emo/ndhc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5eccd4893a
ndhc/cfg.rl

362 lines
12 KiB
Plaintext
Raw Normal View History

Relicense as MIT. It's a lot more common than BSD 2-clause it is both compatible and nearly identical in effect.
2022-02-07 06:35:29 +05:30
// Copyright 2018 Nicholas J. Kain <njkain at gmail dot com>
// SPDX-License-Identifier: MIT
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
#include <stdio.h>
Eliminate fopen() in cfg.rl. Use unbuffered i/o instead. This is fairly tricky, but fopen() almost surely interally calls malloc when it creates the FILE* that it returns. I did promise that ndhc doesn't call malloc after initialization, besides what libc may do internally, but it feels a bit dishonest given that fopen() is basically sure to do so on any general-purpose libc. Thus, eliminate it and just use direct POSIX i/o. With the previous pidfile changes, ndhc doesn't use C fopen() at all. In practice, this change won't really be noticeable as most libcs, particularly with dynamic linking, will end up calling malloc themselves during program initialization before main() is invoked.
2016-05-07 02:14:10 +05:30
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include "ndhc-defines.h"
#include "cfg.h"
#include "arp.h"
#include "ndhc.h"
#include "ifchd.h"
#include "sockd.h"
#include "nk/log.h"
Don't depend on external ncmlib.
2020-10-20 16:14:31 +05:30
#include "nk/privs.h"
Eliminate fopen() in cfg.rl. Use unbuffered i/o instead. This is fairly tricky, but fopen() almost surely interally calls malloc when it creates the FILE* that it returns. I did promise that ndhc doesn't call malloc after initialization, besides what libc may do internally, but it feels a bit dishonest given that fopen() is basically sure to do so on any general-purpose libc. Thus, eliminate it and just use direct POSIX i/o. With the previous pidfile changes, ndhc doesn't use C fopen() at all. In practice, this change won't really be noticeable as most libcs, particularly with dynamic linking, will end up calling malloc themselves during program initialization before main() is invoked.
2016-05-07 02:14:10 +05:30
#include "nk/io.h"
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
Get rid of nk/copy_cmdarg.h
2022-02-25 17:31:55 +05:30
static void copy_cmdarg(char *dest, const char *src,
size_t destlen, const char *argname)
{
Use memccpy() and memcpy() instead of nstr{cpy,lcpy,cat}. These are standard, either in POSIX or C23. The semantics are slightly different as the error path does not enforce null-termination in the function itself, so enforce that by hand. As a nice side effect, this makes those error paths easier to audit.
2022-08-27 13:23:48 +05:30
if (!memccpy(dest, src, 0, destlen))
Get rid of nk/copy_cmdarg.h
2022-02-25 17:31:55 +05:30
suicide("snprintf failed on %s", argname);
}
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
struct cfgparse {
char buf[MAX_BUF];
size_t buflen;
int ternary; // = 0 nothing, -1 = false, +1 = true
int cs;
};
%%{
machine cfg_actions;
access ccfg.;
In cfg.rl, when performing clear action, don't clear the cs member in ccfg.
2014-04-16 00:26:35 +05:30
action clear {
memset(&ccfg.buf, 0, sizeof ccfg.buf);
ccfg.buflen = 0;
ccfg.ternary = 0;
}
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
action append {
if (ccfg.buflen < sizeof ccfg.buf - 1)
ccfg.buf[ccfg.buflen++] = *p;
else
suicide("line or option is too long");
}
action term {
if (ccfg.buflen < sizeof ccfg.buf)
ccfg.buf[ccfg.buflen] = 0;
}
action truval { ccfg.ternary = 1; }
action falsval { ccfg.ternary = -1; }
action clientid { get_clientid_string(ccfg.buf, ccfg.buflen); }
action hostname {
copy_cmdarg(client_config.hostname, ccfg.buf,
sizeof client_config.hostname, "hostname");
}
action interface {
copy_cmdarg(client_config.interface, ccfg.buf,
sizeof client_config.interface, "interface");
}
action now {
switch (ccfg.ternary) {
Convert logical booleans in client_config_t to bool type.
