1
0

Configurator.c 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658
  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  14. */
  15. #include "client/AdminClient.h"
  16. #include "client/Configurator.h"
  17. #include "benc/String.h"
  18. #include "benc/Dict.h"
  19. #include "benc/Int.h"
  20. #include "benc/List.h"
  21. #include "memory/Allocator.h"
  22. #include "util/events/Event.h"
  23. #include "util/events/UDPAddrIface.h"
  24. #include "util/Bits.h"
  25. #include "util/log/Log.h"
  26. #include "util/platform/Sockaddr.h"
  27. #include "util/Defined.h"
  28. #include "util/events/Timeout.h"
  29. #include <stdlib.h>
  30. #include <stdbool.h>
  31. struct Context
  32. {
  33. struct Log* logger;
  34. struct Allocator* alloc;
  35. struct AdminClient* client;
  36. struct Allocator* currentReqAlloc;
  37. struct AdminClient_Result* currentResult;
  38. struct EventBase* base;
  39. };
  40. static void rpcCallback(struct AdminClient_Promise* p, struct AdminClient_Result* res)
  41. {
  42. struct Context* ctx = p->userData;
  43. Allocator_adopt(ctx->alloc, p->alloc);
  44. ctx->currentResult = res;
  45. EventBase_endLoop(ctx->base);
  46. }
  47. static void die(struct AdminClient_Result* res, struct Context* ctx, struct Allocator* alloc)
  48. {
  49. Log_keys(ctx->logger, "message bytes = [%s]", res->messageBytes);
  50. #ifndef Log_KEYS
  51. Log_critical(ctx->logger, "enable Log_LEVEL=KEYS to see message content.");
  52. #endif
  53. Dict d = NULL;
  54. struct AdminClient_Promise* exitPromise =
  55. AdminClient_rpcCall(String_CONST("Core_exit"), &d, ctx->client, alloc);
  56. exitPromise->callback = rpcCallback;
  57. exitPromise->userData = ctx;
  58. EventBase_beginLoop(ctx->base);
  59. if (ctx->currentResult->err) {
  60. Log_critical(ctx->logger, "Failed to stop the core.");
  61. }
  62. Log_critical(ctx->logger, "Aborting.");
  63. exit(1);
  64. }
  65. static int rpcCall0(String* function,
  66. Dict* args,
  67. struct Context* ctx,
  68. struct Allocator* alloc,
  69. Dict** resultP,
  70. bool exitIfError)
  71. {
  72. ctx->currentReqAlloc = Allocator_child(alloc);
  73. ctx->currentResult = NULL;
  74. struct AdminClient_Promise* promise = AdminClient_rpcCall(function, args, ctx->client, alloc);
  75. promise->callback = rpcCallback;
  76. promise->userData = ctx;
  77. EventBase_beginLoop(ctx->base);
  78. struct AdminClient_Result* res = ctx->currentResult;
  79. Assert_true(res);
  80. if (res->err) {
  81. Log_critical(ctx->logger,
  82. "Failed to make function call [%s], error: [%s]",
  83. AdminClient_errorString(res->err),
  84. function->bytes);
  85. die(res, ctx, alloc);
  86. }
  87. String* error = Dict_getString(res->responseDict, String_CONST("error"));
  88. int ret = 0;
  89. if (error && !String_equals(error, String_CONST("none"))) {
  90. if (exitIfError) {
  91. Log_critical(ctx->logger,
  92. "Got error [%s] calling [%s]",
  93. error->bytes,
  94. function->bytes);
  95. die(res, ctx, alloc);
  96. }
  97. Log_warn(ctx->logger, "Got error [%s] calling [%s], ignoring.",
  98. error->bytes, function->bytes);
  99. ret = 1;
  100. }
  101. if (resultP) {
  102. *resultP = res->responseDict;
  103. } else {
  104. Allocator_free(ctx->currentReqAlloc);
  105. }
  106. ctx->currentReqAlloc = NULL;
  107. return ret;
  108. }
  109. static void rpcCall(String* function, Dict* args, struct Context* ctx, struct Allocator* alloc)
  110. {
  111. rpcCall0(function, args, ctx, alloc, NULL, true);
  112. }
  113. static void authorizedPasswords(List* list, struct Context* ctx)
