be a spurious attempt at renewing a nonexistent lease when the RENEW signal was received.
2020-10-20 04:23:55 -04:00
if (sigemptyset(&sa.sa_mask))
suicide("sigemptyset failed");
for (int i = 0; ss[i] != SIGKILL; ++i)
if (sigaction(ss[i], &sa, NULL))
suicide("sigaction failed");
Use signalfd() in ndhc.
2010-12-01 12:35:13 -05:00
}
Replace mostly obsolete -[static 1] with reliable old *-. This notation originally had the sole advantage of implying that the pointer was non-NULL, but it has seen little use and now clang presents warnings about it in certain contexts.
2022-01-11 22:35:19 -05:00
static int is_string_hwaddr(const char *str, size_t slen)
Add clientid-mac option for sending a MAC address as a client identifier other than our own.
2011-07-03 05:36:47 -04:00
{
Autodetect if the clientid parameter is a valid mac address and treat it accordingly. Don't require an explicit parameter for it.
2011-07-03 05:45:05 -04:00
if (slen == 17 && str[2] == ':' && str[5] == ':' && str[8] == ':' &&
str[11] == ':' && str[14] == ':' &&
Add clientid-mac option for sending a MAC address as a client identifier other than our own.
2011-07-03 05:36:47 -04:00
isxdigit(str[0]) && isxdigit(str[1]) && isxdigit(str[3]) &&
isxdigit(str[4]) && isxdigit(str[6]) && isxdigit(str[7]) &&
isxdigit(str[9]) && isxdigit(str[10]) && isxdigit(str[12]) &&
Autodetect if the clientid parameter is a valid mac address and treat it accordingly. Don't require an explicit parameter for it.
2011-07-03 05:45:05 -04:00
isxdigit(str[13]) && isxdigit(str[15]) && isxdigit(str[16])
)
Add clientid-mac option for sending a MAC address as a client identifier other than our own.
2011-07-03 05:36:47 -04:00
return 1;
return 0;
}
Replace mostly obsolete -[static 1] with reliable old *-. This notation originally had the sole advantage of implying that the pointer was non-NULL, but it has seen little use and now clang presents warnings about it in certain contexts.
2022-01-11 22:35:19 -05:00
int get_clientid_string(const char *str, size_t slen)
Autodetect if the clientid parameter is a valid mac address and treat it accordingly. Don't require an explicit parameter for it.
2011-07-03 05:45:05 -04:00
{
Make ndhc RFC6842-compliant. All this entails is that ndhc needs to check to make sure that if the remote server sends a dhcp packet with a client identifier, the client identifier of that packet matches the client identifier that ndhc uses to identify itself. If the remote server does not attach a client identifier to its dhcp packets, then the behavior of ndhc does not change.
2014-03-18 03:13:51 -04:00
if (!slen)
return -1;
if (!is_string_hwaddr(str, slen)) {
client_config.clientid[0] = 0;
Fix stupid typo in ndhc.c that would cause the clientid option to corrupt the start of the hostname option if both were specified.
2014-04-15 14:55:50 -04:00
memcpy(client_config.clientid + 1, str,
Make ndhc RFC6842-compliant. All this entails is that ndhc needs to check to make sure that if the remote server sends a dhcp packet with a client identifier, the client identifier of that packet matches the client identifier that ndhc uses to identify itself. If the remote server does not attach a client identifier to its dhcp packets, then the behavior of ndhc does not change.
2014-03-18 03:13:51 -04:00
min_size_t(slen, sizeof client_config.clientid - 1));
client_config.clientid_len = slen + 1;
Autodetect if the clientid parameter is a valid mac address and treat it accordingly. Don't require an explicit parameter for it.
2011-07-03 05:45:05 -04:00
return 0;
Make ndhc RFC6842-compliant. All this entails is that ndhc needs to check to make sure that if the remote server sends a dhcp packet with a client identifier, the client identifier of that packet matches the client identifier that ndhc uses to identify itself. If the remote server does not attach a client identifier to its dhcp packets, then the behavior of ndhc does not change.
2014-03-18 03:13:51 -04:00
}
uint8_t mac[6];
for (size_t i = 0; i < sizeof mac; ++i)
Quit using NULL macro.
2018-10-26 07:17:39 -04:00
mac[i] = strtol(str+i*3, (char **)0, 16);
Make ndhc RFC6842-compliant. All this entails is that ndhc needs to check to make sure that if the remote server sends a dhcp packet with a client identifier, the client identifier of that packet matches the client identifier that ndhc uses to identify itself. If the remote server does not attach a client identifier to its dhcp packets, then the behavior of ndhc does not change.
2014-03-18 03:13:51 -04:00
client_config.clientid[0] = 1; // Ethernet MAC type
Fix stupid typo in ndhc.c that would cause the clientid option to corrupt the start of the hostname option if both were specified.
2014-04-15 14:55:50 -04:00
memcpy(client_config.clientid + 1, mac,
min_size_t(sizeof mac, sizeof client_config.clientid - 1));
Make ndhc RFC6842-compliant. All this entails is that ndhc needs to check to make sure that if the remote server sends a dhcp packet with a client identifier, the client identifier of that packet matches the client identifier that ndhc uses to identify itself. If the remote server does not attach a client identifier to its dhcp packets, then the behavior of ndhc does not change.
2014-03-18 03:13:51 -04:00
client_config.clientid_len = 7;
Autodetect if the clientid parameter is a valid mac address and treat it accordingly. Don't require an explicit parameter for it.
