-/* $OpenBSD: ca.c,v 1.38 2015/10/19 11:25:35 reyk Exp $ */
+/* $OpenBSD: ca.c,v 1.39 2015/10/22 15:55:18 reyk Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
#include "iked.h"
#include "ikev2.h"
+void ca_run(struct privsep *, struct privsep_proc *, void *);
void ca_reset(struct privsep *, struct privsep_proc *, void *);
int ca_reload(struct iked *);
return (proc_run(ps, p, procs, nitems(procs), ca_reset, store));
}
+void
+ca_run(struct privsep *ps, struct privsep_proc *p, void *arg)
+{
+ /*
+ * pledge in the ca process:
+ * stdio - for malloc and basic I/O including events.
+ * rpath - for certificate files.
+ * recvfd - for ocsp sockets.
+ */
+ if (pledge("stdio rpath recvfd", NULL) == -1)
+ fatal("pledge");
+
+ ca_reset(ps, p, arg);
+}
+
void
ca_reset(struct privsep *ps, struct privsep_proc *p, void *arg)
{
-/* $OpenBSD: control.c,v 1.18 2015/10/19 11:27:35 reyk Exp $ */
+/* $OpenBSD: control.c,v 1.19 2015/10/22 15:55:18 reyk Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
*control_connbyfd(int);
void control_close(int, struct control_sock *);
void control_dispatch_imsg(int, short, void *);
+void control_dispatch_parent(int, short, void *);
void control_imsg_forward(struct imsg *);
+void control_run(struct privsep *, struct privsep_proc *, void *);
+
+static struct privsep_proc procs[] = {
+ { "parent", PROC_PARENT, NULL }
+};
+
+pid_t
+control(struct privsep *ps, struct privsep_proc *p)
+{
+ return (proc_run(ps, p, procs, nitems(procs), control_run, NULL));
+}
+
+void
+control_run(struct privsep *ps, struct privsep_proc *p, void *arg)
+{
+ /*
+ * pledge in the control process:
+ * stdio - for malloc and basic I/O including events.
+ * cpath - for unlinking the control socket.
+ * unix - for the control socket.
+ */
+ if (pledge("stdio cpath unix", NULL) == -1)
+ fatal("pledge");
+}
int
control_init(struct privsep *ps, struct control_sock *cs)
-/* $OpenBSD: iked.c,v 1.27 2015/10/19 11:25:35 reyk Exp $ */
+/* $OpenBSD: iked.c,v 1.28 2015/10/22 15:55:18 reyk Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
void parent_shutdown(struct iked *);
void parent_sig_handler(int, short, void *);
-int parent_dispatch_ikev2(int, struct privsep_proc *, struct imsg *);
int parent_dispatch_ca(int, struct privsep_proc *, struct imsg *);
+int parent_dispatch_control(int, struct privsep_proc *, struct imsg *);
int parent_configure(struct iked *);
static struct privsep_proc procs[] = {
- { "ikev2", PROC_IKEV2, parent_dispatch_ikev2, ikev2 },
- { "ca", PROC_CERT, parent_dispatch_ca, caproc, IKED_CA }
+ { "ca", PROC_CERT, parent_dispatch_ca, caproc, IKED_CA },
+ { "control", PROC_CONTROL, parent_dispatch_control, control },
+ { "ikev2", PROC_IKEV2, NULL, ikev2 }
};
__dead void
if ((env->sc_opts & IKED_OPT_NONATT) == 0)
config_setsocket(env, &ss, ntohs(IKED_NATT_PORT), PROC_IKEV2);
+ /*
+ * pledge in the parent process:
+ * It has to run fairly late to allow forking the processes and
+ * opening the PFKEY socket and the listening UDP sockets (once)
+ * that need the bypass ioctls that are never allowed by pledge.
+ *
+ * Other flags:
+ * stdio - for malloc and basic I/O including events.
+ * rpath - for reload to open and read the configuration files.
+ * proc - run kill to terminate its children safely.
+ * dns - for reload and ocsp connect.
+ * inet - for ocsp connect.
+ * route - for using interfaces in iked.conf (SIOCGIFGMEMB)
+ * sendfd - for ocsp sockets.
