To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 738
- compare with another revision
- download diff
- download tarball
- view history from revision 738
- Committer: Teddy Hogeborn
- Date: 2014-10-08 21:07:10 UTC
- Revision ID: teddy@recompile.se-20141008210710-x0rg80z2aabdg05d
Handle local Zeroconf service name collisions.
Service name collisions from other servers have always been handled,
but not *local* name collisions from services on the same host.
* mandos (AvahiService/rename): Handle local Zeroconf service name
collision.
(AvahiServiceToSyslog.rename): Pass on any extra arguments.
Service name collisions from other servers have always been handled,
but not *local* name collisions from services on the same host.
* mandos (AvahiService/rename): Handle local Zeroconf service name
collision.
(AvahiServiceToSyslog.rename): Pass on any extra arguments.
- files added:
- debian/upstream
- files modified:
- DBUS-API
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008-2012 Teddy Hogeborn
13
* Copyright © 2008-2012 Björn Påhlsson
12
* Copyright © 2008-2014 Teddy Hogeborn
13
* Copyright © 2008-2014 Björn Påhlsson
14
14
*
15
15
* This program is free software: you can redistribute it and/or
16
16
* modify it under the terms of the GNU General Public License as
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
33
#ifndef _LARGEFILE_SOURCE
34
34
#define _LARGEFILE_SOURCE
35
#endif
35
#endif /* not _LARGEFILE_SOURCE */
36
36
#ifndef _FILE_OFFSET_BITS
37
37
#define _FILE_OFFSET_BITS 64
38
#endif
38
#endif /* not _FILE_OFFSET_BITS */
39
39
40
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
41
42
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
43
stdout, ferror() */
44
44
#include <stdint.h> /* uint16_t, uint32_t, intptr_t */
45
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
55
55
opendir(), DIR */
56
56
#include <sys/stat.h> /* open(), S_ISREG */
57
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
58
inet_pton(), connect(),
59
getnameinfo() */
60
#include <fcntl.h> /* open(), unlinkat() */
60
61
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
62
*/
62
63
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
64
strtoimax() */
64
#include <assert.h> /* assert() */
65
65
#include <errno.h> /* perror(), errno,
66
66
program_invocation_short_name */
67
67
#include <time.h> /* nanosleep(), time(), sleep() */
73
73
*/
74
74
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
75
75
getuid(), getgid(), seteuid(),
76
setgid(), pause(), _exit() */
77
#include <arpa/inet.h> /* inet_pton(), htons, inet_ntop() */
76
setgid(), pause(), _exit(),
77
unlinkat() */
78
#include <arpa/inet.h> /* inet_pton(), htons() */
78
79
#include <iso646.h> /* not, or, and */
79
80
#include <argp.h> /* struct argp_option, error_t, struct
80
81
argp_state, struct argp,
88
89
#include <sys/wait.h> /* waitpid(), WIFEXITED(),
89
90
WEXITSTATUS(), WTERMSIG() */
90
91
#include <grp.h> /* setgroups() */
92
#include <argz.h> /* argz_add_sep(), argz_next(),
93
argz_delete(), argz_append(),
94
argz_stringify(), argz_add(),
95
argz_count() */
96
#include <netdb.h> /* getnameinfo(), NI_NUMERICHOST,
97
EAI_SYSTEM, gai_strerror() */
91
98
92
99
#ifdef __linux__
93
100
#include <sys/klog.h> /* klogctl() */
135
142
static const char sys_class_net[] = "/sys/class/net";
136
143
char *connect_to = NULL;
137
144
const char *hookdir = HOOKDIR;
145
int hookdir_fd = -1;
138
146
uid_t uid = 65534;
139
147
gid_t gid = 65534;
140
148
141
149
/* Doubly linked list that need to be circularly linked when used */
142
150
typedef struct server{
143
151
const char *ip;
144
uint16_t port;
152
in_port_t port;
145
153
AvahiIfIndex if_index;
146
154
int af;
147
155
struct timespec last_seen;
151
159
152
160
/* Used for passing in values through the Avahi callback functions */
153
161
typedef struct {
154
AvahiSimplePoll *simple_poll;
155
162
AvahiServer *server;
156
163
gnutls_certificate_credentials_t cred;
157
164
unsigned int dh_bits;
159
166
const char *priority;
160
167
gpgme_ctx_t ctx;
161
168
server *current_server;
169
char *interfaces;
170
size_t interfaces_size;
162
171
} mandos_context;
163
172
164
/* global context so signal handler can reach it*/
165
mandos_context mc = { .simple_poll = NULL, .server = NULL,
166
.dh_bits = 1024, .priority = "SECURE256"
167
":!CTYPE-X.509:+CTYPE-OPENPGP",
168
.current_server = NULL };
173
/* global so signal handler can reach it*/
174
AvahiSimplePoll *simple_poll;
169
175
170
176
sig_atomic_t quit_now = 0;
171
177
int signal_received = 0;
179
185
perror(print_text);
180
186
}
181
187
182
__attribute__((format (gnu_printf, 2, 3)))
188
__attribute__((format (gnu_printf, 2, 3), nonnull))
183
189
int fprintf_plus(FILE *stream, const char *format, ...){
184
190
va_list ap;
185
191
va_start (ap, format);
186
192
187
193
TEMP_FAILURE_RETRY(fprintf(stream, "Mandos plugin %s: ",
188
194
program_invocation_short_name));
189
return TEMP_FAILURE_RETRY(vfprintf(stream, format, ap));
195
return (int)TEMP_FAILURE_RETRY(vfprintf(stream, format, ap));
190
196
}
191
197
192
198
/*
194
200
* bytes. "buffer_capacity" is how much is currently allocated,
195
201
* "buffer_length" is how much is already used.
196
202
*/
203
__attribute__((nonnull, warn_unused_result))
197
204
size_t incbuffer(char **buffer, size_t buffer_length,
198
205
size_t buffer_capacity){
199
206
if(buffer_length + BUFFER_SIZE > buffer_capacity){
200
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
201
if(buffer == NULL){
207
char *new_buf = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
208
if(new_buf == NULL){
209
int old_errno = errno;
210
free(*buffer);
211
errno = old_errno;
212
*buffer = NULL;
202
213
return 0;
203
214
}
215
*buffer = new_buf;
204
216
buffer_capacity += BUFFER_SIZE;
205
217
}
206
218
return buffer_capacity;
207
219
}
208
220
209
221
/* Add server to set of servers to retry periodically */
210
bool add_server(const char *ip, uint16_t port, AvahiIfIndex if_index,
211
int af){
222
__attribute__((nonnull, warn_unused_result))
223
bool add_server(const char *ip, in_port_t port, AvahiIfIndex if_index,
224
int af, server **current_server){
212
225
int ret;
213
226
server *new_server = malloc(sizeof(server));
214
227
if(new_server == NULL){
221
234
.af = af };
222
235
if(new_server->ip == NULL){
223
236
perror_plus("strdup");
237
free(new_server);
238
return false;
239
}
240
ret = clock_gettime(CLOCK_MONOTONIC, &(new_server->last_seen));
241
if(ret == -1){
242
perror_plus("clock_gettime");
243
#ifdef __GNUC__
244
#pragma GCC diagnostic push
245
#pragma GCC diagnostic ignored "-Wcast-qual"
246
#endif
247
free((char *)(new_server->ip));
248
#ifdef __GNUC__
249
#pragma GCC diagnostic pop
250
#endif
251
free(new_server);
224
252
return false;
225
253
}
226
254
/* Special case of first server */
227
if (mc.current_server == NULL){
255
if(*current_server == NULL){
228
256
new_server->next = new_server;
229
257
new_server->prev = new_server;
230
mc.current_server = new_server;
231
/* Place the new server last in the list */
258
*current_server = new_server;
232
259
} else {
233
new_server->next = mc.current_server;
234
new_server->prev = mc.current_server->prev;
260
/* Place the new server last in the list */
261
new_server->next = *current_server;
262
new_server->prev = (*current_server)->prev;
235
263
new_server->prev->next = new_server;
236
mc.current_server->prev = new_server;
237
}
238
ret = clock_gettime(CLOCK_MONOTONIC, &mc.current_server->last_seen);
239
if(ret == -1){
240
perror_plus("clock_gettime");
241
return false;
264
(*current_server)->prev = new_server;
242
265
}
243
266
return true;
244
267
}
246
269
/*
247
270
* Initialize GPGME.
248
271
*/
249
static bool init_gpgme(const char *seckey, const char *pubkey,
250
const char *tempdir){
272
__attribute__((nonnull, warn_unused_result))
273
static bool init_gpgme(const char * const seckey,
274
const char * const pubkey,
275
const char * const tempdir,
276
mandos_context *mc){
251
277
gpgme_error_t rc;
252
278
gpgme_engine_info_t engine_info;
253
279
254
255
280
/*
256
281
* Helper function to insert pub and seckey to the engine keyring.
257
282
*/
258
bool import_key(const char *filename){
283
bool import_key(const char * const filename){
259
284
int ret;
260
285
int fd;
261
286
gpgme_data_t pgp_data;
273
298
return false;
274
299
}
275
300
276
rc = gpgme_op_import(mc.ctx, pgp_data);
301
rc = gpgme_op_import(mc->ctx, pgp_data);
277
302
if(rc != GPG_ERR_NO_ERROR){
278
303
fprintf_plus(stderr, "bad gpgme_op_import: %s: %s\n",
279
304
gpgme_strsource(rc), gpgme_strerror(rc));
323
348
}
324
349
325
350
/* Create new GPGME "context" */
326
rc = gpgme_new(&(mc.ctx));
351
rc = gpgme_new(&(mc->ctx));
327
352
if(rc != GPG_ERR_NO_ERROR){
328
353
fprintf_plus(stderr, "Mandos plugin mandos-client: "
329
354
"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),
342
367
* Decrypt OpenPGP data.