2011-07-03 05:45:05 -04:00
return 1;
}
Store the leasefile in the state directory by default, since a state directory is now the normal mode of operation because of RFC4361.
2014-03-19 04:12:24 -04:00
static void fail_if_state_dir_dne(void)
{
Convert logging messages to suicide() where appropriate and clean up the logging messages a bit.
2014-03-30 17:21:27 -04:00
if (strlen(state_dir) == 0)
suicide("state_dir path is empty; it must be specified");
Store the leasefile in the state directory by default, since a state directory is now the normal mode of operation because of RFC4361.
2014-03-19 04:12:24 -04:00
struct stat st;
Convert logging messages to suicide() where appropriate and clean up the logging messages a bit.
2014-03-30 17:21:27 -04:00
if (stat(state_dir, &st) < 0)
suicide("failed to stat state_dir path '%s': %s",
state_dir, strerror(errno));
if (!S_ISDIR(st.st_mode))
suicide("state_dir path '%s' does not specify a directory", state_dir);
Store the leasefile in the state directory by default, since a state directory is now the normal mode of operation because of RFC4361.
2014-03-19 04:12:24 -04:00
}
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
static void do_ndhc_work(void)
Use signalfd() in ndhc.
2010-12-01 12:35:13 -05:00
{
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
static bool rfkill_set; // Is the rfkill switch set?
Remove ifsPrevState and set non-infinite timeout on a send error. We instead check carrier status as needed. This approach is more robust. For a simple example, imagine link state changes that happen while the machine is suspended.
2017-01-12 06:05:00 -05:00
static bool rfkill_nl_carrier_wentup; // iface carrier changed to up during rfkill
Separate event state gathering from action dispatch in main epoll loop. This is the first step towards using coroutines.
2015-02-15 06:38:03 -05:00
struct dhcpmsg dhcp_packet;
Track pending events in time by using absolute times rather than relative timeouts.
2011-07-11 11:31:27 -04:00
long long nowts;
Add a failsafe to prevent epoll busy-spin.
2015-05-27 12:23:16 -04:00
int timeout = 0;
bool had_event;
Whitespace and indentation normalization.
2010-11-12 14:33:17 -05:00
Use a unified epoll_(add|del)(). Also, background() and setup_signals_ndhc() are moved from sys.c to ndhc.c. background() also no longer attempts to re-configure signals; signals are always set up on initial ndhc initialization.
2014-03-12 16:51:10 -04:00
setup_signals_ndhc();
Fix the dhcp state bootstrapping when rfkill is set #3.
2015-02-13 19:08:50 -05:00
start_dhcp_listen(&cs);
Whitespace and indentation normalization.
2010-11-12 14:33:17 -05:00
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
struct pollfd pfds[6] = {0};
pfds[0].fd = cs.nlFd;
pfds[0].events = POLLIN|POLLHUP|POLLERR|POLLRDHUP;
pfds[1].fd = ifchStream[0];
pfds[1].events = POLLHUP|POLLERR|POLLRDHUP;
pfds[2].fd = sockdStream[0];
pfds[2].events = POLLHUP|POLLERR|POLLRDHUP;
pfds[3].fd = cs.rfkillFd;
pfds[3].events = POLLIN|POLLHUP|POLLERR|POLLRDHUP;
// These can change on the fly.
pfds[4].events = POLLIN|POLLHUP|POLLERR|POLLRDHUP;
pfds[5].events = POLLIN|POLLHUP|POLLERR|POLLRDHUP;
Use epoll() in ndhc.
2010-12-01 13:11:09 -05:00
for (;;) {
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
pfds[4].fd = cs.arpFd;
pfds[5].fd = cs.listenFd;
Add a failsafe to prevent epoll busy-spin.
2015-05-27 12:23:16 -04:00
had_event = false;
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
if (poll(pfds, 6, timeout) < 0) {
Check and clear events from poll() even if interrupted by signal.
2020-11-06 18:32:38 -05:00
if (errno != EINTR) suicide("poll failed");
Use epoll() in ndhc.
2010-12-01 13:11:09 -05:00
}
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
Fix the return values of dhcp_packet_get and arp_packet_get. This corrects a bug where stale dhcp packets would get reprocessed, causing very bad behavior; an issue that was introduced in the coroutine conversion.
2015-02-18 11:02:13 -05:00
bool sev_dhcp = false;
Move action dispatch out of main epoll loop.
2015-02-15 06:48:49 -05:00
uint32_t dhcp_srcaddr;
uint8_t dhcp_msgtype;
Fix the return values of dhcp_packet_get and arp_packet_get. This corrects a bug where stale dhcp packets would get reprocessed, causing very bad behavior; an issue that was introduced in the coroutine conversion.
2015-02-18 11:02:13 -05:00
bool sev_arp = false;
Move action dispatch out of main epoll loop.
2015-02-15 06:48:49 -05:00
int sev_nl = IFS_NONE;
int sev_rfk = RFK_NONE;
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
bool force_fingerprint = false;
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
if (pfds[0].revents & POLLIN) {
had_event = true;
sev_nl = nl_event_get(&cs);
Guard against carrier being spuriously set down. Corrects a possible regression introduced by the previous patch.
