Github messages for voidlinux
* [PR PATCH] dhcpcd: make privsep a build option and disable it
From: CameronNemo @ 2020-11-17  3:36 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 684 bytes --]

There is a new pull request by CameronNemo against master on the void-packages repository

https://github.com/CameronNemo/void-packages dhcpcd-privsep-option-2
https://github.com/void-linux/void-packages/pull/26451

dhcpcd: make privsep a build option and disable it
dhcpcd's privsep is seccomp based and thus shits the bed on a whim (e.g.
different CPU architectures or upstream libc changes).

Disable it by default, but leave the option around if somebody really
needs it (hint: they can probably just use the AppArmor profile).

@Skirmisher care to test if this fixes the fork bomb?

@sgn

A patch file from https://github.com/void-linux/void-packages/pull/26451.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-dhcpcd-privsep-option-2-26451.patch --]
[-- Type: text/x-diff, Size: 1696 bytes --]

From 9349cd8f33f2dedfaa0099c40a743bc5e7cc76ca Mon Sep 17 00:00:00 2001
From: Cameron Nemo <cnemo@tutanota.com>
Date: Sat, 12 Sep 2020 11:38:57 -0700
Subject: [PATCH] dhcpcd: make privsep a build option and disable it

dhcpcd's privsep is seccomp based and thus shits the bed on a whim (e.g.
different CPU architectures or upstream libc changes).

Disable it by default, but leave the option around if somebody really
needs it (hint: they can probably just use the AppArmor profile).
---
 srcpkgs/dhcpcd/template | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/srcpkgs/dhcpcd/template b/srcpkgs/dhcpcd/template
index 34cab48e07b..ecc5dfd72df 100644
--- a/srcpkgs/dhcpcd/template
+++ b/srcpkgs/dhcpcd/template
@@ -1,10 +1,12 @@
 # Template file for 'dhcpcd'
 pkgname=dhcpcd
 version=9.3.2
-revision=1
+revision=2
 build_style=configure
 make_check_target=test
-configure_args="--prefix=/usr --sbindir=/usr/bin --sysconfdir=/etc --rundir=/run/dhcpcd --privsepuser=_dhcpcd"
+configure_args="
+ --prefix=/usr --sbindir=/usr/bin --sysconfdir=/etc --rundir=/run/dhcpcd
+ $(vopt_if privsep --privsepuser=_dhcpcd)"
 hostmakedepends="ntp pkg-config"
 makedepends="eudev-libudev-devel"
 short_desc="RFC2131 compliant DHCP client"
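
Review bot: With the option off, the `$(vopt_if privsep --privsepuser=_dhcpcd)` line in configure_args expands to nothing, so the build relies on configure's own default to leave privsep out; nothing in the visible lines switches it off explicitly. If configure has an explicit switch for disabling privsep, pass it as the else argument of vopt_if so that an upstream default change cannot silently bring it back. The commit message should also state the trade-off for the default package: the daemon then runs without privilege separation, and the AppArmor profile mentioned in the message becomes the remaining confinement.
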
@@ -15,10 +17,13 @@ distfiles="https://roy.marples.name/downloads/dhcpcd/dhcpcd-${version}.tar.xz"
 checksum=6d49af5e766a2515e6366e4f669663df04ecdf90a1a60ddb1d7a2feb4b5d2566
 lib32disabled=yes
 conf_files=/etc/dhcpcd.conf
-# privsep
+
 system_accounts="_dhcpcd"
 _dhcpcd_homedir="/var/db/dhcpcd"
 
+build_options="privsep"
+desc_option_privsep="Enable privilege separation mode for the daemon"
+
 post_install() {
 	vsv dhcpcd
 	vsv dhcpcd-eth0
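
Review bot: `system_accounts="_dhcpcd"` and `_dhcpcd_homedir` stay unconditional while the `# privsep` comment above them is removed, so a default build still creates an account that the daemon no longer uses and the template no longer says why. Either make the two lines depend on the `privsep` option, or keep a comment stating that the account is retained on purpose. The default-off state is also implicit here (`build_options="privsep"` with no `build_options_default`); a short comment saying the option is off by default and why would help the next person who touches the template.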


* Re: [PR REVIEW] dhcpcd: make privsep a build option and disable it
From: ericonr @ 2020-11-17  3:59 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 202 bytes --]

New review comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/26451#discussion_r524869507

Comment:
Want to make these conditional on the `privsep` option?


* Re: dhcpcd: make privsep a build option and disable it
From: Skirmisher @ 2020-11-17  4:18 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 233 bytes --]

New comment by Skirmisher on void-packages repository

https://github.com/void-linux/void-packages/pull/26451#issuecomment-728676044

Comment:
> @Skirmisher care to test if this fixes the fork bomb?

Confirmed, no longer explodes.


* Re: dhcpcd: make privsep a build option and disable it
From: Skirmisher @ 2020-11-17  4:20 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 244 bytes --]

New comment by Skirmisher on void-packages repository

https://github.com/void-linux/void-packages/pull/26451#issuecomment-728676044

Comment:
> @Skirmisher care to test if this fixes the fork bomb?

Confirmed, no longer explodes on ppc64le.


* Re: [PR REVIEW] dhcpcd: make privsep a build option and disable it
From: q66 @ 2020-11-17 11:11 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 160 bytes --]

New review comment by q66 on void-packages repository

https://github.com/void-linux/void-packages/pull/26451#discussion_r525072871

Comment:
let's not do that


* Re: [PR PATCH] [Merged]: dhcpcd: make privsep a build option and disable it
From: q66 @ 2020-11-17 11:34 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

There's a merged pull request on the void-packages repository

dhcpcd: make privsep a build option and disable it
https://github.com/void-linux/void-packages/pull/26451

Description:
dhcpcd's privsep is seccomp based and thus shits the bed on a whim (e.g.
different CPU architectures or upstream libc changes).

Disable it by default, but leave the option around if somebody really
needs it (hint: they can probably just use the AppArmor profile).

@Skirmisher care to test if this fixes the fork bomb?

@sgn


* Re: dhcpcd: make privsep a build option and disable it
From: Duncaen @ 2020-11-17 12:49 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 173 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/26451#issuecomment-728905907

Comment:
Why not disable seccomp instead?