2017-01-19 15:43:30 +05:30
case 1: client_config.abort_if_no_lease = true; break;
case -1: client_config.abort_if_no_lease = false; default: break;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
}
}
action request { set_client_addr(ccfg.buf); }
action vendorid {
copy_cmdarg(client_config.vendor, ccfg.buf,
sizeof client_config.vendor, "vendorid");
}
action user {
if (nk_uidgidbyname(ccfg.buf, &ndhc_uid, &ndhc_gid))
suicide("invalid ndhc user '%s' specified", ccfg.buf);
}
action ifch_user {
if (nk_uidgidbyname(ccfg.buf, &ifch_uid, &ifch_gid))
suicide("invalid ifch user '%s' specified", ccfg.buf);
}
action sockd_user {
if (nk_uidgidbyname(ccfg.buf, &sockd_uid, &sockd_gid))
suicide("invalid sockd user '%s' specified", ccfg.buf);
}
action chroot {
copy_cmdarg(chroot_dir, ccfg.buf, sizeof chroot_dir, "chroot");
}
action state_dir {
copy_cmdarg(state_dir, ccfg.buf, sizeof state_dir, "state-dir");
}
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
action script_file {
copy_cmdarg(script_file, ccfg.buf, sizeof script_file, "script-file");
}
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
action seccomp_enforce {
Remove seccomp support. It breaks with the existing whitelists on the latest glibc and is just too much maintenance burden. It also causes the most questions for new users. Something like openbsd's pledge() would be fine, but I have no intention of maintaining such a thing. Most of the value-gain would come from disallowing high-risk syscalls like ptrace() and the perf syscalls, anyway. ndhc already uses extensive defense-in-depth and wasn't using seccomp on non-(x86|x86-64) platforms, so it's not a huge loss.
2018-02-09 14:03:04 +05:30
log_line("seccomp_enforce option is deprecated; please remove it");
log_line("In the meanwhile, it is ignored and seccomp is disabled.");
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
}
action relentless_defense {
switch (ccfg.ternary) {
case 1: set_arp_relentless_def(true); break;
case -1: set_arp_relentless_def(false); default: break;
}
}
action arp_probe_wait {
int t = atoi(ccfg.buf);
if (t >= 0)
Build with -Wstrict-overflow=5 and fix revealed warnings. Some of these are actual bugs, but none are security-sensitive.
2022-08-10 21:02:30 +05:30
arp_probe_wait = (unsigned)t;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
}
action arp_probe_num {
int t = atoi(ccfg.buf);
if (t >= 0)
Build with -Wstrict-overflow=5 and fix revealed warnings. Some of these are actual bugs, but none are security-sensitive.
2022-08-10 21:02:30 +05:30
arp_probe_num = (unsigned)t;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
}
action arp_probe_min {
Build with -Wstrict-overflow=5 and fix revealed warnings. Some of these are actual bugs, but none are security-sensitive.
2022-08-10 21:02:30 +05:30
int ti = atoi(ccfg.buf);
if (ti >= 0) {
unsigned t = (unsigned)ti;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
arp_probe_min = t;
Build with -Wstrict-overflow=5 and fix revealed warnings. Some of these are actual bugs, but none are security-sensitive.
2022-08-10 21:02:30 +05:30
if (arp_probe_min > arp_probe_max) {
t = arp_probe_max;
arp_probe_max = arp_probe_min;
arp_probe_min = t;
}
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
}
}
action arp_probe_max {
Build with -Wstrict-overflow=5 and fix revealed warnings. Some of these are actual bugs, but none are security-sensitive.
2022-08-10 21:02:30 +05:30
int ti = atoi(ccfg.buf);
if (ti >= 0) {
unsigned t = (unsigned)ti;
arp_probe_max = t;
if (arp_probe_min > arp_probe_max) {
t = arp_probe_max;
arp_probe_max = arp_probe_min;
arp_probe_min = t;
}
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
}
}
action gw_metric {
char *q;
long mt = strtol(ccfg.buf, &q, 10);
if (q == ccfg.buf)
suicide("gw-metric arg '%s' isn't a valid number", ccfg.buf);
if (mt > INT_MAX)
suicide("gw-metric arg '%s' is too large", ccfg.buf);
if (mt < 0)
mt = 0;
client_config.metric = (int)mt;
}
action resolv_conf {
copy_cmdarg(resolv_conf_d, ccfg.buf, sizeof resolv_conf_d,
"resolv-conf");
}
action dhcp_set_hostname {
switch (ccfg.ternary) {
case 1: allow_hostname = 1; break;
case -1: allow_hostname = 0; default: break;
}
}
rfkill: Add support for reacting to radio kill switch events. In order for this to work, the correct rfkill index must be specified with the rfkill-idx option. It might be possible to auto-detect the corresponding rfkill-idx option, but I'm not sure if there's a guaranteed mapping between rfkill name and interface name, as it seems that rfkills should represent phy devices and not wlan devices. The rfkill indexes can be found by checking /sys/class/rfkill/rfkill<IDX>.