343
368
* Returns -1 on error
344
369
*/
370
__attribute__((nonnull, warn_unused_result))
345
371
static ssize_t pgp_packet_decrypt(const char *cryptotext,
346
372
size_t crypto_size,
347
char **plaintext){
373
char **plaintext,
374
mandos_context *mc){
348
375
gpgme_data_t dh_crypto, dh_plain;
349
376
gpgme_error_t rc;
350
377
ssize_t ret;
376
403
377
404
/* Decrypt data from the cryptotext data buffer to the plaintext
378
405
data buffer */
379
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
406
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
380
407
if(rc != GPG_ERR_NO_ERROR){
381
408
fprintf_plus(stderr, "bad gpgme_op_decrypt: %s: %s\n",
382
409
gpgme_strsource(rc), gpgme_strerror(rc));
383
410
plaintext_length = -1;
384
411
if(debug){
385
412
gpgme_decrypt_result_t result;
386
result = gpgme_op_decrypt_result(mc.ctx);
413
result = gpgme_op_decrypt_result(mc->ctx);
387
414
if(result == NULL){
388
415
fprintf_plus(stderr, "gpgme_op_decrypt_result failed\n");
389
416
} else {
466
493
return plaintext_length;
467
494
}
468
495
469
static const char * safer_gnutls_strerror(int value){
470
const char *ret = gnutls_strerror(value); /* Spurious warning from
471
-Wunreachable-code */
496
__attribute__((warn_unused_result))
497
static const char *safer_gnutls_strerror(int value){
498
const char *ret = gnutls_strerror(value);
472
499
if(ret == NULL)
473
500
ret = "(unknown)";
474
501
return ret;
475
502
}
476
503
477
504
/* GnuTLS log function callback */
505
__attribute__((nonnull))
478
506
static void debuggnutls(__attribute__((unused)) int level,
479
507
const char* string){
480
508
fprintf_plus(stderr, "GnuTLS: %s", string);
481
509
}
482
510
511
__attribute__((nonnull, warn_unused_result))
483
512
static int init_gnutls_global(const char *pubkeyfilename,
484
const char *seckeyfilename){
513
const char *seckeyfilename,
514
mandos_context *mc){
485
515
int ret;
486
516
487
517
if(debug){
504
534
}
505
535
506
536
/* OpenPGP credentials */
507
ret = gnutls_certificate_allocate_credentials(&mc.cred);
537
ret = gnutls_certificate_allocate_credentials(&mc->cred);
508
538
if(ret != GNUTLS_E_SUCCESS){
509
539
fprintf_plus(stderr, "GnuTLS memory error: %s\n",
510
540
safer_gnutls_strerror(ret));
520
550
}
521
551
522
552
ret = gnutls_certificate_set_openpgp_key_file
523
(mc.cred, pubkeyfilename, seckeyfilename,
553
(mc->cred, pubkeyfilename, seckeyfilename,
524
554
GNUTLS_OPENPGP_FMT_BASE64);
525
555
if(ret != GNUTLS_E_SUCCESS){
526
556
fprintf_plus(stderr,
532
562
}
533
563
534
564
/* GnuTLS server initialization */
535
ret = gnutls_dh_params_init(&mc.dh_params);
565
ret = gnutls_dh_params_init(&mc->dh_params);
536
566
if(ret != GNUTLS_E_SUCCESS){
537
567
fprintf_plus(stderr, "Error in GnuTLS DH parameter"
538
568
" initialization: %s\n",
539
569
safer_gnutls_strerror(ret));
540
570
goto globalfail;
541
571
}
542
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
572
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
543
573
if(ret != GNUTLS_E_SUCCESS){
544
574
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
545
575
safer_gnutls_strerror(ret));
546
576
goto globalfail;
547
577
}
548
578
549
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
579
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
550
580
551
581
return 0;
552
582
553
583
globalfail:
554
584
555
gnutls_certificate_free_credentials(mc.cred);
585
gnutls_certificate_free_credentials(mc->cred);
556
586
gnutls_global_deinit();
557
gnutls_dh_params_deinit(mc.dh_params);
587
gnutls_dh_params_deinit(mc->dh_params);
558
588
return -1;
559
589
}
560
590
561
static int init_gnutls_session(gnutls_session_t *session){
591
__attribute__((nonnull, warn_unused_result))
592
static int init_gnutls_session(gnutls_session_t *session,
593
mandos_context *mc){
562
594
int ret;
563
595
/* GnuTLS session creation */
564
596
do {
576
608
{
577
609
const char *err;
578
610
do {
579
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
611
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
580
612
if(quit_now){
581
613
gnutls_deinit(*session);
582
614
return -1;
593
625
594
626
do {
595
627
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
596
mc.cred);
628
mc->cred);
597
629
if(quit_now){
598
630
gnutls_deinit(*session);
599
631
return -1;
609
641
/* ignore client certificate if any. */
610
642
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
611
643
612
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
644
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
613
645
614
646
return 0;
615
647
}
619
651
__attribute__((unused)) const char *txt){}
620
652
621
653
/* Called when a Mandos server is found */
622
static int start_mandos_communication(const char *ip, uint16_t port,
654
__attribute__((nonnull, warn_unused_result))
655
static int start_mandos_communication(const char *ip, in_port_t port,
623
656
AvahiIfIndex if_index,
624
int af){
657
int af, mandos_context *mc){
625
658
int ret, tcp_sd = -1;
626
659
ssize_t sret;
627
union {
628
struct sockaddr_in in;
629
struct sockaddr_in6 in6;
630
} to;
660
struct sockaddr_storage to;
631
661
char *buffer = NULL;
632
662
char *decrypted_buffer = NULL;
633
663
size_t buffer_length = 0;
657
687
return -1;
658
688
}
659
689
660
ret = init_gnutls_session(&session);
690
/* If the interface is specified and we have a list of interfaces */
691
if(if_index != AVAHI_IF_UNSPEC and mc->interfaces != NULL){
692
/* Check if the interface is one of the interfaces we are using */
693
bool match = false;
694
{
695
char *interface = NULL;
696
while((interface=argz_next(mc->interfaces, mc->interfaces_size,
697
interface))){
698
if(if_nametoindex(interface) == (unsigned int)if_index){
699
match = true;
700
break;
701
}
702
}
703
}
704
if(not match){
705
/* This interface does not match any in the list, so we don't
706
connect to the server */
707
if(debug){
708
char interface[IF_NAMESIZE];
709
if(if_indextoname((unsigned int)if_index, interface) == NULL){
710
perror_plus("if_indextoname");
711
} else {
712
fprintf_plus(stderr, "Skipping server on non-used interface"
713
" \"%s\"\n",
714
if_indextoname((unsigned int)if_index,
715
interface));
716
}
717
}
718
return -1;
719
}
720
}
721
722
ret = init_gnutls_session(&session, mc);
661
723
if(ret != 0){
662
724
return -1;
663
725
}
664
726
665
727
if(debug){
666
728
fprintf_plus(stderr, "Setting up a TCP connection to %s, port %"
667
PRIu16 "\n", ip, port);
729
PRIuMAX "\n", ip, (uintmax_t)port);
668
730
}
669
731
670
732
tcp_sd = socket(pf, SOCK_STREAM, 0);
682
744
683
745
memset(&to, 0, sizeof(to));
684
746
if(af == AF_INET6){
685
to.in6.sin6_family = (sa_family_t)af;
686
ret = inet_pton(af, ip, &to.in6.sin6_addr);
747
((struct sockaddr_in6 *)&to)->sin6_family = (sa_family_t)af;
748
ret = inet_pton(af, ip, &((struct sockaddr_in6 *)&to)->sin6_addr);
687
749
} else { /* IPv4 */
688
to.in.sin_family = (sa_family_t)af;
689
ret = inet_pton(af, ip, &to.in.sin_addr);
750
((struct sockaddr_in *)&to)->sin_family = (sa_family_t)af;
751
ret = inet_pton(af, ip, &((struct sockaddr_in *)&to)->sin_addr);
690
752
}
691
753
if(ret < 0 ){
692
754
int e = errno;
701
763
goto mandos_end;
702
764
}
703
765
if(af == AF_INET6){
704
to.in6.sin6_port = htons(port); /* Spurious warnings from
705
-Wconversion and
706
-Wunreachable-code */
707
708
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
709
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
710
-Wunreachable-code*/
766
((struct sockaddr_in6 *)&to)->sin6_port = htons(port);
767
if(IN6_IS_ADDR_LINKLOCAL
768
(&((struct sockaddr_in6 *)&to)->sin6_addr)){
711
769
if(if_index == AVAHI_IF_UNSPEC){
712
770
fprintf_plus(stderr, "An IPv6 link-local address is"
713
771
" incomplete without a network interface\n");
715
773
goto mandos_end;
716
774
}
717
775
/* Set the network interface number as scope */
718
to.in6.sin6_scope_id = (uint32_t)if_index;
776
((struct sockaddr_in6 *)&to)->sin6_scope_id = (uint32_t)if_index;
719
777
}
720
778
} else {
721
to.in.sin_port = htons(port); /* Spurious warnings from
722
-Wconversion and
723
-Wunreachable-code */
779
((struct sockaddr_in *)&to)->sin_port = htons(port);
724
780
}
725
781
726
782
if(quit_now){
734
790
if(if_indextoname((unsigned int)if_index, interface) == NULL){
735
791
perror_plus("if_indextoname");
736
