All fd's in network facing processes are fully limited.
Capability mode is only enabled for BPF processes because
it's too restrictive otherwise - the reasons are noted
in the commit.
System users generally have _ preceeding their username.
Only use this user if it exists and their home dir is not /var/empty.
Otherwise default to using dhcpcd.
_dhcp home dir defaults to /var/empty.
System integrators can and should be in charge of changing it when needed.
Packagers on the other hand don't have such a luxury and so should not
use _dhcp by default.
As recent production kernels ship with ASLR by default which
stops dhcpcd running dead when this is enabled.
We dont want to break a systems boot, so force it via configure.
BSD and glibc have the signature for request as unsigned long.
musl and Solaris have a signed int.
As such, we need to detect this at compile time and adjust the
signature of our internal ioctl functions to match.
To keep the onwire format the same, memcpy the request to the
unsigned long request and back again, thus preserving the signedness.
Not enabled by default - enable with ./configure --enable-privsep
Requires a user added to the system - default _dhcpcd
Several processes will be spawned off the main state engine:
a privileged actioneer and a generic network proxy.
Only the privileged actioneer process will retain root permissions.
When required, the privileged actioneer will also spawn
BPF listeners for BOOTP (DHCP) and ARP.
The BOOTP BPF listener should be a short lived process.
On kernels with RFC 5227 support, the ARP BPF listener will only
be used for ARPing and announcing a preferred address and will
also be a short lived process.
When not running in master mode, an address listener will be
spawned for each address (with the exception of RA dervived addresses)
dhcpcd cares about.
TODO:
* Solaris support.
* ARP BPF address filtering.
This will allow dhcpcd to create and unlink pidfiles and sockets
which it could otherwise not if dropped priviledges.
Downstream packages such as dhcpcd-ui will need to be adjusted.
Each variable is NULL terminated inside the file just like the
control stream which saves us from having to flatten it when
writing to the control stream.
Once written, create env pointers to the start of each string
just after the NULL terminator.
This also means that we just need to free two buffers when
dhcpcd exits (FILE buffer and env buffer) rather than each variable
individually.
If open_memstream(3) is not supported by libc then dhcpcd will
write to a file in /tmp instead.
