sys: specify process context for dropping root

Similarly to enabling the syscall filter, specify what kind of chronyd
process is dropping the root privileges.

main.c

@@ -625,7 +625,7 @@ int main
 
   /* Drop root privileges if the specified user has a non-zero UID */
   if (!geteuid() && (pw->pw_uid || pw->pw_gid))
-    SYS_DropRoot(pw->pw_uid, pw->pw_gid);
+    SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS);
 
   REF_Initialise();
   SST_Initialise();

nts_ke_server.c

@@ -646,7 +646,7 @@ run_helper(uid_t uid, gid_t gid, int scfilter_level)
   LOG_SetMinSeverity(log_severity);
 
   if (!geteuid() && (uid || gid))
-    SYS_DropRoot(uid, gid);
+    SYS_DropRoot(uid, gid, SYS_NTSKE_HELPER);
 
   NKS_Initialise();
 

sys.c

@@ -97,16 +97,16 @@ SYS_Finalise(void)
 
 /* ================================================== */
 
-void SYS_DropRoot(uid_t uid, gid_t gid)
+void SYS_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
 {
 #if defined(LINUX) && defined (FEAT_PRIVDROP)
-  SYS_Linux_DropRoot(uid, gid, !null_driver);
+  SYS_Linux_DropRoot(uid, gid, context, !null_driver);
 #elif defined(SOLARIS) && defined(FEAT_PRIVDROP)
-  SYS_Solaris_DropRoot(uid, gid);
+  SYS_Solaris_DropRoot(uid, gid, context);
 #elif (defined(NETBSD) || defined(FREEBSD)) && defined(FEAT_PRIVDROP)
-  SYS_NetBSD_DropRoot(uid, gid);
+  SYS_NetBSD_DropRoot(uid, gid, context);
 #elif defined(MACOSX) && defined(FEAT_PRIVDROP)
-  SYS_MacOSX_DropRoot(uid, gid);
+  SYS_MacOSX_DropRoot(uid, gid, context);
 #else
   LOG_FATAL("dropping root privileges not supported");
 #endif
@@ -114,7 +114,7 @@ void SYS_DropRoot(uid_t uid, gid_t gid)
 
 /* ================================================== */
 
-void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
+void SYS_EnableSystemCallFilter(int level, SYS_ProcessContext context)
 {
 #if defined(LINUX) && defined(FEAT_SCFILTER)
   SYS_Linux_EnableSystemCallFilter(level, context);

sys.h

@@ -35,17 +35,17 @@ extern void SYS_Initialise(int clock_control);
 /* Called at the end of the run to do final clean-up */
 extern void SYS_Finalise(void);
 
-/* Drop root privileges to the specified user and group */
-extern void SYS_DropRoot(uid_t uid, gid_t gid);
-
 typedef enum {
   SYS_MAIN_PROCESS,
   SYS_NTSKE_HELPER,
-} SYS_SystemCallContext;
+} SYS_ProcessContext;
+
+/* Switch to the specified user and group in given context */
+extern void SYS_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
 
 /* Enable a system call filter to allow only system calls
    which chronyd normally needs after initialization */
-extern void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context);
+extern void SYS_EnableSystemCallFilter(int level, SYS_ProcessContext context);
 
 extern void SYS_SetScheduler(int SchedPriority);
 extern void SYS_LockMemory(void);

sys_linux.c

@@ -426,7 +426,7 @@ SYS_Linux_Finalise(void)
 
 #ifdef FEAT_PRIVDROP
 void
-SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control)
+SYS_Linux_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context, int clock_control)
 {
   char cap_text[256];
   cap_t cap;
@@ -480,7 +480,7 @@ void check_seccomp_applicability(void)
 /* ================================================== */
 
 void
-SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
+SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
 {
   const int syscalls[] = {
     /* Clock */

sys_linux.h

@@ -33,9 +33,9 @@ extern void SYS_Linux_Initialise(void);
 
 extern void SYS_Linux_Finalise(void);
 
-extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control);
+extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context, int clock_control);
 
-extern void SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context);
+extern void SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context);
 
 extern int SYS_Linux_CheckKernelVersion(int req_major, int req_minor);
 

sys_macosx.c

@@ -415,7 +415,7 @@ SYS_MacOSX_SetScheduler(int SchedPriority)
 /* ================================================== */
 
 #ifdef FEAT_PRIVDROP
-void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid)
+void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
 {
   PRV_StartHelper();
 

sys_macosx.h

@@ -30,8 +30,10 @@
 #ifndef GOT_SYS_MACOSX_H
 #define GOT_SYS_MACOSX_H
 
+#include "sys.h"
+
 void SYS_MacOSX_SetScheduler(int SchedPriority);
-void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid);
+void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
 void SYS_MacOSX_Initialise(void);
 void SYS_MacOSX_Finalise(void);
 

sys_netbsd.c

@@ -131,7 +131,7 @@ SYS_NetBSD_Finalise(void)
 
 #ifdef FEAT_PRIVDROP
 void
-SYS_NetBSD_DropRoot(uid_t uid, gid_t gid)
+SYS_NetBSD_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
 {
 #ifdef NETBSD
   int fd;

sys_netbsd.h

@@ -28,10 +28,12 @@
 #ifndef GOT_SYS_NETBSD_H
 #define GOT_SYS_NETBSD_H
 
+#include "sys.h"
+
 void SYS_NetBSD_Initialise(void);
 
 void SYS_NetBSD_Finalise(void);
 
-void SYS_NetBSD_DropRoot(uid_t uid, gid_t gid);
+void SYS_NetBSD_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
 
 #endif

sys_solaris.c

@@ -55,7 +55,7 @@ SYS_Solaris_Finalise(void)
 
 #ifdef FEAT_PRIVDROP
 void
-SYS_Solaris_DropRoot(uid_t uid, gid_t gid)
+SYS_Solaris_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
 {
   PRV_StartHelper();
   UTI_DropRoot(uid, gid);

sys_solaris.h

@@ -27,10 +27,12 @@
 #ifndef GOT_SYS_SOLARIS_H
 #define GOT_SYS_SOLARIS_H
 
+#include "sys.h"
+
 void SYS_Solaris_Initialise(void);
 
 void SYS_Solaris_Finalise(void);
 
-void SYS_Solaris_DropRoot(uid_t uid, gid_t gid);
+void SYS_Solaris_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
 
 #endif