792
} else {
737
fprintf_plus(stderr, "Connection to: %s%%%s, port %" PRIu16
738
"\n", ip, interface, port);
793
fprintf_plus(stderr, "Connection to: %s%%%s, port %" PRIuMAX
794
"\n", ip, interface, (uintmax_t)port);
739
795
}
740
796
} else {
741
fprintf_plus(stderr, "Connection to: %s, port %" PRIu16 "\n",
742
ip, port);
797
fprintf_plus(stderr, "Connection to: %s, port %" PRIuMAX "\n",
798
ip, (uintmax_t)port);
743
799
}
744
800
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
745
801
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
746
const char *pcret;
747
802
if(af == AF_INET6){
748
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
749
sizeof(addrstr));
803
ret = getnameinfo((struct sockaddr *)&to,
804
sizeof(struct sockaddr_in6),
805
addrstr, sizeof(addrstr), NULL, 0,
806
NI_NUMERICHOST);
750
807
} else {
751
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
752
sizeof(addrstr));
808
ret = getnameinfo((struct sockaddr *)&to,
809
sizeof(struct sockaddr_in),
810
addrstr, sizeof(addrstr), NULL, 0,
811
NI_NUMERICHOST);
753
812
}
754
if(pcret == NULL){
755
perror_plus("inet_ntop");
756
} else {
757
if(strcmp(addrstr, ip) != 0){
758
fprintf_plus(stderr, "Canonical address form: %s\n", addrstr);
759
}
813
if(ret == EAI_SYSTEM){
814
perror_plus("getnameinfo");
815
} else if(ret != 0) {
816
fprintf_plus(stderr, "getnameinfo: %s", gai_strerror(ret));
817
} else if(strcmp(addrstr, ip) != 0){
818
fprintf_plus(stderr, "Canonical address form: %s\n", addrstr);
760
819
}
761
820
}
762
821
766
825
}
767
826
768
827
if(af == AF_INET6){
769
ret = connect(tcp_sd, &to.in6, sizeof(to));
828
ret = connect(tcp_sd, (struct sockaddr *)&to,
829
sizeof(struct sockaddr_in6));
770
830
} else {
771
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
831
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
832
sizeof(struct sockaddr_in));
772
833
}
773
834
if(ret < 0){
774
if ((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
835
if((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
775
836
int e = errno;
776
837
perror_plus("connect");
777
838
errno = e;
938
999
if(buffer_length > 0){
939
1000
ssize_t decrypted_buffer_size;
940
1001
decrypted_buffer_size = pgp_packet_decrypt(buffer, buffer_length,
941
&decrypted_buffer);
1002
&decrypted_buffer, mc);
942
1003
if(decrypted_buffer_size >= 0){
943
1004
944
1005
written = 0;
992
1053
return retval;
993
1054
}
994
1055
1056
__attribute__((nonnull))
995
1057
static void resolve_callback(AvahiSServiceResolver *r,
996
1058
AvahiIfIndex interface,
997
1059
AvahiProtocol proto,
1005
1067
AVAHI_GCC_UNUSED AvahiStringList *txt,
1006
1068
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1007
1069
flags,
1008
AVAHI_GCC_UNUSED void* userdata){
1009
assert(r);
1070
void *mc){
1071
if(r == NULL){
1072
return;
1073
}
1010
1074
1011
1075
/* Called whenever a service has been resolved successfully or
1012
1076
timed out */
1013
1077
1014
1078
if(quit_now){
1079
avahi_s_service_resolver_free(r);
1015
1080
return;
1016
1081
}
1017
1082
1021
1086
fprintf_plus(stderr, "(Avahi Resolver) Failed to resolve service "
1022
1087
"'%s' of type '%s' in domain '%s': %s\n", name, type,
1023
1088
domain,
1024
avahi_strerror(avahi_server_errno(mc.server)));
1089
avahi_strerror(avahi_server_errno
1090
(((mandos_context*)mc)->server)));
1025
1091
break;
1026
1092
1027
1093
case AVAHI_RESOLVER_FOUND:
1033
1099
PRIdMAX ") on port %" PRIu16 "\n", name,
1034
1100
host_name, ip, (intmax_t)interface, port);
1035
1101
}
1036
int ret = start_mandos_communication(ip, port, interface,
1037
avahi_proto_to_af(proto));
1102
int ret = start_mandos_communication(ip, (in_port_t)port,
1103
interface,
1104
avahi_proto_to_af(proto),
1105
mc);
1038
1106
if(ret == 0){
1039
avahi_simple_poll_quit(mc.simple_poll);
1107
avahi_simple_poll_quit(simple_poll);
1040
1108
} else {
1041
if(not add_server(ip, port, interface,
1042
avahi_proto_to_af(proto))){
1109
if(not add_server(ip, (in_port_t)port, interface,
1110
avahi_proto_to_af(proto),
1111
&((mandos_context*)mc)->current_server)){
1043
1112
fprintf_plus(stderr, "Failed to add server \"%s\" to server"
1044
1113
" list\n", name);
1045
1114
}
1058
1127
const char *domain,
1059
1128
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1060
1129
flags,
1061
AVAHI_GCC_UNUSED void* userdata){
1062
assert(b);
1130
void *mc){
1131
if(b == NULL){
1132
return;
1133
}
1063
1134
1064
1135
/* Called whenever a new services becomes available on the LAN or
1065
1136
is removed from the LAN */
1073
1144
case AVAHI_BROWSER_FAILURE:
1074
1145
1075
1146
fprintf_plus(stderr, "(Avahi browser) %s\n",
1076
avahi_strerror(avahi_server_errno(mc.server)));
1077
avahi_simple_poll_quit(mc.simple_poll);
1147
avahi_strerror(avahi_server_errno
1148
(((mandos_context*)mc)->server)));
1149
avahi_simple_poll_quit(simple_poll);
1078
1150
return;
1079
1151
1080
1152
case AVAHI_BROWSER_NEW:
1083
1155
the callback function is called the Avahi server will free the
1084
1156
resolver for us. */
1085
1157
1086
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
1087
name, type, domain, protocol, 0,
1088
resolve_callback, NULL) == NULL)
1158
if(avahi_s_service_resolver_new(((mandos_context*)mc)->server,
1159
interface, protocol, name, type,
1160
domain, protocol, 0,
1161
resolve_callback, mc) == NULL)
1089
1162
fprintf_plus(stderr, "Avahi: Failed to resolve service '%s':"
1090
1163
" %s\n", name,
1091
avahi_strerror(avahi_server_errno(mc.server)));
1164
avahi_strerror(avahi_server_errno
1165
(((mandos_context*)mc)->server)));
1092
1166
break;
1093
1167
1094
1168
case AVAHI_BROWSER_REMOVE:
1113
1187
signal_received = sig;
1114
1188
int old_errno = errno;
1115
1189
/* set main loop to exit */
1116
if(mc.simple_poll != NULL){
1117
avahi_simple_poll_quit(mc.simple_poll);
1190
if(simple_poll != NULL){
1191
avahi_simple_poll_quit(simple_poll);
1118
1192
}
1119
1193
errno = old_errno;
1120
1194
}
1121
1195
1196
__attribute__((nonnull, warn_unused_result))
1122
1197
bool get_flags(const char *ifname, struct ifreq *ifr){
1123
1198
int ret;
1199
error_t ret_errno;
1124
1200
1125
1201
int s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1126
1202
if(s < 0){
1203
ret_errno = errno;
1127
1204
perror_plus("socket");
1205
errno = ret_errno;
1128
1206
return false;
1129
1207
}
1130
1208
strcpy(ifr->ifr_name, ifname);
1131
1209
ret = ioctl(s, SIOCGIFFLAGS, ifr);
1132
1210
if(ret == -1){
1133
1211
if(debug){
1212
ret_errno = errno;
1134
1213
perror_plus("ioctl SIOCGIFFLAGS");
1214
errno = ret_errno;
1135
1215
}
1136
1216
return false;
1137
1217
}
1138
1218
return true;
1139
1219
}
1140
1220
1221
__attribute__((nonnull, warn_unused_result))
1141
1222
bool good_flags(const char *ifname, const struct ifreq *ifr){
1142
1223
1143
1224
/* Reject the loopback device */
1185
1266
* corresponds to an acceptable network device.
1186
1267
* (This function is passed to scandir(3) as a filter function.)
1187
1268
*/
1269
__attribute__((nonnull, warn_unused_result))
1188
1270
int good_interface(const struct dirent *if_entry){
1189
1271
if(if_entry->d_name[0] == '.'){
1190
1272
return 0;
1206
1288
}
1207
1289
1208
1290
/*
1209
* This function determines if a directory entry in /sys/class/net
1210
* corresponds to an acceptable network device which is up.
1211
* (This function is passed to scandir(3) as a filter function.)
1212
*/
1213
int up_interface(const struct dirent *if_entry){
1214
if(if_entry->d_name[0] == '.'){
1215
return 0;
1216
}
1217
1218
struct ifreq ifr;
1219
if(not get_flags(if_entry->d_name, &ifr)){
1220
if(debug){
1221
fprintf_plus(stderr, "Failed to get flags for interface "
1222
"\"%s\"\n", if_entry->d_name);
1223
}
1224
return 0;
1225
}
1226
1227
/* Reject down interfaces */
1228
if(not (ifr.ifr_flags & IFF_UP)){
1229
if(debug){
1230
fprintf_plus(stderr, "Rejecting down interface \"%s\"\n",
1231
if_entry->d_name);
1232
}
1233
return 0;
1234
}
1235
1236
/* Reject non-running interfaces */
1237
if(not (ifr.ifr_flags & IFF_RUNNING)){
1238
if(debug){
1239
fprintf_plus(stderr, "Rejecting non-running interface \"%s\"\n",
1240
if_entry->d_name);
1241
}
1242
return 0;
1243
}
1244
1245
if(not good_flags(if_entry->d_name, &ifr)){
1246
return 0;
1247
}
1248
return 1;
1249
}
1250
1291
* This function determines if a network interface is up.