  114. {
  115. uint32_t count = List_size(list);
  116. for (uint32_t i = 0; i < count; i++) {
  117. Dict* d = List_getDict(list, i);
  118. Log_info(ctx->logger, "Checking authorized password %d.", i);
  119. if (!d) {
  120. Log_critical(ctx->logger, "Not a dictionary type %d.", i);
  121. exit(-1);
  122. }
  123. String* passwd = Dict_getString(d, String_CONST("password"));
  124. if (!passwd) {
  125. Log_critical(ctx->logger, "Must specify a password %d.", i);
  126. exit(-1);
  127. }
  128. }
  129. for (uint32_t i = 0; i < count; i++) {
  130. struct Allocator* child = Allocator_child(ctx->alloc);
  131. Dict* d = List_getDict(list, i);
  132. String* passwd = Dict_getString(d, String_CONST("password"));
  133. String* user = Dict_getString(d, String_CONST("user"));
  134. if (!user) {
  135. // This is synchronized with cjdnsctl.js
  136. user = String_printf(child, "_noname_%d", i);
  137. }
  138. //String* publicKey = Dict_getString(d, String_CONST("publicKey"));
  139. String* ipv6 = Dict_getString(d, String_CONST("ipv6"));
  140. Log_info(ctx->logger, "Adding authorized password #[%d] for user [%s].", i, user->bytes);
  141. Dict *args = Dict_new(child);
  142. uint32_t i = 1;
  143. Dict_putInt(args, String_CONST("authType"), i, child);
  144. Dict_putString(args, String_CONST("password"), passwd, child);
  145. if (user) {
  146. Dict_putString(args, String_CONST("user"), user, child);
  147. }
  148. if (ipv6) {
  149. Log_info(ctx->logger,
  150. " This connection password restricted to [%s] only.", ipv6->bytes);
  151. Dict_putString(args, String_CONST("ipv6"), ipv6, child);
  152. }
  153. rpcCall(String_CONST("AuthorizedPasswords_add"), args, ctx, child);
  154. Allocator_free(child);
  155. }
  156. }
  157. static void udpInterface(Dict* config, struct Context* ctx)
  158. {
  159. List* ifaces = Dict_getList(config, String_CONST("UDPInterface"));
  160. if (!ifaces) {
  161. ifaces = List_new(ctx->alloc);
  162. List_addDict(ifaces, Dict_getDict(config, String_CONST("UDPInterface")), ctx->alloc);
  163. }
  164. uint32_t count = List_size(ifaces);
  165. for (uint32_t i = 0; i < count; i++) {
  166. Dict *udp = List_getDict(ifaces, i);
  167. if (!udp) {
  168. continue;
  169. }
  170. // Setup the interface.
  171. String* bindStr = Dict_getString(udp, String_CONST("bind"));
  172. Dict* d = Dict_new(ctx->alloc);
  173. if (bindStr) {
  174. Dict_putString(d, String_CONST("bindAddress"), bindStr, ctx->alloc);
  175. }
  176. Dict* resp = NULL;
  177. rpcCall0(String_CONST("UDPInterface_new"), d, ctx, ctx->alloc, &resp, true);
  178. String* ifName = Dict_getString(resp, String_CONST("ifName"));
  179. // Make the connections.
  180. Dict* connectTo = Dict_getDict(udp, String_CONST("connectTo"));
  181. if (connectTo) {
  182. struct Dict_Entry* entry = *connectTo;
  183. struct Allocator* perCallAlloc = Allocator_child(ctx->alloc);
  184. while (entry != NULL) {
  185. String* key = (String*) entry->key;
  186. if (entry->val->type != Object_DICT) {
  187. Log_critical(ctx->logger, "interfaces.UDPInterface.connectTo: entry [%s] "
  188. "is not a dictionary type.", key->bytes);
  189. exit(-1);
  190. }
  191. Dict* value = entry->val->as.dictionary;
  192. Log_keys(ctx->logger, "Attempting to connect to node [%s].", key->bytes);
  193. key = String_clone(key, perCallAlloc);
  194. char* lastColon = CString_strrchr(key->bytes, ':');
  195. if (!Sockaddr_parse(key->bytes, NULL)) {
  196. // it's a sockaddr, fall through
  197. } else if (lastColon) {
  198. // try it as a hostname.
