/mandos/trunk : revision 1141

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to dracut-module/password-agent.c

Committer: Teddy Hogeborn
Date: 2019-08-03 11:39:38 UTC
Revision ID: teddy@recompile.se-20190803113938-httj8rqsnct08txx

dracut-module/password-agent.c: Bug fix: Ignore deleted files

If a question file ("ask.*") is opened, deleted, and then closed, we
still get an IN_CLOSE_WRITE ievent after the IN_DELETE ievent.  We
should pass the IN_EXCL_UNLINK flag to inotify_add_watch() to avoid
this.

* dracut-module/password-agent.c (add_inotify_dir_watch): Add
  "IN_EXCL_UNLINK" flag to inotify_add_watch().
  (test_add_inotify_dir_watch_IN_EXCL_UNLINK): New test.
  (run_tests): Add new test.

files removed:
debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/upstream/metadata

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.templates

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests/control

dracut-module/ask-password-mandos.service

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-hook

initramfs-tools-script

intro.xml

mandos

mandos-ctl

mandos-keygen

mandos-monitor

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

plugin-runner.c

plugins.d/mandos-client.c

plugins.d/plymouth.c

Show diffs side-by-side

added added

removed removed

dracut-module/password-agent.c

* Mandos password agent - Simple password agent to run Mandos client

* This file is part of Mandos.

#include <error.h> /* error() */

#include <sysexits.h> /* EX_USAGE, EX_OSERR, EX_OSFILE */

#include <errno.h> /* errno, error_t, EACCES,

ENAMETOOLONG, ENOENT, ENOTDIR,

ENOMEM, EEXIST, ECHILD, EPERM,

EAGAIN, EINTR, ENOBUFS, EADDRINUSE,

ENAMETOOLONG, ENOENT, EEXIST,

ECHILD, EPERM, ENOMEM, EAGAIN,

EINTR, ENOBUFS, EADDRINUSE,

ECONNREFUSED, ECONNRESET,

ETOOMANYREFS, EMSGSIZE, EBADF,

EINVAL */

ARGP_ERR_UNKNOWN, ARGP_KEY_ARGS,

struct argp, argp_parse(),

ARGP_NO_EXIT */

#include <stdint.h> /* SIZE_MAX */

#include <unistd.h> /* uid_t, gid_t, close(), pipe2(),

fork(), _exit(), dup2(),

STDOUT_FILENO, setresgid(),

#include <sys/mman.h> /* munlock(), mlock() */

#include <fcntl.h> /* O_CLOEXEC, O_NONBLOCK, fcntl(),

F_GETFD, F_GETFL, FD_CLOEXEC,

open(), O_WRONLY, O_NOCTTY,

O_RDONLY, O_NOFOLLOW */

open(), O_WRONLY, O_RDONLY */

#include <sys/wait.h> /* waitpid(), WNOHANG, WIFEXITED(),

WEXITSTATUS() */

#include <limits.h> /* PIPE_BUF, NAME_MAX, INT_MAX */

#include <sys/inotify.h> /* inotify_init1(), IN_NONBLOCK,

IN_CLOEXEC, inotify_add_watch(),

IN_CLOSE_WRITE, IN_MOVED_TO,

IN_MOVED_FROM, IN_DELETE,

IN_EXCL_UNLINK, IN_ONLYDIR,

struct inotify_event */

IN_DELETE, struct inotify_event */

#include <fnmatch.h> /* fnmatch(), FNM_FILE_NAME */

#include <stdio.h> /* asprintf(), FILE, stderr, fopen(),

100

fclose(), getline(), sscanf(),

101

feof(), ferror(), rename(),

102

fdopen(), fprintf(), fscanf() */

#include <stdio.h> /* asprintf(), FILE, fopen(),

getline(), sscanf(), feof(),

ferror(), fclose(), stderr,

rename(), fdopen(), fprintf(),

fscanf() */

103

100

#include <glib.h> /* GKeyFile, g_key_file_free(), g_key_file_new(),

104

101

GError, g_key_file_load_from_file(),

105

102

G_KEY_FILE_NONE, TRUE, G_FILE_ERROR_NOENT,

148

145

mono_microsecs next_run;

