diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2018-07-23 07:59:30 +0200 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2018-07-23 07:59:30 +0200 |
| commit | 9aabd792ddba2f2baf31f14a55a21ab6b646d21d (patch) | |
| tree | ee05aeaa4b22052e57e16922c453b019219240b3 /src | |
| parent | 486645a1b6ed3a12c938201e7729b4aeed5e1f93 (diff) | |
| parent | b821e069cd21d212e64cbacc1d3dd1bd22419623 (diff) | |
Merge branch 'master' into feature/jail_protocol
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/Makefile.am | 2 | ||||
| -rw-r--r-- | src/capabilities.c | 4 | ||||
| -rw-r--r-- | src/capabilities.h | 4 | ||||
| -rw-r--r-- | src/compat.c | 104 | ||||
| -rw-r--r-- | src/compat.h | 55 | ||||
| -rw-r--r-- | src/filesystem.c | 44 | ||||
| -rw-r--r-- | src/filesystem.h | 33 | ||||
| -rw-r--r-- | src/forward.c | 4 | ||||
| -rw-r--r-- | src/forward.h | 4 | ||||
| -rw-r--r-- | src/jail.c | 9 | ||||
| -rw-r--r-- | src/jail.h | 4 | ||||
| -rw-r--r-- | src/log.c | 11 | ||||
| -rw-r--r-- | src/log.h | 4 | ||||
| -rw-r--r-- | src/log_colored.c | 4 | ||||
| -rw-r--r-- | src/log_colored.h | 4 | ||||
| -rw-r--r-- | src/log_file.c | 4 | ||||
| -rw-r--r-- | src/log_file.h | 4 | ||||
| -rw-r--r-- | src/main.c | 32 | ||||
| -rw-r--r-- | src/options.c | 4 | ||||
| -rw-r--r-- | src/options.h | 4 | ||||
| -rw-r--r-- | src/pevent.c | 4 | ||||
| -rw-r--r-- | src/pevent.h | 4 | ||||
| -rw-r--r-- | src/protocol.c | 4 | ||||
| -rw-r--r-- | src/protocol.h | 4 | ||||
| -rw-r--r-- | src/protocol_ssh.c | 56 | ||||
| -rw-r--r-- | src/protocol_ssh.h | 4 | ||||
| -rw-r--r-- | src/pseccomp.c | 4 | ||||
| -rw-r--r-- | src/pseccomp.h | 4 | ||||
| -rw-r--r-- | src/redirector.c | 4 | ||||
| -rw-r--r-- | src/redirector.h | 4 | ||||
| -rw-r--r-- | src/socket.c | 20 | ||||
| -rw-r--r-- | src/socket.h | 4 | ||||
| -rw-r--r-- | src/utils.c | 160 | ||||
| -rw-r--r-- | src/utils.h | 4 |
34 files changed, 486 insertions, 132 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 65e1a19..c2fe07c 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,5 +1,5 @@ sbin_PROGRAMS = potd -potd_SOURCES = utils.c options.c log.c log_colored.c log_file.c socket.c pevent.c capabilities.c filesystem.c jail_protocol.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c +potd_SOURCES = compat.c utils.c options.c log.c log_colored.c log_file.c socket.c pevent.c capabilities.c filesystem.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c if HAVE_SECCOMP potd_SOURCES += pseccomp.c endif diff --git a/src/capabilities.c b/src/capabilities.c index 155454c..0fa81bc 100644 --- a/src/capabilities.c +++ b/src/capabilities.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/capabilities.h b/src/capabilities.h index 9ee8df3..7822b9c 100644 --- a/src/capabilities.h +++ b/src/capabilities.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/compat.c b/src/compat.c new file mode 100644 index 0000000..72c78a3 --- /dev/null +++ b/src/compat.c @@ -0,0 +1,104 @@ +/* + * compat.c + * potd is licensed under the BSD license: + * + * Copyright (c) 2018 Toni Uhlig <matzeton@googlemail.