|
|
@ -1,4 +1,4 @@ |
|
|
/* $OpenBSD: constraint.c,v 1.34 2016/10/18 22:05:47 rzalamena Exp $ */ |
|
|
|
|
|
|
|
|
/* $OpenBSD: constraint.c,v 1.35 2016/12/05 10:41:33 rzalamena Exp $ */ |
|
|
|
|
|
|
|
|
/* |
|
|
/* |
|
|
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> |
|
|
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> |
|
|
@ -321,8 +321,8 @@ priv_constraint_readquery(struct constraint *cstr, struct ntp_addr_msg *am, |
|
|
void |
|
|
void |
|
|
priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid) |
|
|
priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid) |
|
|
{ |
|
|
{ |
|
|
struct constraint *cstr; |
|
|
|
|
|
struct ntp_addr_msg *am; |
|
|
|
|
|
|
|
|
struct constraint cstr; |
|
|
|
|
|
struct ntp_addr_msg am; |
|
|
uint8_t *data; |
|
|
uint8_t *data; |
|
|
static char addr[NI_MAXHOST]; |
|
|
static char addr[NI_MAXHOST]; |
|
|
struct timeval rectv, xmttv; |
|
|
struct timeval rectv, xmttv; |
|
|
@ -336,10 +336,6 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid) |
|
|
if (setpriority(PRIO_PROCESS, 0, 0) == -1) |
|
|
if (setpriority(PRIO_PROCESS, 0, 0) == -1) |
|
|
log_warn("could not set priority"); |
|
|
log_warn("could not set priority"); |
|
|
|
|
|
|
|
|
if ((cstr = calloc(1, sizeof(*cstr))) == NULL || |
|
|
|
|
|
(am = calloc(1, sizeof(*am))) == NULL) |
|
|
|
|
|
fatal("%s: calloc", __func__); |
|
|
|
|
|
|
|
|
|
|
|
/* Init TLS and load CA certs before chroot() */ |
|
|
/* Init TLS and load CA certs before chroot() */ |
|
|
if (tls_init() == -1) |
|
|
if (tls_init() == -1) |
|
|
fatalx("tls_init"); |
|
|
fatalx("tls_init"); |
|
|
@ -368,9 +364,9 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid) |
|
|
if (pledge("stdio inet", NULL) == -1) |
|
|
if (pledge("stdio inet", NULL) == -1) |
|
|
fatal("pledge"); |
|
|
fatal("pledge"); |
|
|
|
|
|
|
|
|
cstr->fd = CONSTRAINT_PASSFD; |
|
|
|
|
|
imsg_init(&cstr->ibuf, cstr->fd); |
|
|
|
|
|
priv_constraint_readquery(cstr, am, &data); |
|
|
|
|
|
|
|
|
cstr.fd = CONSTRAINT_PASSFD; |
|
|
|
|
|
imsg_init(&cstr.ibuf, cstr.fd); |
|
|
|
|
|
priv_constraint_readquery(&cstr, &am, &data); |
|
|
|
|
|
|
|
|
/* |
|
|
/* |
|
|
* Get the IP address as name and set the process title accordingly. |
|
|
* Get the IP address as name and set the process title accordingly. |
|
|
@ -378,8 +374,8 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid) |
|
|
* any DNS operation, so it is safe to be called without the dns |
|
|
* any DNS operation, so it is safe to be called without the dns |
|
|
* pledge. |
|
|
* pledge. |
|
|
*/ |
|
|
*/ |
|
|
if (getnameinfo((struct sockaddr *)&cstr->addr->ss, |
|
|
|
|
|
SA_LEN((struct sockaddr *)&cstr->addr->ss), |
|
|
|
|
|
|
|
|
if (getnameinfo((struct sockaddr *)&cstr.addr->ss, |