2022-01-11 22:16:44 -05:00
if (!cs.carrier_up)
cs.carrier_up = (sev_nl == IFS_UP);
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
}
if (pfds[0].revents & (POLLHUP|POLLERR|POLLRDHUP)) {
suicide("nlfd closed unexpectedly");
}
if (pfds[1].revents & (POLLHUP|POLLERR|POLLRDHUP)) {
exit(EXIT_FAILURE);
}
if (pfds[2].revents & (POLLHUP|POLLERR|POLLRDHUP)) {
exit(EXIT_FAILURE);
}
if (pfds[3].revents & POLLIN) {
Add a failsafe to prevent epoll busy-spin.
2015-05-27 12:23:16 -04:00
had_event = true;
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
sev_rfk = rfkill_get(&cs, 1, client_config.rfkillIdx);
}
if (pfds[3].revents & (POLLHUP|POLLERR|POLLRDHUP)) {
suicide("rfkillfd closed unexpectedly");
}
if (pfds[4].revents & POLLIN) {
had_event = true;
// Make sure the fd is still the same.
if (pfds[4].fd == cs.arpFd)
sev_arp = arp_packet_get(&cs);
}
if (pfds[4].revents & (POLLHUP|POLLERR|POLLRDHUP)) {
suicide("arpfd closed unexpectedly");
}
if (pfds[5].revents & POLLIN) {
had_event = true;
// Make sure the fd is still the same.
if (pfds[5].fd == cs.listenFd)
Move action dispatch out of main epoll loop.
2015-02-15 06:48:49 -05:00
sev_dhcp = dhcp_packet_get(&cs, &dhcp_packet, &dhcp_msgtype,
&dhcp_srcaddr);
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
}
if (pfds[5].revents & (POLLHUP|POLLERR|POLLRDHUP)) {
suicide("listenfd closed unexpectedly");
Remove ifsPrevState and set non-infinite timeout on a send error. We instead check carrier status as needed. This approach is more robust. For a simple example, imagine link state changes that happen while the machine is suspended.
2017-01-12 06:05:00 -05:00
}
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
Remove ifsPrevState and set non-infinite timeout on a send error. We instead check carrier status as needed. This approach is more robust. For a simple example, imagine link state changes that happen while the machine is suspended.
2017-01-12 06:05:00 -05:00
if (sev_rfk == RFK_ENABLED) {
rfkill_set = 1;
rfkill_nl_carrier_wentup = false;
log_line("rfkill: radio now blocked");
} else if (sev_rfk == RFK_DISABLED) {
rfkill_set = 0;
log_line("rfkill: radio now unblocked");
When rfkill is disabled, resync the carrier state to be safe. This change guards against possible regressions introduced by f3766990f99ccaacb5d676cb59c9133e56d0ed6d if rfkill were to prevent netlink carrier up events from being delivered while rfkill is in effect for the interface.
2022-03-07 13:59:52 -05:00
cs.carrier_up = ifchange_carrier_isup();
Remove ifsPrevState and set non-infinite timeout on a send error. We instead check carrier status as needed. This approach is more robust. For a simple example, imagine link state changes that happen while the machine is suspended.
2017-01-12 06:05:00 -05:00
if (rfkill_nl_carrier_wentup && carrier_isup()) {
// We might have changed networks while the radio was down.
force_fingerprint = true;
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
}
}
Remove ifsPrevState and set non-infinite timeout on a send error. We instead check carrier status as needed. This approach is more robust. For a simple example, imagine link state changes that happen while the machine is suspended.
2017-01-12 06:05:00 -05:00
if (sev_nl != IFS_NONE && nl_event_carrier_wentup(sev_nl)) {
if (!rfkill_set)
force_fingerprint = true;
else
rfkill_nl_carrier_wentup = true;
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
}
Remove ifsPrevState and set non-infinite timeout on a send error. We instead check carrier status as needed. This approach is more robust. For a simple example, imagine link state changes that happen while the machine is suspended.
2017-01-12 06:05:00 -05:00
if (rfkill_set || !carrier_isup()) {
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
// We can't do anything while the iface is disabled, anyway.
Remove ifsPrevState and set non-infinite timeout on a send error. We instead check carrier status as needed. This approach is more robust. For a simple example, imagine link state changes that happen while the machine is suspended.
2017-01-12 06:05:00 -05:00
// Suspend might cause link state change notifications to be
// missed, so we use a non-infinite timeout.
Compile cleanly with -Wsign-conversion. I didn't notice anything that worried me.
2018-02-09 02:39:46 -05:00
timeout = 2000 + (int)(nk_random_u32(&cs.rnd_state) % 3000);
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
continue;
Whitespace and indentation normalization.
2010-11-12 14:33:17 -05:00
}
timeout values now have millisecond precision.
2010-12-02 00:15:03 -05:00
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
// These two can change on the fly; make sure the event is current.
if (pfds[4].fd != cs.arpFd) sev_arp = false;
if (pfds[5].fd != cs.listenFd) sev_dhcp = false;
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
nowts = curms();
long long arp_wake_ts = arp_get_wake_ts();
int dhcp_ok = dhcp_handle(&cs, nowts, sev_dhcp, &dhcp_packet,
dhcp_msgtype, dhcp_srcaddr,
sev_arp, force_fingerprint,
cs.dhcp_wake_ts <= nowts,
Stop using signalfd and audit signal handling code. There's really no advantage to using signalfd in ndhc, particularly since the normal POSIX signal API is now used for handling SIGCHLD in ndhc-master. So just use the tried and true volatile sig_atomic_t set and check approach. The only intended behavior change is in the dhcp RELEASE state -- before there would be a spurious attempt at renewing a nonexistent lease when the RENEW signal was received.
