aboutsummaryrefslogtreecommitdiff
path: root/src/jail.c
diff options
context:
space:
mode:
authorToni Uhlig <matzeton@googlemail.com>2018-05-08 17:19:47 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-05-08 17:19:47 +0200
commitbc240cca7918d6e6f4f56fbe19d32eb20f07a567 (patch)
treeb803bc1e6fb6446369fc063e7efdd53152745569 /src/jail.c
parentdad140b0a494c416532a546fdd034dc27ad05b8c (diff)
POTD skeleton #46.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/jail.c')
-rw-r--r--src/jail.c254
1 files changed, 128 insertions, 126 deletions
diff --git a/src/jail.c b/src/jail.c
index 7bb0f70..195356e 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -4,7 +4,6 @@
#include <signal.h>
#include <pty.h>
#include <sys/wait.h>
-#include <sys/epoll.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <assert.h>
@@ -15,21 +14,29 @@
#include "utils.h"
#include "log.h"
-typedef struct jail_prisoner_process {
+typedef struct prisoner_process {
psocket client_psock;
char host_buf[NI_MAXHOST], service_buf[NI_MAXSERV];
char *newroot;
-} jail_prisoner_process;
+} prisoner_process;
-static int jail_mainloop_epoll(int epoll_fd, jail_ctx *ctx[], size_t siz)
+typedef struct server_event {
+ const jail_ctx **jail_ctx;
+ const size_t siz;
+} server_event;
+
+typedef struct client_event {
+ const psocket *client_sock;
+ const int tty_fd;
+} client_event;
+
+static int jail_mainloop(event_ctx **ev_ctx, const jail_ctx *ctx[], size_t siz)
__attribute__((noreturn));
-static int jail_accept_client(jail_ctx *ctx[],
- size_t siz, struct epoll_event *event);
-static int jail_childfn(jail_prisoner_process *ctx)
+static int jail_accept_client(event_ctx *ev_ctx, int fd, void *user_data);
+static int jail_childfn(prisoner_process *ctx)
__attribute__((noreturn));
-static int jail_socket_tty_epoll(jail_prisoner_process *ctx, int tty_fd);
-static forward_state
-jail_socket_tty_io_epoll(struct epoll_event *ev, int dest_fd);
+static int jail_socket_tty(prisoner_process *ctx, int tty_fd);
+static int jail_socket_tty_io(event_ctx *ev_ctx, int src_fd, void *user_data);
void jail_init_ctx(jail_ctx **ctx, size_t stacksize)
@@ -77,20 +84,21 @@ int jail_validate_ctx(const jail_ctx *ctx)
return 0;
}
-int jail_setup_epoll(jail_ctx *ctx[], size_t siz)
+int jail_setup_event(jail_ctx *ctx[], size_t siz, event_ctx **ev_ctx)
{
- int s, fd = epoll_create1(0); /* flags == 0 -> obsolete size arg is dropped */
- struct epoll_event ev;
+ int s;
assert(ctx);
assert(siz > 0 && siz < POTD_MAXFD);
- if (fd < 0)
- return -1;
+
+ event_init(ev_ctx);
+ if (event_setup(*ev_ctx))
+ return 1;
for (size_t i = 0; i < siz; ++i) {
- memset(&ev, 0, sizeof(ev));
- ev.data.fd = ctx[i]->fwd_ctx.sock.fd;
- ev.events = EPOLLIN | EPOLLET;
+ if (event_add_sock(*ev_ctx, &ctx[i]->fwd_ctx.sock)) {
+ return 1;
+ }
s = socket_addrtostr_in(&ctx[i]->fwd_ctx.sock,
ctx[i]->host_buf, ctx[i]->service_buf);
@@ -98,27 +106,21 @@ int jail_setup_epoll(jail_ctx *ctx[], size_t siz)
E_GAIERR(s, "Convert socket address to string");
return -2;
}
- N("Jail service listening on %s:%s: %d",
- ctx[i]->host_buf, ctx[i]->service_buf, ev.data.fd);
-
- s = epoll_ctl(fd, EPOLL_CTL_ADD, ctx[i]->fwd_ctx.sock.fd, &ev);
- if (s) {
- close(fd);
- return -3;
- }
+ N("Jail service listening on %s:%s",
+ ctx[i]->host_buf, ctx[i]->service_buf);
}
- return fd;
+ return 0;
}
-pid_t jail_daemonize(int epoll_fd, jail_ctx *ctx[], size_t siz)
+pid_t jail_daemonize(event_ctx **ev_ctx, jail_ctx *ctx[], size_t siz)
{
pid_t p;
int s;
size_t i;
- assert(ctx);
- assert(siz > 0);
+ assert(ev_ctx && *ev_ctx && ctx);
+ assert(siz > 0 && siz <= POTD_MAXFD);
for (i = 0; i < siz; ++i) {
assert(ctx[i]);