|
|
|
|
|
SA_LEN((struct sockaddr *)&cstr.addr->ss), |
|
|
addr, sizeof(addr), NULL, 0, |
|
|
addr, sizeof(addr), NULL, 0, |
|
|
NI_NUMERICHOST) != 0) |
|
|
NI_NUMERICHOST) != 0) |
|
|
fatalx("%s getnameinfo", __func__); |
|
|
fatalx("%s getnameinfo", __func__); |
|
|
@ -398,21 +394,21 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid) |
|
|
fatal("%s fcntl F_SETFD", __func__); |
|
|
fatal("%s fcntl F_SETFD", __func__); |
|
|
|
|
|
|
|
|
/* Get remaining data from imsg in the unpriv child */ |
|
|
/* Get remaining data from imsg in the unpriv child */ |
|
|
if (am->namelen) { |
|
|
|
|
|
if ((cstr->addr_head.name = |
|
|
|
|
|
get_string(data, am->namelen)) == NULL) |
|
|
|
|
|
|
|
|
if (am.namelen) { |
|
|
|
|
|
if ((cstr.addr_head.name = |
|
|
|
|
|
get_string(data, am.namelen)) == NULL) |
|
|
fatalx("invalid IMSG_CONSTRAINT_QUERY name"); |
|
|
fatalx("invalid IMSG_CONSTRAINT_QUERY name"); |
|
|
data += am->namelen; |
|
|
|
|
|
|
|
|
data += am.namelen; |
|
|
} |
|
|
} |
|
|
if (am->pathlen) { |
|
|
|
|
|
if ((cstr->addr_head.path = |
|
|
|
|
|
get_string(data, am->pathlen)) == NULL) |
|
|
|
|
|
|
|
|
if (am.pathlen) { |
|
|
|
|
|
if ((cstr.addr_head.path = |
|
|
|
|
|
get_string(data, am.pathlen)) == NULL) |
|
|
fatalx("invalid IMSG_CONSTRAINT_QUERY path"); |
|
|
fatalx("invalid IMSG_CONSTRAINT_QUERY path"); |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
/* Run! */ |
|
|
/* Run! */ |
|
|
if ((ctx = httpsdate_query(addr, |
|
|
if ((ctx = httpsdate_query(addr, |
|
|
CONSTRAINT_PORT, cstr->addr_head.name, cstr->addr_head.path, |
|
|
|
|
|
|
|
|
CONSTRAINT_PORT, cstr.addr_head.name, cstr.addr_head.path, |
|
|
conf->ca, conf->ca_len, &rectv, &xmttv)) == NULL) { |
|
|
conf->ca, conf->ca_len, &rectv, &xmttv)) == NULL) { |
|
|
/* Abort with failure but without warning */ |
|
|
/* Abort with failure but without warning */ |
|
|
exit(1); |
|
|
exit(1); |
|
|
@ -422,10 +418,10 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid) |
|
|
iov[0].iov_len = sizeof(rectv); |
|
|
iov[0].iov_len = sizeof(rectv); |
|
|
iov[1].iov_base = &xmttv; |
|
|
iov[1].iov_base = &xmttv; |
|
|
iov[1].iov_len = sizeof(xmttv); |
|
|
iov[1].iov_len = sizeof(xmttv); |
|
|
imsg_composev(&cstr->ibuf, |
|
|
|
|
|
|
|
|
imsg_composev(&cstr.ibuf, |
|
|
IMSG_CONSTRAINT_RESULT, 0, 0, -1, iov, 2); |
|
|
IMSG_CONSTRAINT_RESULT, 0, 0, -1, iov, 2); |
|
|
do { |
|
|
do { |
|
|
rv = imsg_flush(&cstr->ibuf); |
|
|
|
|
|
|
|
|
rv = imsg_flush(&cstr.ibuf); |
|
|
} while (rv == -1 && errno == EAGAIN); |
|
|
} while (rv == -1 && errno == EAGAIN); |
|
|
|
|
|
|
|
|
/* Tear down the TLS connection after sending the result */ |
|
|
/* Tear down the TLS connection after sending the result */ |
|
|
|
rzalamena
8 years ago