2020-10-20 04:23:55 -04:00
arp_wake_ts <= nowts);
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
if (dhcp_ok == COR_ERROR) {
Compile cleanly with -Wsign-conversion. I didn't notice anything that worried me.
2018-02-09 02:39:46 -05:00
timeout = 2000 + (int)(nk_random_u32(&cs.rnd_state) % 3000);
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
continue;
Move action dispatch out of main epoll loop.
2015-02-15 06:48:49 -05:00
}
Add a failsafe to prevent epoll busy-spin.
2015-05-27 12:23:16 -04:00
int prev_timeout = timeout;
Fix an overflow that can cause spuriously short epoll timeouts. Lease times and arp timeouts are all calculated using long long, but epoll takes its timeout argument as an int. Guard against timeouts > INT_MAX but < UINT_MAX wrapping and causing spuriously short timeouts when converted to a signed int. This problem has been observed in the wild. Thanks to thypon for a detailed strace that pointed me towards this issue.
2015-05-27 12:58:42 -04:00
long long tt;
Add a failsafe to prevent epoll busy-spin.
2015-05-27 12:23:16 -04:00
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
arp_wake_ts = arp_get_wake_ts();
Add a failsafe to prevent epoll busy-spin.
2015-05-27 12:23:16 -04:00
if (arp_wake_ts < 0 && cs.dhcp_wake_ts < 0) {
timeout = -1;
continue;
} else if (arp_wake_ts < 0) {
Fix an overflow that can cause spuriously short epoll timeouts. Lease times and arp timeouts are all calculated using long long, but epoll takes its timeout argument as an int. Guard against timeouts > INT_MAX but < UINT_MAX wrapping and causing spuriously short timeouts when converted to a signed int. This problem has been observed in the wild. Thanks to thypon for a detailed strace that pointed me towards this issue.
2015-05-27 12:58:42 -04:00
tt = cs.dhcp_wake_ts - nowts;
Add a failsafe to prevent epoll busy-spin.
2015-05-27 12:23:16 -04:00
} else if (cs.dhcp_wake_ts < 0) {
Fix an overflow that can cause spuriously short epoll timeouts. Lease times and arp timeouts are all calculated using long long, but epoll takes its timeout argument as an int. Guard against timeouts > INT_MAX but < UINT_MAX wrapping and causing spuriously short timeouts when converted to a signed int. This problem has been observed in the wild. Thanks to thypon for a detailed strace that pointed me towards this issue.
2015-05-27 12:58:42 -04:00
tt = arp_wake_ts - nowts;
Use a coroutine instead of several callback state machines. This change makes it much easier to reason about ndhc's behavior and properly handle errors. It is a very large changeset, but there is no way to make this sort of change incrementally. Lease acquisition is tested to work. It is highly likely that some bugs were both introduced and squashed here. Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
} else {
Fix an overflow that can cause spuriously short epoll timeouts. Lease times and arp timeouts are all calculated using long long, but epoll takes its timeout argument as an int. Guard against timeouts > INT_MAX but < UINT_MAX wrapping and causing spuriously short timeouts when converted to a signed int. This problem has been observed in the wild. Thanks to thypon for a detailed strace that pointed me towards this issue.
2015-05-27 12:58:42 -04:00
tt = (arp_wake_ts < cs.dhcp_wake_ts ?
arp_wake_ts : cs.dhcp_wake_ts) - nowts;
Async arp ping now works properly: arp_success() should be called on timeout Timeout delta now properly uses signed operators. listenFd properly initialized to -1.
2010-12-23 11:34:57 -05:00
}
Fix an overflow that can cause spuriously short epoll timeouts. Lease times and arp timeouts are all calculated using long long, but epoll takes its timeout argument as an int. Guard against timeouts > INT_MAX but < UINT_MAX wrapping and causing spuriously short timeouts when converted to a signed int. This problem has been observed in the wild. Thanks to thypon for a detailed strace that pointed me towards this issue.
2015-05-27 12:58:42 -04:00
if (tt > INT_MAX) tt = INT_MAX;
When converting timeout from ll to int, also guard against underflow.
2015-05-27 15:00:02 -04:00
if (tt < INT_MIN) tt = INT_MIN;
Fix an overflow that can cause spuriously short epoll timeouts. Lease times and arp timeouts are all calculated using long long, but epoll takes its timeout argument as an int. Guard against timeouts > INT_MAX but < UINT_MAX wrapping and causing spuriously short timeouts when converted to a signed int. This problem has been observed in the wild. Thanks to thypon for a detailed strace that pointed me towards this issue.
2015-05-27 12:58:42 -04:00
timeout = tt;
Add a failsafe to prevent epoll busy-spin.
2015-05-27 12:23:16 -04:00
if (timeout < 0)
timeout = 0;
// Failsafe to prevent busy-spin.
Failsafe should only trigger is the new timeout is also zero. This is what I get for rushing!
2015-05-27 12:35:16 -04:00
if (timeout == 0 && prev_timeout == 0 && !had_event)
Fix dumb mistake in patch before last; epoll timeout is in ms, not s.
2015-05-27 12:29:46 -04:00
timeout = 10000;
Whitespace and indentation normalization.
2010-11-12 14:33:17 -05:00
}
Initial commit.