@@ -136,81 +138,54 @@ pid_t jail_daemonize(int epoll_fd, jail_ctx *ctx[], size_t siz)
W_STRERR("%s", "Jail daemonize");
return -1;
case 0:
- N("Jail daemon mainloop on Epoll fd %d", epoll_fd);
- jail_mainloop_epoll(epoll_fd, ctx, siz);
+ N("%s", "Jail daemon mainloop");
+ jail_mainloop(ev_ctx, (const jail_ctx **) ctx, siz);
}
D2("Jail daemon pid: %d", p);
- close(epoll_fd);
+ event_free(ev_ctx);
for (i = 0; i < siz; ++i)
socket_close(&ctx[i]->fwd_ctx.sock);
return p;
}
-static int jail_mainloop_epoll(int epoll_fd, jail_ctx *ctx[], size_t siz)
+static int jail_mainloop(event_ctx **ev_ctx, const jail_ctx *ctx[], size_t siz)
{
- static struct epoll_event *events = NULL;
- sigset_t eset;
-
- if (!events)
- events = (struct epoll_event *) calloc(POTD_MAXEVENTS, sizeof(*events));
-
- assert(events);
- assert(ctx);
- assert(siz > 0 && siz < POTD_MAXFD);
+ int rc;
+ server_event ev_jail = { ctx, siz };
set_procname("[potd] jail");
assert( set_child_sighandler() == 0 );
- sigemptyset(&eset);
-
- while (1) {
- int n, i;
- n = epoll_pwait(epoll_fd, events, POTD_MAXEVENTS, -1, &eset);
- if (n < 0)
- goto error;
+ rc = event_loop(*ev_ctx, jail_accept_client, &ev_jail);
+ event_free(ev_ctx);
- for (i = 0; i < n; ++i) {
- if ((events[i].events & EPOLLERR) ||
- (events[i].events & EPOLLHUP) ||
- (!(events[i].events & EPOLLIN)))
- {
- E_STRERR("Epoll for descriptor %d", events[i].data.fd);
- close(events[i].data.fd);
- continue;
- } else {
- if (jail_accept_client(ctx, siz, &events[i])) {
- /* new client connection, accept succeeded */
- continue;
- }
- W2("Jail daemon accept client failed: [fd: %d , npoll: %d]", events[i].data.fd, n);
- }
- }
- }
-
- close(epoll_fd);
- exit(EXIT_SUCCESS);
-error:
- close(epoll_fd);
- exit(EXIT_FAILURE);
+ exit(rc);
}
-static int jail_accept_client(jail_ctx *ctx[],
- size_t siz, struct epoll_event *event)
+static int jail_accept_client(event_ctx *ev_ctx, int fd, void *user_data)
{
size_t i, rc = 0;
int s;
pid_t prisoner_pid;
- static jail_prisoner_process *args;
+ server_event *ev_jail = (server_event *) user_data;
+ static prisoner_process *args;
+ const jail_ctx *jail_ctx;
+
+ (void) ev_ctx;
+ assert(ev_jail);
- for (i = 0; i < siz; ++i) {
- if (ctx[i]->fwd_ctx.sock.fd == event->data.fd) {
- args = (jail_prisoner_process *) calloc(1, sizeof(*args));
+ for (i = 0; i < ev_jail->siz; ++i) {
+ jail_ctx = ev_jail->jail_ctx[i];
+ if (jail_ctx->fwd_ctx.sock.fd == fd) {
+ args = (prisoner_process *) calloc(1, sizeof(*args));
assert(args);
- args->newroot = ctx[i]->newroot;
+ args->newroot = jail_ctx->newroot;
- if (socket_accept_in(&ctx[i]->fwd_ctx.sock, &args->client_psock)) {
+ if (socket_accept_in(&jail_ctx->fwd_ctx.sock,
+ &args->client_psock))
+ {
E_STRERR("Could not accept client connection for fd %d",
args->client_psock.fd);
goto error;
@@ -224,7 +199,7 @@ static int jail_accept_client(jail_ctx *ctx[],
}
N2("New connection from %s:%s to %s:%s: %d",
args->host_buf, args->service_buf,
- ctx[i]->host_buf, ctx[i]->service_buf,
+ jail_ctx->host_buf, jail_ctx->service_buf,
args->client_psock.fd);
prisoner_pid = fork();
@@ -249,7 +224,7 @@ error:
return rc;
}
-static int jail_childfn(jail_prisoner_process *ctx)
+static int jail_childfn(prisoner_process *ctx)
{
const char *path_dev = "/dev";
const char *path_devpts = "/dev/pts";
@@ -262,7 +237,8 @@ static int jail_childfn(jail_prisoner_process *ctx)
assert(ctx);
self_pid = getpid();
-
+ if (setpgrp())
+ FATAL("Jail set process group for pid %d", self_pid);
if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0)
FATAL("Jail child prctl for pid %d", self_pid);
if (!ctx->newroot)
@@ -279,6 +255,10 @@ static int jail_childfn(jail_prisoner_process *ctx)
