privsep: Don't open PF_INET socket for each ioctl#640

Merged
rsmarples merged 2 commits into master from privsep-ioctl, Jun 16, 2026

Conversation

@rsmarples (Member)

Because we already have it open ....
@coderabbitai Bot commented Jun 16, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fb07568d-92e7-401b-a57a-14910dcc6a7b

📥 Commits

Reviewing files that changed from the base of the PR and between 3cccb74 and 436002d.

📒 Files selected for processing (1)
  • src/privsep-root.c

Walkthrough

ps_root_doioctl in src/privsep-root.c is refactored to accept an fd parameter instead of creating and closing its own PF_INET/SOCK_DGRAM socket internally. Under IOCTL_REQUEST_TYPE, the request is copied into a local ioctl_request_t before the ioctl call. The PS_IOCTL dispatch site is updated to pass ctx->pf_inet_fd. Additionally, ps_root_startcb now returns -1 and aborts startup when socket initialization fails, instead of only logging the error.

Changes

Privilege separation socket handling refactor

| Layer | File(s) | Summary |
|---|---|---|
| ps_root_doioctl fd parameter and call site | src/privsep-root.c | ps_root_doioctl gains an fd parameter and removes internal socket creation; conditionally wraps the request in ioctl_request_t under IOCTL_REQUEST_TYPE before calling ioctl(fd, ...); PS_IOCTL dispatch in ps_root_recvmsgcb updated to pass ctx->pf_inet_fd. |
| ps_root_startcb socket initialization error handling | src/privsep-root.c | ps_root_startcb now early-returns -1 when if_opensockets(ctx) fails, immediately aborting startup instead of continuing after only logging the error. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • NetworkConfiguration/dhcpcd#627: Also modifies ps_root_doioctl in src/privsep-root.c, specifically changing the switch (req) allowlist for SIOCSIFADDR/SIOCAIFADDR.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely describes the main optimization: avoiding redundant PF_INET socket creation by reusing an existing socket for ioctl operations. |
| Description check | ✅ Passed | The description directly relates to the changeset by explaining the rationale for the optimization, though it is minimal and could be more detailed. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/privsep-root.c (1)

202-237: ⚠️ Potential issue | 🔴 Critical

Decode ioctl request once; use the same value for both the allow-list and syscall.

The function receives req as an unsigned long (from the wire), but on systems where IOCTL_REQUEST_TYPE is narrower, the allow-list check at line 209 validates the padded wire value while line 235 issues the decoded narrow value to ioctl(). On big-endian targets, this mismatch allows the checked request and issued request to differ, potentially bypassing the allow-list. Decode the request once at function entry and use that decoded value for both the switch statement and the ioctl call.

Proposed fix
 static ssize_t
 ps_root_doioctl(int fd, unsigned long req, void *data, size_t len)
 {
 `#ifdef` IOCTL_REQUEST_TYPE
-	ioctl_request_t reqt;
+	ioctl_request_t ioreq;
+
+	memcpy(&ioreq, &req, sizeof(ioreq));
+#else
+	unsigned long ioreq = req;
 `#endif`
 
 	/* Only allow these ioctls */
-	switch (req) {
+	switch (ioreq) {
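Review bot: memcpy(&ioreq, &req, sizeof(ioreq)) keeps only the first sizeof(ioreq) bytes of req, so once the switch is moved onto ioreq every wire value that shares those bytes is treated as the same request and the remaining bytes of req are never examined; consider rejecting the request when those bytes are not zero (widen ioreq back to unsigned long and compare it with req before the switch) so that only the canonical encoding reaches the allow-list.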
@@
 `#ifdef` IOCTL_REQUEST_TYPE
-	memcpy(&reqt, &req, sizeof(reqt));
-	return ioctl(fd, reqt, data, len);
-#else
-	return ioctl(fd, req, data, len);
 `#endif`
+	return ioctl(fd, ioreq, data, len);
 }
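Review bot: with the memcpy and both return statements removed, the `#ifdef IOCTL_REQUEST_TYPE` / `#endif` pair at the top of this hunk encloses nothing; drop those two lines so the function ends with the single `return ioctl(fd, ioreq, data, len);`.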
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/privsep-root.c` around lines 202 - 237, The function ps_root_doioctl has
a security vulnerability where the allow-list validation and the ioctl syscall
use different representations of the request value on systems with
IOCTL_REQUEST_TYPE. On big-endian targets, the padded wire value checked in the
switch statement may differ from the decoded narrow value used in the ioctl
call, bypassing the allow-list. Decode the ioctl request value once at the
beginning of the function immediately after entry (before the switch statement)
by performing the memcpy operation that converts from unsigned long req to
ioctl_request_t reqt. Then use this decoded reqt value in both the switch
statement for validation and in the ioctl syscall, replacing the current
conditional logic that currently applies the decoding only for the
IOCTL_REQUEST_TYPE case.
🤖 Prompt for all review comments with AI agents

Inline comments:
In `@src/privsep-root.c`:
- Around line 507-508: The code at line 507-508 in src/privsep-root.c uses
ctx->pf_inet_fd for ps_root_doioctl calls, but the socket initialization at line
649-650 only logs failures and continues without ensuring a valid fd is set,
causing subsequent EBADF errors when ctx->pf_inet_fd remains invalid. Either
make the if_opensockets failure fatal by calling it before entering the main
request-serving loop (so requests are never served with an invalid fd), or add a
one-shot recovery mechanism at the ps_root_doioctl call site that attempts to
open a socket if ctx->pf_inet_fd is -1 before proceeding with the ioctl
operation. Choose the approach that best fits the intended control flow and
error handling strategy.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 29a75f2b-8253-4e64-97ed-92ae26176ef2

📥 Commits

Reviewing files that changed from the base of the PR and between 82bbc03 and 3cccb74.

📒 Files selected for processing (1)
  • src/privsep-root.c
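The check-then-narrow split described in the critical finding above, next to the decode-once form it proposes, as an added example that is not dhcpcd's code: ioctl_request_t is modelled as uint32_t carried in a 64-bit wire value, the allow-list constants are constructed stand-ins, and the host byte order is an explicit parameter so both orders run on one machine. It goes one step beyond the proposed fix by also rejecting wire values whose discarded padding bytes are not zero.

```c
#include <stdint.h>
/* Modelled types: the wire carries a 64-bit value, the kernel request type is narrower;
 * dhcpcd's real ioctl_request_t is platform-defined, so uint32_t is an assumption here. */
typedef uint32_t ioctl_request_t;
/* Constructed allow-list values standing in for SIOCSIFADDR/SIOCAIFADDR (platform-specific). */
#define REQ_SIFADDR 0x8020690cULL
#define REQ_AIFADDR 0x8040691aULL
/* Model of memcpy(&narrow, &wide, sizeof(narrow)) with the host byte order made explicit,
 * so the result does not depend on the machine running this file. */
static ioctl_request_t narrow_by_memcpy(uint64_t wide, int big_endian)
{
    uint8_t bytes[sizeof(wide)];
    ioctl_request_t out = 0;
    unsigned i;
    for (i = 0; i < sizeof(wide); i++)
        bytes[i] = (uint8_t)(wide >> (8 * (big_endian ? sizeof(wide) - 1 - i : i)));
    for (i = 0; i < sizeof(out); i++)   /* memcpy keeps only the first sizeof(out) bytes */
        out |= (ioctl_request_t)bytes[i] << (8 * (big_endian ? sizeof(out) - 1 - i : i));
    return out;
}

/* The one wide value whose leading bytes are r and whose remaining bytes are zero. */
static uint64_t widen(ioctl_request_t r, int big_endian)
{
    return big_endian ? (uint64_t)r << (8 * (sizeof(uint64_t) - sizeof(r))) : (uint64_t)r;
}

static int allowed(uint64_t req)   /* the allow-list (a switch in the original) */
{
    return req == REQ_SIFADDR || req == REQ_AIFADDR;
}

/* Pattern the review flags: the allow-list sees the wide wire value, the syscall gets the narrowed one. */
static int split_check_then_narrow(uint64_t req, int big_endian, ioctl_request_t *issued)
{
    if (!allowed(req))
        return -1;
    *issued = narrow_by_memcpy(req, big_endian);  /* can differ from the value that was checked */
    return 0;
}

/* Decode-once form: narrow first, reject non-canonical padding, then check and issue the same value. */
static int decode_once(uint64_t req, int big_endian, ioctl_request_t *issued)
{
    ioctl_request_t ioreq = narrow_by_memcpy(req, big_endian);
    if (widen(ioreq, big_endian) != req || !allowed(ioreq))  /* padding not zero, or not listed */
        return -1;
    *issued = ioreq;  /* exactly the value that passed the check */
    return 0;
}
```

With big_endian set, split_check_then_narrow accepts 0x8020690c yet would issue request 0, while decode_once either rejects that encoding or, for the canonical 0x8020690c00000000, issues exactly the value it checked.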

Comment thread src/privsep-root.c
@rsmarples rsmarples merged commit c64f707 into master Jun 16, 2026
6 checks passed
@rsmarples rsmarples deleted the privsep-ioctl branch June 16, 2026 21:57