  199. int port = atoi(lastColon+1);
  200. if (!port) {
  201. Log_critical(ctx->logger, "Couldn't get port number from [%s]", key->bytes);
  202. exit(-1);
  203. }
  204. *lastColon = '\0';
  205. struct Sockaddr* adr = Sockaddr_fromName(key->bytes, perCallAlloc);
  206. if (adr != NULL) {
  207. Sockaddr_setPort(adr, port);
  208. key = String_new(Sockaddr_print(adr, perCallAlloc), perCallAlloc);
  209. } else {
  210. Log_warn(ctx->logger, "Failed to lookup hostname [%s]", key->bytes);
  211. entry = entry->next;
  212. continue;
  213. }
  214. }
  215. Dict_putString(value, String_CONST("ifName"), ifName, perCallAlloc);
  216. Dict_putString(value, String_CONST("address"), key, perCallAlloc);
  217. rpcCall(String_CONST("InterfaceController_connectTo"), value, ctx, perCallAlloc);
  218. // Make a IPTunnel exception for this node
  219. Dict* aed = Dict_new(perCallAlloc);
  220. *lastColon = '\0';
  221. Dict_putString(aed, String_CONST("route"), String_new(key->bytes, perCallAlloc),
  222. perCallAlloc);
  223. *lastColon = ':';
  224. rpcCall(String_CONST("RouteGen_addException"), aed, ctx, perCallAlloc);
  225. entry = entry->next;
  226. }
  227. Allocator_free(perCallAlloc);
  228. }
  229. }
  230. }
  231. static void tunInterface(Dict* ifaceConf, struct Allocator* tempAlloc, struct Context* ctx)
  232. {
  233. String* ifaceType = Dict_getString(ifaceConf, String_CONST("type"));
  234. if (!String_equals(ifaceType, String_CONST("TUNInterface"))) {
  235. return;
  236. }
  237. // Setup the interface.
  238. String* device = Dict_getString(ifaceConf, String_CONST("tunDevice"));
  239. Dict* args = Dict_new(tempAlloc);
  240. if (device) {
  241. Dict_putString(args, String_CONST("desiredTunName"), device, tempAlloc);
  242. }
  243. rpcCall0(String_CONST("Core_initTunnel"), args, ctx, tempAlloc, NULL, false);
  244. }
  245. static void ipTunnel(Dict* ifaceConf, struct Allocator* tempAlloc, struct Context* ctx)
  246. {
  247. List* incoming = Dict_getList(ifaceConf, String_CONST("allowedConnections"));
  248. if (incoming) {
  249. Dict* d;
  250. for (int i = 0; (d = List_getDict(incoming, i)) != NULL; i++) {
  251. String* key = Dict_getString(d, String_CONST("publicKey"));
  252. String* ip4 = Dict_getString(d, String_CONST("ip4Address"));
  253. // Note that the prefix length has to be a proper int in the config
  254. // (not quoted!)
  255. int64_t* ip4Prefix = Dict_getInt(d, String_CONST("ip4Prefix"));
  256. String* ip6 = Dict_getString(d, String_CONST("ip6Address"));
  257. int64_t* ip6Prefix = Dict_getInt(d, String_CONST("ip6Prefix"));
  258. if (!key) {
  259. Log_critical(ctx->logger, "In router.ipTunnel.allowedConnections[%d]"
  260. "'publicKey' required.", i);
  261. exit(1);
  262. }
  263. if (!ip4 && !ip6) {
  264. Log_critical(ctx->logger, "In router.ipTunnel.allowedConnections[%d]"
  265. "either 'ip4Address' or 'ip6Address' required.", i);
  266. exit(1);
  267. } else if (ip4Prefix && !ip4) {
  268. Log_critical(ctx->logger, "In router.ipTunnel.allowedConnections[%d]"
  269. "'ip4Address' required with 'ip4Prefix'.", i);
  270. exit(1);
  271. } else if (ip6Prefix && !ip6) {
  272. Log_critical(ctx->logger, "In router.ipTunnel.allowedConnections[%d]"
  273. "'ip6Address' required with 'ip6Prefix'.", i);
  274. exit(1);
  275. }
  276. Log_debug(ctx->logger, "Allowing IpTunnel connections from [%s]", key->bytes);
  277. if (ip4) {
  278. Log_debug(ctx->logger, "Issue IPv4 address %s", ip4->bytes);
  279. if (ip4Prefix) {