D2("Mounting rootfs to '%s'", ctx->newroot);
mount_root();
+ D2("Checking Shell '%s%s'", ctx->newroot, path_shell);
+ if (access(path_shell, R_OK|X_OK))
+ FATAL("Shell '%s%s' is not accessible", ctx->newroot, path_shell);
+
D2("Mounting devtmpfs to '%s%s'", ctx->newroot, path_dev);
s = mkdir(path_dev, S_IRUSR|S_IWUSR|S_IXUSR|
S_IRGRP|S_IXGRP|
@@ -323,70 +303,92 @@ static int jail_childfn(jail_prisoner_process *ctx)
self_pid);
break;
case 0:
- D2("Executing '%s'", path_shell);
if (execl(path_shell, path_shell, (char *) NULL))
- FATAL("Execute a shell for pid %d", self_pid);
- break;
+ exit(EXIT_FAILURE);
default:
if (set_fd_nonblock(master_fd))
FATAL("Pty master fd nonblock for prisoner pid %d",
child_pid);
N("Socket to tty I/O loop for prisoner pid %d",
child_pid);
- if (jail_socket_tty_epoll(ctx, master_fd))
+ if (jail_socket_tty(ctx, master_fd))
FATAL("Socket to tty I/O loop for prisoner pid %d",
child_pid);
waitpid(child_pid, &s, 0);
}
+ close(master_fd);
exit(EXIT_FAILURE);
}
-static int jail_socket_tty_epoll(jail_prisoner_process *ctx, int tty_fd)
+static int jail_socket_tty(prisoner_process *ctx, int tty_fd)
{
- int s, fd;
- struct epoll_event event = {0,{0}};
- struct epoll_event *events;
- sigset_t eset;
+ client_event ev_cli = {NULL, tty_fd};
+ int s, rc = 1;
+ event_ctx *ev_ctx = NULL;
assert(ctx);
- events = (struct epoll_event *) calloc(POTD_MAXEVENTS, sizeof(*events));
- assert(events);
-
- fd = epoll_create1(0);
- if (fd < 0)
- return -1;
-
- event.events = EPOLLIN | EPOLLET;
- event.data.fd = ctx->client_psock.fd;
- s = epoll_ctl(fd, EPOLL_CTL_ADD, ctx->client_psock.fd, &event);
- if (s)
- FATAL("Jail Socket Epoll for client %s:%s",
- ctx->host_buf, ctx->service_buf);
- event.data.fd = tty_fd;
- s = epoll_ctl(fd, EPOLL_CTL_ADD, tty_fd, &event);
- if (s)
- FATAL("Jail TTY Epoll for client %s:%s",
- ctx->host_buf, ctx->service_buf);
-
- sigemptyset(&eset);
-
- while (1) {
- int n, i;
-
- n = epoll_pwait(fd, events, POTD_MAXEVENTS, -1, &eset);
- if (n < 0)
- break;
- for (i = 0; i < n; ++i) {
- }
+ event_init(&ev_ctx);
+ if (event_setup(ev_ctx)) {
+ E_STRERR("Jail event context creation for jail tty fd %d",
+ tty_fd);
+ goto finish;
+ }
+ s = socket_nonblock(&ctx->client_psock);
+ if (s) {
+ E_STRERR("Socket non blocking mode to client %s:%s fd %d",
+ ctx->host_buf, ctx->service_buf, ctx->client_psock.fd);
+ goto finish;
+ }
+ if (event_add_sock(ev_ctx, &ctx->client_psock)) {
+ E_STRERR("Jail event context for socket %s:%s",
+ ctx->host_buf, ctx->service_buf);
+ goto finish;
+ }
+ if (event_add_fd(ev_ctx, tty_fd)) {
+ E_STRERR("Jail event context for tty fd %d",
+ tty_fd);
+ goto finish;
}
- return 0;
+ ev_cli.client_sock = &ctx->client_psock;
+ rc = event_loop(ev_ctx, jail_socket_tty_io, &ev_cli);
+finish:
+ event_free(&ev_ctx);
+ return rc;
}
-static forward_state
-jail_socket_tty_io_epoll(struct epoll_event *ev, int dest_fd)
+static int
+jail_socket_tty_io(event_ctx *ev_ctx, int src_fd, void *user_data)
{
- return CON_OK;
+ int dest_fd;
+ client_event *ev_cli = (client_event *) user_data;
+ forward_state fwd_state;
+
+ (void) ev_ctx;
+ (void) src_fd;
+ (void) ev_cli;
+
+ if (src_fd == ev_cli->client_sock->fd) {
+ dest_fd = ev_cli->tty_fd;
+ } else if (src_fd == ev_cli->tty_fd) {
+ dest_fd = ev_cli->client_sock->fd;
+ } else return 0;
+
+ fwd_state = event_forward_connection(ev_ctx, dest_fd);
+
+ switch (fwd_state) {
+ case CON_IN_TERMINATED:
+ case CON_OUT_TERMINATED:
+ ev_ctx->active = 0;
+ case CON_OK:
+ return 1;
+ case CON_IN_ERROR:
+ case CON_OUT_ERROR:
+ ev_ctx->active = 0;
+ return 0;
+ }
+
+ return 1;
}
Powered by cgit, Themed by Ted Yin.