Nicholas J. Kain
cab9162d8d
Remove socketpair from the seccomp syscall filter whitelist.
socketpair() is called only before privileges are dropped, so it does
not need to be in the whitelist.
2014-04-07 03:44:53 -04:00
Nicholas J. Kain
5fa2030bab
Use a socketpair rather than a pair of pipes for communication between
ndhc and ifch, similar to sockd. A single pipe is also maintained so
that SIGPIPE can bound the lifetime of an orphaned ifch process.
2014-04-07 03:44:02 -04:00
Nicholas J. Kain
e2ee728982
Consolidate all of the global static variables in arp.c into a single
struct, and use booleans where appropriate.
2014-04-06 22:12:31 -04:00
Nicholas J. Kain
a86363f248
Create a new process ID group for ndhc.
2014-04-06 22:07:12 -04:00
Nicholas J. Kain
b761889025
Move source from ndhc/ to src/ since ifchd is no longer a separate program.
2014-04-06 16:57:06 -04:00
Nicholas J. Kain
b511d45c2f
Change most error comparisons from == -1 to < 0. Some were not changed,
as the different negative values equate to different errors.
Tests against syscall returns and fds are very common and mostly fit
the pattern of this change.
The gain is increased range-exclusion.
2014-04-06 06:33:14 -04:00
Nicholas J. Kain
c03be059f5
writeordie() was buggy; delete the == 1 which makes no sense.
2014-04-06 06:31:40 -04:00
Nicholas J. Kain
3d76fbeedc
Make sure that all safe_* return values use ssize_t.
2014-04-06 06:24:13 -04:00
Nicholas J. Kain
745e9e8923
If we encounter read errors reading the duid or iaid after successfully
opening the file, print an error and exit.
2014-04-06 06:06:53 -04:00
Nicholas J. Kain
7b0db5b8d3
arp.c: If the safe_read that fetches arp responses encounters a
return of -1 with errno == EAGAIN or EWOULDBLOCK, then report the
error, as it should never happen given that the function is called
only once after polling for ready-reads.
Further, the old code was buggy; it would subtract from the arpreply_offset
the return value of -1 in that case, which is just wrong.
2014-04-06 06:02:03 -04:00
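An added example (not ndhc's arp.c) of the read pattern the two commits above describe: a safe_read() that retries on EINTR and returns ssize_t, and a collector that advances its buffer offset only when the return is non-negative, so a spurious EAGAIN after poll() is reported instead of being subtracted from the offset. The fd here is a pipe fed constructed bytes; the struct and function names are assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read up to len bytes, retrying if a signal interrupts the call. */
static ssize_t safe_read(int fd, char *buf, size_t len)
{
    ssize_t r;
    do {
        r = read(fd, buf, len);
    } while (r < 0 && errno == EINTR);
    return r;
}

struct reply_buf {
    char data[64];
    size_t off;     /* bytes collected so far */
};

/* Returns 1 when at least want bytes are present, 0 for "need more",
 * -1 on error. A failed read never changes the offset. */
static int collect_reply(int fd, struct reply_buf *rb, size_t want)
{
    ssize_t r = safe_read(fd, rb->data + rb->off, sizeof rb->data - rb->off);
    if (r < 0) {
        if (errno == EAGAIN || errno == EWOULDBLOCK)
            fprintf(stderr, "collect_reply: spurious EAGAIN after poll\n");
        else
            fprintf(stderr, "collect_reply: read: %s\n", strerror(errno));
        return -1;
    }
    if (r == 0)
        return -1;  /* EOF: the peer is gone */
    rb->off += (size_t)r;
    return rb->off >= want ? 1 : 0;
}

/* Scenario 1: two writes of constructed data, reassembled across two reads. */
static int demo_reassemble(void)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    struct reply_buf rb = { .off = 0 };
    if (write(p[1], "ARP-", 4) != 4) return -4;
    int rc = collect_reply(p[0], &rb, 8);      /* 0: need more */
    if (rc != 0) return -2;
    if (write(p[1], "REPL", 4) != 4) return -4;
    rc = collect_reply(p[0], &rb, 8);          /* 1: complete */
    close(p[0]); close(p[1]);
    return (rc == 1 && rb.off == 8 && memcmp(rb.data, "ARP-REPL", 8) == 0) ? 1 : -3;
}

/* Scenario 2: an empty non-blocking pipe. Subtracting the -1 return, as the
 * old code did, would have moved the offset backwards; here it stays at 5. */
static int demo_eagain_keeps_offset(void)
{
    int p[2];
    if (pipe2(p, O_NONBLOCK) < 0) return -1;
    struct reply_buf rb = { .off = 5 };
    int rc = collect_reply(p[0], &rb, 8);
    close(p[0]); close(p[1]);
    return (rc == -1 && rb.off == 5) ? 1 : -2;
}

int main(void)
{
    printf("reassemble: %d, eagain keeps offset: %d\n",
           demo_reassemble(), demo_eagain_keeps_offset());
    return 0;
}
```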
Nicholas J. Kain
8b4c7f05b2
arp.c: Check for < 0 for invalid fds and function errors instead of == -1.
2014-04-06 05:54:21 -04:00
Nicholas J. Kain
8af6bee46d
arp_switch_state() was far too confusing and buggy. Pass the target state as
an argument, and only switch the global state after a change is successfully
made.
2014-04-06 05:51:52 -04:00
Nicholas J. Kain
1e52914f2e
Remove a lot of permitted syscalls from the seccomp filter list.
Probably the most notable is that setsockopt is only allowed from sockd.
This change prevents ndhc and ifch from removing BPF filters that have been
installed onto a socket.
2014-04-06 05:21:56 -04:00
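An added example, not ndhc's own filter, of the mechanism behind the commit above and the earlier socketpair-whitelist commit: a seccomp-bpf program installed in a forked child so the parent can observe the result. ndhc's real filters are whitelists; for brevity this one allows everything except setsockopt(2), which is enough to show that a process denied that syscall can no longer SO_DETACH_FILTER a socket it holds. The arch check refuses foreign ABIs (on i386 the call would arrive via socketcall instead, as the x86 commit below notes), so it only builds for x86_64 and aarch64 Linux. Function names are assumed.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
# define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
# error "add the AUDIT_ARCH_* value for this ABI"
#endif

/* Install a filter that kills the process on setsockopt. 0 or -1. */
static int install_deny_setsockopt(void)
{
    struct sock_filter filt[] = {
        /* Refuse to run under a foreign ABI where syscall numbers differ. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; kill on setsockopt, allow everything else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setsockopt, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filt / sizeof filt[0], .filter = filt };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) return -1;
    return 0;
}

/* Fork, install the filter, optionally call setsockopt, report how the child
 * ended: 1 if killed by SIGSYS, 0 if it exited normally, -1 on error. */
static int child_outcome(int call_setsockopt)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int s = socket(AF_UNIX, SOCK_DGRAM, 0);   /* opened before the filter */
        if (s < 0 || install_deny_setsockopt() < 0) _exit(2);
        if (call_setsockopt) {
            int one = 1;
            /* Any setsockopt trips the filter; SO_DETACH_FILTER would too. */
            setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
        }
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    return -1;
}

int main(void)
{
    printf("with setsockopt: %d (1 = killed by SIGSYS)\n", child_outcome(1));
    printf("without:         %d (0 = exited normally)\n", child_outcome(0));
    return 0;
}
```

A real whitelist is built the same way, but the default action is SECCOMP_RET_KILL and only the enumerated syscalls jump to the ALLOW return.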
Nicholas J. Kain
812912126e
ifch doesn't need to save a pidfile because its lifetime is strictly bounded
by that of ndhc by the shared pipe, so remove that option.
2014-04-06 02:27:52 -04:00
Nicholas J. Kain
6b1d422d6f
arp_min_close_fd() and arp_close_fd() can return void.
2014-04-05 23:40:18 -04:00
Nicholas J. Kain
1c30247c36
arp_reopen_fd() can return void.
2014-04-05 23:37:44 -04:00
Nicholas J. Kain
6750209e12
Have sockd apply BPF filters to ARP sockets.
2014-04-05 21:39:27 -04:00
Nicholas J. Kain
5212e0dfc5
Switch to using a socket for ndhc/sockd IPC so that fd passing works.
2014-04-05 05:25:56 -04:00
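An added example (not ndhc's code) of the two IPC arrangements described in the commit above and in the later socketpair/SIGPIPE commit: a socketpair carries a descriptor from the privileged side to the worker with SCM_RIGHTS, and a separate pipe exists only so that the worker dies of SIGPIPE once the parent is gone. The parent stands in for sockd/ndhc, the child for ifch, and a pipe of constructed bytes stands in for the raw socket that would really be passed; function names and the "keepalive" write loop are assumptions.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one descriptor over a UNIX-domain socket with SCM_RIGHTS. 0 or -1. */
static int send_fd(int sock, int fd_to_send)
{
    char tag = 'F';
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}

/* Receive one descriptor. Returns the new fd, or -1 if none was attached. */
static int recv_fd(int sock)
{
    char tag;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) < 0)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Parent = privileged side, child = worker. Returns 0 when every stage
 * behaved as expected, a distinct negative value otherwise. */
static int run_privsep_demo(void)
{
    int sv[2], keep[2], payload[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (pipe(keep) < 0) return -2;
    if (pipe(payload) < 0) return -3;
    pid_t pid = fork();
    if (pid < 0) return -4;
    if (pid == 0) {
        /* Worker keeps only its socket end and the pipe's write end. */
        close(sv[0]); close(keep[0]); close(payload[0]); close(payload[1]);
        signal(SIGPIPE, SIG_DFL);          /* default action: terminate */
        int fd = recv_fd(sv[1]);
        if (fd < 0) _exit(10);
        char buf[4];
        if (read(fd, buf, sizeof buf) != 4) _exit(11);
        if (write(sv[1], buf, 4) != 4) _exit(12);   /* echo for verification */
        for (;;) {                          /* dies here once the parent is gone */
            if (write(keep[1], "k", 1) < 0) _exit(13);
            usleep(1000);
        }
    }
    close(sv[1]); close(keep[1]);
    if (write(payload[1], "dhcp", 4) != 4) return -5;   /* constructed sample */
    close(payload[1]);
    int rc = send_fd(sv[0], payload[0]);
    close(payload[0]);                      /* the worker now owns its own copy */
    if (rc < 0) return -6;
    char echo[4];
    if (read(sv[0], echo, 4) != 4 || memcmp(echo, "dhcp", 4) != 0) return -7;
    char k;
    if (read(keep[0], &k, 1) != 1) return -8;   /* worker reached its loop */
    close(keep[0]);                             /* simulate the parent dying */
    int status;
    if (waitpid(pid, &status, 0) < 0) return -9;
    close(sv[0]);
    return (WIFSIGNALED(status) && WTERMSIG(status) == SIGPIPE) ? 0 : -10;
}

int main(void)
{
    int rc = run_privsep_demo();
    printf("privsep demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The socketpair is needed because SCM_RIGHTS only works over UNIX-domain sockets; a pipe cannot carry a descriptor, but it is the cheaper lifetime bound because a write to a pipe with no reader is fatal by default, with no pidfile or polling required.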
Nicholas J. Kain
9622640698
Add command line help for the sockd-user option.
2014-04-05 05:23:37 -04:00
Nicholas J. Kain
ef51971a6d
Update to latest ncmlib privilege.[ch].
2014-04-05 05:23:18 -04:00
Nicholas J. Kain
09d6f7dfb8
Introduce a ndhc-sockd daemon that separates out the remaining elevated
capabilities from the ndhc master process.
Privsep is now complete. The only notable improvement from before is that
exploitation of ndhc would only allow an attacker to open raw sockets,
bind sockets to ports < port 1024, and create broadcast sockets on the
interface that ndhc is performing dhcp on rather than on all interfaces.
However, this seems like a worthwhile change; note that it was already
impossible for an attacker to sniff packets on any interfaces (as that
requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
Nicholas J. Kain
65c3cd4fd9
Make many more logging prints specify the interface and function, and make
the return checks for safe_(read|write) stricter.
2014-04-04 04:01:49 -04:00
Nicholas J. Kain
2200b68aff
Print a warning if the BPF is not installed for an ARP socket.
2014-04-04 03:55:32 -04:00
Nicholas J. Kain
dc2ac46fd4
Update to latest ncmlib and remove some dead preprocessor defines.
2014-03-31 16:06:41 -04:00
Nicholas J. Kain
2f54ff75f3
Use nk_uidgidbyname().
2014-03-30 22:18:04 -04:00
Nicholas J. Kain
2d8654ae59
Update copyright dates.
2014-03-30 17:23:35 -04:00
Nicholas J. Kain
1abf8462d3
Convert logging messages to suicide() where appropriate and clean up the
logging messages a bit.
2014-03-30 17:21:27 -04:00
Nicholas J. Kain
82d9682ed8
Update to latest ncmlib changes.
2014-03-30 17:02:48 -04:00
Nicholas J. Kain
abda60e0e9
Remove unused defines.
2014-03-28 11:17:52 -04:00
Nicholas J. Kain
1b6b52d2eb
Don't background the daemon by default. Process supervision is finally
catching on and becoming the norm.
2014-03-28 00:12:33 -04:00
Nicholas J. Kain
704e414171
Add nl_sendgetaddr and nl_sendgetaddrs variants for v4/v6.
2014-03-28 00:09:53 -04:00
Nicholas J. Kain
77ce7b9a6c
printf 'hh' length modifier is a gnu extension. Don't use it.
2014-03-25 05:27:47 -04:00
Nicholas J. Kain
00e7e2a61b
Remove an implicit narrowing cast from void* in nl.h.
This cast is fine in C, but if the header is included from C++, even from
an extern "C" block, it will cause an error.
2014-03-24 09:55:55 -04:00
Nicholas J. Kain
4b92b10f32
ifch doesn't need chmod or unlink whitelisted for seccomp-filter.
2014-03-22 23:39:50 -04:00
Nicholas J. Kain
71db577ed5
Replace the remaining calls to rand() with nk_random_u32().
2014-03-22 02:08:23 -04:00
Nicholas J. Kain
009f80b428
x86 has a slightly different syscall interface, so some changes are
necessary for the seccomp filters to work.
Specifically, x86 has the old catch-all socketcall and the non-legacy
fcntl64 system calls.
2014-03-22 01:32:55 -04:00
Nicholas J. Kain
22dcfc00ee
Enable seccomp-filter if CMake detects that host is x86_64 or x86.
2014-03-21 23:52:15 -04:00
Nicholas J. Kain
2d79465eed
Enforce field width for MAC address prints.
2014-03-21 21:29:25 -04:00
Nicholas J. Kain
ab68966442
ifchange.c: Fix ifcmd_iplist so that it works properly.
Also, add some extra diagnostic prints to ifcmd_raw.
2014-03-20 23:50:58 -04:00
Nicholas J. Kain
6cfb1eb340
duiaid.c: Fix trivial errors found from testing so that it works.
2014-03-20 23:26:19 -04:00
Nicholas J. Kain
a73a28588f
Factor out copy_cmdarg() to common ncmlib header.
2014-03-20 05:25:40 -04:00
Nicholas J. Kain
f365498188
Convert the remaining strnk* calls to use snprintf instead, and make sure
to detect truncations and failures in all cases.
2014-03-20 04:07:12 -04:00
Nicholas J. Kain
daadae0bf5
Switch to using snprintf in dhcp.c and ifch.c so that truncations can be
easily detected.
2014-03-19 19:32:45 -04:00
Nicholas J. Kain
f5281ee7ab
ifchange.c: inet_ntop won't fail so long as we always use a statically
determined valid address family and sufficiently long destination buffer.
2014-03-19 19:14:38 -04:00
Nicholas J. Kain
fa801fbec4
ifchange.c doesn't need strl.h included anymore.
2014-03-19 06:42:39 -04:00
Nicholas J. Kain
17f1889d4d
ifchd_cmd() had a lot of helper macros that were more obfuscating than
helpful. Remove them.
2014-03-19 06:40:42 -04:00
Nicholas J. Kain
db6169e099
Rename ifchd_cmd_* to ifcmd_*.
2014-03-19 06:34:29 -04:00
Nicholas J. Kain
4b78acb65a
Remove an intermediate buffer in options.c after all of the functions
operating on that buffer now always leave the buffer so that it has
a valid list of commands.
2014-03-19 06:32:13 -04:00
Nicholas J. Kain
2de848f2c7
If the snprintf in ifcmd_raw() fails, then we can restore the buffer to
its original state by zeroing out the data that was appended to the buffer
by the failed snprintf.
This trick allows ifcmd_raw() to never fail in a way that would attach
corrupt commands to the output buffer.
2014-03-19 06:14:50 -04:00
Nicholas J. Kain
a2e8136bc9
options.c: Rewrite the ifchd_cmd_* options command generation functions.
The old functions were harder to audit. The new ones factor out most
of the work into a common ifcmd_raw() helper, and make sure to perform
the updates atomically wrt the output buffer.
snprintf is used heavily, as the C99 semantics should be on any targeted
system.
The atomicity will be improved in the next patch, allowing the number
of command buffers to be reduced.
2014-03-19 06:07:01 -04:00
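An added example, not ndhc's ifcmd_raw() or options.c, of the append-or-rollback trick described in the two commits above (and of the snprintf truncation detection from the earlier commits): each command is formatted into the tail of a fixed buffer with vsnprintf, and when the C99 return value says it did not fit, the bytes snprintf wrote are zeroed again so the buffer never carries a partial command. The "name:value;" syntax, the 32-byte buffer size and the helper names are assumptions chosen to make truncation easy to trigger.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CMDBUF_SZ 32    /* deliberately small so the third append overflows */

struct cmdbuf {
    char data[CMDBUF_SZ];
    size_t len;         /* bytes in use, excluding the terminating NUL */
};

static void cmdbuf_init(struct cmdbuf *cb) { memset(cb, 0, sizeof *cb); }

/* Append one formatted command. Returns 0 on success, -1 if it did not fit,
 * in which case the buffer is byte-for-byte what it was before the call. */
static int cmdbuf_append(struct cmdbuf *cb, const char *fmt, ...)
{
    size_t avail = sizeof cb->data - cb->len;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(cb->data + cb->len, avail, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= avail) {
        /* Truncated or failed. C99 vsnprintf wrote at most avail-1 bytes plus
         * a NUL into the tail; everything past cb->len was zero before, so
         * zeroing that region restores the old contents exactly. */
        memset(cb->data + cb->len, 0, avail);
        return -1;
    }
    cb->len += (size_t)n;
    return 0;
}

/* Typed wrappers; the validated argument is the only thing that varies. */
static int cmd_ip(struct cmdbuf *cb, const char *ip) { return cmdbuf_append(cb, "ip:%s;", ip); }
static int cmd_mtu(struct cmdbuf *cb, unsigned mtu)  { return cmdbuf_append(cb, "mtu:%u;", mtu); }

static struct cmdbuf demo_cb;

/* Build two commands that fit, then one that cannot. Returns how many were
 * accepted; demo_cb is left for inspection. */
static int build_demo(void)
{
    int accepted = 0;
    cmdbuf_init(&demo_cb);
    accepted += cmd_ip(&demo_cb, "192.0.2.10") == 0;      /* 14 bytes -> len 14 */
    accepted += cmd_mtu(&demo_cb, 1500) == 0;              /*  9 bytes -> len 23 */
    accepted += cmd_ip(&demo_cb, "198.51.100.200") == 0;   /* 18 bytes, 9 avail: rolled back */
    return accepted;
}

static const char *demo_commands(void) { return demo_cb.data; }

/* 1 if every byte after the committed commands is still zero. */
static int demo_tail_is_clean(void)
{
    for (size_t i = demo_cb.len; i < sizeof demo_cb.data; i++)
        if (demo_cb.data[i] != 0) return 0;
    return 1;
}

int main(void)
{
    int n = build_demo();
    printf("%d accepted: \"%s\" (tail clean: %d)\n", n, demo_commands(), demo_tail_is_clean());
    return 0;
}
```

The rollback only works because the buffer is never left with stale bytes past len, which is why the helper commits an append solely by advancing len and never writes past the NUL otherwise.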