1292
*/
1293
__attribute__((nonnull, warn_unused_result))
1294
bool interface_is_up(const char *interface){
1295
struct ifreq ifr;
1296
if(not get_flags(interface, &ifr)){
1297
if(debug){
1298
fprintf_plus(stderr, "Failed to get flags for interface "
1299
"\"%s\"\n", interface);
1300
}
1301
return false;
1302
}
1303
1304
return (bool)(ifr.ifr_flags & IFF_UP);
1305
}
1306
1307
/*
1308
* This function determines if a network interface is running
1309
*/
1310
__attribute__((nonnull, warn_unused_result))
1311
bool interface_is_running(const char *interface){
1312
struct ifreq ifr;
1313
if(not get_flags(interface, &ifr)){
1314
if(debug){
1315
fprintf_plus(stderr, "Failed to get flags for interface "
1316
"\"%s\"\n", interface);
1317
}
1318
return false;
1319
}
1320
1321
return (bool)(ifr.ifr_flags & IFF_RUNNING);
1322
}
1323
1324
__attribute__((nonnull, pure, warn_unused_result))
1251
1325
int notdotentries(const struct dirent *direntry){
1252
1326
/* Skip "." and ".." */
1253
1327
if(direntry->d_name[0] == '.'
1260
1334
}
1261
1335
1262
1336
/* Is this directory entry a runnable program? */
1337
__attribute__((nonnull, warn_unused_result))
1263
1338
int runnable_hook(const struct dirent *direntry){
1264
1339
int ret;
1265
1340
size_t sret;
1273
1348
sret = strspn(direntry->d_name, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
1274
1349
"abcdefghijklmnopqrstuvwxyz"
1275
1350
"0123456789"
1276
"_-");
1351
"_.-");
1277
1352
if((direntry->d_name)[sret] != '\0'){
1278
1353
/* Contains non-allowed characters */
1279
1354
if(debug){
1283
1358
return 0;
1284
1359
}
1285
1360
1286
char *fullname = NULL;
1287
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1288
if(ret < 0){
1289
perror_plus("asprintf");
1290
return 0;
1291
}
1292
1293
ret = stat(fullname, &st);
1361
ret = fstatat(hookdir_fd, direntry->d_name, &st, 0);
1294
1362
if(ret == -1){
1295
1363
if(debug){
1296
1364
perror_plus("Could not stat hook");
1320
1388
return 1;
1321
1389
}
1322
1390
1323
int avahi_loop_with_timeout(AvahiSimplePoll *s, int retry_interval){
1391
__attribute__((nonnull, warn_unused_result))
1392
int avahi_loop_with_timeout(AvahiSimplePoll *s, int retry_interval,
1393
mandos_context *mc){
1324
1394
int ret;
1325
1395
struct timespec now;
1326
1396
struct timespec waited_time;
1327
1397
intmax_t block_time;
1328
1398
1329
1399
while(true){
1330
if(mc.current_server == NULL){
1331
if (debug){
1400
if(mc->current_server == NULL){
1401
if(debug){
1332
1402
fprintf_plus(stderr, "Wait until first server is found."
1333
1403
" No timeout!\n");
1334
1404
}
1335
1405
ret = avahi_simple_poll_iterate(s, -1);
1336
1406
} else {
1337
if (debug){
1407
if(debug){
1338
1408
fprintf_plus(stderr, "Check current_server if we should run"
1339
1409
" it, or wait\n");
1340
1410
}
1347
1417
/* Calculating in ms how long time between now and server
1348
1418
who we visted longest time ago. Now - last seen. */
1349
1419
waited_time.tv_sec = (now.tv_sec
1350
- mc.current_server->last_seen.tv_sec);
1420
- mc->current_server->last_seen.tv_sec);
1351
1421
waited_time.tv_nsec = (now.tv_nsec
1352
- mc.current_server->last_seen.tv_nsec);
1422
- mc->current_server->last_seen.tv_nsec);
1353
1423
/* total time is 10s/10,000ms.
1354
1424
Converting to s from ms by dividing by 1,000,
1355
1425
and ns to ms by dividing by 1,000,000. */
1357
1427
- ((intmax_t)waited_time.tv_sec * 1000))
1358
1428
- ((intmax_t)waited_time.tv_nsec / 1000000));
1359
1429
1360
if (debug){
1430
if(debug){
1361
1431
fprintf_plus(stderr, "Blocking for %" PRIdMAX " ms\n",
1362
1432
block_time);
1363
1433
}
1364
1434
1365
1435
if(block_time <= 0){
1366
ret = start_mandos_communication(mc.current_server->ip,
1367
mc.current_server->port,
1368
mc.current_server->if_index,
1369
mc.current_server->af);
1436
ret = start_mandos_communication(mc->current_server->ip,
1437
mc->current_server->port,
1438
mc->current_server->if_index,
1439
mc->current_server->af, mc);
1370
1440
if(ret == 0){
1371
avahi_simple_poll_quit(mc.simple_poll);
1441
avahi_simple_poll_quit(s);
1372
1442
return 0;
1373
1443
}
1374
1444
ret = clock_gettime(CLOCK_MONOTONIC,
1375
&mc.current_server->last_seen);
1445
&mc->current_server->last_seen);
1376
1446
if(ret == -1){
1377
1447
perror_plus("clock_gettime");
1378
1448
return -1;
1379
1449
}
1380
mc.current_server = mc.current_server->next;
1450
mc->current_server = mc->current_server->next;
1381
1451
block_time = 0; /* Call avahi to find new Mandos
1382
1452
servers, but don't block */
1383
1453
}
1385
1455
ret = avahi_simple_poll_iterate(s, (int)block_time);
1386
1456
}
1387
1457
if(ret != 0){
1388
if (ret > 0 or errno != EINTR){
1458
if(ret > 0 or errno != EINTR){
1389
1459
return (ret != 1) ? ret : 0;
1390
1460
}
1391
1461
}
1393
1463
}
1394
1464
1395
1465
/* Set effective uid to 0, return errno */
1466
__attribute__((warn_unused_result))
1396
1467
error_t raise_privileges(void){
1397
1468
error_t old_errno = errno;
1398
1469
error_t ret_errno = 0;
1399
1470
if(seteuid(0) == -1){
1400
1471
ret_errno = errno;
1401
perror_plus("seteuid");
1402
1472
}
1403
1473
errno = old_errno;
1404
1474
return ret_errno;
1405
1475
}
1406
1476
1407
1477
/* Set effective and real user ID to 0. Return errno. */
1478
__attribute__((warn_unused_result))
1408
1479
error_t raise_privileges_permanently(void){
1409
1480
error_t old_errno = errno;
1410
1481
error_t ret_errno = raise_privileges();
1414
1485
}
1415
1486
if(setuid(0) == -1){
1416
1487
ret_errno = errno;
1417
perror_plus("seteuid");
1418
1488
}
1419
1489
errno = old_errno;
1420
1490
return ret_errno;
1421
1491
}
1422
1492
1423
1493
/* Set effective user ID to unprivileged saved user ID */
1494
__attribute__((warn_unused_result))
1424
1495
error_t lower_privileges(void){
1425
1496
error_t old_errno = errno;
1426
1497
error_t ret_errno = 0;
1427
1498
if(seteuid(uid) == -1){
1428
1499
ret_errno = errno;
1429
perror_plus("seteuid");
1430
}
1431
errno = old_errno;
1432
return ret_errno;
1433
}
1434
1435
bool run_network_hooks(const char *mode, const char *interface,
1500
}
1501
errno = old_errno;
1502
return ret_errno;
1503
}
1504
1505
/* Lower privileges permanently */
1506
__attribute__((warn_unused_result))
1507
error_t lower_privileges_permanently(void){
1508
error_t old_errno = errno;
1509
error_t ret_errno = 0;
1510
if(setuid(uid) == -1){
1511
ret_errno = errno;
1512
}
1513
errno = old_errno;
1514
return ret_errno;
1515
}
1516
1517
__attribute__((nonnull))
1518
void run_network_hooks(const char *mode, const char *interface,
1436
1519
const float delay){
1437
struct dirent **direntries;
1438
struct dirent *direntry;
1439
int ret;
1440
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1441
alphasort);
1520
struct dirent **direntries = NULL;
1521
if(hookdir_fd == -1){
1522
hookdir_fd = open(hookdir, O_RDONLY);
1523
if(hookdir_fd == -1){
1524
if(errno == ENOENT){
1525
if(debug){
1526
fprintf_plus(stderr, "Network hook directory \"%s\" not"
1527
" found\n", hookdir);
1528
}
1529
} else {
1530
perror_plus("open");
1531
}
1532
return;
1533
}
1534
}
1535
#ifdef __GLIBC__
1536
#if __GLIBC_PREREQ(2, 15)
1537
int numhooks = scandirat(hookdir_fd, ".", &direntries,
1538
runnable_hook, alphasort);
1539
#else /* not __GLIBC_PREREQ(2, 15) */
1540
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1541
alphasort);
1542
#endif /* not __GLIBC_PREREQ(2, 15) */
1543
#else /* not __GLIBC__ */
1544
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1545
alphasort);
1546
#endif /* not __GLIBC__ */
1442
1547
if(numhooks == -1){
1443
1548
perror_plus("scandir");
1444
} else {
1445
int devnull = open("/dev/null", O_RDONLY);
1446
for(int i = 0; i < numhooks; i++){
1447
direntry = direntries[i];
1448
char *fullname = NULL;
1449
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1450
if(ret < 0){
1549
return;
1550
}
1551
struct dirent *direntry;
1552
int ret;
1553
int devnull = open("/dev/null", O_RDONLY);
1554
for(int i = 0; i < numhooks; i++){
1555
direntry = direntries[i];
1556
if(debug){
1557
fprintf_plus(stderr, "Running network hook \"%s\"\n",
1558
direntry->d_name);
1559
}
1560
pid_t hook_pid = fork();
1561
if(hook_pid == 0){
1562
/* Child */
1563
/* Raise privileges */
1564
errno = raise_privileges_permanently();
1565
if(errno != 0){
1566
perror_plus("Failed to raise privileges");
1567
_exit(EX_NOPERM);
1568
}
1569
/* Set group */
1570
errno = 0;
1571
ret = setgid(0);
1572
if(ret == -1){
1573
perror_plus("setgid");