+ */
+ if (pledge("stdio rpath proc dns inet route sendfd", NULL) == -1)
+ fatal("pledge");
+
config_setcoupled(env, env->sc_decoupled ? 0 : 1);
config_setmode(env, env->sc_passive ? 1 : 0);
config_setocsp(env);
}
int
-parent_dispatch_ikev2(int fd, struct privsep_proc *p, struct imsg *imsg)
+parent_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg)
{
+ struct iked *env = p->p_ps->ps_env;
+
switch (imsg->hdr.type) {
- default:
+ case IMSG_OCSP_FD:
+ ocsp_connect(env);
break;
+ default:
+ return (-1);
}
- return (-1);
+ return (0);
}
int
-parent_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg)
+parent_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
{
struct iked *env = p->p_ps->ps_env;
int v;
parent_reload(env, 0, str);
free(str);
break;
- case IMSG_OCSP_FD:
- ocsp_connect(env);
- break;
default:
return (-1);
}
-/* $OpenBSD: iked.h,v 1.90 2015/10/19 11:25:35 reyk Exp $ */
+/* $OpenBSD: iked.h,v 1.91 2015/10/22 15:55:18 reyk Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
void parent_reload(struct iked *, int, const char *);
/* control.c */
+pid_t control(struct privsep *, struct privsep_proc *);
int control_init(struct privsep *, struct control_sock *);
int control_listen(struct control_sock *);
void control_cleanup(struct control_sock *);
-/* $OpenBSD: ikev2.c,v 1.127 2015/10/19 11:25:35 reyk Exp $ */
+/* $OpenBSD: ikev2.c,v 1.128 2015/10/22 15:55:18 reyk Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
#include "eap.h"
#include "dh.h"
+void ikev2_run(struct privsep *, struct privsep_proc *, void *);
int ikev2_dispatch_parent(int, struct privsep_proc *, struct imsg *);
int ikev2_dispatch_cert(int, struct privsep_proc *, struct imsg *);
pid_t
ikev2(struct privsep *ps, struct privsep_proc *p)
{
- return (proc_run(ps, p, procs, nitems(procs), NULL, NULL));
+ return (proc_run(ps, p, procs, nitems(procs), ikev2_run, NULL));
+}
+
+void
+ikev2_run(struct privsep *ps, struct privsep_proc *p, void *arg)
+{
+ /*
+ * pledge in the ikev2 process:
+ * stdio - for malloc and basic I/O including events.
+ * inet - for sendto with specified peer address.
+ * recvfd - for PFKEYv2 and the listening UDP sockets.
+ * In theory, recvfd could be dropped after getting the fds once.
+ */
+ if (pledge("stdio inet recvfd", NULL) == -1)
+ fatal("pledge");
}
int
-/* $OpenBSD: proc.c,v 1.23 2015/08/21 11:59:28 reyk Exp $ */
+/* $OpenBSD: proc.c,v 1.24 2015/10/22 15:55:18 reyk Exp $ */
/*
* Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
void proc_shutdown(struct privsep_proc *);
void proc_sig_handler(int, short, void *);
void proc_range(struct privsep *, enum privsep_procid, int *, int *);
+int proc_dispatch_null(int, struct privsep_proc *, struct imsg *);
int
proc_ispeer(struct privsep_proc *procs, unsigned int nproc,
for (proc = 0; proc < nproc; proc++) {
procs[proc].p_ps = ps;
procs[proc].p_env = ps->ps_env;
+ if (procs[proc].p_cb == NULL)
+ procs[proc].p_cb = proc_dispatch_null;
for (i = 0; i < ps->ps_instances[src]; i++) {
for (j = 0; j < ps->ps_instances[procs[proc].p_id];
pid_t
proc_run(struct privsep *ps, struct privsep_proc *p,
struct privsep_proc *procs, unsigned int nproc,
- void (*init)(struct privsep *, struct privsep_proc *, void *), void *arg)
+ void (*run)(struct privsep *, struct privsep_proc *, void *), void *arg)
{
pid_t pid;
struct passwd *pw;
fatalx(p->p_title);
}
- if (init != NULL)
- init(ps, p, arg);
+ if (run != NULL)
+ run(ps, p, arg);
event_dispatch();
imsg_event_add(iev);
}
+int
+proc_dispatch_null(int fd, struct privsep_proc *p, struct imsg *imsg)
+{
+ return (-1);
+}
+
/*
* imsg helper functions
*/
-/* $OpenBSD: types.h,v 1.22 2015/10/19 11:25:35 reyk Exp $ */
+/* $OpenBSD: types.h,v 1.23 2015/10/22 15:55:18 reyk Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
enum privsep_procid {
PROC_PARENT = 0,
- PROC_IKEV2,
+ PROC_CONTROL,
PROC_CERT,
+ PROC_IKEV2,
PROC_MAX
};
-/* Attach the control socket to the following process */
-#define PROC_CONTROL PROC_CERT
-
enum blockmodes {
BM_NORMAL,
BM_NONBLOCK
projects / openbsd / commitdiff