2015-02-14 02:55:36 +05:30
action rfkill_idx {
Compile cleanly with -Wsign-conversion. I didn't notice anything that worried me.
2018-02-09 13:09:46 +05:30
uint32_t t = (uint32_t)atoi(ccfg.buf);
rfkill: Add support for reacting to radio kill switch events. In order for this to work, the correct rfkill index must be specified with the rfkill-idx option. It might be possible to auto-detect the corresponding rfkill-idx option, but I'm not sure if there's a guaranteed mapping between rfkill name and interface name, as it seems that rfkills should represent phy devices and not wlan devices. The rfkill indexes can be found by checking /sys/class/rfkill/rfkill<IDX>.
2015-02-14 02:55:36 +05:30
client_config.rfkillIdx = t;
Convert logical booleans in client_config_t to bool type.
2017-01-19 15:43:30 +05:30
client_config.enable_rfkill = true;
rfkill: Add support for reacting to radio kill switch events. In order for this to work, the correct rfkill index must be specified with the rfkill-idx option. It might be possible to auto-detect the corresponding rfkill-idx option, but I'm not sure if there's a guaranteed mapping between rfkill name and interface name, as it seems that rfkills should represent phy devices and not wlan devices. The rfkill indexes can be found by checking /sys/class/rfkill/rfkill<IDX>.
2015-02-14 02:55:36 +05:30
}
Support s6 service startup notification This can be enabled via the s6-notify configure option; see http://www.skarnet.org/software/s6/notifywhenup.html for details. ndhc will signal that it is ready when the first valid lease is obtained. Programs dependent on a working network interface can then simply use s6-wait on the associated ndhc service dir. A typical command line option assuming the s6 service directory notification-fd contains '3' would be '--s6-notify 3', and a typical configure file option would be 's6-notify 3'.
2022-02-13 03:01:39 +05:30
action s6_notify {
client_config.s6_notify_fd = atoi(ccfg.buf);
client_config.enable_s6_notify = true;
}
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
action version { print_version(); exit(EXIT_SUCCESS); }
action help { show_usage(); exit(EXIT_SUCCESS); }
}%%
%%{
machine file_cfg;
access ccfg.;
include cfg_actions;
spc = [ \t];
delim = spc* '=' spc*;
string = [^\n]+ >clear $append %term;
term = '\n';
value = delim string term;
truval = ('true'|'1') % truval;
falsval = ('false'|'0') % falsval;
boolval = delim (truval|falsval) term;
blankline = term;
clientid = 'clientid' value @clientid;
hostname = 'hostname' value @hostname;
interface = 'interface' value @interface;
now = 'now' boolval @now;
request = 'request' value @request;
vendorid = 'vendorid' value @vendorid;
user = 'user' value @user;
ifch_user = 'ifch-user' value @ifch_user;
sockd_user = 'sockd-user' value @sockd_user;
chroot = 'chroot' value @chroot;
state_dir = 'state-dir' value @state_dir;
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
script_file = 'script-file' value @script_file;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
seccomp_enforce = 'seccomp-enforce' boolval @seccomp_enforce;
relentless_defense = 'relentless-defense' boolval @relentless_defense;
arp_probe_wait = 'arp-probe-wait' value @arp_probe_wait;
arp_probe_num = 'arp-probe-num' value @arp_probe_num;
arp_probe_min = 'arp-probe-min' value @arp_probe_min;
arp_probe_max = 'arp-probe-max' value @arp_probe_max;
gw_metric = 'gw-metric' value @gw_metric;
resolv_conf = 'resolv-conf' value @resolv_conf;
dhcp_set_hostname = 'dhcp-set-hostname' boolval @dhcp_set_hostname;
rfkill: Add support for reacting to radio kill switch events. In order for this to work, the correct rfkill index must be specified with the rfkill-idx option. It might be possible to auto-detect the corresponding rfkill-idx option, but I'm not sure if there's a guaranteed mapping between rfkill name and interface name, as it seems that rfkills should represent phy devices and not wlan devices. The rfkill indexes can be found by checking /sys/class/rfkill/rfkill<IDX>.
