author | Reyk Floeter <reyk@cvs.openbsd.org> | 2016-07-20 21:01:07 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2016-07-20 21:01:07 +0000 |
commit | b2315b479ebb2e2fbc6ef79b0b6fa1052f4c8a40 (patch) | |
tree | c5ea9b2de2b53f0889e42fde0c02d1add94fbc74 /usr.sbin | |
parent | 0259891f8ccb345bf5bcd794bb00b2e592bfe565 (diff) |
pledge(2) all the switchd processes.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/switchd/control.c | 120 | ||||
-rw-r--r-- | usr.sbin/switchd/ofcconn.c | 24 | ||||
-rw-r--r-- | usr.sbin/switchd/ofp.c | 17 | ||||
-rw-r--r-- | usr.sbin/switchd/switchd.c | 16 | ||||
-rw-r--r-- | usr.sbin/switchd/switchd.h | 6 |
5 files changed, 115 insertions, 68 deletions
diff --git a/usr.sbin/switchd/control.c b/usr.sbin/switchd/control.c index bd979430a61..b5ee43cb4dd 100644 --- a/usr.sbin/switchd/control.c +++ b/usr.sbin/switchd/control.c @@ -1,4 +1,4 @@ -/* $OpenBSD: control.c,v 1.1 2016/07/19 16:54:26 reyk Exp $ */ +/* $OpenBSD: control.c,v 1.2 2016/07/20 21:01:06 reyk Exp $ */ /* * Copyright (c) 2010-2016 Reyk Floeter <reyk@openbsd.org> 
@@ -48,6 +48,72 @@ struct ctl_conn void control_close(int, struct control_sock *); void control_dispatch_imsg(int, short, void *); void control_imsg_forward(struct imsg *); +void control_run(struct privsep *, struct privsep_proc *, void *); + +int control_dispatch_ofp(int, struct privsep_proc *, struct imsg *); + +static struct privsep_proc procs[] = { + { "ofp", PROC_OFP, control_dispatch_ofp }, + { "parent", PROC_PARENT, NULL }, + { "ofcconn", PROC_OFCCONN, NULL } +}; + +pid_t +control(struct privsep *ps, struct privsep_proc *p) +{ + return (proc_run(ps, p, procs, nitems(procs), control_run, NULL)); +} + +void +control_run(struct privsep *ps, struct privsep_proc *p, void *arg) +{ + /* + * pledge in the control process: + * stdio - for malloc and basic I/O including events. + * cpath - for managing the control socket. + * unix - for the control socket. + */ + if (pledge("stdio cpath unix", NULL) == -1) + fatal("pledge"); +} + +int +control_dispatch_ofp(int fd, struct privsep_proc *p, struct imsg *imsg) +{ + int cfd; + struct ctl_conn *c; + uint8_t *d = imsg->data; + size_t s; + + switch (imsg->hdr.type) { + case IMSG_CTL_SWITCH: + case IMSG_CTL_MAC: + IMSG_SIZE_CHECK(imsg, &cfd); + memcpy(&cfd, d, sizeof(cfd)); + + if ((c = control_connbyfd(cfd)) == NULL) + fatalx("invalid control connection"); + + s = IMSG_DATA_SIZE(imsg) - sizeof(cfd); + d += sizeof(cfd); + imsg_compose_event(&c->iev, imsg->hdr.type, 0, 0, -1, d, s); + return (0); + case IMSG_CTL_END: + IMSG_SIZE_CHECK(imsg, &cfd); + memcpy(&cfd, d, sizeof(cfd)); + + if ((c = control_connbyfd(cfd)) == NULL) + fatalx("invalid control connection"); + + imsg_compose_event(&c->iev, IMSG_CTL_END, 0, 0, -1, NULL, 0); + return (0); + + default: + break; + } + + return (-1); +} int control_init(struct privsep *ps, struct control_sock *cs) 
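Review bot: The relocated `control_dispatch_ofp` still kills the whole control process with `fatalx("invalid control connection")` when `control_connbyfd(cfd)` returns NULL, in both the IMSG_CTL_SWITCH/IMSG_CTL_MAC case and the IMSG_CTL_END case. If a client can close its control connection while the ofp process is still answering its request, the fd carried in the reply is stale and one disconnect would take down control for every other client; this is carried over from the old location rather than introduced here, but it is the code on the new side. A reply for an unknown fd is safer dropped than fatal: `log_warnx("%s: invalid control connection %d", __func__, cfd); return (0);` in both places. The new `control_run` itself only adds the `pledge("stdio cpath unix", NULL)` call and is otherwise fine.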
@@ -319,55 +385,3 @@ control_imsg_forward(struct imsg *imsg) 0, imsg->hdr.pid, -1, imsg->data, imsg->hdr.len - IMSG_HEADER_SIZE); } - -int control_dispatch_ofp(int, struct privsep_proc *, struct imsg *); - -static struct privsep_proc procs[] = { - { "ofp", PROC_OFP, control_dispatch_ofp }, - { "parent", PROC_PARENT, NULL }, - { "ofcconn", PROC_OFCCONN, NULL } -}; - -pid_t -control(struct privsep *ps, struct privsep_proc *p) -{ - return (proc_run(ps, p, procs, nitems(procs), NULL, NULL)); -} - -int -control_dispatch_ofp(int fd, struct privsep_proc *p, struct imsg *imsg) -{ - int cfd; - struct ctl_conn *c; - uint8_t *d = imsg->data; - size_t s; - - switch (imsg->hdr.type) { - case IMSG_CTL_SWITCH: - case IMSG_CTL_MAC: - IMSG_SIZE_CHECK(imsg, &cfd); - memcpy(&cfd, d, sizeof(cfd)); - - if ((c = control_connbyfd(cfd)) == NULL) - fatalx("invalid control connection"); - - s = IMSG_DATA_SIZE(imsg) - sizeof(cfd); - d += sizeof(cfd); - imsg_compose_event(&c->iev, imsg->hdr.type, 0, 0, -1, d, s); - return (0); - case IMSG_CTL_END: - IMSG_SIZE_CHECK(imsg, &cfd); - memcpy(&cfd, d, sizeof(cfd)); - - if ((c = control_connbyfd(cfd)) == NULL) - fatalx("invalid control connection"); - - imsg_compose_event(&c->iev, IMSG_CTL_END, 0, 0, -1, NULL, 0); - return (0); - - default: - break; - } - - return (-1); -} diff --git a/usr.sbin/switchd/ofcconn.c b/usr.sbin/switchd/ofcconn.c index 4583d17c2e3..91af32003fe 100644 --- a/usr.sbin/switchd/ofcconn.c +++ b/usr.sbin/switchd/ofcconn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ofcconn.c,v 1.4 2016/07/19 18:11:08 reyk Exp $ */ +/* $OpenBSD: ofcconn.c,v 1.5 2016/07/20 21:01:06 reyk Exp $ */ /* * Copyright (c) 2016 YASUOKA Masahiko <yasuoka@openbsd.org> 
@@ -74,16 +74,30 @@ void ofcconn_close(struct ofcconn *); void ofcconn_free(struct ofcconn *); void ofcconn_shutdown_all(void); int ofcconn_send_hello(struct ofcconn *); +void ofccon_run(struct privsep *, struct privsep_proc *, void *); pid_t -ofcconn_proc_init(struct privsep *ps, struct privsep_proc *p) +ofcconn(struct privsep *ps, struct privsep_proc *p) { - p->p_shutdown = ofcconn_proc_shutdown; - return (proc_run(ps, p, procs, nitems(procs), NULL, NULL)); + p->p_shutdown = ofcconn_shutdown; + return (proc_run(ps, p, procs, nitems(procs), ofccon_run, NULL)); } void -ofcconn_proc_shutdown(void) +ofccon_run(struct privsep *ps, struct privsep_proc *p, void *arg) +{ + /* + * pledge in the control process: + * stdio - for malloc and basic I/O including events. + * inet - for socket operations and OpenFlow connections. + * recvfd - for receiving new sockets on reload. + */ + if (pledge("stdio inet recvfd", NULL) == -1) + fatal("pledge"); +} + +void +ofcconn_shutdown(void) { struct ofcconn *e, *t; diff --git a/usr.sbin/switchd/ofp.c b/usr.sbin/switchd/ofp.c index 8b8778fc20b..f0cf0cf6ddb 100644 --- a/usr.sbin/switchd/ofp.c +++ b/usr.sbin/switchd/ofp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ofp.c,v 1.3 2016/07/20 14:15:08 reyk Exp $ */ +/* $OpenBSD: ofp.c,v 1.4 2016/07/20 21:01:06 reyk Exp $ */ /* * Copyright (c) 2013-2016 Reyk Floeter <reyk@openbsd.org> @@ -39,7 +39,7 @@ int ofp_dispatch_control(int, struct privsep_proc *, struct imsg *); int ofp_dispatch_parent(int, struct privsep_proc *, struct imsg *); -void ofp_init(struct privsep *, struct privsep_proc *, void *); +void ofp_run(struct privsep *, struct privsep_proc *, void *); int ofp_add_device(struct switchd *, int, const char *); static unsigned int id = 0; 
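Review bot: The pledge comment in the new `ofccon_run` says "pledge in the control process", but this callback runs in the ofcconn process; the same copy-pasted sentence appears in `ofp_run` in ofp.c further down, where it should name the ofp process. Suggested here: `* pledge in the ofcconn process:`. Separately, the name `ofccon_run` drops an "n" and is the only function in this file without the `ofcconn_` prefix (prototype and definition both carry the typo, so it compiles); renaming it `ofcconn_run` keeps the file consistent with the `ofcconn_shutdown` rename made in this same hunk.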
@@ -69,7 +69,7 @@ ofp(struct privsep *ps, struct privsep_proc *p) &srv->srv_addr)) == -1) fatal("listen"); - pid = proc_run(ps, p, procs, nitems(procs), ofp_init, NULL); + pid = proc_run(ps, p, procs, nitems(procs), ofp_run, NULL); close(srv->srv_fd); close(sc->sc_tap); @@ -77,11 +77,20 @@ ofp(struct privsep *ps, struct privsep_proc *p) } void -ofp_init(struct privsep *ps, struct privsep_proc *p, void *arg) +ofp_run(struct privsep *ps, struct privsep_proc *p, void *arg) { struct switchd *sc = ps->ps_env; struct switch_server *srv = &sc->sc_server; + /* + * pledge in the control process: + * stdio - for malloc and basic I/O including events. + * inet - for handling tcp connections with OpenFlow peers. + * recvfd - for receiving new sockets on reload. + */ + if (pledge("stdio inet recvfd", NULL) == -1) + fatal("pledge"); + event_set(&srv->srv_ev, srv->srv_fd, EV_READ, ofp_accept, srv); event_add(&srv->srv_ev, NULL); } diff --git a/usr.sbin/switchd/switchd.c b/usr.sbin/switchd/switchd.c index 57e4b1abf1d..57881cad45b 100644 --- a/usr.sbin/switchd/switchd.c +++ b/usr.sbin/switchd/switchd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: switchd.c,v 1.4 2016/07/20 11:43:31 jsg Exp $ */ +/* $OpenBSD: switchd.c,v 1.5 2016/07/20 21:01:06 reyk Exp $ */ /* * Copyright (c) 2013-2016 Reyk Floeter <reyk@openbsd.org> @@ -54,7 +54,7 @@ __dead void usage(void); static struct privsep_proc procs[] = { { "ofp", PROC_OFP, NULL, ofp }, { "control", PROC_CONTROL, parent_dispatch_control, control }, - { "ofcconn", PROC_OFCCONN, NULL, ofcconn_proc_init } + { "ofcconn", PROC_OFCCONN, NULL, ofcconn } }; __dead void 
@@ -169,8 +169,18 @@ main(int argc, char *argv[]) ps->ps_ninstances = 1; proc_init(ps, procs, nitems(procs)); + log_procinit("parent"); - setproctitle("parent"); + /* + * pledge in the parent process: + * stdio - for malloc and basic I/O including events. + * rpath - for reload to open and read the configuration files. + * inet - for opening OpenFlow and device sockets. + * dns - for resolving host in the configuration files. + * sendfd - send sockets to child processes on reload. + */ + if (pledge("stdio rpath inet dns proc sendfd", NULL) == -1) + fatal("pledge"); event_init(); diff --git a/usr.sbin/switchd/switchd.h b/usr.sbin/switchd/switchd.h index ecf2e3a6187..f810b6e3e04 100644 --- a/usr.sbin/switchd/switchd.h +++ b/usr.sbin/switchd/switchd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: switchd.h,v 1.4 2016/07/20 20:07:02 reyk Exp $ */ +/* $OpenBSD: switchd.h,v 1.5 2016/07/20 21:01:06 reyk Exp $ */ /* * Copyright (c) 2013-2016 Reyk Floeter <reyk@openbsd.org> @@ -197,8 +197,8 @@ int ofp13_input(struct switchd *, struct switch_connection *, struct ofp_header *, struct ibuf *); /* ofcconn.c */ -pid_t ofcconn_proc_init(struct privsep *, struct privsep_proc *); -void ofcconn_proc_shutdown(void); +pid_t ofcconn(struct privsep *, struct privsep_proc *); +void ofcconn_shutdown(void); /* imsg_util.c */ struct ibuf *ibuf_new(void *, size_t); |
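Review bot: The comment above the parent pledge documents stdio, rpath, inet, dns and sendfd, but the promise string is `"stdio rpath inet dns proc sendfd"`, so the `proc` promise is left without a rationale while every other one has one. Since `proc_init(ps, procs, nitems(procs))` has already run by this point, `proc` is presumably kept for signalling and waiting on the child processes at shutdown or reload; confirm against the privsep code and add a line such as `* proc - for signalling and waiting on the child processes.`. `main` starts and ends outside this hunk.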