149

146

} __attribute__((designated_init)) task_queue;

150

147

151

/* "task_func" - A function type for task functions

148

/* "func_type" - A function type for task functions

152

149

153

150

I.e. functions for the code which runs when a task is run, all have

154

151

this type */

434

431

case EACCES:

435

432

case ENAMETOOLONG:

436

433

case ENOENT:

437

case ENOTDIR:

438

434

return EX_OSFILE;

439

435

default:

440

436

return EX_OSERR;

651

647

652

648

__attribute__((nonnull, warn_unused_result))

653

649

bool add_to_queue(task_queue *const queue, const task_context task){

654

if((queue->length + 1) > (SIZE_MAX / sizeof(task_context))){

655

/* overflow */

656

error(0, ENOMEM, "Failed to allocate %" PRIuMAX

657

" tasks for queue->tasks", (uintmax_t)(queue->length + 1));

658

errno = ENOMEM;

659

return false;

660

}

661

650

const size_t needed_size = sizeof(task_context)*(queue->length + 1);

662

651

if(needed_size > (queue->allocated)){

663

652

task_context *const new_tasks = realloc(queue->tasks,

868

857

}

869

858

close(pipefds[1]);

870

859

871

if(pid == -1){

872

error(0, errno, "Failed to fork()");

873

close(pipefds[0]);

874

return false;

875

}

876

877

860

if(not add_to_queue(queue, (task_context){

878

861

.func=wait_for_mandos_client_exit,

879

862

.pid=pid,

1035

1018

}

1036

1019

1037

1020

if(inotify_add_watch(fd, dir, IN_CLOSE_WRITE | IN_MOVED_TO

1038

| IN_MOVED_FROM| IN_DELETE | IN_EXCL_UNLINK

1039

| IN_ONLYDIR)

1021

| IN_MOVED_FROM| IN_DELETE | IN_EXCL_UNLINK)

1040

1022

== -1){

1041

1023

error(0, errno, "Failed to create inotify watch on %s", dir);

1042

1024

return false;

1193

1175

bool *const password_is_read = task.password_is_read;

1194

1176

1195

1177

/* We use the GLib "Key-value file parser" functions to parse the

1196

question file. See <https://systemd.io/PASSWORD_AGENTS/> for

1197

specification of contents */

1178

question file. See <https://www.freedesktop.org/wiki/Software

1179

/systemd/PasswordAgents/> for specification of contents */

1198

1180

__attribute__((nonnull))

1199

1181

void cleanup_g_key_file(GKeyFile **key_file){

1200

1182

if(*key_file != NULL){

1490

1472

not. You may but don't have to include a final NUL byte in

1491

1473

your message.

1492

1474

1493

— <https://systemd.io/PASSWORD_AGENTS/> (Tue, 15 Sep 2020

1494

14:24:20 GMT)

1475

— <https://www.freedesktop.org/wiki/Software/systemd/

1476

PasswordAgents/> (Wed 08 Oct 2014 02:14:28 AM UTC)

1495

1477

1496

1478

send_buffer[0] = '+'; /* Prefix with "+" */

1497

1479

/* Always add an extra NUL */

1502

1484

errno = 0;

1503

1485

ssize_t ssret = send(fd, send_buffer, send_buffer_length,

1504

1486

MSG_NOSIGNAL);

1505

const error_t saved_errno = (ssret < 0) ? errno : 0;

1487

const error_t saved_errno = errno;

1506

1488

#if defined(__GLIBC_PREREQ) and __GLIBC_PREREQ(2, 25)

1507

1489

explicit_bzero(send_buffer, send_buffer_length);

1508

1490

#else

1526

1508

/* Retry, below */

1527

1509

break;