2015-02-14 02:55:36 +05:30
rfkill_idx = 'rfkill-idx' value @rfkill_idx;
Support s6 service startup notification This can be enabled via the s6-notify configure option; see http://www.skarnet.org/software/s6/notifywhenup.html for details. ndhc will signal that it is ready when the first valid lease is obtained. Programs dependent on a working network interface can then simply use s6-wait on the associated ndhc service dir. A typical command line option assuming the s6 service directory notification-fd contains '3' would be '--s6-notify 3', and a typical configure file option would be 's6-notify 3'.
2022-02-13 03:01:39 +05:30
s6_notify = 's6-notify' value @s6_notify;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
main := blankline |
Remove legacy support for exiting after obtaining a DHCP lease.
2020-10-20 16:24:17 +05:30
clientid | hostname | interface | now |
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
request | vendorid | user | ifch_user | sockd_user | chroot |
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
state_dir | script_file | seccomp_enforce | relentless_defense |
arp_probe_wait | arp_probe_num | arp_probe_min | arp_probe_max |
gw_metric | resolv_conf | dhcp_set_hostname | rfkill_idx | s6_notify
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
;
}%%
%% write data;
Replace mostly obsolete -[static 1] with reliable old *-. This notation originally had the sole advantage of implying that the pointer was non-NULL, but it has seen little use and now clang presents warnings about it in certain contexts.
2022-01-12 09:05:19 +05:30
static void parse_cfgfile(const char *fname)
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
{
Eliminate fopen() in cfg.rl. Use unbuffered i/o instead. This is fairly tricky, but fopen() almost surely interally calls malloc when it creates the FILE* that it returns. I did promise that ndhc doesn't call malloc after initialization, besides what libc may do internally, but it feels a bit dishonest given that fopen() is basically sure to do so on any general-purpose libc. Thus, eliminate it and just use direct POSIX i/o. With the previous pidfile changes, ndhc doesn't use C fopen() at all. In practice, this change won't really be noticeable as most libcs, particularly with dynamic linking, will end up calling malloc themselves during program initialization before main() is invoked.
2016-05-07 02:14:10 +05:30
bool reached_eof = false;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
struct cfgparse ccfg;
memset(&ccfg, 0, sizeof ccfg);
char l[MAX_BUF];
Eliminate fopen() in cfg.rl. Use unbuffered i/o instead. This is fairly tricky, but fopen() almost surely interally calls malloc when it creates the FILE* that it returns. I did promise that ndhc doesn't call malloc after initialization, besides what libc may do internally, but it feels a bit dishonest given that fopen() is basically sure to do so on any general-purpose libc. Thus, eliminate it and just use direct POSIX i/o. With the previous pidfile changes, ndhc doesn't use C fopen() at all. In practice, this change won't really be noticeable as most libcs, particularly with dynamic linking, will end up calling malloc themselves during program initialization before main() is invoked.
2016-05-07 02:14:10 +05:30
size_t lc = 0;
memset(l, 0, sizeof l);
int fd = open(fname, O_RDONLY|O_CLOEXEC, 0);
if (fd < 0)
suicide("Unable to open config file '%s'.", fname);
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
size_t linenum = 0;
Eliminate fopen() in cfg.rl. Use unbuffered i/o instead. This is fairly tricky, but fopen() almost surely interally calls malloc when it creates the FILE* that it returns. I did promise that ndhc doesn't call malloc after initialization, besides what libc may do internally, but it feels a bit dishonest given that fopen() is basically sure to do so on any general-purpose libc. Thus, eliminate it and just use direct POSIX i/o. With the previous pidfile changes, ndhc doesn't use C fopen() at all. In practice, this change won't really be noticeable as most libcs, particularly with dynamic linking, will end up calling malloc themselves during program initialization before main() is invoked.
2016-05-07 02:14:10 +05:30
for (;;) {
if (lc + 1 >= sizeof l) suicide("sizeof l - 1 - lc would underflow");
ssize_t rc = safe_read(fd, l + lc, sizeof l - 1 - lc);
if (rc < 0)
suicide("Error reading config file '%s'.", fname);
if (rc == 0) {
l[lc] = '\n'; rc = 1; reached_eof = true; // Emulate a LF to terminate the line.
}
Compile cleanly with -Wsign-conversion. I didn't notice anything that worried me.