1574
_exit(EX_NOPERM);
1575
}
1576
/* Reset supplementary groups */
1577
errno = 0;
1578
ret = setgroups(0, NULL);
1579
if(ret == -1){
1580
perror_plus("setgroups");
1581
_exit(EX_NOPERM);
1582
}
1583
ret = dup2(devnull, STDIN_FILENO);
1584
if(ret == -1){
1585
perror_plus("dup2(devnull, STDIN_FILENO)");
1586
_exit(EX_OSERR);
1587
}
1588
ret = close(devnull);
1589
if(ret == -1){
1590
perror_plus("close");
1591
_exit(EX_OSERR);
1592
}
1593
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
1594
if(ret == -1){
1595
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
1596
_exit(EX_OSERR);
1597
}
1598
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1599
if(ret == -1){
1600
perror_plus("setenv");
1601
_exit(EX_OSERR);
1602
}
1603
ret = setenv("DEVICE", interface, 1);
1604
if(ret == -1){
1605
perror_plus("setenv");
1606
_exit(EX_OSERR);
1607
}
1608
ret = setenv("VERBOSITY", debug ? "1" : "0", 1);
1609
if(ret == -1){
1610
perror_plus("setenv");
1611
_exit(EX_OSERR);
1612
}
1613
ret = setenv("MODE", mode, 1);
1614
if(ret == -1){
1615
perror_plus("setenv");
1616
_exit(EX_OSERR);
1617
}
1618
char *delaystring;
1619
ret = asprintf(&delaystring, "%f", (double)delay);
1620
if(ret == -1){
1451
1621
perror_plus("asprintf");
1452
continue;
1453
}
1454
if(debug){
1455
fprintf_plus(stderr, "Running network hook \"%s\"\n",
1456
direntry->d_name);
1457
}
1458
pid_t hook_pid = fork();
1459
if(hook_pid == 0){
1460
/* Child */
1461
/* Raise privileges */
1462
raise_privileges_permanently();
1463
/* Set group */
1464
errno = 0;
1465
ret = setgid(0);
1466
if(ret == -1){
1467
perror_plus("setgid");
1468
}
1469
/* Reset supplementary groups */
1470
errno = 0;
1471
ret = setgroups(0, NULL);
1472
if(ret == -1){
1473
perror_plus("setgroups");
1474
}
1475
dup2(devnull, STDIN_FILENO);
1476
close(devnull);
1477
dup2(STDERR_FILENO, STDOUT_FILENO);
1478
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1479
if(ret == -1){
1480
perror_plus("setenv");
1481
_exit(EX_OSERR);
1482
}
1483
ret = setenv("DEVICE", interface, 1);
1484
if(ret == -1){
1485
perror_plus("setenv");
1486
_exit(EX_OSERR);
1487
}
1488
ret = setenv("VERBOSITY", debug ? "1" : "0", 1);
1489
if(ret == -1){
1490
perror_plus("setenv");
1491
_exit(EX_OSERR);
1492
}
1493
ret = setenv("MODE", mode, 1);
1494
if(ret == -1){
1495
perror_plus("setenv");
1496
_exit(EX_OSERR);
1497
}
1498
char *delaystring;
1499
ret = asprintf(&delaystring, "%f", delay);
1500
if(ret == -1){
1501
perror_plus("asprintf");
1502
_exit(EX_OSERR);
1503
}
1504
ret = setenv("DELAY", delaystring, 1);
1505
if(ret == -1){
1506
free(delaystring);
1507
perror_plus("setenv");
1508
_exit(EX_OSERR);
1509
}
1622
_exit(EX_OSERR);
1623
}
1624
ret = setenv("DELAY", delaystring, 1);
1625
if(ret == -1){
1510
1626
free(delaystring);
1511
if(connect_to != NULL){
1512
ret = setenv("CONNECT", connect_to, 1);
1513
if(ret == -1){
1514
perror_plus("setenv");
1515
_exit(EX_OSERR);
1516
}
1517
}
1518
if(execl(fullname, direntry->d_name, mode, NULL) == -1){
1519
perror_plus("execl");
1520
_exit(EXIT_FAILURE);
1521
}
1627
perror_plus("setenv");
1628
_exit(EX_OSERR);
1629
}
1630
free(delaystring);
1631
if(connect_to != NULL){
1632
ret = setenv("CONNECT", connect_to, 1);
1633
if(ret == -1){
1634
perror_plus("setenv");
1635
_exit(EX_OSERR);
1636
}
1637
}
1638
int hook_fd = openat(hookdir_fd, direntry->d_name, O_RDONLY);
1639
if(hook_fd == -1){
1640
perror_plus("openat");
1641
_exit(EXIT_FAILURE);
1642
}
1643
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
1644
perror_plus("close");
1645
_exit(EXIT_FAILURE);
1646
}
1647
if(fexecve(hook_fd, (char *const []){ direntry->d_name, NULL },
1648
environ) == -1){
1649
perror_plus("fexecve");
1650
_exit(EXIT_FAILURE);
1651
}
1652
} else {
1653
if(hook_pid == -1){
1654
perror_plus("fork");
1655
free(direntry);
1656
continue;
1657
}
1658
int status;
1659
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1660
perror_plus("waitpid");
1661
free(direntry);
1662
continue;
1663
}
1664
if(WIFEXITED(status)){
1665
if(WEXITSTATUS(status) != 0){
1666
fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
1667
" with status %d\n", direntry->d_name,
1668
WEXITSTATUS(status));
1669
free(direntry);
1670
continue;
1671
}
1672
} else if(WIFSIGNALED(status)){
1673
fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
1674
" signal %d\n", direntry->d_name,
1675
WTERMSIG(status));
1676
free(direntry);
1677
continue;
1522
1678
} else {
1523
int status;
1524
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1525
perror_plus("waitpid");
1526
free(fullname);
1527
continue;
1528
}
1529
if(WIFEXITED(status)){
1530
if(WEXITSTATUS(status) != 0){
1531
fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
1532
" with status %d\n", direntry->d_name,
1533
WEXITSTATUS(status));
1534
free(fullname);
1535
continue;
1536
}
1537
} else if(WIFSIGNALED(status)){
1538
fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
1539
" signal %d\n", direntry->d_name,
1540
WTERMSIG(status));
1541
free(fullname);
1542
continue;
1543
} else {
1544
fprintf_plus(stderr, "Warning: network hook \"%s\""
1545
" crashed\n", direntry->d_name);
1546
free(fullname);
1547
continue;
1548
}
1549
}
1550
free(fullname);
1551
if(debug){
1552
fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
1553
direntry->d_name);
1554
}
1555
}
1556
close(devnull);
1557
}
1558
return true;
1679
fprintf_plus(stderr, "Warning: network hook \"%s\""
1680
" crashed\n", direntry->d_name);
1681
free(direntry);
1682
continue;
1683
}
1684
}
1685
if(debug){
1686
fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
1687
direntry->d_name);
1688
}
1689
free(direntry);
1690
}
1691
free(direntries);
1692
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
1693
perror_plus("close");
1694
} else {
1695
hookdir_fd = -1;
1696
}
1697
close(devnull);
1559
1698
}
1560
1699
1561
int bring_up_interface(const char *const interface,
1562
const float delay){
1563
int sd = -1;
1564
int old_errno = errno;
1565
int ret_errno = 0;
1700
__attribute__((nonnull, warn_unused_result))
1701
error_t bring_up_interface(const char *const interface,
1702
const float delay){
1703
error_t old_errno = errno;
1566
1704
int ret;
1567
1705
struct ifreq network;
1568
AvahiIfIndex if_index = (AvahiIfIndex)if_nametoindex(interface);
1706
unsigned int if_index = if_nametoindex(interface);
1569
1707
if(if_index == 0){
1570
1708
fprintf_plus(stderr, "No such interface: \"%s\"\n", interface);
1571
1709
errno = old_errno;
1577
1715
return EINTR;
1578
1716
}
1579
1717
1580
/* Re-raise priviliges */
1581
raise_privileges();
1582
1583
#ifdef __linux__
1584
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1585
messages about the network interface to mess up the prompt */
1586
ret = klogctl(8, NULL, 5);
1587
bool restore_loglevel = true;
1588
if(ret == -1){
1589
restore_loglevel = false;
1590
perror_plus("klogctl");
1591
}
1592
#endif /* __linux__ */
1593
1594
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1595
if(sd < 0){
1596
ret_errno = errno;
1597
perror_plus("socket");
1598
#ifdef __linux__
1599
if(restore_loglevel){
1600
ret = klogctl(7, NULL, 0);
1601
if(ret == -1){
1602
perror_plus("klogctl");
1603
}
1604
}
1605
#endif /* __linux__ */
1606
/* Lower privileges */
1607
lower_privileges();
1608
errno = old_errno;
1609
return ret_errno;
1610
}
1611
strcpy(network.ifr_name, interface);
1612
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1613
if(ret == -1){
1614
ret_errno = errno;
1615
perror_plus("ioctl SIOCGIFFLAGS");
1616
#ifdef __linux__
1617
if(restore_loglevel){
1618
ret = klogctl(7, NULL, 0);
1619
if(ret == -1){
1620
perror_plus("klogctl");
1621
}
1622
}
1623
#endif /* __linux__ */
1624
/* Lower privileges */
1625
lower_privileges();
1626
errno = old_errno;
1627
return ret_errno;
1628
}
1629
if((network.ifr_flags & IFF_UP) == 0){
1630
network.ifr_flags |= IFF_UP;
1631
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1718
if(not interface_is_up(interface)){
1719
error_t ret_errno = 0, ioctl_errno = 0;
1720
if(not get_flags(interface, &network)){
1721
ret_errno = errno;
1722
fprintf_plus(stderr, "Failed to get flags for interface "
1723
"\"%s\"\n", interface);
1724
errno = old_errno;
1725
return ret_errno;
1726
}
1727
network.ifr_flags |= IFF_UP; /* set flag */
1728
1729
int sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1730
if(sd == -1){
1731
ret_errno = errno;
1732
perror_plus("socket");
1733
errno = old_errno;
1734
return ret_errno;