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * - The names of its contributors may not be used to endorse or promote + * products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <stdio.h> +#include <errno.h> + +#include "compat.h" + + +char * +potd_strtok(char *str, const char *delim, char **saveptr) +{ +#ifdef HAVE_STRTOK_R + return strtok_r(str, delim, saveptr); +#else + (void) saveptr; + + return strtok(str, delim); +#endif +} + +struct tm * +potd_localtime(const time_t *timep, struct tm *result) +{ +#ifdef HAVE_LOCALTIME_R + return localtime_r(timep, result); +#else + (void) result; + + return localtime(timep); +#endif +} + +int +potd_getpwnam(const char *name, struct passwd *pwd) +{ + struct passwd *result = NULL; + + errno = 0; +#ifdef HAVE_GETPWNAM_R + char buf[BUFSIZ]; + + return getpwnam_r(name, pwd, buf, sizeof buf, &result) || !result; +#else + result = getpwnam(name); + if (result) + *pwd = *result; + + return result == NULL; +#endif +} + +int +potd_getgrnam(const char *name, struct group *grp) +{ + struct group *result = NULL; + + errno = 0; +#ifdef HAVE_GETGRNAM_R + char buf[BUFSIZ]; + + return getgrnam_r(name, grp, buf, sizeof buf, &result) || !result; +#else + result = getgrnam(name); + if (result) + *grp = *result; + + return result == NULL; +#endif +} diff --git a/src/compat.h b/src/compat.h new file mode 100644 index 0000000..386b80e --- /dev/null +++ b/src/compat.h @@ -0,0 +1,55 @@ +/* + * compat.h + * potd is licensed under the BSD license: + * + * Copyright (c) 2018 Toni Uhlig <matzeton@googlemail.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * - The names of its contributors may not be used to endorse or promote + * products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef POTD_COMPAT_H +#define POTD_COMPAT_H 1 + +#include <string.h> +#include <time.h> +#include <pwd.h> +#include <grp.h> + + +char * +potd_strtok(char *str, const char *delim, char **saveptr); + +struct tm * +potd_localtime(const time_t *timep, struct tm *result); + +int +potd_getpwnam(const char *name, struct passwd *pwd); + +int +potd_getgrnam(const char *name, struct group *grp); + +#endif diff --git a/src/filesystem.c b/src/filesystem.c index 56cf05c..fa94987 100644 --- a/src/filesystem.c +++ b/src/filesystem.c @@ -1,3 +1,36 @@ +/* + * filesystem.c + * potd is licensed under the BSD license: + * + * Copyright (c) 2018 Toni Uhlig <matzeton@googlemail.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * - The names of its contributors may not be used to endorse or promote + * products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + #ifdef HAVE_CONFIG_H #include "config.h" #else @@ -16,6 +49,7 @@ #include <assert.h> #include "log.h" +#include "compat.h" #include "utils.h" #include "options.h" @@ -206,7 +240,7 @@ static MountData * get_last_mount(void) { FILE *fp = fopen("/proc/self/mountinfo", "r"); - char *ptr; + char *ptr, *saveptr = NULL; int cnt = 1; size_t len; @@ -232,11 +266,11 @@ get_last_mount(void) // mdata.dir: /home/netblue/.cache // mdata.fstype: tmpfs memset(&mdata, 0, sizeof(mdata)); - ptr = strtok(mbuf, " "); + ptr = potd_strtok(mbuf, " ", &saveptr); if (!ptr) goto errexit; - while ((ptr = strtok(NULL, " ")) != NULL) { + while ((ptr = potd_strtok(NULL, " ", &saveptr)) != NULL) { cnt++; if (cnt == 4) { mdata.fsname = ptr; @@ -246,11 +280,11 @@ get_last_mount(void) } } - ptr = strtok(NULL, "-"); + ptr = potd_strtok(NULL, "-", &saveptr); if (!ptr) goto errexit; - ptr = strtok(NULL, " "); + ptr = potd_strtok(NULL, " ", &saveptr); if (!ptr) goto errexit; mdata.fstype = ptr++; diff --git a/src/filesystem.h b/src/filesystem.h index bd801f6..809e30c 100644 --- a/src/filesystem.h +++ b/src/filesystem.h @@ -1,3 +1,36 @@ +/* + * filesystem.h + * potd is licensed under the BSD license: + * + * Copyright (c) 2018 Toni Uhlig <matzeton@googlemail.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * - The names of its contributors may not be used to endorse or promote + * products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + #ifndef POTD_FILESYSTEM_H #define POTD_FILESYSTEM_H 1 diff --git a/src/forward.c b/src/forward.c index 6468c03..2037a03 100644 --- a/src/forward.c +++ b/src/forward.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/forward.h b/src/forward.h index 3a02597..8e24d24 100644 --- a/src/forward.h +++ b/src/forward.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" @@ -340,7 +340,7 @@ static int jail_childfn(prisoner_process *ctx) snprintf(path, sizeof path, "%s%s", ctx->newroot, path_shell); D2("Checking Shell '%s'", path); if (access(path, R_OK|X_OK)) - FATAL("Shell '%s' is not accessible", path); + FATAL("Access to shell '%s'", path); snprintf(path, sizeof path, "%s%s", ctx->newroot, path_dev); D2("Mounting devtmpfs to '%s'", path); @@ -457,7 +457,8 @@ static int jail_childfn(prisoner_process *ctx) caps_drop_all(); #endif - sethostname("openwrt", SIZEOF("openwrt")); + if (sethostname("openwrt", SIZEOF("openwrt"))) + exit(EXIT_FAILURE); if (execl(path_shell, path_shell, (char *) NULL)) exit(EXIT_FAILURE); break; @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" @@ -35,6 +35,7 @@ #include <time.h> #include "log.h" +#include "compat.h" log_priority log_prio = NOTICE; log_open_cb log_open = NULL; @@ -48,12 +49,12 @@ char * curtime_str(char *buf, size_t siz) { time_t t; - struct tm *tmp; + struct tm *tmp, res; t = time(NULL); - tmp = localtime(&t); + tmp = potd_localtime(&t, &res); - if (!strftime(buf, siz, "%d %b %y - %H:%M:%S", tmp)) + if (tmp && !strftime(buf, siz, "%d %b %y - %H:%M:%S", tmp)) snprintf(buf, siz, "%s", "UNKNOWN_TIME"); return buf; @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/log_colored.c b/src/log_colored.c index d422f5f..ded097c 100644 --- a/src/log_colored.c +++ b/src/log_colored.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/log_colored.h b/src/log_colored.h index 42e930f..31aa19a 100644 --- a/src/log_colored.h +++ b/src/log_colored.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/log_file.c b/src/log_file.c index 8d04e73..33011ec 100644 --- a/src/log_file.c +++ b/src/log_file.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/log_file.h b/src/log_file.h index b5b7e1f..94604b7 100644 --- a/src/log_file.h +++ b/src/log_file.