2018-02-09 13:09:46 +05:30
lc += (size_t)rc;
Eliminate fopen() in cfg.rl. Use unbuffered i/o instead. This is fairly tricky, but fopen() almost surely interally calls malloc when it creates the FILE* that it returns. I did promise that ndhc doesn't call malloc after initialization, besides what libc may do internally, but it feels a bit dishonest given that fopen() is basically sure to do so on any general-purpose libc. Thus, eliminate it and just use direct POSIX i/o. With the previous pidfile changes, ndhc doesn't use C fopen() at all. In practice, this change won't really be noticeable as most libcs, particularly with dynamic linking, will end up calling malloc themselves during program initialization before main() is invoked.
2016-05-07 02:14:10 +05:30
size_t lstart = 0, lend = 0, consumed = 0;
for (; lend < lc; ++lend) {
if (l[lend] == '\n') {
++linenum; consumed = lend;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
Eliminate fopen() in cfg.rl. Use unbuffered i/o instead. This is fairly tricky, but fopen() almost surely interally calls malloc when it creates the FILE* that it returns. I did promise that ndhc doesn't call malloc after initialization, besides what libc may do internally, but it feels a bit dishonest given that fopen() is basically sure to do so on any general-purpose libc. Thus, eliminate it and just use direct POSIX i/o. With the previous pidfile changes, ndhc doesn't use C fopen() at all. In practice, this change won't really be noticeable as most libcs, particularly with dynamic linking, will end up calling malloc themselves during program initialization before main() is invoked.
2016-05-07 02:14:10 +05:30
size_t llen = lend - lstart;
const char *p = l + lstart;
const char *pe = l + lstart + llen + 1;
%% write init;
%% write exec;
if (ccfg.cs == file_cfg_error)
suicide("error parsing config file line %zu: malformed", linenum);
if (ccfg.cs < file_cfg_first_final)
suicide("error parsing config file line %zu: incomplete", linenum);
lstart = lend + 1;
}
}
if (reached_eof)
break;
if (!consumed && lend >= sizeof l - 1)
Simplify logging and fix some format specifiers.
2020-11-25 07:32:51 +05:30
suicide("Line %zu in config file '%s' is too long: %zu > %zu.",
Eliminate fopen() in cfg.rl. Use unbuffered i/o instead. This is fairly tricky, but fopen() almost surely interally calls malloc when it creates the FILE* that it returns. I did promise that ndhc doesn't call malloc after initialization, besides what libc may do internally, but it feels a bit dishonest given that fopen() is basically sure to do so on any general-purpose libc. Thus, eliminate it and just use direct POSIX i/o. With the previous pidfile changes, ndhc doesn't use C fopen() at all. In practice, this change won't really be noticeable as most libcs, particularly with dynamic linking, will end up calling malloc themselves during program initialization before main() is invoked.
2016-05-07 02:14:10 +05:30
linenum, fname, lend, sizeof l - 1);
if (consumed + 1 > lc) suicide("lc[%zu] - consumed[%zu] would underflow", lc, lend);
if (consumed) {
memmove(l, l + consumed + 1, lc - consumed - 1);
lc -= consumed + 1;
}
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
}
Eliminate fopen() in cfg.rl. Use unbuffered i/o instead. This is fairly tricky, but fopen() almost surely interally calls malloc when it creates the FILE* that it returns. I did promise that ndhc doesn't call malloc after initialization, besides what libc may do internally, but it feels a bit dishonest given that fopen() is basically sure to do so on any general-purpose libc. Thus, eliminate it and just use direct POSIX i/o. With the previous pidfile changes, ndhc doesn't use C fopen() at all. In practice, this change won't really be noticeable as most libcs, particularly with dynamic linking, will end up calling malloc themselves during program initialization before main() is invoked.