1735
}
1736
1737
if(quit_now){
1738
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1739
if(ret == -1){
1740
perror_plus("close");
1741
}
1742
errno = old_errno;
1743
return EINTR;
1744
}
1745
1746
if(debug){
1747
fprintf_plus(stderr, "Bringing up interface \"%s\"\n",
1748
interface);
1749
}
1750
1751
/* Raise privileges */
1752
ret_errno = raise_privileges();
1753
if(ret_errno != 0){
1754
errno = ret_errno;
1755
perror_plus("Failed to raise privileges");
1756
}
1757
1758
#ifdef __linux__
1759
int ret_linux;
1760
bool restore_loglevel = false;
1761
if(ret_errno == 0){
1762
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1763
messages about the network interface to mess up the prompt */
1764
ret_linux = klogctl(8, NULL, 5);
1765
if(ret_linux == -1){
1766
perror_plus("klogctl");
1767
} else {
1768
restore_loglevel = true;
1769
}
1770
}
1771
#endif /* __linux__ */
1772
int ret_setflags = ioctl(sd, SIOCSIFFLAGS, &network);
1773
ioctl_errno = errno;
1774
#ifdef __linux__
1775
if(restore_loglevel){
1776
ret_linux = klogctl(7, NULL, 0);
1777
if(ret_linux == -1){
1778
perror_plus("klogctl");
1779
}
1780
}
1781
#endif /* __linux__ */
1782
1783
/* If raise_privileges() succeeded above */
1784
if(ret_errno == 0){
1785
/* Lower privileges */
1786
ret_errno = lower_privileges();
1787
if(ret_errno != 0){
1788
errno = ret_errno;
1789
perror_plus("Failed to lower privileges");
1790
}
1791
}
1792
1793
/* Close the socket */
1794
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1632
1795
if(ret == -1){
1633
ret_errno = errno;
1796
perror_plus("close");
1797
}
1798
1799
if(ret_setflags == -1){
1800
errno = ioctl_errno;
1634
1801
perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");
1635
#ifdef __linux__
1636
if(restore_loglevel){
1637
ret = klogctl(7, NULL, 0);
1638
if(ret == -1){
1639
perror_plus("klogctl");
1640
}
1641
}
1642
#endif /* __linux__ */
1643
/* Lower privileges */
1644
lower_privileges();
1645
1802
errno = old_errno;
1646
return ret_errno;
1803
return ioctl_errno;
1647
1804
}
1805
} else if(debug){
1806
fprintf_plus(stderr, "Interface \"%s\" is already up; good\n",
1807
interface);
1648
1808
}
1809
1649
1810
/* Sleep checking until interface is running.
1650
1811
Check every 0.25s, up to total time of delay */
1651
1812
for(int i=0; i < delay * 4; i++){
1652
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1653
if(ret == -1){
1654
perror_plus("ioctl SIOCGIFFLAGS");
1655
} else if(network.ifr_flags & IFF_RUNNING){
1813
if(interface_is_running(interface)){
1656
1814
break;
1657
1815
}
1658
1816
struct timespec sleeptime = { .tv_nsec = 250000000 };
1661
1819
perror_plus("nanosleep");
1662
1820
}
1663
1821
}
1664
/* Close the socket */
1665
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1666
if(ret == -1){
1667
perror_plus("close");
1822
1823
errno = old_errno;
1824
return 0;
1825
}
1826
1827
__attribute__((nonnull, warn_unused_result))
1828
error_t take_down_interface(const char *const interface){
1829
error_t old_errno = errno;
1830
struct ifreq network;
1831
unsigned int if_index = if_nametoindex(interface);
1832
if(if_index == 0){
1833
fprintf_plus(stderr, "No such interface: \"%s\"\n", interface);
1834
errno = old_errno;
1835
return ENXIO;
1668
1836
}
1669
#ifdef __linux__
1670
if(restore_loglevel){
1671
/* Restores kernel loglevel to default */
1672
ret = klogctl(7, NULL, 0);
1837
if(interface_is_up(interface)){
1838
error_t ret_errno = 0, ioctl_errno = 0;
1839
if(not get_flags(interface, &network) and debug){
1840
ret_errno = errno;
1841
fprintf_plus(stderr, "Failed to get flags for interface "
1842
"\"%s\"\n", interface);
1843
errno = old_errno;
1844
return ret_errno;
1845
}
1846
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
1847
1848
int sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1849
if(sd == -1){
1850
ret_errno = errno;
1851
perror_plus("socket");
1852
errno = old_errno;
1853
return ret_errno;
1854
}
1855
1856
if(debug){
1857
fprintf_plus(stderr, "Taking down interface \"%s\"\n",
1858
interface);
1859
}
1860
1861
/* Raise privileges */
1862
ret_errno = raise_privileges();
1863
if(ret_errno != 0){
1864
errno = ret_errno;
1865
perror_plus("Failed to raise privileges");
1866
}
1867
1868
int ret_setflags = ioctl(sd, SIOCSIFFLAGS, &network);
1869
ioctl_errno = errno;
1870
1871
/* If raise_privileges() succeeded above */
1872
if(ret_errno == 0){
1873
/* Lower privileges */
1874
ret_errno = lower_privileges();
1875
if(ret_errno != 0){
1876
errno = ret_errno;
1877
perror_plus("Failed to lower privileges");
1878
}
1879
}
1880
1881
/* Close the socket */
1882
int ret = (int)TEMP_FAILURE_RETRY(close(sd));
1673
1883
if(ret == -1){
1674
perror_plus("klogctl");
1675
}
1884
perror_plus("close");
1885
}
1886
1887
if(ret_setflags == -1){
1888
errno = ioctl_errno;
1889
perror_plus("ioctl SIOCSIFFLAGS -IFF_UP");
1890
errno = old_errno;
1891
return ioctl_errno;
1892
}
1893
} else if(debug){
1894
fprintf_plus(stderr, "Interface \"%s\" is already down; odd\n",
1895
interface);
1676
1896
}
1677
#endif /* __linux__ */
1678
/* Lower privileges */
1679
lower_privileges();
1897
1680
1898
errno = old_errno;
1681
1899
return 0;
1682
1900
}
1683
1901
1684
1902
int main(int argc, char *argv[]){
1903
mandos_context mc = { .server = NULL, .dh_bits = 1024,
1904
.priority = "SECURE256:!CTYPE-X.509:"
1905
"+CTYPE-OPENPGP", .current_server = NULL,
1906
.interfaces = NULL, .interfaces_size = 0 };
1685
1907
AvahiSServiceBrowser *sb = NULL;
1686
int error;
1908
error_t ret_errno;
1687
1909
int ret;
1688
1910
intmax_t tmpmax;
1689
1911
char *tmp;
1690
1912
int exitcode = EXIT_SUCCESS;
1691
const char *interface = "";
1692
struct ifreq network;
1693
int sd = -1;
1694
bool take_down_interface = false;
1695
char tempdir[] = "/tmp/mandosXXXXXX";
1696
bool tempdir_created = false;
1913
char *interfaces_to_take_down = NULL;
1914
size_t interfaces_to_take_down_size = 0;
1915
char run_tempdir[] = "/run/tmp/mandosXXXXXX";
1916
char old_tempdir[] = "/tmp/mandosXXXXXX";
1917
char *tempdir = NULL;
1697
1918
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1698
1919
const char *seckey = PATHDIR "/" SECKEY;
1699
1920
const char *pubkey = PATHDIR "/" PUBKEY;
1921
char *interfaces_hooks = NULL;
1700
1922
1701
1923
bool gnutls_initialized = false;
1702
1924
bool gpgme_initialized = false;
1793
2015
connect_to = arg;
1794
2016
break;
1795
2017
case 'i': /* --interface */
1796
interface = arg;
2018
ret_errno = argz_add_sep(&mc.interfaces, &mc.interfaces_size,
2019
arg, (int)',');
2020
if(ret_errno != 0){
2021
argp_error(state, "%s", strerror(ret_errno));
2022
}
1797
2023
break;
1798
2024
case 's': /* --seckey */
1799
2025
seckey = arg;
1876
2102
/* Work around Debian bug #633582:
1877
2103
<http://bugs.debian.org/633582> */
1878
2104
1879
/* Re-raise priviliges */
1880
if(raise_privileges() == 0){
2105
/* Re-raise privileges */
2106
ret_errno = raise_privileges();
2107
if(ret_errno != 0){
2108
errno = ret_errno;
2109
perror_plus("Failed to raise privileges");
2110
} else {
1881
2111
struct stat st;
1882
2112
1883
2113
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
1923
2153
}
1924
2154
1925
2155
/* Lower privileges */
1926
errno = 0;
1927
ret = seteuid(uid);
1928
if(ret == -1){
1929
perror_plus("seteuid");
2156
ret_errno = lower_privileges();
2157
if(ret_errno != 0){
2158
errno = ret_errno;
2159
perror_plus("Failed to lower privileges");
2160
}
2161
}
2162
}
2163
2164
/* Remove invalid interface names (except "none") */
2165
{
2166
char *interface = NULL;
2167
while((interface = argz_next(mc.interfaces, mc.interfaces_size,
2168
interface))){
2169
if(strcmp(interface, "none") != 0
2170
and if_nametoindex(interface) == 0){
2171
if(interface[0] != '\0'){
2172
fprintf_plus(stderr, "Not using nonexisting interface"
2173
" \"%s\"\n", interface);
2174
}
2175
argz_delete(&mc.interfaces, &mc.interfaces_size, interface);
2176
interface = NULL;
1930
2177
}
1931
2178
}
1932
2179
}
1933
2180
1934
2181
/* Run network hooks */
1935
if(not run_network_hooks("start", interface, delay)){
1936
goto end;
2182
{
2183
if(mc.interfaces != NULL){
2184
interfaces_hooks = malloc(mc.interfaces_size);
2185
if(interfaces_hooks == NULL){
2186
perror_plus("malloc");
2187
goto end;
2188
}
2189
memcpy(interfaces_hooks, mc.interfaces, mc.interfaces_size);
2190
argz_stringify(interfaces_hooks, mc.interfaces_size, (int)',');
2191
}
2192
run_network_hooks("start", interfaces_hooks != NULL ?