  280. Log_debug(ctx->logger, "Issue IPv4 netmask/prefix length /%d",
  281. (int) *ip4Prefix);
  282. } else {
  283. Log_debug(ctx->logger, "Use default netmask/prefix length /0");
  284. }
  285. }
  286. if (ip6) {
  287. Log_debug(ctx->logger, "Issue IPv6 address [%s]", ip6->bytes);
  288. if (ip6Prefix) {
  289. Log_debug(ctx->logger, "Issue IPv6 netmask/prefix length /%d",
  290. (int) *ip6Prefix);
  291. } else {
  292. Log_debug(ctx->logger, "Use default netmask/prefix length /0");
  293. }
  294. }
  295. Dict_putString(d, String_CONST("publicKeyOfAuthorizedNode"), key, tempAlloc);
  296. rpcCall0(String_CONST("IpTunnel_allowConnection"), d, ctx, tempAlloc, NULL, true);
  297. }
  298. }
  299. List* outgoing = Dict_getList(ifaceConf, String_CONST("outgoingConnections"));
  300. if (outgoing) {
  301. String* s;
  302. for (int i = 0; (s = List_getString(outgoing, i)) != NULL; i++) {
  303. Log_debug(ctx->logger, "Initiating IpTunnel connection to [%s]", s->bytes);
  304. Dict requestDict =
  305. Dict_CONST(String_CONST("publicKeyOfNodeToConnectTo"), String_OBJ(s), NULL);
  306. rpcCall0(String_CONST("IpTunnel_connectTo"), &requestDict, ctx, tempAlloc, NULL, true);
  307. }
  308. }
  309. }
  310. static void routerConfig(Dict* routerConf, struct Allocator* tempAlloc, struct Context* ctx)
  311. {
  312. tunInterface(Dict_getDict(routerConf, String_CONST("interface")), tempAlloc, ctx);
  313. ipTunnel(Dict_getDict(routerConf, String_CONST("ipTunnel")), tempAlloc, ctx);
  314. }
  315. static void ethInterfaceSetBeacon(String* ifName, Dict* eth, struct Context* ctx)
  316. {
  317. int64_t* beaconP = Dict_getInt(eth, String_CONST("beacon"));
  318. if (beaconP) {
  319. int64_t beacon = *beaconP;
  320. if (beacon > 3 || beacon < 0) {
  321. Log_error(ctx->logger, "interfaces.ETHInterface.beacon may only be 0, 1,or 2");
  322. } else {
  323. // We can cast beacon to an int here because we know it's small enough
  324. Log_info(ctx->logger, "Setting beacon mode on ETHInterface to [%d].", (int) beacon);
  325. Dict d = Dict_CONST(String_CONST("ifName"), String_OBJ(ifName),
  326. Dict_CONST(String_CONST("state"), Int_OBJ(beacon), NULL));
  327. rpcCall(String_CONST("InterfaceController_beacon"), &d, ctx, ctx->alloc);
  328. }
  329. }
  330. }
  331. static void ethInterface(Dict* config, struct Context* ctx)
  332. {
  333. List* ifaces = Dict_getList(config, String_CONST("ETHInterface"));
  334. if (!ifaces) {
  335. ifaces = List_new(ctx->alloc);
  336. List_addDict(ifaces, Dict_getDict(config, String_CONST("ETHInterface")), ctx->alloc);
  337. }
  338. uint32_t count = List_size(ifaces);
  339. for (uint32_t i = 0; i < count; i++) {
  340. Dict *eth = List_getDict(ifaces, i);
  341. if (!eth) { continue; }
  342. String* deviceStr = Dict_getString(eth, String_CONST("bind"));
  343. if (!deviceStr || !String_equals(String_CONST("all"), deviceStr)) { continue; }
  344. Log_info(ctx->logger, "Setting up all ETHInterfaces...");
  345. Dict* res = NULL;
  346. Dict* d = Dict_new(ctx->alloc);
  347. if (rpcCall0(String_CONST("ETHInterface_listDevices"), d, ctx, ctx->alloc, &res, false)) {
  348. Log_info(ctx->logger, "Getting device list failed");
  349. break;
  350. }
  351. List* devs = Dict_getList(res, String_CONST("devices"));
  352. uint32_t devCount = List_size(devs);
  353. for (uint32_t j = 0; j < devCount; j++) {
  354. Dict* d = Dict_new(ctx->alloc);
  355. String* deviceName = List_getString(devs, j);
  356. // skip loopback...