2016-05-07 02:14:10 +05:30
close(fd);
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
}
%%{
machine cmd_cfg;
access ccfg.;
include cfg_actions;
action cfgfile { parse_cfgfile(ccfg.buf); }
action tbv { ccfg.ternary = 1; }
string = [^\0]+ >clear $append %term;
argval = 0 string 0;
tbv = 0 % tbv;
cfgfile = ('-c'|'--config') argval @cfgfile;
clientid = ('-I'|'--clientid') argval @clientid;
hostname = ('-h'|'--hostname') argval @hostname;
interface = ('-i'|'--interface') argval @interface;
now = ('-n'|'--now') tbv @now;
request = ('-r'|'--request') argval @request;
vendorid = ('-V'|'--vendorid') argval @vendorid;
user = ('-u'|'--user') argval @user;
ifch_user = ('-U'|'--ifch-user') argval @ifch_user;
sockd_user = ('-D'|'--sockd-user') argval @sockd_user;
chroot = ('-C'|'--chroot') argval @chroot;
state_dir = ('-s'|'--state-dir') argval @state_dir;
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
script_file = ('-X'|'--script-file') argval @script_file;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
seccomp_enforce = ('-S'|'--seccomp-enforce') tbv @seccomp_enforce;
relentless_defense = ('-d'|'--relentless-defense') tbv @relentless_defense;
arp_probe_wait = ('-w'|'--arp-probe-wait') argval @arp_probe_wait;
arp_probe_num = ('-W'|'--arp-probe-num') argval @arp_probe_num;
arp_probe_min = ('-m'|'--arp-probe-min') argval @arp_probe_min;
arp_probe_max = ('-M'|'--arp-probe-max') argval @arp_probe_max;
gw_metric = ('-t'|'--gw-metric') argval @gw_metric;
resolv_conf = ('-R'|'--resolv-conf') argval @resolv_conf;
dhcp_set_hostname = ('-H'|'--dhcp-set-hostname') tbv @dhcp_set_hostname;
rfkill: Add support for reacting to radio kill switch events. In order for this to work, the correct rfkill index must be specified with the rfkill-idx option. It might be possible to auto-detect the corresponding rfkill-idx option, but I'm not sure if there's a guaranteed mapping between rfkill name and interface name, as it seems that rfkills should represent phy devices and not wlan devices. The rfkill indexes can be found by checking /sys/class/rfkill/rfkill<IDX>.
2015-02-14 02:55:36 +05:30
rfkill_idx = ('-K'|'--rfkill-idx') argval @rfkill_idx;
Support s6 service startup notification This can be enabled via the s6-notify configure option; see http://www.skarnet.org/software/s6/notifywhenup.html for details. ndhc will signal that it is ready when the first valid lease is obtained. Programs dependent on a working network interface can then simply use s6-wait on the associated ndhc service dir. A typical command line option assuming the s6 service directory notification-fd contains '3' would be '--s6-notify 3', and a typical configure file option would be 's6-notify 3'.
2022-02-13 03:01:39 +05:30
s6_notify = ('-N'|'--s6-notify') argval @s6_notify;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
version = ('-v'|'--version') 0 @version;
help = ('-?'|'--help') 0 @help;
main := (
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
cfgfile | clientid | hostname | interface | now | request | vendorid |
user | ifch_user | sockd_user | chroot | state_dir | script_file |
seccomp_enforce | relentless_defense | arp_probe_wait | arp_probe_num |
arp_probe_min | arp_probe_max | gw_metric | resolv_conf |
dhcp_set_hostname | rfkill_idx | s6_notify | version | help
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
)*;
}%%
%% write data;
void parse_cmdline(int argc, char *argv[])
{
char argb[8192];
size_t argbl = 0;
for (size_t i = 1; i < (size_t)argc; ++i) {
ssize_t snl;
Use libc snprintf and nstr{cpy,cat}. We don't need async-safe snprintf anymore, and nstr{cpy,cat} are more ergonomic and efficient where they can used.
2022-08-09 23:47:31 +05:30
if (i > 1) snl = snprintf(argb + argbl, sizeof argb - argbl, "%c%s", 0, argv[i]);
else snl = snprintf(argb + argbl, sizeof argb - argbl, "%s", argv[i]);
snprintf() truncation checks were one byte too conservative.
2022-02-25 16:41:16 +05:30
if (snl < 0 || (size_t)snl > sizeof argb)
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
suicide("error parsing command line option: option too long");
Compile cleanly with -Wsign-conversion. I didn't notice anything that worried me.
2018-02-09 13:09:46 +05:30
argbl += (size_t)snl;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
}
Accept no command line arguments without error.
2014-04-21 21:34:13 +05:30
if (argbl == 0)
return;
Parse config options with ragel and support a configuration file.
2014-04-15 00:36:31 +05:30
struct cfgparse ccfg;
memset(&ccfg, 0, sizeof ccfg);
const char *p = argb;
const char *pe = argb + argbl + 1;
const char *eof = pe;
%% write init;
%% write exec;
if (ccfg.cs == cmd_cfg_error)
suicide("error parsing command line option: malformed");
if (ccfg.cs >= cmd_cfg_first_final)
return;
suicide("error parsing command line option: incomplete");
}
Reference in New Issue Copy Permalink