History log of /openbsd-current/usr.sbin/npppd/npppd/privsep.c
Revision Date Author Comments
# 1.25 18-Jan-2024 claudio

Convert privsep imsg code to use imsg_get_fd().

ok yasuoka


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE
# 1.24 23-Jan-2020 dlg

allow npppd to use pppac(4) (once i wire it up)


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.23 19-Apr-2017 natano

Switch base tools from /dev/bpf0 to /dev/bpf. Now that /dev/bpf has been
around for two releases, it should be safe to do so.

ok bluhm deraadt sthen tb yasuoka


Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE
# 1.22 28-May-2016 natano

Replace the /dev/bpf* open loop with a plain open("/dev/bpf0", ...).
ok deraadt jca


Revision tags: OPENBSD_5_9_BASE
# 1.21 02-Feb-2016 sthen

Remove setproctitle() for the parent process. Because rc.d(8) uses process
titles (including flags) to distinguish between daemons, this makes it
possible to manage multiple copies of a daemon using the normal infrastructure
by symlinking rc.d scripts to a new name. ok jung@ ajacoutot@, smtpd ok gilles@


# 1.20 05-Dec-2015 mmcc

strings.h -> string.h to prevent an implicit declaration. Also remove a
bunch of NULL-checks before free().


# 1.19 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.18 11-Oct-2015 guenther

Simplify and lock down priv_open():
* kill the 'mode' argument
* fail if passed any flags other than O_ACCMODE OR O_NONBLOCK
* paranoia: mask O_CREAT when calling open() with only two arguments
* instead of using ioctl(FIONBIO) after the fact, pass O_NONBLOCK to
  priv_open()

"good start" deraadt@
ok yasuoka@
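
The flag checks listed in revision 1.18, sketched as an added example (not npppd's code and not part of the commit log). The names `example_priv_open` and `flags_acceptable` and the one-entry path allowlist are assumptions made for illustration:

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed allowlist for the demo; the daemon's real path checks are
 * not shown on this page. */
static const char *const allowed_paths[] = { "/dev/null" };

/* Only the access mode and O_NONBLOCK may be requested by the caller. */
static int
flags_acceptable(int flags)
{
	return (flags & ~(O_ACCMODE | O_NONBLOCK)) == 0;
}

/* Hypothetical privileged-side open handler: validate, then open. */
static int
example_priv_open(const char *path, int flags)
{
	size_t i;

	if (!flags_acceptable(flags)) {
		errno = EINVAL;		/* O_CREAT, O_TRUNC, O_APPEND, ... */
		return -1;
	}
	for (i = 0; i < sizeof(allowed_paths) / sizeof(allowed_paths[0]); i++) {
		if (strcmp(path, allowed_paths[i]) != 0)
			continue;
		/* Two-argument open(): mask O_CREAT again so a missing
		 * mode argument can never be read, even if the check
		 * above is later loosened. */
		return open(path, flags & ~O_CREAT);
	}
	errno = EACCES;
	return -1;
}

int
main(void)
{
	int fd = example_priv_open("/dev/null", O_RDWR | O_NONBLOCK);

	printf("allowed open: %s\n", fd >= 0 ? "ok" : strerror(errno));
	if (fd >= 0)
		close(fd);
	if (example_priv_open("/dev/null", O_WRONLY | O_CREAT) == -1)
		printf("O_CREAT request: %s\n", strerror(errno));
	return 0;
}
```

Passing O_NONBLOCK at open time means the descriptor is already non-blocking when it is handed back, so no follow-up ioctl(FIONBIO) is needed.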


Revision tags: OPENBSD_5_8_BASE
# 1.17 20-Jul-2015 yasuoka

Add missing initializations in privsep.c

From Yuuichi Someya at IIJ.


Revision tags: OPENBSD_5_7_BASE
# 1.16 19-Jan-2015 deraadt

move to <limits.h> universe
ok yasuoka


# 1.15 23-Aug-2014 doug

close fd when fdopen fails

ok yasuoka@


Revision tags: OPENBSD_5_6_BASE
# 1.14 18-Jul-2014 yasuoka

Fix privsep.c. Call missing imsg_free() after imsg_get(). Also add
missing #include <net/if.h> to use IFNAMESIZ and replace some strncmp()
by startswith().


# 1.13 13-Jul-2014 yasuoka

Some functions need to dup() before sending a socket by imsg and don't
need to close() after sending socket since imsg_compose() closes the
passing socket.


# 1.12 12-Jul-2014 yasuoka

Fix a potential bug. privsep.c didn't check the interface name
correctly if it's pppx.


# 1.11 12-Jul-2014 yasuoka

Fix error in previous.


# 1.10 12-Jul-2014 yasuoka

Use imsg(3) for the IPC between the privileged process and the
non-privileged process to unify the way. Also fix style.


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.9 08-Feb-2013 yasuoka

Fix memory leak in privsep.c. Free the memories which were allocated by
getcap(3).


# 1.8 31-Jan-2013 yasuoka

Deleting ip address of tun interface failed. This was caused by
passing wrong interface name to ioctl().

pointed out by csszep at gmail.com


# 1.7 28-Sep-2012 yasuoka

framed-ip-address and framed-ip-netmask were not working.

pointed out by Andrew Ngo.


# 1.6 18-Sep-2012 yasuoka

New configuration syntax for npppd(8). `npppd.conf' will be based on
parse.y and `npppd-users' will be based on getcap(3). Add man pages.

feedback from giovanni


Revision tags: OPENBSD_5_2_BASE
# 1.5 08-May-2012 yasuoka

Fix comments and styles. Delete unused variables and labels.
No binary changes.

ok mcbride henning


Revision tags: OPENBSD_5_1_BASE
# 1.4 18-Jan-2012 yasuoka

Replace npppdctl(8) by new npppctl(8). npppctl was written from
scratch, it uses parser.c derived from ikectl(8) to have OpenBSD's
fashion. This includes related changes listed below:
- changed npppd control IPC heavily.
- support IPv6 as tunnel source address.
- deleted support changing the configuration of npppd_ctl on running.
  Because it is not so needed but it requires privilege operations.
- refactors.

man page helps from jmc. tested by sebastia.
ok deraadt sebastia sthen


Revision tags: OPENBSD_5_0_BASE
# 1.3 08-Jul-2011 yasuoka

Improved npppd privileged separations:
- Changed finalizing way to the privileged process. In old way, the
  privileged process could not be aware of abnormal exit of the process in
  jail. Then the processes in jail remained as zombies. Created a
  pipe to monitor the privileged process, the privileged process can
  exit in peace by using the pipe.
- npppd will exit abnormally when the privileged process exits
  abnormally.
- PF_KEY socket requires privileges.
- Return correct "errno" to the jail in priv_open().
- Cleanup.

ok hsuenaga@


# 1.2 05-Jul-2011 yasuoka

Fixed some bugs of priv_send(). The bugs caused sending routing messages
failures. 'errno' returned by the privileged process was not initialized.
'tolen' in priv_sendto() was garbage.

ok hsuenaga@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.1 31-Jan-2010 yasuoka

privilege separation of npppd.

- Drop privilege after daemon initializing.
- Some system calls that require root privileges were replaced with
  wrapper functions that communicate with a separated privileged
  process via IPC. And the privileged process checks whether the
  operations are acceptable.