2010-11-12 04:02:18 -05:00
}
Update to latest ncmlib changes.
2014-03-30 17:02:48 -04:00
char state_dir[PATH_MAX] = "/etc/ndhc";
char chroot_dir[PATH_MAX] = "";
char resolv_conf_d[PATH_MAX] = "";
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 00:52:26 -05:00
char script_file[PATH_MAX] = "";
Parse config options with ragel and support a configuration file.
2014-04-14 15:06:31 -04:00
uid_t ndhc_uid = 0;
gid_t ndhc_gid = 0;
Use a socketpair rather than a pair of pipes for communication between ndhc and ifch, similar to sockd. A single pipe is also maintained so that SIGPIPE can bound the lifetime of an orphaned ifch process.
2014-04-07 03:44:02 -04:00
int ifchSock[2];
PR_SET_PDEATHSIG is not fully reliable, so instead maintain a pair of AF_UNIX SOCK_STREAM sockets between the master processes and each subprocess, and poll for the HUP event. At the same time, be specific about the events that are checked in epoll when dispatching on an event.
2014-04-15 23:19:24 -04:00
int ifchStream[2];
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 00:52:26 -05:00
int sockdSock[2];
PR_SET_PDEATHSIG is not fully reliable, so instead maintain a pair of AF_UNIX SOCK_STREAM sockets between the master processes and each subprocess, and poll for the HUP event. At the same time, be specific about the events that are checked in epoll when dispatching on an event.
2014-04-15 23:19:24 -04:00
int sockdStream[2];
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 00:52:26 -05:00
int scriptdSock[2];
int scriptdStream[2];
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
Bound the subprocess lifetime using prctl(PR_SET_PDEATHSIG, ...). The pipes wouldn't do this job anymore because they were unused and thus never performed writes that would generate SIGPIPEs, so the pipes are removed, too.
2014-04-15 18:01:01 -04:00
static void create_ifch_ipc_sockets(void) {
Use a socketpair rather than a pair of pipes for communication between ndhc and ifch, similar to sockd. A single pipe is also maintained so that SIGPIPE can bound the lifetime of an orphaned ifch process.
2014-04-07 03:44:02 -04:00
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, ifchSock) < 0)
suicide("FATAL - can't create ndhc/ifch socket: %s", strerror(errno));
PR_SET_PDEATHSIG is not fully reliable, so instead maintain a pair of AF_UNIX SOCK_STREAM sockets between the master processes and each subprocess, and poll for the HUP event. At the same time, be specific about the events that are checked in epoll when dispatching on an event.
2014-04-15 23:19:24 -04:00
if (socketpair(AF_UNIX, SOCK_STREAM, 0, ifchStream) < 0)
suicide("FATAL - can't create ndhc/ifch socket: %s", strerror(errno));
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
}
Bound the subprocess lifetime using prctl(PR_SET_PDEATHSIG, ...). The pipes wouldn't do this job anymore because they were unused and thus never performed writes that would generate SIGPIPEs, so the pipes are removed, too.
2014-04-15 18:01:01 -04:00
static void create_sockd_ipc_sockets(void) {
Switch to using a socket for ndhc/sockd IPC so that fd passing works.
2014-04-05 05:25:56 -04:00
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sockdSock) < 0)
suicide("FATAL - can't create ndhc/sockd socket: %s", strerror(errno));
PR_SET_PDEATHSIG is not fully reliable, so instead maintain a pair of AF_UNIX SOCK_STREAM sockets between the master processes and each subprocess, and poll for the HUP event. At the same time, be specific about the events that are checked in epoll when dispatching on an event.
2014-04-15 23:19:24 -04:00
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockdStream) < 0)
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 00:52:26 -05:00
suicide("FATAL - can't create ndhc/sockd socket: %s", strerror(errno));
}
static void create_scriptd_ipc_sockets(void) {
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, scriptdSock) < 0)
suicide("FATAL - can't create ndhc/scriptd socket: %s", strerror(errno));
if (socketpair(AF_UNIX, SOCK_STREAM, 0, scriptdStream) < 0)
suicide("FATAL - can't create ndhc/scriptd socket: %s", strerror(errno));
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
}
static void spawn_ifch(void)
{
Bound the subprocess lifetime using prctl(PR_SET_PDEATHSIG, ...). The pipes wouldn't do this job anymore because they were unused and thus never performed writes that would generate SIGPIPEs, so the pipes are removed, too.
2014-04-15 18:01:01 -04:00
create_ifch_ipc_sockets();
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
pid_t ifch_pid = fork();
if (ifch_pid == 0) {
Use a socketpair rather than a pair of pipes for communication between ndhc and ifch, similar to sockd. A single pipe is also maintained so that SIGPIPE can bound the lifetime of an orphaned ifch process.
2014-04-07 03:44:02 -04:00
close(ifchSock[0]);
PR_SET_PDEATHSIG is not fully reliable, so instead maintain a pair of AF_UNIX SOCK_STREAM sockets between the master processes and each subprocess, and poll for the HUP event. At the same time, be specific about the events that are checked in epoll when dispatching on an event.
2014-04-15 23:19:24 -04:00
close(ifchStream[0]);
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
// Don't share the RNG state with the master process.
Update to the new ncmlib random API.