1528

1510

case EMSGSIZE:

1529

error(0, saved_errno, "Password of size %" PRIuMAX

1530

" is too big", (uintmax_t)password->length);

1511

error(0, 0, "Password of size %" PRIuMAX " is too big",

1512

(uintmax_t)password->length);

1531

1513

#if __GNUC__ < 7

1532

1514

/* FALLTHROUGH */

1533

1515

#else

1535

1517

#endif

1536

1518

case 0:

1537

1519

if(ssret >= 0 and ssret < (ssize_t)send_buffer_length){

1538

error(0, 0, "Password only partially sent to socket %s: %"

1539

PRIuMAX " out of %" PRIuMAX " bytes sent", filename,

1540

(uintmax_t)ssret, (uintmax_t)send_buffer_length);

1520

error(0, 0, "Password only partially sent to socket");

1541

1521

}

1542

1522

#if __GNUC__ < 7

1543

1523

/* FALLTHROUGH */

1899

1879

g_assert_true(queue->tasks[0].func == dummy_func);

1900

1880

}

1901

1881

1902

static void test_add_to_queue_overflow(__attribute__((unused))

1903

test_fixture *fixture,

1904

__attribute__((unused))

1905

gconstpointer user_data){

1906

__attribute__((cleanup(cleanup_queue)))

1907

task_queue *queue = create_queue();

1908

g_assert_nonnull(queue);

1909

g_assert_true(queue->length == 0);

1910

queue->length = SIZE_MAX / sizeof(task_context); /* fake max size */

1911

1912

FILE *real_stderr = stderr;

1913

FILE *devnull = fopen("/dev/null", "we");

1914

g_assert_nonnull(devnull);

1915

stderr = devnull;

1916

const bool ret = add_to_queue(queue,

1917

(task_context){ .func=dummy_func });

1918

g_assert_true(errno == ENOMEM);

1919

g_assert_false(ret);

1920

stderr = real_stderr;

1921

g_assert_cmpint(fclose(devnull), ==, 0);

1922

queue->length = 0; /* Restore real size */

1923

}

1924

1925

1882

static void dummy_func(__attribute__((unused))

1926

1883

const task_context task,

1927

1884

__attribute__((unused))

2198

2155

}

2199

2156

exit(EXIT_SUCCESS);

2200

2157

}

2201

if(pid == -1){

2202

error(EXIT_FAILURE, errno, "Failed to fork()");

2203

}

2204

2205

2158

int status;

2206

2159

waitpid(pid, &status, 0);

2207

2160

if(WIFEXITED(status) and (WEXITSTATUS(status) == EXIT_SUCCESS)){

2269

2222

2270

2223

{

2271

2224

__attribute__((cleanup(cleanup_close)))

2272

const int devnull_fd = open("/dev/null",

2273

O_WRONLY | O_CLOEXEC | O_NOCTTY);

2225

const int devnull_fd = open("/dev/null", O_WRONLY | O_CLOEXEC);

2274

2226

g_assert_cmpint(devnull_fd, >=, 0);

2275

2227

__attribute__((cleanup(cleanup_close)))

2276

2228

const int real_stderr_fd = dup(STDERR_FILENO);

2300

2252

{

2301

2253

__attribute__((cleanup(cleanup_close)))

2302

2254

const int devnull_fd = open("/dev/null",

2303

O_WRONLY | O_CLOEXEC | O_NOCTTY);

2255

O_WRONLY | O_CLOEXEC);

2304

2256

g_assert_cmpint(devnull_fd, >=, 0);

2305

2257

__attribute__((cleanup(cleanup_close)))

2306

2258

const int real_stderr_fd = dup(STDERR_FILENO);

2951

2903

2952

2904

__attribute__((cleanup(cleanup_close)))

2953

2905

const int devnull_fd = open("/dev/null",

2954

O_WRONLY | O_CLOEXEC | O_NOCTTY);