  357. if (String_equals(String_CONST("lo"), deviceName)) { continue; }
  358. Dict_putString(d, String_CONST("bindDevice"), deviceName, ctx->alloc);
  359. Dict* resp;
  360. Log_info(ctx->logger, "Creating new ETHInterface [%s]", deviceName->bytes);
  361. if (rpcCall0(String_CONST("ETHInterface_new"), d, ctx, ctx->alloc, &resp, false)) {
  362. Log_warn(ctx->logger, "Failed to create ETHInterface.");
  363. continue;
  364. }
  365. String* ifName = Dict_getString(resp, String_CONST("ifName"));
  366. ethInterfaceSetBeacon(ifName, eth, ctx);
  367. }
  368. return;
  369. }
  370. for (uint32_t i = 0; i < count; i++) {
  371. Dict *eth = List_getDict(ifaces, i);
  372. if (!eth) { continue; }
  373. // Setup the interface.
  374. String* deviceStr = Dict_getString(eth, String_CONST("bind"));
  375. Log_info(ctx->logger, "Setting up ETHInterface [%d].", i);
  376. Dict* d = Dict_new(ctx->alloc);
  377. if (deviceStr) {
  378. Log_info(ctx->logger, "Binding to device [%s].", deviceStr->bytes);
  379. Dict_putString(d, String_CONST("bindDevice"), deviceStr, ctx->alloc);
  380. }
  381. Dict* resp = NULL;
  382. if (rpcCall0(String_CONST("ETHInterface_new"), d, ctx, ctx->alloc, &resp, false)) {
  383. Log_warn(ctx->logger, "Failed to create ETHInterface.");
  384. continue;
  385. }
  386. String* ifName = Dict_getString(resp, String_CONST("ifName"));
  387. ethInterfaceSetBeacon(ifName, eth, ctx);
  388. // Make the connections.
  389. Dict* connectTo = Dict_getDict(eth, String_CONST("connectTo"));
  390. if (connectTo) {
  391. Log_info(ctx->logger, "ETHInterface should connect to a specific node.");
  392. struct Dict_Entry* entry = *connectTo;
  393. while (entry != NULL) {
  394. String* key = (String*) entry->key;
  395. if (entry->val->type != Object_DICT) {
  396. Log_critical(ctx->logger, "interfaces.ETHInterface.connectTo: entry [%s] "
  397. "is not a dictionary type.", key->bytes);
  398. exit(-1);
  399. }
  400. Dict* value = entry->val->as.dictionary;
  401. Log_keys(ctx->logger, "Attempting to connect to node [%s].", key->bytes);
  402. struct Allocator* perCallAlloc = Allocator_child(ctx->alloc);
  403. // Turn the dict from the config into our RPC args dict by filling in all
  404. // the arguments,
  405. Dict_putString(value, String_CONST("address"), key, perCallAlloc);
  406. Dict_putString(value, String_CONST("ifName"), ifName, perCallAlloc);
  407. rpcCall(String_CONST("InterfaceController_connectTo"), value, ctx, perCallAlloc);
  408. Allocator_free(perCallAlloc);
  409. entry = entry->next;
  410. }
  411. }
  412. }
  413. }
  414. static void security(struct Allocator* tempAlloc, List* conf, struct Log* log, struct Context* ctx)
  415. {
  416. int seccomp = 1;
  417. int nofiles = 0;
  418. int noforks = 1;
  419. int chroot = 1;
  420. int setupComplete = 1;
  421. int setuser = 1;
  422. if (Defined(win32)) {
  423. setuser = 0;
  424. }
  425. int uid = -1;
  426. int64_t* group = NULL;
  427. int keepNetAdmin = 1;
  428. do {
  429. Dict* d = Dict_new(tempAlloc);
  430. Dict_putString(d, String_CONST("user"), String_CONST("nobody"), tempAlloc);
  431. if (!Defined(win32)) {
  432. Dict* ret = NULL;
  433. rpcCall0(String_CONST("Security_getUser"), d, ctx, tempAlloc, &ret, true);