2017-08-24 02:36:31 -04:00
nk_random_init(&cs.rnd_state);
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
ifch_main();
} else if (ifch_pid > 0) {
Use a socketpair rather than a pair of pipes for communication between ndhc and ifch, similar to sockd. A single pipe is also maintained so that SIGPIPE can bound the lifetime of an orphaned ifch process.
2014-04-07 03:44:02 -04:00
close(ifchSock[1]);
PR_SET_PDEATHSIG is not fully reliable, so instead maintain a pair of AF_UNIX SOCK_STREAM sockets between the master processes and each subprocess, and poll for the HUP event. At the same time, be specific about the events that are checked in epoll when dispatching on an event.
2014-04-15 23:19:24 -04:00
close(ifchStream[1]);
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
} else
suicide("failed to fork ndhc-ifch: %s", strerror(errno));
}
static void spawn_sockd(void)
{
Bound the subprocess lifetime using prctl(PR_SET_PDEATHSIG, ...). The pipes wouldn't do this job anymore because they were unused and thus never performed writes that would generate SIGPIPEs, so the pipes are removed, too.
2014-04-15 18:01:01 -04:00
create_sockd_ipc_sockets();
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
pid_t sockd_pid = fork();
if (sockd_pid == 0) {
Switch to using a socket for ndhc/sockd IPC so that fd passing works.
2014-04-05 05:25:56 -04:00
close(sockdSock[0]);
PR_SET_PDEATHSIG is not fully reliable, so instead maintain a pair of AF_UNIX SOCK_STREAM sockets between the master processes and each subprocess, and poll for the HUP event. At the same time, be specific about the events that are checked in epoll when dispatching on an event.
2014-04-15 23:19:24 -04:00
close(sockdStream[0]);
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
// Don't share the RNG state with the master process.
Update to the new ncmlib random API.
2017-08-24 02:36:31 -04:00
nk_random_init(&cs.rnd_state);
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
sockd_main();
} else if (sockd_pid > 0) {
Switch to using a socket for ndhc/sockd IPC so that fd passing works.
2014-04-05 05:25:56 -04:00
close(sockdSock[1]);
PR_SET_PDEATHSIG is not fully reliable, so instead maintain a pair of AF_UNIX SOCK_STREAM sockets between the master processes and each subprocess, and poll for the HUP event. At the same time, be specific about the events that are checked in epoll when dispatching on an event.
2014-04-15 23:19:24 -04:00
close(sockdStream[1]);
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
} else
suicide("failed to fork ndhc-sockd: %s", strerror(errno));
}
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 00:52:26 -05:00
static void spawn_scriptd(void)
{
valid_script_file = access(script_file, R_OK | X_OK) == 0;
if (!valid_script_file) return;
log_line("Found script file: '%s'", script_file);
create_scriptd_ipc_sockets();
pid_t scriptd_pid = fork();
if (scriptd_pid == 0) {
close(scriptdSock[0]);
close(scriptdStream[0]);
// Don't share the RNG state with the master process.
nk_random_init(&cs.rnd_state);
scriptd_main();
} else if (scriptd_pid > 0) {
close(scriptdSock[1]);
close(scriptdStream[1]);
} else
suicide("failed to fork ndhc-scriptd: %s", strerror(errno));
}
Silence the last few new warnings.
2014-03-10 23:00:57 -04:00
static void ndhc_main(void) {
Change the thread name of the various ndhc processes so that they can be identified via ps/top.
2014-03-10 14:44:12 -04:00
prctl(PR_SET_NAME, "ndhc: master");
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
log_line("ndhc client " NDHC_VERSION " started on interface [%s].",
client_config.interface);
Convert logging messages to suicide() where appropriate and clean up the logging messages a bit.
2014-03-30 17:21:27 -04:00
if ((cs.nlFd = nl_open(NETLINK_ROUTE, RTMGRP_LINK, &cs.nlPortId)) < 0)
suicide("%s: failed to open netlink socket", __func__);
Netlink is pickier than the ioctl interfaces and requires the link to manually be set to an 'up' state before much of anything can be changed. Ensure that this is done very early in ndhc's lifetime, and record the link status at startup time so that the hardware link status monitoring will not get confused. A perform_ifup() function is added to faciliate this need. Handle nl_getifdata() and get_if_index_and_mac() separately from the hardware link status monitoring; don't call get_if_index_and_mac() from nl_process_msgs(). Create the permanent ndhc-master cs.nlFd socket for hardware link status monitoring after forking subprocesses.
2014-03-17 05:56:30 -04:00
rfkill: Add support for reacting to radio kill switch events. In order for this to work, the correct rfkill index must be specified with the rfkill-idx option. It might be possible to auto-detect the corresponding rfkill-idx option, but I'm not sure if there's a guaranteed mapping between rfkill name and interface name, as it seems that rfkills should represent phy devices and not wlan devices. The rfkill indexes can be found by checking /sys/class/rfkill/rfkill<IDX>.
2015-02-13 16:25:36 -05:00
cs.rfkillFd = rfkill_open(&client_config.enable_rfkill);
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
open_leasefile();
Update to latest ncmlib changes.
2014-03-30 17:02:48 -04:00
nk_set_chroot(chroot_dir);
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
memset(chroot_dir, '\0', sizeof chroot_dir);
Quit using NULL macro.
2018-10-26 07:17:39 -04:00
nk_set_uidgid(ndhc_uid, ndhc_gid, (const unsigned char *)0, 0);
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
Speed up interface carrier checking. This is done by performing one synchronous query for carrier state at the start of the program; after that, we just monitor the nlsocket for carrier state changes and update the cached state accordingly. The benefit is that ifchd needs to do a lot less work and this should reduce the CPU cycle consumption; prior to this commit, the CPU time ends up being a few CPU-minutes per month.