2906

O_WRONLY | O_CLOEXEC);

2955

2907

g_assert_cmpint(devnull_fd, >=, 0);

2956

2908

__attribute__((cleanup(cleanup_close)))

2957

2909

const int real_stderr_fd = dup(STDERR_FILENO);

3022

2974

3023

2975

__attribute__((cleanup(cleanup_close)))

3024

2976

const int devnull_fd = open("/dev/null",

3025

O_WRONLY | O_CLOEXEC, O_NOCTTY);

2977

O_WRONLY | O_CLOEXEC);

3026

2978

g_assert_cmpint(devnull_fd, >=, 0);

3027

2979

__attribute__((cleanup(cleanup_close)))

3028

2980

const int real_stderr_fd = dup(STDERR_FILENO);

3066

3018

buffer password = {};

3067

3019

3068

3020

/* Reading /proc/self/mem from offset 0 will always give EIO */

3069

const int fd = open("/proc/self/mem",

3070

O_RDONLY | O_CLOEXEC | O_NOCTTY);

3021

const int fd = open("/proc/self/mem", O_RDONLY | O_CLOEXEC);

3071

3022

3072

3023

bool password_is_read = false;

3073

3024

bool quit_now = false;

3501

3452

g_assert_cmpuint((unsigned int)queue->length, ==, 0);

3502

3453

}

3503

3454

3504

static void test_add_inotify_dir_watch_nondir(__attribute__((unused))

3505

test_fixture *fixture,

3506

__attribute__((unused))

3507

gconstpointer

3508

user_data){

3509

__attribute__((cleanup(cleanup_close)))

3510

const int epoll_fd = epoll_create1(EPOLL_CLOEXEC);

3511

g_assert_cmpint(epoll_fd, >=, 0);

3512

__attribute__((cleanup(cleanup_queue)))

3513

task_queue *queue = create_queue();

3514

g_assert_nonnull(queue);

3515

__attribute__((cleanup(string_set_clear)))

3516

string_set cancelled_filenames = {};

3517

const mono_microsecs current_time = 0;

3518

3519

bool quit_now = false;

3520

buffer password = {};

3521

bool mandos_client_exited = false;

3522

bool password_is_read = false;

3523

3524

const char not_a_directory[] = "/dev/tty";

3525

3526

FILE *real_stderr = stderr;

3527

FILE *devnull = fopen("/dev/null", "we");

3528

g_assert_nonnull(devnull);

3529

stderr = devnull;

3530

g_assert_false(add_inotify_dir_watch(queue, epoll_fd, &quit_now,

3531

&password, not_a_directory,

3532

&cancelled_filenames,

3533

&current_time,

3534

&mandos_client_exited,

3535

&password_is_read));

3536

stderr = real_stderr;

3537

g_assert_cmpint(fclose(devnull), ==, 0);

3538

3539

g_assert_cmpuint((unsigned int)queue->length, ==, 0);

3540

}

3541

3542

3455

static void test_add_inotify_dir_watch_EAGAIN(__attribute__((unused))

3543

3456

test_fixture *fixture,

3544

3457

__attribute__((unused))

3981

3894

const mono_microsecs current_time = 0;

3982

3895

3983

3896

/* Reading /proc/self/mem from offset 0 will always result in EIO */

3984

const int fd = open("/proc/self/mem",

3985

O_RDONLY | O_CLOEXEC | O_NOCTTY);

3897

const int fd = open("/proc/self/mem", O_RDONLY | O_CLOEXEC);

3986

3898

3987

3899

bool quit_now = false;

3988

3900

__attribute__((cleanup(cleanup_queue)))

5673

5585

__attribute__((unused))

5674

5586

gconstpointer user_data){

5675

5587

__attribute__((cleanup(cleanup_close)))

5676

const int epoll_fd = open("/dev/null",

5677

O_WRONLY | O_CLOEXEC | O_NOCTTY);

