Browse Source

Add clarifications ("comments") to three places where it wasn't

obvious why it is implemented this way.  The whole idea of constraints
is to isolate them as much as possible, in a semi-paranoid way.
OK rzalamena@
OPENBSD_6_1
reyk 8 years ago
parent
commit
5ec8dcba4c
1 changed files with 19 additions and 2 deletions
  1. +19
    -2
      src/usr.sbin/ntpd/constraint.c

+ 19
- 2
src/usr.sbin/ntpd/constraint.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: constraint.c,v 1.30 2016/07/13 16:35:47 jsing Exp $ */
/* $OpenBSD: constraint.c,v 1.31 2016/09/14 09:26:10 reyk Exp $ */
/* /*
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@ -320,7 +320,12 @@ priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am,
if (pledge("stdio inet", NULL) == -1) if (pledge("stdio inet", NULL) == -1)
fatal("pledge"); fatal("pledge");
/* Get name and set process title */
/*
* Get the IP address as name and set the process title accordingly.
* This only converts an address into a string and does not trigger
* any DNS operation, so it is safe to be called without the dns
* pledge.
*/
if (getnameinfo((struct sockaddr *)&cstr->addr->ss, if (getnameinfo((struct sockaddr *)&cstr->addr->ss,
SA_LEN((struct sockaddr *)&cstr->addr->ss), SA_LEN((struct sockaddr *)&cstr->addr->ss),
addr, sizeof(addr), NULL, 0, addr, sizeof(addr), NULL, 0,
@ -339,6 +344,12 @@ priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am,
close(pipes[1]); close(pipes[1]);
(void)closefrom(CONSTRAINT_PASSFD + 1); (void)closefrom(CONSTRAINT_PASSFD + 1);
/*
* Set the close-on-exec flag to prevent leaking the communication
* channel to any exec'ed child. In theory this could never happen,
* constraints don't exec children and pledge() prevents it,
* but we keep it as a safety belt; especially for portability.
*/
if (fcntl(CONSTRAINT_PASSFD, F_SETFD, FD_CLOEXEC) == -1) if (fcntl(CONSTRAINT_PASSFD, F_SETFD, FD_CLOEXEC) == -1)
fatal("%s fcntl F_SETFD", __func__); fatal("%s fcntl F_SETFD", __func__);
@ -864,6 +875,12 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
if (tls_configure(httpsdate->tls_ctx, httpsdate->tls_config) == -1) if (tls_configure(httpsdate->tls_ctx, httpsdate->tls_config) == -1)
goto fail; goto fail;
/*
* libtls expects an address string, which can also be a DNS name,
* but we pass a pre-resolved IP address string in tls_addr so it
* does not trigger any DNS operation and is safe to be called
* without the dns pledge.
*/
if (tls_connect_servername(httpsdate->tls_ctx, httpsdate->tls_addr, if (tls_connect_servername(httpsdate->tls_ctx, httpsdate->tls_addr,
httpsdate->tls_port, httpsdate->tls_hostname) == -1) { httpsdate->tls_port, httpsdate->tls_hostname) == -1) {
log_debug("tls connect failed: %s (%s): %s", log_debug("tls connect failed: %s (%s): %s",


Loading…
Cancel
Save