2021-04-25 05:26:19 -04:00
cs.carrier_up = ifchange_carrier_isup();
Remove ifsPrevState and set non-infinite timeout on a send error. We instead check carrier status as needed. This approach is more robust. For a simple example, imagine link state changes that happen while the machine is suspended.
2017-01-12 06:05:00 -05:00
if (!carrier_isup()) {
If ifchd interactions fail, terminate. Ideally we would pause and resume state, but for now just bail out. If ndhc is process-supervised, it will recover to the proper state quickly.
2015-02-14 20:47:14 -05:00
if (ifchange_deconfig(&cs) < 0)
suicide("%s: can't deconfigure interface settings", __func__);
}
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
do_ndhc_work();
}
Fix the dhcp state bootstrapping when rfkill is set #3.
2015-02-13 19:08:50 -05:00
static void wait_for_rfkill()
{
Fix the rfkill waiting.
2015-02-14 15:33:02 -05:00
cs.rfkillFd = rfkill_open(&client_config.enable_rfkill);
if (cs.rfkillFd < 0)
Fix the dhcp state bootstrapping when rfkill is set #3.
2015-02-13 19:08:50 -05:00
suicide("can't wait for rfkill to end if /dev/rfkill can't be opened");
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
struct pollfd pfds[1] = {0};
pfds[0].events = POLLIN|POLLHUP|POLLERR|POLLRDHUP;
Fix the dhcp state bootstrapping when rfkill is set #3.
2015-02-13 19:08:50 -05:00
for (;;) {
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
pfds[0].fd = cs.rfkillFd;
if (poll(pfds, 1, -1) < 0) {
Check and clear events from poll() even if interrupted by signal.
2020-11-06 18:32:38 -05:00
if (errno != EINTR) suicide("poll failed");
Fix the dhcp state bootstrapping when rfkill is set #3.
2015-02-13 19:08:50 -05:00
}
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
if (pfds[0].revents & POLLIN) {
if (rfkill_get(&cs, 0, 0) == RFK_DISABLED) {
switch (perform_ifup()) {
case 1:
case 0: goto rfkill_gone;
case -3:
log_line("rfkill: radio immediately blocked again; spurious?");
break;
default: suicide("failed to set the interface to up state");
Separate event state gathering from action dispatch in main epoll loop. This is the first step towards using coroutines.
2015-02-15 06:38:03 -05:00
}
}
Fix the dhcp state bootstrapping when rfkill is set #3.
2015-02-13 19:08:50 -05:00
}
Use poll() instead of epoll() for ndhc-master.
2020-10-20 05:54:00 -04:00
if (pfds[0].revents & (POLLHUP|POLLERR|POLLRDHUP)) {
suicide("rfkillFd closed unexpectedly");
}
Fix the dhcp state bootstrapping when rfkill is set #3.
2015-02-13 19:08:50 -05:00
}
rfkill_gone:
Fix the rfkill waiting.
2015-02-14 15:33:02 -05:00
// We always close because ifchd and sockd shouldn't keep
// an rfkill fd open.
close(cs.rfkillFd);
cs.rfkillFd = -1;
Fix the dhcp state bootstrapping when rfkill is set #3.
2015-02-13 19:08:50 -05:00
}
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
int main(int argc, char *argv[])
{
Parse config options with ragel and support a configuration file.
2014-04-14 15:06:31 -04:00
parse_cmdline(argc, argv);
Whitespace and indentation normalization.
2010-11-12 14:33:17 -05:00
Update to the new ncmlib random API.
2017-08-24 02:36:31 -04:00
nk_random_init(&cs.rnd_state);
Make sure xids in packets sent conform to RFC2131 pg36 table5.
2020-10-19 05:39:08 -04:00
cs.xid = nk_random_u32(&cs.rnd_state);
Support RFC4361. RFC4361 requires clients to send a clientid, and specifies that by default that clientid should be a combination of a machine-static DUID and an interface-static IAID. There are several RFC-compliant DUIDs. ndhc uses RFC6355's DUID-UUID, but chooses not to follow RFC4122 for the UUID and instead simply uses random bytes from its combined Tausworthe PRNG. RFC4122 is excessively complex, and 128-bit random values are more than sufficiently collision-resistant on even large DHCP segments. ndhc requires a read/writable directory to store the DUID/IAID states. By default this directory is /etc/ndhc. It exists outside the chroot. The DUID will be stored in a single file, DUID. The IAIDs exist per-interface and are stored in files with names similar to IAID-xx:xx:xx:xx:xx:xx, where the xx values are replaced by the Ethernet hardware address of the interface. If it is impossible to read or store the DUIDs or IAIDs, ndhc will fail at start time before it performs any network activity or forks any subprocesses. If the host system lacks volatile storage, then a clientid should manually be specified using the -c or --clientid command arguments.
2014-03-19 00:42:32 -04:00
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
if (getuid())
Convert logging messages to suicide() where appropriate and clean up the logging messages a bit.
2014-03-30 17:21:27 -04:00
suicide("I need to be started as root.");
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
if (!strncmp(chroot_dir, "", sizeof chroot_dir))
Convert logging messages to suicide() where appropriate and clean up the logging messages a bit.
