diff options
author | Toni Uhlig <matzeton@googlemail.com> | 2018-05-21 13:56:56 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2018-05-21 13:56:56 +0200 |
commit | 472a5a7a0078b1d2792cb52003e3bd50e208cafc (patch) | |
tree | cb8383f7df000e45d0f0f8ee4d5c9fc2927b0b07 | |
parent | 50bb59a86d354f775f78198b7ecf27ce5300dacf (diff) |
POTD skeleton #67.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | src/jail.c | 58 | ||||
-rw-r--r-- | src/main.c | 4 | ||||
-rw-r--r-- | src/protocol_ssh.c | 11 | ||||
-rw-r--r-- | src/pseccomp.c | 2 | ||||
-rw-r--r-- | src/utils.c | 1 |
5 files changed, 63 insertions, 13 deletions
@@ -3,6 +3,7 @@ #include <sched.h> #include <signal.h> #include <pty.h> +#include <sys/signalfd.h> #include <sys/wait.h> #include <sys/prctl.h> #include <sys/stat.h> @@ -29,6 +30,7 @@ typedef struct server_event { typedef struct client_event { psocket *client_sock; int tty_fd; + int signal_fd; char tty_logbuf[BUFSIZ]; size_t off_logbuf; char *tty_logbuf_escaped; @@ -238,7 +240,7 @@ static int jail_childfn(prisoner_process *ctx) const char *path_devpts = "/dev/pts"; const char *path_proc = "/proc"; const char *path_shell = "/bin/sh"; - int s, master_fd; + int i, s, master_fd; int unshare_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC| CLONE_NEWNS|CLONE_NEWNET/*|CLONE_NEWUSER*/; //unsigned int ug_map[3] = { 0, 10000, 65535 }; @@ -248,12 +250,9 @@ static int jail_childfn(prisoner_process *ctx) assert(ctx); self_pid = getpid(); set_procname("[potd] jail-client"); - if (set_child_sighandler()) - FATAL("Set sighandler for pid %d", self_pid); - if (setpgrp()) - FATAL("Jail set process group for pid %d", self_pid); - if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0) + if (prctl(PR_SET_PDEATHSIG, SIGTERM) != 0) FATAL("Jail child prctl for pid %d", self_pid); + if (!ctx->newroot) FATAL("New root set for pid %d", self_pid); @@ -331,6 +330,9 @@ static int jail_childfn(prisoner_process *ctx) if (close_fds_except(0, 1, 2, -1)) exit(EXIT_FAILURE); + if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0) + exit(EXIT_FAILURE); + printf("%s", " _______ ________ __\n" " | |.-----.-----.-----.| | | |.----.| |_\n" @@ -360,26 +362,39 @@ static int jail_childfn(prisoner_process *ctx) if (execl(path_shell, path_shell, (char *) NULL)) exit(EXIT_FAILURE); default: - if (set_fd_nonblock(master_fd)) - FATAL("Pty master fd nonblock for prisoner pid %d", + if (set_fd_nonblock(master_fd)) { + E_STRERR("Pty master fd nonblock for prisoner pid %d", child_pid); + goto finalise; + } N("Socket to tty I/O for prisoner pid %d", child_pid); if (jail_socket_tty(ctx, master_fd)) - FATAL("Socket to tty I/O for prisoner pid %d", + E_STRERR("Socket to tty I/O for prisoner pid %d", child_pid); - waitpid(child_pid, &s, 0); + + kill(child_pid, SIGTERM); + i = 10; + while (i > 0 && waitpid(child_pid, &s, WNOHANG) > 0) { + if (WIFEXITED(s)) + break; + usleep(250000); + i--; + } + kill(child_pid, SIGKILL); } +finalise: close(master_fd); exit(EXIT_FAILURE); } static int jail_socket_tty(prisoner_process *ctx, int tty_fd) { - static client_event