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" @@ -55,14 +55,14 @@ #include "jail.h" static size_t jl_siz = 0; -static jail_ctx *jl_ctx = NULL; +static jail_ctx **jl_ctx = NULL; static pid_t jl_pid = -1; static size_t prt_siz = 0; -static protocol_ctx *prt_ctx = NULL; +static protocol_ctx **prt_ctx = NULL; static size_t rdr_siz = 0; -static redirector_ctx *rdr_ctx = NULL; +static redirector_ctx **rdr_ctx = NULL; static pid_t rdr_pid = -1; static void jail_preinit(char jail_hosts[][2][NI_MAXHOST], @@ -241,7 +241,7 @@ static int process_options(int validate_only) siz = validate_hostport_option(OPT_JAIL, 0); if (siz && !validate_only) { jl_siz = siz; - jl_ctx = (jail_ctx *) calloc(siz, sizeof *jl_ctx); + jl_ctx = (jail_ctx **) calloc(siz, sizeof(jail_ctx)); assert(jl_ctx); ol = NULL; @@ -256,8 +256,8 @@ static int process_options(int validate_only) i++; } - jail_preinit(hosts, ports, &jl_ctx, jl_siz); - jl_pid = jail_init(&jl_ctx, jl_siz); + jail_preinit(hosts, ports, jl_ctx, jl_siz); + jl_pid = jail_init(jl_ctx, jl_siz); } if (siz) rc++; @@ -265,7 +265,7 @@ static int process_options(int validate_only) siz = validate_hostport_option(OPT_PROTOCOL, 1); if (siz && !validate_only) { prt_siz = siz; - prt_ctx = (protocol_ctx *) calloc(siz, sizeof *prt_ctx); + prt_ctx = (protocol_ctx **) calloc(siz, sizeof(protocol_ctx)); assert(prt_ctx); ol = NULL; @@ -281,8 +281,8 @@ static int process_options(int validate_only) i++; } - ssh_protocol_preinit(hosts, ports, &prt_ctx, prt_siz); - ssh_protocol_init(&prt_ctx, prt_siz); + ssh_protocol_preinit(hosts, ports, prt_ctx, prt_siz); + ssh_protocol_init(prt_ctx, prt_siz); } if (siz) rc++; @@ -290,7 +290,7 @@ static int process_options(int validate_only) siz = validate_hostport_option(OPT_REDIRECT, 1); if (siz && !validate_only) { rdr_siz = siz; - rdr_ctx = (redirector_ctx *) calloc(siz, sizeof *rdr_ctx); + rdr_ctx = (redirector_ctx **) calloc(siz, sizeof(redirector_ctx)); assert(rdr_ctx); ol = NULL; @@ -306,8 +306,8 @@ static int process_options(int validate_only) i++; } - rdr_preinit(hosts, ports, &rdr_ctx, rdr_siz); - rdr_init(&rdr_ctx, rdr_siz); + rdr_preinit(hosts, ports, rdr_ctx, rdr_siz); + rdr_init(rdr_ctx, rdr_siz); } if (siz) rc++; @@ -371,8 +371,8 @@ int main(int argc, char *argv[]) N("%s (C) 2018 Toni Uhlig <%s>", PACKAGE_STRING, PACKAGE_BUGREPORT); #endif - ABORT_ON_FATAL( selftest_minimal_requirements(), - "Selfcheck" ); + if (selftest_minimal_requirements()) + exit(EXIT_FAILURE); if (geteuid() != 0) { E("%s", "I was made for root!"); diff --git a/src/options.c b/src/options.c index b8f07eb..e497461 100644 --- a/src/options.c +++ b/src/options.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/options.h b/src/options.h index d2fe86e..96bd025 100644 --- a/src/options.h +++ b/src/options.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/pevent.c b/src/pevent.c index c7b5d8a..bb4d0b0 100644 --- a/src/pevent.c +++ b/src/pevent.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/pevent.h b/src/pevent.h index 1215faf..607949d 100644 --- a/src/pevent.h +++ b/src/pevent.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/protocol.c b/src/protocol.c index 5f66a1e..5deafd0 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/protocol.h b/src/protocol.h index 39fd1a1..1571047 100644 --- a/src/protocol.h +++ b/src/protocol.