  434. uid = *Dict_getInt(ret, String_CONST("uid"));
  435. group = Dict_getInt(ret, String_CONST("gid"));
  436. }
  437. } while (0);
  438. for (int i = 0; conf && i < List_size(conf); i++) {
  439. Dict* elem = List_getDict(conf, i);
  440. String* s;
  441. if (elem && (s = Dict_getString(elem, String_CONST("setuser")))) {
  442. if (setuser == 0) { continue; }
  443. Dict* d = Dict_new(tempAlloc);
  444. Dict_putString(d, String_CONST("user"), s, tempAlloc);
  445. Dict* ret = NULL;
  446. rpcCall0(String_CONST("Security_getUser"), d, ctx, tempAlloc, &ret, true);
  447. uid = *Dict_getInt(ret, String_CONST("uid"));
  448. group = Dict_getInt(ret, String_CONST("gid"));
  449. int64_t* nka = Dict_getInt(elem, String_CONST("keepNetAdmin"));
  450. int64_t* exemptAngel = Dict_getInt(elem, String_CONST("exemptAngel"));
  451. keepNetAdmin = ((nka) ? *nka : ((exemptAngel) ? *exemptAngel : 0));
  452. continue;
  453. }
  454. if (elem && (s = Dict_getString(elem, String_CONST("chroot")))) {
  455. Log_debug(log, "Security_chroot(%s)", s->bytes);
  456. Dict* d = Dict_new(tempAlloc);
  457. Dict_putString(d, String_CONST("root"), s, tempAlloc);
  458. rpcCall0(String_CONST("Security_chroot"), d, ctx, tempAlloc, NULL, false);
  459. chroot = 0;
  460. continue;
  461. }
  462. uint64_t* x;
  463. if (elem && (x = Dict_getInt(elem, String_CONST("nofiles")))) {
  464. if (!*x) { continue; }
  465. nofiles = 1;
  466. continue;
  467. }
  468. if (elem && (x = Dict_getInt(elem, String_CONST("setuser")))) {
  469. if (!*x) { setuser = 0; }
  470. continue;
  471. }
  472. if (elem && (x = Dict_getInt(elem, String_CONST("seccomp")))) {
  473. if (!*x) { seccomp = 0; }
  474. continue;
  475. }
  476. if (elem && (x = Dict_getInt(elem, String_CONST("noforks")))) {
  477. if (!*x) { noforks = 0; }
  478. continue;
  479. }
  480. if (elem && (x = Dict_getInt(elem, String_CONST("chroot")))) {
  481. if (!*x) { chroot = 0; }
  482. continue;
  483. }
  484. if (elem && (x = Dict_getInt(elem, String_CONST("setupComplete")))) {
  485. if (!*x) { setupComplete = 0; }
  486. continue;
  487. }
  488. Log_info(ctx->logger, "Unrecognized entry in security at index [%d]", i);
  489. }
  490. if (chroot) {
  491. Log_debug(log, "Security_chroot(/var/run)");
  492. Dict* d = Dict_new(tempAlloc);
  493. Dict_putString(d, String_CONST("root"), String_CONST("/var/run/"), tempAlloc);
  494. rpcCall0(String_CONST("Security_chroot"), d, ctx, tempAlloc, NULL, false);
  495. }
  496. /* FIXME(sdg): moving noforks after setuser might make nproc <- 0,0 work
  497. on older kernels, where doing it before causes setuid to fail w EAGAIN. */
  498. if (noforks) {
  499. Log_debug(log, "Security_noforks()");
  500. Dict* d = Dict_new(tempAlloc);
  501. rpcCall(String_CONST("Security_noforks"), d, ctx, tempAlloc);
  502. }
  503. if (setuser) {
  504. Log_debug(log, "Security_setUser(uid:%d, keepNetAdmin:%d)", uid, keepNetAdmin);
  505. Dict* d = Dict_new(tempAlloc);
  506. Dict_putInt(d, String_CONST("uid"), uid, tempAlloc);
  507. if (group) {
  508. Dict_putInt(d, String_CONST("gid"), (int)*group, tempAlloc);
  509. }
  510. Dict_putInt(d, String_CONST("keepNetAdmin"), keepNetAdmin, tempAlloc);
