Commit Graph

455 Commits

Author SHA1 Message Date
Nicholas J. Kain
1e52914f2e Remove a lot of permitted syscalls from the seccomp filter list.
Probably the most notable is that setsockopt is only allowed from sockd.
This change prevents ndhc and ifch from removing BPF filters that have been
installed onto a socket.
2014-04-06 05:21:56 -04:00
Nicholas J. Kain
812912126e ifch doesn't need to save a pidfile because its lifetime is strictly bounded
by that of ndhc by the shared pipe, so remove that option.
2014-04-06 02:27:52 -04:00
Nicholas J. Kain
6b1d422d6f arp_min_close_fd() and arp_close_fd() can return void. 2014-04-05 23:40:18 -04:00
Nicholas J. Kain
1c30247c36 arp_reopen_fd() can return void. 2014-04-05 23:37:44 -04:00
Nicholas J. Kain
6750209e12 Have sockd apply BPF filters to ARP sockets. 2014-04-05 21:39:27 -04:00
Nicholas J. Kain
5212e0dfc5 Switch to using a socket for ndhc/sockd IPC so that fd passing works. 2014-04-05 05:25:56 -04:00
Nicholas J. Kain
9622640698 Add command line help for the sockd-user option. 2014-04-05 05:23:37 -04:00
Nicholas J. Kain
ef51971a6d Update to latest ncmlib privilege.[ch]. 2014-04-05 05:23:18 -04:00
Nicholas J. Kain
09d6f7dfb8 Introduce a ndhc-sockd daemon that separates out the remaining elevated
capabilities from the ndhc master process.

Privsep is now complete.  The only notable improvement from before is that
exploitation of ndhc would only allow an attacker to open raw sockets,
bind sockets to ports < port 1024, and create broadcast sockets on the
interface that ndhc is performing dhcp on rather than on all interfaces.

However, this seems like a worthwhile change; note that it was already
impossible for an attacker to sniff packets on any interfaces (as that
requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
Nicholas J. Kain
65c3cd4fd9 Make many more logging prints specify the interface and function, and make
the return checks for safe_(read|write) stricter.
2014-04-04 04:01:49 -04:00
Nicholas J. Kain
2200b68aff Print a warning if the BPF is not installed for an ARP socket. 2014-04-04 03:55:32 -04:00
Nicholas J. Kain
dc2ac46fd4 Update to latest ncmlib and remove some dead preprocessor defines. 2014-03-31 16:06:41 -04:00
Nicholas J. Kain
2f54ff75f3 Use nk_uidgidbyname(). 2014-03-30 22:18:04 -04:00
Nicholas J. Kain
2d8654ae59 Update copyright dates. 2014-03-30 17:23:35 -04:00
Nicholas J. Kain
1abf8462d3 Convert logging messages to suicide() where appropriate and clean up the
logging messages a bit.
2014-03-30 17:21:27 -04:00
Nicholas J. Kain
82d9682ed8 Update to latest ncmlib changes. 2014-03-30 17:02:48 -04:00
Nicholas J. Kain
abda60e0e9 Remove unused defines. 2014-03-28 11:17:52 -04:00
Nicholas J. Kain
1b6b52d2eb Don't background the daemon by default. Process supervision is finally
catching on and becoming the norm.
2014-03-28 00:12:33 -04:00
Nicholas J. Kain
704e414171 Add nl_sendgetaddr and nl_sendgetaddrs variants for v4/v6. 2014-03-28 00:09:53 -04:00
Nicholas J. Kain
77ce7b9a6c printf 'hh' length modifier is a gnu extension. Don't use it. 2014-03-25 05:27:47 -04:00
Nicholas J. Kain
00e7e2a61b Remove an implicit narrowing cast from void* in nl.h.
This cast is fine in C, but if the header is included from C++, even from
an extern "C" block, it will cause an error.
2014-03-24 09:55:55 -04:00
Nicholas J. Kain
4b92b10f32 ifch doesn't need chmod or unlink whitelisted for seccomp-filter. 2014-03-22 23:39:50 -04:00
Nicholas J. Kain
71db577ed5 Replace the remaining calls to rand() with nk_random_u32(). 2014-03-22 02:08:23 -04:00
Nicholas J. Kain
009f80b428 x86 has a slightly different syscall interface, so some changes are
necessary for the seccomp filters to work.

Specifically, x86 has the old catch-all socketcall and the non-legacy
fcntl64 system calls.
2014-03-22 01:32:55 -04:00
Nicholas J. Kain
22dcfc00ee Enable seccomp-filter if CMake detects that host is x86_64 or x86. 2014-03-21 23:52:15 -04:00
Nicholas J. Kain
2d79465eed Enforce field width for MAC address prints. 2014-03-21 21:29:25 -04:00
Nicholas J. Kain
ab68966442 ifchange.c: Fix ifcmd_iplist so that it works properly.
Also, add some extra diagnostic prints to ifcmd_raw.
2014-03-20 23:50:58 -04:00
Nicholas J. Kain
6cfb1eb340 duiaid.c: Fix trivial errors found from testing so that it works. 2014-03-20 23:26:19 -04:00
Nicholas J. Kain
a73a28588f Factor out copy_cmdarg() to common ncmlib header. 2014-03-20 05:25:40 -04:00
Nicholas J. Kain
f365498188 Convert the remaining strnk* calls to use snprintf instead, and make sure
to detect truncations and failures in all cases.
2014-03-20 04:07:12 -04:00
Nicholas J. Kain
daadae0bf5 Switch to using snprintf in dhcp.c and ifch.c so that truncations can be
easily detected.
2014-03-19 19:32:45 -04:00
Nicholas J. Kain
f5281ee7ab ifchange.c: inet_ntop won't fail so long as we always use a statically
determined valid address family and sufficiently long destination buffer.
2014-03-19 19:14:38 -04:00
Nicholas J. Kain
fa801fbec4 ifchange.c doesn't need strl.h included anymore. 2014-03-19 06:42:39 -04:00
Nicholas J. Kain
17f1889d4d ifchd_cmd() had a lot of helper macros that were more obfuscating than
helpful.  Remove them.
2014-03-19 06:40:42 -04:00
Nicholas J. Kain
db6169e099 Rename ifchd_cmd_* to ifcmd_*. 2014-03-19 06:34:29 -04:00
Nicholas J. Kain
4b78acb65a Remove an intermediate buffer in options.c after all of the functions
operating on that buffer now always leave the buffer so that it has
a valid list of commands.
2014-03-19 06:32:13 -04:00
Nicholas J. Kain
2de848f2c7 If the snprintf in ifcmd_raw() fails, then we can restore the buffer to
its original state by zeroing out the data that was appended to the buffer
by the failed snprintf.

This trick allows ifcmd_raw() to never fail in a way that would attach
corrupt commands to the output buffer.
2014-03-19 06:14:50 -04:00
Nicholas J. Kain
a2e8136bc9 options.c: Rewrite the ifchd_cmd_* options command generation functions.
The old functions were harder to audit.  The new ones factor out most
of the work into a common ifcmd_raw() helper, and make sure to perform
the updates atomically wrt the output buffer.

snprintf is used heavily, as the C99 semantics should be on any targeted
system.

The atomicity will be improved in the next patch, allowing the number
of command buffers to be reduced.
2014-03-19 06:07:01 -04:00
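The buffer-restoring trick from 2de848f2c7 and the atomic-append helper from a2e8136bc9, as an added example that is not ndhc's ifcmd_raw(): snprintf reports the length it wanted, so truncation is detected from the return value (the check f365498188 and daadae0bf5 are about), and on failure the bytes snprintf already wrote into the free space are zeroed so the buffer is byte-for-byte what it was. The `key:value;` command syntax, the 32-byte buffer and the name `ifcmd_append` are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 32   /* deliberately small so truncation is easy to hit */

struct cmdbuf {
    char buf[CMD_BUF_SIZE];   /* always a NUL-terminated list of "key:value;" */
    size_t len;               /* bytes in use, not counting the terminator */
};

/* Append "key:value;" atomically with respect to the buffer: either the
 * whole command lands, or the buffer is left exactly as it was.
 * Returns 0 on success, -1 if snprintf failed or would have truncated. */
int ifcmd_append(struct cmdbuf *cb, const char *key, const char *value)
{
    size_t avail = sizeof cb->buf - cb->len;
    int n = snprintf(cb->buf + cb->len, avail, "%s:%s;", key, value);
    if (n < 0 || (size_t)n >= avail) {
        /* snprintf wrote a truncated prefix plus a NUL into the free space;
         * erase it so no partial command can ever be sent on. */
        memset(cb->buf + cb->len, 0, avail);
        return -1;
    }
    cb->len += (size_t)n;
    return 0;
}

/* Constructed scenario: one command fits, the next would overflow and must
 * leave the buffer untouched, a third short one then still fits.
 * Returns 1 if every step behaves as described. */
int demo_cmdbuf(void)
{
    struct cmdbuf cb;
    memset(&cb, 0, sizeof cb);
    if (ifcmd_append(&cb, "ip", "192.168.1.10") != 0)        /* 16 bytes */
        return 0;
    if (ifcmd_append(&cb, "routr", "192.168.1.1") != -1)     /* 18 bytes: too long */
        return 0;
    if (strcmp(cb.buf, "ip:192.168.1.10;") != 0 || cb.len != 16)
        return 0;
    if (ifcmd_append(&cb, "mtu", "1500") != 0)               /* 9 bytes: fits */
        return 0;
    return strcmp(cb.buf, "ip:192.168.1.10;mtu:1500;") == 0;
}

int main(void)
{
    printf("atomic command append: %s\n", demo_cmdbuf() ? "ok" : "failed");
    return 0;
}
```

The important property is the one the commit message names: a caller that ignores the -1 still holds a buffer containing only complete commands, so a failure cannot turn into a malformed message to ifch.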
Nicholas J. Kain
89d4649439 options.c: Conditionalize some functions to only be compiled for ndhs, as
ndhc does not use them.
2014-03-19 06:00:45 -04:00
Nicholas J. Kain
861ab28186 Reduce the scope of a static variable, and zero-initialize a structure just
to satisfy cppcheck even though it should be safe.
2014-03-19 06:00:08 -04:00
Nicholas J. Kain
597c858f44 duiaid.c: Trivial style cleanups. No functional change. 2014-03-19 05:58:29 -04:00
Nicholas J. Kain
e188658c4c Store the leasefile in the state directory by default, since a state
directory is now the normal mode of operation because of RFC4361.
2014-03-19 04:12:24 -04:00
Nicholas J. Kain
b1e1ccf7c3 Add support for setting the metric for the default GW route. 2014-03-19 01:13:11 -04:00
Nicholas J. Kain
ce99b0a6d7 Update documentation and add '-s' switch to change the state directory. 2014-03-19 00:46:54 -04:00
Nicholas J. Kain
15598c9207 Support RFC4361.
RFC4361 requires clients to send a clientid, and specifies that by default
the clientid should be a combination of a machine-static DUID and an
interface-static IAID.

There are several RFC-compliant DUIDs.  ndhc uses RFC6355's DUID-UUID,
but chooses not to follow RFC4122 for the UUID and instead simply uses
random bytes from its combined Tausworthe PRNG.

RFC4122 is excessively complex, and 128-bit random values are more than
sufficiently collision-resistant on even large DHCP segments.

ndhc requires a read/writable directory to store the DUID/IAID states.  By
default this directory is /etc/ndhc.  It exists outside the chroot.  The DUID
will be stored in a single file, DUID.  The IAIDs exist per-interface and are
stored in files with names similar to IAID-xx:xx:xx:xx:xx:xx, where the xx
values are replaced by the Ethernet hardware address of the interface.

If it is impossible to read or store the DUIDs or IAIDs, ndhc will
fail at start time before it performs any network activity or forks any
subprocesses.

If the host system lacks volatile storage, then a clientid should manually
be specified using the -c or --clientid command arguments.
2014-03-19 00:42:32 -04:00
Nicholas J. Kain
aad83608d1 Add a lot of const annotations to options.[ch]. 2014-03-18 03:38:32 -04:00
Nicholas J. Kain
cd269c7261 Make ndhc RFC6842-compliant.
All this entails is that ndhc needs to check to make sure that if the remote
server sends a dhcp packet with a client identifier, the client identifier
of that packet matches the client identifier that ndhc uses to identify
itself.

If the remote server does not attach a client identifier to its dhcp packets,
then the behavior of ndhc does not change.
2014-03-18 03:13:51 -04:00
Nicholas J. Kain
3d0f46580a options.c: Add an add_option_clientid() variant for ndhs to use, and silence
an unused function warning that triggers when compiling ndhs.
2014-03-18 01:51:58 -04:00
Nicholas J. Kain
742baf6d7b get_end_option_idx() has a useless conditional that always evaluates to
the same value.  Remove it, and introduce a slightly less useless
conditional that prevents a possible one-byte-read past the end of
packet.

This bug could possibly cause ndhc to segfault on some architectures
with extremely unlikely memory layouts and a very pathological crafted
input packet.
2014-03-18 01:38:58 -04:00
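Three of the commits above describe one path through a DHCP reply: the RFC 4361 client identifier built from an IAID and a DUID-UUID (15598c9207), the RFC 6842 rule that an echoed client identifier must match it (cd269c7261), and the option walker that must never read one byte past the packet (742baf6d7b). The following added example (not ndhc's options.c) puts the three together. It assumes a 236-byte BOOTP header followed by the magic cookie, does not handle option overload into sname/file, and uses constructed packets; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DHCP_MAGIC_OFF 236   /* fixed BOOTP header length */
#define DHCP_OPTS_OFF  240   /* first option, after the 4-byte magic cookie */
enum { DCODE_PAD = 0, DCODE_CLIENT_ID = 61, DCODE_END = 255 };
static const uint8_t dhcp_magic[4] = { 0x63, 0x82, 0x53, 0x63 };

/* RFC 4361 client identifier: type 255, 4-byte IAID, then the DUID.  The DUID
 * is RFC 6355's DUID-UUID: 2-byte type 4 plus 16 bytes, which the page's
 * client fills with PRNG output rather than an RFC 4122 UUID.  Returns 23. */
size_t build_rfc4361_clientid(uint32_t iaid, const uint8_t uuid[16], uint8_t out[23])
{
    out[0] = 0xff;
    out[1] = (uint8_t)(iaid >> 24);
    out[2] = (uint8_t)(iaid >> 16);
    out[3] = (uint8_t)(iaid >> 8);
    out[4] = (uint8_t)iaid;
    out[5] = 0;
    out[6] = 4;                       /* DUID type 4 = DUID-UUID */
    memcpy(out + 7, uuid, 16);
    return 23;
}

/* Locate option `code`.  Every access is bounds-checked: a code byte needs a
 * length byte after it, and the payload must fit inside `len`, so a crafted
 * trailing option cannot cause a read past the packet.
 * Returns 1 (found, *val/*vlen set), 0 (absent), -1 (malformed). */
int dhcp_find_option(const uint8_t *pkt, size_t len, uint8_t code,
                     const uint8_t **val, size_t *vlen)
{
    if (len < DHCP_OPTS_OFF || memcmp(pkt + DHCP_MAGIC_OFF, dhcp_magic, 4) != 0)
        return -1;
    size_t i = DHCP_OPTS_OFF;
    while (i < len) {
        uint8_t c = pkt[i];
        if (c == DCODE_PAD) { i++; continue; }
        if (c == DCODE_END) return 0;
        if (i + 1 >= len) return -1;            /* code byte with no length byte */
        size_t olen = pkt[i + 1];
        if (olen > len - (i + 2)) return -1;    /* payload would run past the packet */
        if (c == code) { *val = pkt + i + 2; *vlen = olen; return 1; }
        i += 2 + olen;
    }
    return 0;   /* no END option before the packet ran out: treated as absent */
}

/* RFC 6842: an echoed client identifier must equal ours; a reply without one
 * is handled as before.  Malformed packets are rejected.  1 accept, 0 reject. */
int rfc6842_accept(const uint8_t *pkt, size_t len, const uint8_t *ourid, size_t ourlen)
{
    const uint8_t *v;
    size_t vl;
    int r = dhcp_find_option(pkt, len, DCODE_CLIENT_ID, &v, &vl);
    if (r < 0) return 0;
    if (r == 0) return 1;
    return vl == ourlen && memcmp(v, ourid, ourlen) == 0;
}

/* Constructed test packet: zeroed BOOTP header, magic cookie, then `opts`.
 * `buf` must hold DHCP_OPTS_OFF + optslen bytes.  Returns the packet length. */
size_t make_packet(uint8_t *buf, const uint8_t *opts, size_t optslen)
{
    memset(buf, 0, DHCP_OPTS_OFF);
    memcpy(buf + DHCP_MAGIC_OFF, dhcp_magic, 4);
    memcpy(buf + DHCP_OPTS_OFF, opts, optslen);
    return DHCP_OPTS_OFF + optslen;
}
```

The last byte of a packet being an option code with no length byte is exactly the case a walker that checks only `i < len` before reading `pkt[i + 1]` gets wrong; the `i + 1 >= len` test is the one-byte fix the commit describes, and the `olen > len - (i + 2)` test covers the more common case of a declared length that overruns the packet.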
Nicholas J. Kain
e8687ba29f Make validate_dhcp_packet()'s magic cookie length check clearer by using
offsetof().
2014-03-18 01:36:14 -04:00