Import latest pidfile from NetBSD

[rsmarples]

More portable, better support for chroot and sandboxes.
Adapt codebase.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 80096da6-e075-4179-9191-e265b91112c7

📥 Commits

Reviewing files that changed from the base of the PR and between eb74aaf and e6a7902.

📒 Files selected for processing (11)

• compat/pidfile.c
• compat/pidfile.h
• configure
• src/bpf-bsd.c
• src/bpf-linux.c
• src/common.c
• src/dhcpcd.c
• src/dhcpcd.h
• src/privsep-control.c
• src/privsep-linux.c
• src/privsep.c

✅ Files skipped from review due to trivial changes (3)

• src/privsep-control.c
• src/bpf-linux.c
• src/bpf-bsd.c

🚧 Files skipped from review as they are similar to previous changes (7)

• src/common.c
• src/privsep-linux.c
• src/dhcpcd.h
• configure
• src/dhcpcd.c
• src/privsep.c
• compat/pidfile.c

---

Walkthrough

This PR refactors pidfile lifecycle management across dhcpcd to use dynamic path allocation, internal global state tracking, and improved cleanup semantics. Core pidfile operations are rewritten to support dynamic paths and reliable unlinking, new public accessors expose pidfile state, the daemon integrates capability rights limiting, and process fork/privilege-dropping cleanup is adjusted to work correctly with the new pidfile API.

Changes

Pidfile Lifecycle Refactoring

Layer / File(s)	Summary
Pidfile library refactoring and internal state compat/pidfile.c	Introduced internal global state (pf_path, pf_fd, pf_removeable), added pidfile_readfd() helper for parsing PID from open fd, rewritten pidfile_clean() to verify ownership and conditionally unlink, and refactored pidfile_lock()/pidfile_read() to use dynamic allocation via asprintf(), reuse locked fd when possible, and track global state.
Public API expansion and feature detection compat/pidfile.h, configure	Expanded pidfile header with new function declarations (pidfile, pidfile_unlock, pidfile_fd, pidfile_path, pidfile_unremoveable), updated configure feature test to probe pidfile_unlock(), and added fallback define DPIDFILE_LOCAL when pidfile support is unavailable.
Main daemon pidfile integration and memory management src/dhcpcd.h, src/dhcpcd.c	Changed struct dhcpcd_ctx.pidfile to dynamic pointer, implemented dynamic path allocation via asprintf() with error handling, added capability rights limiting to pidfile descriptor under PRIVSEP_RIGHTS, freed dynamically allocated pidfile in cleanup, and removed legacy _exit() behavior that prevented normal atexit handling.
Process fork and privilege separation with pidfile handling src/privsep.c, src/privsep-linux.c	Updated child process fork cleanup to explicitly unlock pidfile before chroot/root handling, removed pidfile_clean() from manager-side cleanup, marked pidfile unremoveable after dropping privileges, and added ftruncate and lseek to Linux seccomp syscall allowlist to support new pidfile truncation behavior.
Missing header includes for system calls src/bpf-bsd.c, src/bpf-linux.c, src/common.c, src/privsep-control.c	Added #include <unistd.h> to four source files that depend on POSIX declarations (read, writev, lseek, close).

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs:

• NetworkConfiguration/dhcpcd#604: Changes overlapping src/privsep.c (privsep/fork and IPC adjustments) and related privsep workflows.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 57.14% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: importing an updated pidfile implementation from NetBSD.
Description check	✅ Passed	The description relates to the changeset by explaining the motivation (improved portability, better chroot/sandbox support) and noting codebase adaptations.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pidfile_unlock

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

configure (1)

1042-1070: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Expand the pidfile feature probe to cover the full util.h API, not just pidfile_unlock()

The configure pidfile test currently only compiles a call to pidfile_unlock(), so it can succeed on platforms with partial pidfile support even though the build later relies on additional util.h symbols (e.g., pidfile_lock(), pidfile_read(), pidfile_fd(), pidfile_unremoveable()). Update the probe to reference the same set of pidfile functions the real code uses.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@configure` around lines 1042 - 1070, The probe only calls pidfile_unlock()
but must exercise the full util.h pidfile API; update the generated _pidfile.c
(the probe created in the configure fragment) so main() invokes pidfile_lock(),
pidfile_unlock(), pidfile_read(), pidfile_fd() and pidfile_unremoveable() (e.g.,
call each and return a combined nonzero/zero result or cast to void where
appropriate) so the compiler/linker will require all symbols; keep the existing
include <util.h> and preserve the existing PIDFILE_LOCK / LIBUTIL detection flow
using XCC and -lutil as currently implemented.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@compat/pidfile.c`:
- Around line 79-81: pidfile_readfd() currently returns -1 on strtoi() parse
failures without setting errno, which lets pidfile_clean() pick up a stale
errno; update pidfile_readfd (around the strtoi() call) to set errno = error
before returning -1 when strtoi() indicates a parse error (i.e., when error != 0
and not the ENOTSUP newline case), so callers like pidfile_clean() that read
errno after pid == -1 get the correct error code.

In `@src/privsep-linux.c`:
- Around line 340-342: Extend the seccomp allowlist in privsep-linux.c to
include the large-file/compat syscall variants used on 32-bit targets: add
conditional SECCOMP_ALLOW entries for __NR_ftruncate64, __NR__llseek (the compat
llseek), and where available __NR_lseek64 alongside the existing __NR_ftruncate
and __NR_lseek so pidfile.c's calls won't trigger SIGSYS; guard each new entry
with the appropriate `#ifdef` (e.g., `#ifdef` __NR_ftruncate64 / `#ifdef` __NR__llseek
/ `#ifdef` __NR_lseek64) next to the existing SECCOMP_ALLOW(__NR_ftruncate) and
SECCOMP_ALLOW(__NR_lseek) lines.

---

Outside diff comments:
In `@configure`:
- Around line 1042-1070: The probe only calls pidfile_unlock() but must exercise
the full util.h pidfile API; update the generated _pidfile.c (the probe created
in the configure fragment) so main() invokes pidfile_lock(), pidfile_unlock(),
pidfile_read(), pidfile_fd() and pidfile_unremoveable() (e.g., call each and
return a combined nonzero/zero result or cast to void where appropriate) so the
compiler/linker will require all symbols; keep the existing include <util.h> and
preserve the existing PIDFILE_LOCK / LIBUTIL detection flow using XCC and -lutil
as currently implemented.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0c6b5be4-e0b7-426b-bfb7-082be4144c6c

📥 Commits

Reviewing files that changed from the base of the PR and between 15ff549 and a8178d8.

📒 Files selected for processing (11)

• compat/pidfile.c
• compat/pidfile.h
• configure
• src/bpf-bsd.c
• src/bpf-linux.c
• src/common.c
• src/dhcpcd.c
• src/dhcpcd.h
• src/privsep-control.c
• src/privsep-linux.c
• src/privsep.c

[rsmarples]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.