  511. rpcCall0(String_CONST("Security_setUser"), d, ctx, tempAlloc, NULL, false);
  512. }
  513. if (nofiles) {
  514. Log_debug(log, "Security_nofiles()");
  515. Dict* d = Dict_new(tempAlloc);
  516. rpcCall(String_CONST("Security_nofiles"), d, ctx, tempAlloc);
  517. }
  518. if (seccomp) {
  519. Log_debug(log, "Security_seccomp()");
  520. Dict* d = Dict_new(tempAlloc);
  521. rpcCall(String_CONST("Security_seccomp"), d, ctx, tempAlloc);
  522. }
  523. if (setupComplete) {
  524. Log_debug(log, "Security_setupComplete()");
  525. Dict* d = Dict_new(tempAlloc);
  526. rpcCall(String_CONST("Security_setupComplete"), d, ctx, tempAlloc);
  527. }
  528. }
  529. static int tryPing(struct Allocator* tempAlloc, struct Context* ctx)
  530. {
  531. Dict* resp = NULL;
  532. Dict* d = Dict_new(tempAlloc);
  533. rpcCall0(String_CONST("ping"), d, ctx, tempAlloc, &resp, false);
  534. if (!resp) { return -1; }
  535. String* q = Dict_getString(resp, String_CONST("q"));
  536. if (String_equals(q, String_CONST("pong"))) {
  537. return true;
  538. }
  539. return false;
  540. }
  541. static void awaken(void* vcontext)
  542. {
  543. struct Context* ctx = vcontext;
  544. EventBase_endLoop(ctx->base);
  545. }
  546. static void sleep(int milliseconds, struct Context* ctx, struct Allocator* temp)
  547. {
  548. Timeout_setTimeout(awaken, ctx, milliseconds, ctx->base, temp);
  549. EventBase_beginLoop(ctx->base);
  550. }
  551. static void waitUntilPong(struct Context* ctx)
  552. {
  553. for (int i = 0; i < 10; i++) {
  554. struct Allocator* temp = Allocator_child(ctx->alloc);
  555. if (tryPing(temp, ctx)) {
  556. Allocator_free(temp);
  557. return;
  558. }
  559. sleep(200, ctx, temp);
  560. Allocator_free(temp);
  561. }
  562. Assert_failure("Failed connecting to core (perhaps you have a firewall on loopback device?)");
  563. }
  564. void Configurator_config(Dict* config,
  565. struct Sockaddr* sockAddr,
  566. String* adminPassword,
  567. struct EventBase* eventBase,
  568. struct Log* logger,
  569. struct Allocator* alloc)
  570. {
  571. struct Allocator* tempAlloc = Allocator_child(alloc);
  572. struct UDPAddrIface* udp = UDPAddrIface_new(eventBase, NULL, alloc, NULL, logger);
  573. struct AdminClient* client =
  574. AdminClient_new(&udp->generic, sockAddr, adminPassword, eventBase, logger, tempAlloc);
  575. struct Context ctx = {
  576. .logger = logger,
  577. .alloc = tempAlloc,
  578. .client = client,
  579. .base = eventBase,
  580. };
  581. waitUntilPong(&ctx);
  582. List* authedPasswords = Dict_getList(config, String_CONST("authorizedPasswords"));
  583. if (authedPasswords) {
  584. authorizedPasswords(authedPasswords, &ctx);
  585. }
  586. Dict* ifaces = Dict_getDict(config, String_CONST("interfaces"));
  587. udpInterface(ifaces, &ctx);
  588. if (Defined(HAS_ETH_INTERFACE)) {
  589. ethInterface(ifaces, &ctx);
  590. }
  591. Dict* routerConf = Dict_getDict(config, String_CONST("router"));
  592. routerConfig(routerConf, tempAlloc, &ctx);
  593. List* secList = Dict_getList(config, String_CONST("security"));
  594. security(tempAlloc, secList, logger, &ctx);
  595. Log_debug(logger, "Cjdns started in the background");
  596. Allocator_free(tempAlloc);
  597. }