Commit Graph

695 Commits

Author SHA1 Message Date
Nicholas J. Kain
2420bed259 Accept no command line arguments without error. 2014-04-21 12:04:13 -04:00
Nicholas J. Kain
dbc91b0811 Background option in config files should be a boolval rathe than a value. 2014-04-21 09:02:58 -04:00
Nicholas J. Kain
034e2bb1db When sockd transfers a file descriptor to ndhc, close the fd in sockd.
Since the transfer is conceptually a move, this is the correct thing to
do and prevents sockets from spuriously hanging around forever and
eventually exhausting the per process limit on fds.
2014-04-17 11:04:00 -04:00
Nicholas J. Kain
07cbd88049 Just use raw sockets for listening to DHCP requests. A UDP SO_BROADCAST
socket was previously used only for receiving RENEWING packets, and it
added needless complexity and was somewhat fragile.
2014-04-16 01:00:36 -04:00
Nicholas J. Kain
ca85a6ba9f Style cleanups in dhcp.c. 2014-04-16 00:24:40 -04:00
Nicholas J. Kain
d8260b4e63 Print an error message when bind() fails when creating a UDP socket in sockd. 2014-04-16 00:24:13 -04:00
Nicholas J. Kain
0884d96d1e PR_SET_PDEATHSIG is not fully reliable, so instead maintain a pair of
AF_UNIX SOCK_STREAM sockets between the master processes and each subprocess,
and poll for the HUP event.

At the same time, be specific about the events that are checked in epoll
when dispatching on an event.
2014-04-15 23:19:24 -04:00
Nicholas J. Kain
e526adce19 Make the signal handling code use safe_read() and unify ifchd and sockd
signals code.
2014-04-15 20:55:13 -04:00
Nicholas J. Kain
baa394af9a UDP listen sockets should be requested with 'U' instead of 'u'. 2014-04-15 20:54:35 -04:00
Nicholas J. Kain
b3578737df Update the Makefile to build cfg.c from cfg.rl. 2014-04-15 20:50:54 -04:00
Nicholas J. Kain
b00444ab8b Bound the subprocess lifetime using prctl(PR_SET_PDEATHSIG, ...).
The pipes wouldn't do this job anymore because they were unused and thus
never performed writes that would generate SIGPIPEs, so the pipes are
removed, too.
2014-04-15 18:01:01 -04:00
Nicholas J. Kain
b3ce601f20 state.c: Print error messages if we fail to send DHCP packets. 2014-04-15 17:59:15 -04:00
Nicholas J. Kain
18604c5245 get_udp_unicast_socket() needs to have the client address as an argument
when sending the request to sockd.

Also, print error messages if sockd returns an invalid fd (< 0).
2014-04-15 17:55:28 -04:00
Nicholas J. Kain
a9055b5ca5 Update more message prints to prefix with the interface name. 2014-04-15 15:24:22 -04:00
Nicholas J. Kain
58b4ba768c If the IP header length does not match the size of the UDP packet received
via the raw socket, print both lengths in the warning message.
2014-04-15 15:23:52 -04:00
Nicholas J. Kain
730e5ef310 setpgid() can return EPERM if we are already a process group leader. 2014-04-15 15:02:20 -04:00
Nicholas J. Kain
e5834da6d3 Permit sendmsg in the seccomp syscall whitelist for all daemons. 2014-04-15 14:57:07 -04:00
Nicholas J. Kain
b5f0ccd88d In cfg.rl, when performing clear action, don't clear the cs member in ccfg. 2014-04-15 14:56:35 -04:00
Nicholas J. Kain
a777766cc6 Fix stupid typo in ndhc.c that would cause the clientid option to
corrupt the start of the hostname option if both were specified.
2014-04-15 14:55:50 -04:00
Nicholas J. Kain
8a9fbb6f09 Documentation updates. 2014-04-14 18:32:08 -04:00
Nicholas J. Kain
74ad01a086 Update the manual page. 2014-04-14 15:52:39 -04:00
Nicholas J. Kain
a501789e04 Parse config options with ragel and support a configuration file. 2014-04-14 15:06:31 -04:00
Nicholas J. Kain
51033d3664 Detect the glibc version in CMake and link librt if it is required.
For the Makefile, unconditionally link librt with no detection.
2014-04-07 19:14:31 -04:00
Nicholas J. Kain
d267c2c44b Use the raw capability interface via updated ncmlib rather than linking
to libcap.
2014-04-07 15:05:34 -04:00
Nicholas J. Kain
bb1ff7a506 arp.c: Make logging messages print the associated interface name. 2014-04-07 04:43:21 -04:00
Nicholas J. Kain
74678ef510 Use safe_recvmsg(). 2014-04-07 04:22:32 -04:00
Nicholas J. Kain
6804be2277 Use safe_sendto where necessary, and check for short writes.
Also, change many log_lines to log_errors, mostly in ifset.c.
2014-04-07 04:15:02 -04:00
Nicholas J. Kain
650da6a7fd Add recvfrom to the seccomp syscall whitelist. 2014-04-07 03:54:30 -04:00
Nicholas J. Kain
cab9162d8d Remove socketpair from the seccomp syscall filter whitelist.
socketpair() is called only before privileges are dropped, so it does
not need to be in the whitelist.
2014-04-07 03:44:53 -04:00
Nicholas J. Kain
5fa2030bab Use a socketpair rather than a pair of pipes for communication between
ndhc and ifch, similar to sockd.  A single pipe is also maintained so
that SIGPIPE can bound the lifetime of an orphaned ifch process.
2014-04-07 03:44:02 -04:00
Nicholas J. Kain
e2ee728982 Consolidate all of the global static variables in arp.c into a single
struct, and use booleans where appropriate.
2014-04-06 22:12:31 -04:00
Nicholas J. Kain
a86363f248 Create a new process ID group for ndhc. 2014-04-06 22:07:12 -04:00
Nicholas J. Kain
b761889025 Move source from ndhc/ to src/ since ifchd is no longer a separate program. 2014-04-06 16:57:06 -04:00
Nicholas J. Kain
b511d45c2f Change most error comparisons from == -1 to < 0. Some were not changed,
as the different negative values equate to different errors.