5588

const int epoll_fd = open("/dev/null", O_WRONLY | O_CLOEXEC);

5678

5589

__attribute__((cleanup(cleanup_string)))

5679

5590

char *const question_filename = strdup("/nonexistent/question");

5680

5591

g_assert_nonnull(question_filename);

5809

5720

char write_data[PIPE_BUF];

5810

5721

{

5811

5722

/* Construct test password buffer */

5812

/* Start with + since that is what the real protocol uses */

5723

/* Start with + since that is what the real procotol uses */

5813

5724

write_data[0] = '+';

5814

5725

/* Set a special character at string end just to mark the end */

5815

5726

write_data[sizeof(write_data)-2] = 'y';

5967

5878

char *const filename = strdup("/nonexistent/socket");

5968

5879

__attribute__((cleanup(string_set_clear)))

5969

5880

string_set cancelled_filenames = {};

5970

int socketfds[2];

5971

5972

/* Find a message size which triggers EMSGSIZE */

5973

__attribute__((cleanup(cleanup_string)))

5974

char *message_buffer = NULL;

5975

size_t message_size = PIPE_BUF + 1;

5976

for(ssize_t ssret = 0; ssret >= 0; message_size += 1024){

5977

if(message_size >= 1024*1024*1024){ /* 1 GiB */

5978

g_test_skip("Skipping EMSGSIZE test: Will not try 1GiB");

5979

return;

5980

}

5981

free(message_buffer);

5982

message_buffer = malloc(message_size);

5983

if(message_buffer == NULL){

5984

g_test_skip("Skipping EMSGSIZE test");

5985

g_test_message("Failed to malloc() %" PRIuMAX " bytes",

5986

(uintmax_t)message_size);

5987

return;

5988

}

5989

/* Fill buffer with 'x' */

5990

memset(message_buffer, 'x', message_size);

5991

/* Create a new socketpair for each message size to avoid having

5992

to empty the pipe by reading the message to a separate buffer

5993

5994

g_assert_cmpint(socketpair(PF_LOCAL, SOCK_DGRAM

5995

| SOCK_NONBLOCK | SOCK_CLOEXEC, 0,

5996

socketfds), ==, 0);

5997

ssret = send(socketfds[1], message_buffer, message_size,

5998

MSG_NOSIGNAL);

5999

error_t saved_errno = errno;

6000

g_assert_cmpint(close(socketfds[0]), ==, 0);

6001

g_assert_cmpint(close(socketfds[1]), ==, 0);

6002

6003

if(ssret < 0){

6004

if(saved_errno != EMSGSIZE) {

6005

g_test_skip("Skipping EMSGSIZE test");

6006

g_test_message("Error on send(): %s", strerror(saved_errno));

6007

return;

6008

}

6009

break;

6010

} else if(ssret != (ssize_t)message_size){

6011

g_test_skip("Skipping EMSGSIZE test");

6012

g_test_message("Partial send(): %" PRIuMAX " of %" PRIdMAX

6013

" bytes", (uintmax_t)ssret,

6014

(intmax_t)message_size);

6015

return;

6016

}

6017

}

6018

g_test_message("EMSGSIZE triggered by %" PRIdMAX " bytes",

6019

(intmax_t)message_size);

6020

6021

buffer password = {

6022

.data=message_buffer,

6023

.length=message_size - 2, /* Compensate for added '+' and NUL */

6024

.allocated=message_size,

5881

const size_t oversized = 1024*1024; /* Limit seems to be 212960 */

5882

__attribute__((cleanup(cleanup_buffer)))

5883

buffer password = {

5884

.data=malloc(oversized),

5885

.length=oversized,

5886

.allocated=oversized,

6025

5887

};

5888

g_assert_nonnull(password.data);

6026

5889

if(mlock(password.data, password.allocated) != 0){

6027

5890

g_assert_true(errno == EPERM or errno == ENOMEM);