ev_cli = {NULL, 0, {0}, 0, 0, 0}; + static client_event ev_cli = {NULL, -1, -1, {0}, 0, 0, 0}; int s, rc = 1; event_ctx *ev_ctx = NULL; + sigset_t mask; assert(ctx); ev_cli.tty_fd = tty_fd; @@ -407,9 +422,27 @@ static int jail_socket_tty(prisoner_process *ctx, int tty_fd) goto finish; } + sigemptyset(&mask); + sigaddset(&mask, SIGTERM); + sigaddset(&mask, SIGINT); + if (sigprocmask(SIG_BLOCK, &mask, NULL) == -1) { + E_STRERR("%s", "SIGTERM block"); + goto finish; + } + ev_cli.signal_fd = signalfd(-1, &mask, SFD_NONBLOCK|SFD_CLOEXEC); + if (ev_cli.signal_fd < 0) { + E_STRERR("%s", "SIGNAL fd"); + goto finish; + } + if (event_add_fd(ev_ctx, ev_cli.signal_fd)) { + E_STRERR("Jail SIGNAL fd %d", ev_cli.signal_fd); + goto finish; + } + ev_cli.client_sock = &ctx->client_psock; rc = event_loop(ev_ctx, jail_socket_tty_io, &ev_cli); finish: + close(ev_cli.signal_fd); event_free(&ev_ctx); return rc; } @@ -429,6 +462,9 @@ jail_socket_tty_io(event_ctx *ev_ctx, int src_fd, void *user_data) dest_fd = ev_cli->tty_fd; } else if (src_fd == ev_cli->tty_fd) { dest_fd = ev_cli->client_sock->fd; + } else if (src_fd == ev_cli->signal_fd) { + ev_ctx->active = 0; + return 0; } else return 0; fwd_state = event_forward_connection(ev_ctx, dest_fd, jail_log_input, @@ -150,9 +150,9 @@ int main(int argc, char *argv[]) E2("%s daemon with pid %d terminated, exiting", (child_pid == jail_pid ? "Jail" : "Redirector"), (child_pid == jail_pid ? jail_pid : rdr_pid)); - kill(0, SIGTERM); + kill(getpid(), SIGTERM); break; - } + } else W2("Process with pid %d terminated", child_pid); } return 0; diff --git a/src/protocol_ssh.c b/src/protocol_ssh.c index 1941dbb..559dfe7 100644 --- a/src/protocol_ssh.c +++ b/src/protocol_ssh.c @@ -162,12 +162,23 @@ int ssh_on_listen(protocol_ctx *ctx) break; } D2("SSH protocol pid: %d", p); + ssh_on_shutdown(ctx); return s != 0; } int ssh_on_shutdown(protocol_ctx *ctx) { + ssh_data *d; + + assert(ctx->src.data); + + d = (ssh_data *) ctx->src.data; + ssh_bind_free(d->sshbind); + free(d); + ctx->src.data = NULL; + ssh_finalize(); + return 0; } diff --git a/src/pseccomp.c b/src/pseccomp.c index da39cbb..97504d2 100644 --- a/src/pseccomp.c +++ b/src/pseccomp.c @@ -9,6 +9,7 @@ static int pseccomp_using_valgrind(void); static const int default_allowed_syscalls[] = { + SCMP_SYS(signalfd), SCMP_SYS(signalfd4), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask), SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep), SCMP_SYS(exit), SCMP_SYS(exit_group), @@ -45,6 +46,7 @@ static const int protocol_disabled_syscalls[] = { }; static const int jail_allowed_syscalls[] = { + SCMP_SYS(signalfd), SCMP_SYS(signalfd4), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask), SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep), SCMP_SYS(exit), SCMP_SYS(exit_group), diff --git a/src/utils.c b/src/utils.c index aa65c28..7953614 100644 --- a/src/utils.c +++ b/src/utils.c @@ -76,6 +76,7 @@ static void sighandler_master(int signo) case SIGINT: case SIGTERM: case SIGABRT: + W("Got signal %d, exiting", signo); kill(0, SIGTERM); exit(EXIT_FAILURE); } |