2193
interfaces_hooks : "", delay);
1937
2194
}
1938
2195
1939
2196
if(not debug){
1940
2197
avahi_set_log_function(empty_log);
1941
2198
}
1942
2199
1943
if(interface[0] == '\0'){
1944
struct dirent **direntries;
1945
/* First look for interfaces that are up */
1946
ret = scandir(sys_class_net, &direntries, up_interface,
1947
alphasort);
1948
if(ret == 0){
1949
/* No up interfaces, look for any good interfaces */
1950
free(direntries);
1951
ret = scandir(sys_class_net, &direntries, good_interface,
1952
alphasort);
1953
}
1954
if(ret >= 1){
1955
/* Pick the first interface returned */
1956
interface = strdup(direntries[0]->d_name);
1957
if(debug){
1958
fprintf_plus(stderr, "Using interface \"%s\"\n", interface);
1959
}
1960
if(interface == NULL){
1961
perror_plus("malloc");
1962
free(direntries);
1963
exitcode = EXIT_FAILURE;
1964
goto end;
1965
}
1966
free(direntries);
1967
} else {
1968
free(direntries);
1969
fprintf_plus(stderr, "Could not find a network interface\n");
1970
exitcode = EXIT_FAILURE;
1971
goto end;
1972
}
1973
}
1974
1975
2200
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1976
2201
from the signal handler */
1977
2202
/* Initialize the pseudo-RNG for Avahi */
1978
2203
srand((unsigned int) time(NULL));
1979
mc.simple_poll = avahi_simple_poll_new();
1980
if(mc.simple_poll == NULL){
2204
simple_poll = avahi_simple_poll_new();
2205
if(simple_poll == NULL){
1981
2206
fprintf_plus(stderr,
1982
2207
"Avahi: Failed to create simple poll object.\n");
1983
2208
exitcode = EX_UNAVAILABLE;
2047
2272
}
2048
2273
}
2049
2274
2050
/* If the interface is down, bring it up */
2051
if((interface[0] != '\0') and (strcmp(interface, "none") != 0)){
2052
ret = bring_up_interface(interface, delay);
2053
if(ret != 0){
2054
errno = ret;
2055
perror_plus("Failed to bring up interface");
2056
}
2275
/* If no interfaces were specified, make a list */
2276
if(mc.interfaces == NULL){
2277
struct dirent **direntries = NULL;
2278
/* Look for any good interfaces */
2279
ret = scandir(sys_class_net, &direntries, good_interface,
2280
alphasort);
2281
if(ret >= 1){
2282
/* Add all found interfaces to interfaces list */
2283
for(int i = 0; i < ret; ++i){
2284
ret_errno = argz_add(&mc.interfaces, &mc.interfaces_size,
2285
direntries[i]->d_name);
2286
if(ret_errno != 0){
2287
errno = ret_errno;
2288
perror_plus("argz_add");
2289
free(direntries[i]);
2290
continue;
2291
}
2292
if(debug){
2293
fprintf_plus(stderr, "Will use interface \"%s\"\n",
2294
direntries[i]->d_name);
2295
}
2296
free(direntries[i]);
2297
}
2298
free(direntries);
2299
} else {
2300
if(ret == 0){
2301
free(direntries);
2302
}
2303
fprintf_plus(stderr, "Could not find a network interface\n");
2304
exitcode = EXIT_FAILURE;
2305
goto end;
2306
}
2307
}
2308
2309
/* Bring up interfaces which are down, and remove any "none"s */
2310
{
2311
char *interface = NULL;
2312
while((interface = argz_next(mc.interfaces, mc.interfaces_size,
2313
interface))){
2314
/* If interface name is "none", stop bringing up interfaces.
2315
Also remove all instances of "none" from the list */
2316
if(strcmp(interface, "none") == 0){
2317
argz_delete(&mc.interfaces, &mc.interfaces_size,
2318
interface);
2319
interface = NULL;
2320
while((interface = argz_next(mc.interfaces,
2321
mc.interfaces_size, interface))){
2322
if(strcmp(interface, "none") == 0){
2323
argz_delete(&mc.interfaces, &mc.interfaces_size,
2324
interface);
2325
interface = NULL;
2326
}
2327
}
2328
break;
2329
}
2330
bool interface_was_up = interface_is_up(interface);
2331
errno = bring_up_interface(interface, delay);
2332
if(not interface_was_up){
2333
if(errno != 0){
2334
perror_plus("Failed to bring up interface");
2335
} else {
2336
errno = argz_add(&interfaces_to_take_down,
2337
&interfaces_to_take_down_size,
2338
interface);
2339
if(errno != 0){
2340
perror_plus("argz_add");
2341
}
2342
}
2343
}
2344
}
2345
if(debug and (interfaces_to_take_down == NULL)){
2346
fprintf_plus(stderr, "No interfaces were brought up\n");
2347
}
2348
}
2349
2350
/* If we only got one interface, explicitly use only that one */
2351
if(argz_count(mc.interfaces, mc.interfaces_size) == 1){
2352
if(debug){
2353
fprintf_plus(stderr, "Using only interface \"%s\"\n",
2354
mc.interfaces);
2355
}
2356
if_index = (AvahiIfIndex)if_nametoindex(mc.interfaces);
2057
2357
}
2058
2358
2059
2359
if(quit_now){
2060
2360
goto end;
2061
2361
}
2062
2362
2063
ret = init_gnutls_global(pubkey, seckey);
2363
ret = init_gnutls_global(pubkey, seckey, &mc);
2064
2364
if(ret == -1){
2065
2365
fprintf_plus(stderr, "init_gnutls_global failed\n");
2066
2366
exitcode = EX_UNAVAILABLE;
2073
2373
goto end;
2074
2374
}
2075
2375
2076
if(mkdtemp(tempdir) == NULL){
2376
/* Try /run/tmp before /tmp */
2377
tempdir = mkdtemp(run_tempdir);
2378
if(tempdir == NULL and errno == ENOENT){
2379
if(debug){
2380
fprintf_plus(stderr, "Tempdir %s did not work, trying %s\n",
2381
run_tempdir, old_tempdir);
2382
}
2383
tempdir = mkdtemp(old_tempdir);
2384
}
2385
if(tempdir == NULL){
2077
2386
perror_plus("mkdtemp");
2078
2387
goto end;
2079
2388
}
2080
tempdir_created = true;
2081
2389
2082
2390
if(quit_now){
2083
2391
goto end;
2084
2392
}
2085
2393
2086
if(not init_gpgme(pubkey, seckey, tempdir)){
2394
if(not init_gpgme(pubkey, seckey, tempdir, &mc)){
2087
2395
fprintf_plus(stderr, "init_gpgme failed\n");
2088
2396
exitcode = EX_UNAVAILABLE;
2089
2397
goto end;
2110
2418
goto end;
2111
2419
}
2112
2420
2113
uint16_t port;
2421
in_port_t port;
2114
2422
errno = 0;
2115
2423
tmpmax = strtoimax(address+1, &tmp, 10);
2116
2424
if(errno != 0 or tmp == address+1 or *tmp != '\0'
2117
or tmpmax != (uint16_t)tmpmax){
2425
or tmpmax != (in_port_t)tmpmax){
2118
2426
fprintf_plus(stderr, "Bad port number\n");
2119
2427
exitcode = EX_USAGE;
2120
2428
goto end;
2121
2429
}
2122
2430
2123
2431
if(quit_now){
2124
2432
goto end;
2125
2433
}
2126
2434
2127
port = (uint16_t)tmpmax;
2435
port = (in_port_t)tmpmax;
2128
2436
*address = '\0';
2129
2437
/* Colon in address indicates IPv6 */
2130
2438
int af;
2146
2454
}
2147
2455
2148
2456
while(not quit_now){
2149
ret = start_mandos_communication(address, port, if_index, af);
2457
ret = start_mandos_communication(address, port, if_index, af,
2458
&mc);
2150
2459
if(quit_now or ret == 0){
2151
2460
break;
2152
2461
}
2154
2463
fprintf_plus(stderr, "Retrying in %d seconds\n",
2155
2464
(int)retry_interval);
2156
2465
}
2157
sleep((int)retry_interval);
2466
sleep((unsigned int)retry_interval);
2158
2467
}
2159
2468
2160
if (not quit_now){
2469
if(not quit_now){
2161
2470
exitcode = EXIT_SUCCESS;
2162
2471
}
2163
2472
2178
2487
config.publish_domain = 0;
2179
2488
2180
2489
/* Allocate a new server */
2181