6028

5891

}

5892

/* Construct test password buffer */

5893

/* Start with + since that is what the real procotol uses */

5894

password.data[0] = '+';

5895

/* Set a special character at string end just to mark the end */

5896

password.data[oversized-3] = 'y';

5897

/* Set NUL at buffer end, as suggested by the protocol */

5898

password.data[oversized-2] = '\0';

5899

/* Fill rest of password with 'x' */

5900

memset(password.data+1, 'x', oversized-3);

6029

5901

6030

5902

__attribute__((cleanup(cleanup_queue)))

6031

5903

task_queue *queue = create_queue();

6032

5904

g_assert_nonnull(queue);

5905

int socketfds[2];

6033

5906

g_assert_cmpint(socketpair(PF_LOCAL, SOCK_DGRAM

6034

5907

| SOCK_NONBLOCK | SOCK_CLOEXEC, 0,

6035

5908

socketfds), ==, 0);

6122

5995

__attribute__((unused))

6123

5996

gconstpointer user_data){

6124

5997

__attribute__((cleanup(cleanup_close)))

6125

const int epoll_fd = open("/dev/null",

6126

O_WRONLY | O_CLOEXEC | O_NOCTTY);

5998

const int epoll_fd = open("/dev/null", O_WRONLY | O_CLOEXEC);

6127

5999

__attribute__((cleanup(cleanup_string)))

6128

6000

char *const question_filename = strdup("/nonexistent/question");

6129

6001

g_assert_nonnull(question_filename);

6392

6264

const char *const

6393

6265

dirname){

6394

6266

__attribute__((cleanup(cleanup_close)))

6395

const int devnull_fd = open("/dev/null",

6396

O_WRONLY | O_CLOEXEC | O_NOCTTY);

6267

const int devnull_fd = open("/dev/null", O_WRONLY | O_CLOEXEC);

6397

6268

g_assert_cmpint(devnull_fd, >=, 0);

6398

6269

__attribute__((cleanup(cleanup_close)))

6399

6270

const int real_stderr_fd = dup(STDERR_FILENO);

7942

7813

test_add("/parse_arguments/mixed", test_parse_arguments_mixed);

7943

7814

test_add("/queue/create", test_create_queue);

7944

7815

test_add("/queue/add", test_add_to_queue);

7945

test_add("/queue/add/overflow", test_add_to_queue_overflow);

7946

7816

test_add("/queue/has_question/empty",

7947

7817

test_queue_has_question_empty);

7948

7818

test_add("/queue/has_question/false",

8035

7905

test_add_inotify_dir_watch);

8036

7906

test_add_st("/task-creators/add_inotify_dir_watch/fail",

8037

7907

test_add_inotify_dir_watch_fail);

8038

test_add_st("/task-creators/add_inotify_dir_watch/not-a-directory",

8039

test_add_inotify_dir_watch_nondir);

8040

7908

test_add_st("/task-creators/add_inotify_dir_watch/EAGAIN",

8041

7909

test_add_inotify_dir_watch_EAGAIN);

8042

7910

test_add_st("/task-creators/add_inotify_dir_watch/IN_CLOSE_WRITE",

8173

8041

g_option_context_set_help_enabled(context, FALSE);

8174

8042

g_option_context_set_ignore_unknown_options(context, TRUE);

8175

8043

8176

gboolean should_run_tests = FALSE;

8044

gboolean run_tests = FALSE;

8177

8045

GOptionEntry entries[] = {

8178

8046

{ "test", 0, 0, G_OPTION_ARG_NONE,

8179

&should_run_tests, "Run tests", NULL },

8047

&run_tests, "Run tests", NULL },

8180

8048

{ NULL }

8181

8049

};

8182

8050

g_option_context_add_main_entries(context, entries, NULL);

8189

8057

}

8190

8058

8191

8059

g_option_context_free(context);

8192

return should_run_tests != FALSE;

8060

return run_tests != FALSE;

8193

8061

}

Older »