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/protocol_ssh.c b/src/protocol_ssh.c index 98e0819..cc490b2 100644 --- a/src/protocol_ssh.c +++ b/src/protocol_ssh.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" @@ -58,6 +58,7 @@ #include "pseccomp.h" #endif #include "options.h" +#include "compat.h" #include "utils.h" #include "log.h" @@ -302,16 +303,16 @@ static int gen_default_keys(void) char path[PATH_MAX]; char cmd[BUFSIZ]; int s = 0; - struct passwd *pwd; + struct passwd pwd; errno = 0; - pwd = getpwnam(getopt_str(OPT_CHUSER)); + if (potd_getpwnam(getopt_str(OPT_CHUSER), &pwd)) + return 1; + if (mkdir(getopt_str(OPT_SSH_RUN_DIR), R_OK|W_OK|X_OK) && errno == ENOENT) { if (chmod(getopt_str(OPT_SSH_RUN_DIR), S_IRWXU)) return 1; - if (!pwd) - return 1; - if (chown(getopt_str(OPT_SSH_RUN_DIR), pwd->pw_uid, pwd->pw_gid)) + if (chown(getopt_str(OPT_SSH_RUN_DIR), pwd.pw_uid, pwd.pw_gid)) return 1; } @@ -319,46 +320,49 @@ static int gen_default_keys(void) rsa_key_suf); if (gen_export_sshkey(SSH_KEYTYPE_RSA, 1024, path)) { W("libssh %s key generation failed, using fallback ssh-keygen", "RSA"); - remove(path); - if (snprintf(cmd, sizeof cmd, "ssh-keygen -t rsa -b 1024 -f %s -N '' " + if ((!remove(path) || errno == ENOENT) && + snprintf(cmd, sizeof cmd, "ssh-keygen -t rsa -b 1024 -f %s -N '' " ">/dev/null 2>/dev/null", path) > 0) { s |= system(cmd); } else s++; } - chmod(path, S_IRWXU); - if (pwd) - chown(path, pwd->pw_uid, pwd->pw_gid); + if (chmod(path, S_IRUSR)) + return 1; + if (chown(path, pwd.pw_uid, pwd.pw_gid)) + return 1; snprintf(path, sizeof path, "%s/%s", getopt_str(OPT_SSH_RUN_DIR), dsa_key_suf); if (gen_export_sshkey(SSH_KEYTYPE_DSS, 1024, path)) { W("libssh %s key generation failed, using fallback ssh-keygen", "DSA"); - remove(path); - if (snprintf(cmd, sizeof cmd, "ssh-keygen -t dsa -b 1024 -f %s -N '' " + if ((!remove(path) || errno == ENOENT) && + snprintf(cmd, sizeof cmd, "ssh-keygen -t dsa -b 1024 -f %s -N '' " ">/dev/null 2>/dev/null", path) > 0) { s |= system(cmd); } else s++; } - chmod(path, S_IRWXU); - if (pwd) - chown(path, pwd->pw_uid, pwd->pw_gid); + if (chmod(path, S_IRUSR)) + return 1; + if (chown(path, pwd.pw_uid, pwd.pw_gid)) + return 1; snprintf(path, sizeof path, "%s/%s", getopt_str(OPT_SSH_RUN_DIR), ecdsa_key_suf); if (gen_export_sshkey(SSH_KEYTYPE_ECDSA, 1024, path)) { W("libssh %s key generation failed, using fallback ssh-keygen", "ECDSA"); - remove(path); - if (snprintf(cmd, sizeof cmd, "ssh-keygen -t ecdsa -b 256 -f %s -N '' " + if ((!remove(path) || errno == ENOENT) && + snprintf(cmd, sizeof cmd, "ssh-keygen -t ecdsa -b 256 -f %s -N '' " ">/dev/null 2>/dev/null", path) > 0) { s |= system(cmd); } else s++; } - chmod(path, S_IRWXU); - if (pwd) - chown(path, pwd->pw_uid, pwd->pw_gid); + if (chmod(path, S_IRUSR)) + return 1; + if (chown(path, pwd.pw_uid, pwd.pw_gid)) + return 1; return s != 0; } @@ -415,6 +419,7 @@ static void ssh_log_cb(int priority, const char *function, switch (priority) { case 0: W("libssh: %s", buffer); + break; default: P("libssh: %s", buffer); break; @@ -623,7 +628,7 @@ static int auth_password(const char *user, const char *pass, size_t i; double d; time_t o, t = time(NULL); - struct tm *tmp; + struct tm tmp; char time_str[64] = {0}; for (i = 0; i < CACHE_MAX; ++i) { @@ -637,8 +642,9 @@ static int auth_password(const char *user, const char *pass, strncmp(pass, cache[i].pass, PASS_LEN) == 0 && strnlen(pass, PASS_LEN) == strnlen(cache[i].pass, PASS_LEN)) { - tmp = localtime(&o); - if (!strftime(time_str, sizeof time_str, "%H:%M:%S", tmp)) + if (!potd_localtime(&o, &tmp)) + continue; + if (!strftime(time_str, sizeof time_str, "%H:%M:%S", &tmp)) snprintf(time_str, sizeof time_str, "%s", "UNKNOWN_TIME"); N("Got cached user/pass '%s'/'%s' from %s", user, pass, time_str); diff --git a/src/protocol_ssh.h b/src/protocol_ssh.h index 511201a..8b15b3f 100644 --- a/src/protocol_ssh.h +++ b/src/protocol_ssh.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/pseccomp.c b/src/pseccomp.c index 6c97559..248f1cf 100644 --- a/src/pseccomp.c +++ b/src/pseccomp.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/pseccomp.h b/src/pseccomp.h index 562ba8a..202f577 100644 --- a/src/pseccomp.h +++ b/src/pseccomp.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/redirector.c b/src/redirector.c index fd9e1f9..42952ea 100644 --- a/src/redirector.c +++ b/src/redirector.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/redirector.h b/src/redirector.h index 60d6330..a1e3e51 100644 --- a/src/redirector.h +++ b/src/redirector.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/socket.c b/src/socket.c index 8c3d9ab..5b37cf1 100644 --- a/src/socket.c +++ b/src/socket.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" @@ -137,6 +137,8 @@ int socket_bind_in(psocket *psock, struct addrinfo **results) finalise: socket_freeaddr(results); + /* suppress coverity fals-positive: fd out of scope */ + /* coverity[leaked_handle] */ return s; } @@ -209,6 +211,8 @@ int socket_connect_in(psocket *psock, struct addrinfo **results) finalise: socket_freeaddr(results); + /* suppress coverity fals-positive: fd out of scope */ + /* coverity[leaked_handle] */ return s; } @@ -295,13 +299,15 @@ ssize_t socket_get_ifnames(const psocket *test_sock, char name[][IFNAMSIZ], assert(test_sock); sock = socket(test_sock->family, test_sock->socktype, test_sock->protocol); - if (sock <= 0) + if (sock < 0) return -1; ifc.ifc_len = sizeof buf; ifc.ifc_buf = buf; - if (ioctl(sock, SIOCGIFCONF, &ifc) == -1) + if (ioctl(sock, SIOCGIFCONF, &ifc) == -1) { + close(sock); return -1; + } it = ifc.ifc_req; end = it + (ifc.ifc_len / sizeof(struct ifreq)); @@ -327,12 +333,15 @@ ssize_t socket_get_ifnames(const psocket *test_sock, char name[][IFNAMSIZ], int socket_set_ifaddr(const psocket *test_sock, const char *ifname, const char *addr, const char *mask) { - struct ifreq ifr = {0}; + struct ifreq ifr; int sock; assert(test_sock); + memset(&ifr, 0, sizeof ifr); sock = socket(test_sock->family, test_sock->socktype, test_sock->protocol); + if (sock < 0) + return 1; strncpy(ifr.ifr_name, ifname, IFNAMSIZ); ifr.ifr_addr.sa_family = AF_INET; @@ -343,6 +352,7 @@ int socket_set_ifaddr(const psocket *test_sock, ioctl(sock, SIOCSIFNETMASK, &ifr); ioctl(sock, SIOCGIFFLAGS, &ifr); + /* coverity[buffer_size_warning] */ strncpy(ifr.ifr_name, ifname, IFNAMSIZ); ifr.ifr_flags |= (IFF_UP | IFF_RUNNING); diff --git a/src/socket.h b/src/socket.h index c6eb732..07fe490 100644 --- a/src/socket.h +++ b/src/socket.