2014-03-30 17:21:27 -04:00
suicide("No chroot path is specified. Refusing to run.");
Store the leasefile in the state directory by default, since a state directory is now the normal mode of operation because of RFC4361.
2014-03-19 04:12:24 -04:00
fail_if_state_dir_dne();
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
Convert logging messages to suicide() where appropriate and clean up the logging messages a bit.
2014-03-30 17:21:27 -04:00
if (nl_getifdata() < 0)
suicide("failed to get interface MAC or index");
Netlink is pickier than the ioctl interfaces and requires the link to manually be set to an 'up' state before much of anything can be changed. Ensure that this is done very early in ndhc's lifetime, and record the link status at startup time so that the hardware link status monitoring will not get confused. A perform_ifup() function is added to faciliate this need. Handle nl_getifdata() and get_if_index_and_mac() separately from the hardware link status monitoring; don't call get_if_index_and_mac() from nl_process_msgs(). Create the permanent ndhc-master cs.nlFd socket for hardware link status monitoring after forking subprocesses.
2014-03-17 05:56:30 -04:00
Support RFC4361. RFC4361 requires clients to send a clientid, and specifies that by default that clientid should be a combination of a machine-static DUID and an interface-static IAID. There are several RFC-compliant DUIDs. ndhc uses RFC6355's DUID-UUID, but chooses not to follow RFC4122 for the UUID and instead simply uses random bytes from its combined Tausworthe PRNG. RFC4122 is excessively complex, and 128-bit random values are more than sufficiently collision-resistant on even large DHCP segments. ndhc requires a read/writable directory to store the DUID/IAID states. By default this directory is /etc/ndhc. It exists outside the chroot. The DUID will be stored in a single file, DUID. The IAIDs exist per-interface and are stored in files with names similar to IAID-xx:xx:xx:xx:xx:xx, where the xx values are replaced by the Ethernet hardware address of the interface. If it is impossible to read or store the DUIDs or IAIDs, ndhc will fail at start time before it performs any network activity or forks any subprocesses. If the host system lacks volatile storage, then a clientid should manually be specified using the -c or --clientid command arguments.
2014-03-19 00:42:32 -04:00
get_clientid(&cs, &client_config);
Netlink is pickier than the ioctl interfaces and requires the link to manually be set to an 'up' state before much of anything can be changed. Ensure that this is done very early in ndhc's lifetime, and record the link status at startup time so that the hardware link status monitoring will not get confused. A perform_ifup() function is added to faciliate this need. Handle nl_getifdata() and get_if_index_and_mac() separately from the hardware link status monitoring; don't call get_if_index_and_mac() from nl_process_msgs(). Create the permanent ndhc-master cs.nlFd socket for hardware link status monitoring after forking subprocesses.
2014-03-17 05:56:30 -04:00
switch (perform_ifup()) {
Remove ifsPrevState and set non-infinite timeout on a send error. We instead check carrier status as needed. This approach is more robust. For a simple example, imagine link state changes that happen while the machine is suspended.
2017-01-12 06:05:00 -05:00
case 1: case 0: break;
Fix the dhcp state bootstrapping when rfkill is set #3.
2015-02-13 19:08:50 -05:00
case -3: wait_for_rfkill(); break;
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
default: suicide("failed to set the interface to up state");
Store the interface index in the client_config before forking off the subprocesses. ndhc-ifch can then use the stored interface index when setting the interface ip/subnet/broadcast via netlink instead of having to use ioctl to re-fetch the interface index.
2014-03-12 15:07:37 -04:00
}
setpgid() can return EPERM if we are already a process group leader.
2014-04-15 15:02:20 -04:00
if (setpgid(0, 0) < 0) {
// EPERM is returned if we are already a process group leader.
if (errno != EPERM)
suicide("setpgid failed: %s", strerror(errno));
}
Create a new process ID group for ndhc.
2014-04-06 22:07:12 -04:00
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
spawn_ifch();
spawn_sockd();
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 00:52:26 -05:00
spawn_scriptd();
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
ndhc_main();
Merge ifchd into ndhc. Rather than function as entirely separate daemons, ndhc will fork off an ifchd child that it will communicate with via pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket. The advantages include: 1. Simpler configuration. Much easier for users and packagers to set up. 2. Drastically less complex code for the ifch functionality. More code is removed than added, and the result is a lot less complex. 3. Potentially better security. The ifch can only service the parent ndhc process, and it is restricted to issuing modifications to the single interface that ndhc manages. 4. Less memory used on systems that allow overcommit. The downsides: 1. Possibly more memory used on systems that run multiple ndhcs and use strict commit limits. At the same time, use netlink rather than ioctls so that the interface ip, subnet, and broadcast address can be set simultaneously. This change reduces the netlink notification spam greatly. The current code builds but isn't yet complete. Subsequent commits will flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00
exit(EXIT_SUCCESS);
Initial commit.
2010-11-12 04:02:18 -05:00
}
Introduce a ndhc-sockd daemon that separates out the remaining elevated capabilities from the ndhc master process. Privsep is now complete. The only notable improvement from before is that exploitation of ndhc would only allow an attacker to open raw sockets, bind sockets to ports < port 1024, and create broadcast sockets on the interface that ndhc is performing dhcp on rather than on all interfaces. However, this seems like a worthwhile change; note that it was already impossible for an attacker to sniff packets on any interfaces (as that requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
Reference in New Issue Copy Permalink