Tests against syscall returns and fds are very common and mostly fit
the pattern of this change.

The gain is increased range-exclusion.
2014-04-06 06:33:14 -04:00
Nicholas J. Kain
c03be059f5 writeordie() was buggy; delete the == 1 which makes no sense. 2014-04-06 06:31:40 -04:00
Nicholas J. Kain
3d76fbeedc Make sure that all safe_* return values use ssize_t. 2014-04-06 06:24:13 -04:00
Nicholas J. Kain
745e9e8923 If we encounter read errors reading the duid or iaid after successfully
opening the file, print an error and exit.
2014-04-06 06:06:53 -04:00
Nicholas J. Kain
7b0db5b8d3 arp.c: If the safe_read that fetches arp responses encounters a
return of -1 with errno == EAGAIN or EWOULDBLOCK, then report the
error, as it should never happen given that the function is called
only once after polling for ready-reads.

Further, the old code was buggy; it would subtract from the arpreply_offset
the return value of -1 in that case, which is just wrong.
2014-04-06 06:02:03 -04:00
Nicholas J. Kain
8b4c7f05b2 arp.c: Check for < 0 for invalid fds and function errors instead of == -1. 2014-04-06 05:54:21 -04:00
Nicholas J. Kain
8af6bee46d arp_switch_state() was far too confusing and buggy. Pass the target state as
an argument, and only switch the global state after a change is successfully
made.
2014-04-06 05:51:52 -04:00
Nicholas J. Kain
1e52914f2e Remove a lot of permitted syscalls from the seccomp filter list.
Probably the most notable is that setsockopt is only allowed from sockd.
This change prevents ndhc and ifch from removing BPF filters that have been
installed onto a socket.
2014-04-06 05:21:56 -04:00
Nicholas J. Kain
812912126e ifch doesn't need to save a pidfile because its lifetime is strictly bounded
by that of ndhc by the shared pipe, so remove that option.
2014-04-06 02:27:52 -04:00
Nicholas J. Kain
6b1d422d6f arp_min_close_fd() and arp_close_fd() can return void. 2014-04-05 23:40:18 -04:00
Nicholas J. Kain
1c30247c36 arp_reopen_fd() can be return void. 2014-04-05 23:37:44 -04:00
Nicholas J. Kain
6750209e12 Have sockd apply BPF filters to ARP sockets. 2014-04-05 21:39:27 -04:00
Nicholas J. Kain
5212e0dfc5 Switch to using a socket for ndhc/sockd IPC so that fd passing works. 2014-04-05 05:25:56 -04:00
Nicholas J. Kain
9622640698 Add command line help for the sockd-user option. 2014-04-05 05:23:37 -04:00
Nicholas J. Kain
ef51971a6d Update to latest ncmlib privilege.[ch]. 2014-04-05 05:23:18 -04:00
Nicholas J. Kain
09d6f7dfb8 Introduce a ndhc-sockd daemon that separates out the remaining elevated
capabilities from the ndhc master process.

Privsep is now complete.  The only notable improvement from before is that
exploitation of ndhc would only allow an attacker to open raw sockets,
bind sockets to ports < port 1024, and create broadcast sockets on the
interface that ndhc is performing dhcp on rather than on all interfaces.

However, this seems like a worthwhile change; note that it was already
impossible for an attacker to sniff packets on any interfaces (as that
requires CAP_NET_ADMIN, which was always separated to ifch).
2014-04-04 04:12:25 -04:00
Nicholas J. Kain
65c3cd4fd9 Make many more logging prints specify the interface and function, and make
the return checks for safe_(read|write) stricter.
2014-04-04 04:01:49 -04:00