mc.server = avahi_server_new(avahi_simple_poll_get
2182
(mc.simple_poll), &config, NULL,
2183
NULL, &error);
2490
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
2491
&config, NULL, NULL, &ret_errno);
2184
2492
2185
2493
/* Free the Avahi configuration data */
2186
2494
avahi_server_config_free(&config);
2189
2497
/* Check if creating the Avahi server object succeeded */
2190
2498
if(mc.server == NULL){
2191
2499
fprintf_plus(stderr, "Failed to create Avahi server: %s\n",
2192
avahi_strerror(error));
2500
avahi_strerror(ret_errno));
2193
2501
exitcode = EX_UNAVAILABLE;
2194
2502
goto end;
2195
2503
}
2201
2509
/* Create the Avahi service browser */
2202
2510
sb = avahi_s_service_browser_new(mc.server, if_index,
2203
2511
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
2204
NULL, 0, browse_callback, NULL);
2512
NULL, 0, browse_callback,
2513
(void *)&mc);
2205
2514
if(sb == NULL){
2206
2515
fprintf_plus(stderr, "Failed to create service browser: %s\n",
2207
2516
avahi_strerror(avahi_server_errno(mc.server)));
2218
2527
if(debug){
2219
2528
fprintf_plus(stderr, "Starting Avahi loop search\n");
2220
2529
}
2221
2222
ret = avahi_loop_with_timeout(mc.simple_poll,
2223
(int)(retry_interval * 1000));
2530
2531
ret = avahi_loop_with_timeout(simple_poll,
2532
(int)(retry_interval * 1000), &mc);
2224
2533
if(debug){
2225
2534
fprintf_plus(stderr, "avahi_loop_with_timeout exited %s\n",
2226
2535
(ret == 0) ? "successfully" : "with error");
2233
2542
}
2234
2543
2235
2544
/* Cleanup things */
2545
free(mc.interfaces);
2546
2236
2547
if(sb != NULL)
2237
2548
avahi_s_service_browser_free(sb);
2238
2549
2239
2550
if(mc.server != NULL)
2240
2551
avahi_server_free(mc.server);
2241
2552
2242
if(mc.simple_poll != NULL)
2243
avahi_simple_poll_free(mc.simple_poll);
2553
if(simple_poll != NULL)
2554
avahi_simple_poll_free(simple_poll);
2244
2555
2245
2556
if(gnutls_initialized){
2246
2557
gnutls_certificate_free_credentials(mc.cred);
2258
2569
mc.current_server->prev->next = NULL;
2259
2570
while(mc.current_server != NULL){
2260
2571
server *next = mc.current_server->next;
2572
#ifdef __GNUC__
2573
#pragma GCC diagnostic push
2574
#pragma GCC diagnostic ignored "-Wcast-qual"
2575
#endif
2576
free((char *)(mc.current_server->ip));
2577
#ifdef __GNUC__
2578
#pragma GCC diagnostic pop
2579
#endif
2261
2580
free(mc.current_server);
2262
2581
mc.current_server = next;
2263
2582
}
2264
2583
}
2265
2584
2266
/* Run network hooks */
2267
run_network_hooks("stop", interface, delay);
2268
2269
/* Re-raise priviliges */
2585
/* Re-raise privileges */
2270
2586
{
2271
raise_privileges();
2587
ret_errno = raise_privileges();
2588
if(ret_errno != 0){
2589
errno = ret_errno;
2590
perror_plus("Failed to raise privileges");
2591
} else {
2592
2593
/* Run network hooks */
2594
run_network_hooks("stop", interfaces_hooks != NULL ?
2595
interfaces_hooks : "", delay);
2596
2597
/* Take down the network interfaces which were brought up */
2598
{
2599
char *interface = NULL;
2600
while((interface=argz_next(interfaces_to_take_down,
2601
interfaces_to_take_down_size,
2602
interface))){
2603
ret_errno = take_down_interface(interface);
2604
if(ret_errno != 0){
2605
errno = ret_errno;
2606
perror_plus("Failed to take down interface");
2607
}
2608
}
2609
if(debug and (interfaces_to_take_down == NULL)){
2610
fprintf_plus(stderr, "No interfaces needed to be taken"
2611
" down\n");
2612
}
2613
}
2614
}
2272
2615
2273
/* Take down the network interface */
2274
if(take_down_interface and geteuid() == 0){
2275
ret = ioctl(sd, SIOCGIFFLAGS, &network);
2276
if(ret == -1){
2277
perror_plus("ioctl SIOCGIFFLAGS");
2278
} else if(network.ifr_flags & IFF_UP){
2279
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
2280
ret = ioctl(sd, SIOCSIFFLAGS, &network);
2281
if(ret == -1){
2282
perror_plus("ioctl SIOCSIFFLAGS -IFF_UP");
2283
}
2284
}
2285
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2286
if(ret == -1){
2287
perror_plus("close");
2288
}
2616
ret_errno = lower_privileges_permanently();
2617
if(ret_errno != 0){
2618
errno = ret_errno;
2619
perror_plus("Failed to lower privileges permanently");
2289
2620
}
2290
2621
}
2291
/* Lower privileges permanently */
2292
errno = 0;
2293
ret = setuid(uid);
2294
if(ret == -1){
2295
perror_plus("setuid");
2296
}
2622
2623
free(interfaces_to_take_down);
2624
free(interfaces_hooks);
2297
2625
2298
2626
/* Removes the GPGME temp directory and all files inside */
2299
if(tempdir_created){
2627
if(tempdir != NULL){
2300
2628
struct dirent **direntries = NULL;
2301
struct dirent *direntry = NULL;
2302
int numentries = scandir(tempdir, &direntries, notdotentries,
2303
alphasort);
2304
if (numentries > 0){
2305
for(int i = 0; i < numentries; i++){
2306
direntry = direntries[i];
2307
char *fullname = NULL;
2308
ret = asprintf(&fullname, "%s/%s", tempdir,
2309
direntry->d_name);
2310
if(ret < 0){
2311
perror_plus("asprintf");
2312
continue;
2313
}
2314
ret = remove(fullname);
2315
if(ret == -1){
2316
fprintf_plus(stderr, "remove(\"%s\"): %s\n", fullname,
2317
strerror(errno));
2318
}
2319
free(fullname);
2629
int tempdir_fd = (int)TEMP_FAILURE_RETRY(open(tempdir, O_RDONLY |
2630
O_NOFOLLOW));
2631
if(tempdir_fd == -1){
2632
perror_plus("open");
2633
} else {
2634
#ifdef __GLIBC__
2635
#if __GLIBC_PREREQ(2, 15)
2636
int numentries = scandirat(tempdir_fd, ".", &direntries,
2637
notdotentries, alphasort);
2638
#else /* not __GLIBC_PREREQ(2, 15) */
2639
int numentries = scandir(tempdir, &direntries, notdotentries,
2640
alphasort);
2641
#endif /* not __GLIBC_PREREQ(2, 15) */
2642
#else /* not __GLIBC__ */
2643
int numentries = scandir(tempdir, &direntries, notdotentries,
2644
alphasort);
2645
#endif /* not __GLIBC__ */
2646
if(numentries >= 0){
2647
for(int i = 0; i < numentries; i++){
2648
ret = unlinkat(tempdir_fd, direntries[i]->d_name, 0);
2649
if(ret == -1){
2650
fprintf_plus(stderr, "unlinkat(open(\"%s\", O_RDONLY),"
2651
" \"%s\", 0): %s\n", tempdir,
2652
direntries[i]->d_name, strerror(errno));
2653
}
2654
free(direntries[i]);
2655
}
2656
2657
/* need to clean even if 0 because man page doesn't specify */
2658
free(direntries);
2659
if(numentries == -1){
2660
perror_plus("scandir");
2661
}
2662
ret = rmdir(tempdir);
2663
if(ret == -1 and errno != ENOENT){
2664
perror_plus("rmdir");
2665
}
2320
2666
}
2321
}
2322
2323
/* need to clean even if 0 because man page doesn't specify */
2324
free(direntries);
2325
if (numentries == -1){
2326
perror_plus("scandir");
2327
}
2328
ret = rmdir(tempdir);
2329
if(ret == -1 and errno != ENOENT){
2330
perror_plus("rmdir");
2667
TEMP_FAILURE_RETRY(close(tempdir_fd));
2331
2668
}
2332
2669
}
2333
2670
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0