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" diff --git a/src/utils.c b/src/utils.c index 5c7bf1b..82902e2 100644 --- a/src/utils.c +++ b/src/utils.c @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" @@ -63,6 +63,10 @@ #endif #include "utils.h" +#include "compat.h" +#ifdef HAVE_SECCOMP +#include "pseccomp.h" +#endif #include "log.h" #include "options.h" @@ -294,7 +298,8 @@ pid_t daemonize(int stay_foreground) if (!stay_foreground) { /* Change the working directory to the root directory */ /* or another appropriated directory */ - chdir("/"); + if (chdir("/")) + return -1; /* Close all open file descriptors */ assert( close_fds_except(-1) == 0 ); assert( redirect_devnull_to(0, 1, 2, -1) == 0 ); @@ -375,8 +380,8 @@ int redirect_devnull_to(int fds, ...) int change_user_group(const char *user, const char *group) { - struct passwd *pwd = NULL; - struct group *grp = NULL; + struct passwd pwd; + struct group grp; gid_t gid; if (group) @@ -384,22 +389,24 @@ int change_user_group(const char *user, const char *group) else D2("Change user to '%s' and its main group", user); - pwd = getpwnam(user); - if (!pwd) + if (potd_getpwnam(user, &pwd)) { + E_STRERR("Get uid from user '%s'", user); return 1; + } if (!group) { - gid = pwd->pw_gid; + gid = pwd.pw_gid; } else { - grp = getgrnam(group); - if (!grp) + if (potd_getgrnam(group, &grp)) { + E_STRERR("Get gid from group '%s'", group); return 1; - gid = grp->gr_gid; + } + gid = grp.gr_gid; } if (setresgid(gid, gid, gid)) return 1; - if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid)) + if (setresuid(pwd.pw_uid, pwd.pw_uid, pwd.pw_uid)) return 1; return 0; @@ -422,10 +429,8 @@ int safe_chroot(const char *newroot) } s = chroot("."); - if (s) { - E_STRERR("Change root directory to '%s'", "."); + if (s) return 1; - } s = chdir("/"); if (s) { @@ -746,7 +751,8 @@ static int cgroups_write_file(const char *cdir, const char *csub, value, cdir, csub); s = 1; } - close(fd); + if (fd >= 0) + close(fd); } return s; @@ -1042,8 +1048,14 @@ int selftest_minimal_requirements(void) char buf[32] = {0}; char test[64] = {0}; + pid_t child_pid; +#ifdef HAVE_SECCOMP + pseccomp_ctx *psc = NULL; +#endif + N2("%s", "Selftest .."); + /* do some basic runtime tests */ memset(&test[0], 'A', sizeof test); test[sizeof test - 1] = 0; s = snprintf(buf, sizeof buf, "%s", &test[0]); @@ -1052,22 +1064,120 @@ int selftest_minimal_requirements(void) if (buf[sizeof buf - 1] != 0) goto error; - if (getopt_used(OPT_RUNTEST)) { - N("%s", "Selftest success"); - exit(EXIT_SUCCESS); - } +#ifdef HAVE_VALGRIND + if (RUNNING_ON_VALGRIND) + W2("%s", "You are using valgrind. This is *ONLY* for debug reasons and may " + "affect your overall security! Be warned."); +#endif s = open(getopt_str(OPT_ROFILE), O_WRONLY|O_CREAT|O_TRUNC, 0); - if (s < 0 && errno != EEXIST) + if (s < 0 && errno != EEXIST) { + E_STRERR("RO-file '%s' check", getopt_str(OPT_ROFILE)); + goto error; + } else if (s >= 0) { + close(s); + if (chmod(getopt_str(OPT_ROFILE), S_IRUSR|S_IWUSR)) + goto error; + } + if (mkdir(getopt_str(OPT_RODIR), S_IRWXU) && errno != EEXIST) { + E_STRERR("RO-directory '%s' check", getopt_str(OPT_RODIR)); goto error; - if (mkdir(getopt_str(OPT_RODIR), S_IRWXU) && errno != EEXIST) + } + if (mkdir(getopt_str(OPT_ROOT), S_IRWXU) && errno != EEXIST) { + E_STRERR("ROOT-directory '%s' check", getopt_str(OPT_ROOT)); goto error; + } + if (mkdir(getopt_str(OPT_NETNS_RUN_DIR), S_IRWXU) && errno != EEXIST) { + E_STRERR("NETNS-directory '%s' check", getopt_str(OPT_NETNS_RUN_DIR)); + goto error; + } + + if (mkdir(getopt_str(OPT_SSH_RUN_DIR), S_IRWXU) && errno != EEXIST) { + E_STRERR("SSH-directory '%s' check", getopt_str(OPT_SSH_RUN_DIR)); + goto error; + } + + /* + * The following tests do neither work on travis-ci nor on gitlab. + * FIXME: fork() broken on some docker containers? + */ + s = -1; + child_pid = fork(); + if (!child_pid) { + if (change_default_user_group()) + exit(EXIT_FAILURE); + else + exit(EXIT_SUCCESS); + } else waitpid(child_pid, &s, 0); + if (s) + goto error; + + /* advanced sandbox tests */ + if (getuid() == (uid_t) 0) { + child_pid = fork(); + + switch (child_pid) { + case -1: + E_STRERR("%s", "Forking"); + goto error; + break; + case 0: + if (clearenv()) { + E_STRERR("%s", "Clearing environment vairables"); + exit(EXIT_FAILURE); + } + if (cgroups_set() || cgroups_activate()) { + E_STRERR("%s", "Activating cgroups"); + exit(EXIT_FAILURE); + } + if (unshare(CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS)) + { + E_STRERR("%s", "Unshare"); + exit(EXIT_FAILURE); + } + mount_root(); +#ifdef HAVE_SECCOMP + pseccomp_init(&psc, + (getopt_used(OPT_SECCOMP_MINIMAL) ? PS_MINIMUM : 0)); + if (pseccomp_default_rules(psc)) { + E_STRERR("%s", "Seccomp"); + exit(EXIT_FAILURE); + } + pseccomp_free(&psc); +#endif + + s = -1; + child_pid = fork(); + if (!child_pid) { + if (safe_chroot(getopt_str(OPT_ROOT))) + exit(EXIT_FAILURE); +#ifdef HAVE_SECCOMP + pseccomp_set_immutable(); + pseccomp_init(&psc, + (getopt_used(OPT_SECCOMP_MINIMAL) ? PS_MINIMUM : 0)); + if (pseccomp_jail_rules(psc)) + exit(EXIT_FAILURE); +#endif + exit(EXIT_SUCCESS); + } else waitpid(child_pid, &s, 0); + + exit(s); + default: + waitpid(child_pid, &s, 0); + if (s) + goto error; + } + } + + N("%s", "Selftest success"); + if (getopt_used(OPT_RUNTEST)) + exit(EXIT_SUCCESS); return 0; error: - if (getopt_used(OPT_RUNTEST)) { - E("%s", "Selftest failed"); + E("%s", "Selftest failed"); + if (getopt_used(OPT_RUNTEST)) exit(EXIT_FAILURE); - } + return 1; } diff --git a/src/utils.h b/src/utils.h index dc69be1..9e42743 100644 --- a/src/utils.h +++ b/src/utils.h @@ -14,8 +14,8 @@ * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - * - Neither the name of the Yellow Lemon Software nor the names of its - * contributors may be used to endorse or promote products derived from this + * - The names of its contributors may not be used to endorse or promote + * products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |