X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_setup.c;h=7b4c741f0fe55ce1bd5daefcf39e2d990fa8867e;hb=refs%2Fheads%2F1.1;hp=40cdaf6cfa1a88e4a3d34e1a20db45b7bbcee50f;hpb=c44b08613508c993e7fd9f625e0b1b4775efffed;p=tinc diff --git a/src/net_setup.c b/src/net_setup.c index 40cdaf6c..dd6c58f1 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -45,6 +45,7 @@ #include "utils.h" #include "xalloc.h" #include "keys.h" +#include "sandbox.h" #ifdef HAVE_MINIUPNPC #include "upnp.h" @@ -183,8 +184,7 @@ void load_all_nodes(void) { read_host_config(&config, ent->d_name, true); if(!n) { - n = new_node(); - n->name = xstrdup(ent->d_name); + n = new_node(ent->d_name); node_add(n); } @@ -230,11 +230,25 @@ char *get_name(void) { return returned_name; } -bool setup_myself_reloadable(void) { - free(scriptinterpreter); - scriptinterpreter = NULL; +static void read_interpreter(void) { + char *interpreter = NULL; + get_config_string(lookup_config(&config_tree, "ScriptsInterpreter"), &interpreter); + + if(!interpreter || (sandbox_can(START_PROCESSES, AFTER_SANDBOX) && sandbox_can(USE_NEW_PATHS, AFTER_SANDBOX))) { + free(scriptinterpreter); + scriptinterpreter = interpreter; + return; + } + + if(!string_eq(interpreter, scriptinterpreter)) { + logger(DEBUG_ALWAYS, LOG_NOTICE, "Not changing ScriptsInterpreter because of sandbox."); + } - get_config_string(lookup_config(&config_tree, "ScriptsInterpreter"), &scriptinterpreter); + free(interpreter); +} + +bool setup_myself_reloadable(void) { + read_interpreter(); free(scriptextension); @@ -264,7 +278,12 @@ bool setup_myself_reloadable(void) { } else if(!strcasecmp(proxy, "http")) { proxytype = PROXY_HTTP; } else if(!strcasecmp(proxy, "exec")) { - proxytype = PROXY_EXEC; + if(sandbox_can(START_PROCESSES, AFTER_SANDBOX)) { + proxytype = PROXY_EXEC; + } else { + logger(DEBUG_ALWAYS, LOG_ERR, "Cannot use exec proxies with current sandbox level."); + return false; + } } else { logger(DEBUG_ALWAYS, LOG_ERR, "Unknown proxy type %s!", proxy); free_string(proxy); @@ -295,6 +314,10 @@ bool setup_myself_reloadable(void) { return false; } + if(!sandbox_can(USE_NEW_PATHS, AFTER_SANDBOX)) { + logger(DEBUG_ALWAYS, LOG_NOTICE, "Changed exec proxy may fail to work because of sandbox."); + } + proxyhost = xstrdup(space); break; @@ -651,6 +674,7 @@ static bool add_listen_address(char *address, bool bindto) { } if(listen_sockets >= MAXSOCKETS) { + listen_sockets = MAXSOCKETS; logger(DEBUG_ALWAYS, LOG_ERR, "Too many listening sockets"); freeaddrinfo(ai); return false; @@ -740,10 +764,9 @@ static bool setup_myself(void) { } myname = xstrdup(name); - myself = new_node(); + myself = new_node(name); myself->connection = new_connection(); - myself->name = name; - myself->connection->name = xstrdup(name); + myself->connection->name = name; read_host_config(&config_tree, name, true); if(!get_config_string(lookup_config(&config_tree, "Port"), &myport.tcp)) { @@ -903,7 +926,8 @@ static bool setup_myself(void) { if(!cipher_open_by_name(myself->incipher, cipher)) { logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized cipher type!"); - cipher_free(&myself->incipher); + cipher_free(myself->incipher); + myself->incipher = NULL; free(cipher); return false; } @@ -938,7 +962,8 @@ static bool setup_myself(void) { if(!digest_open_by_name(myself->indigest, digest, maclength)) { logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized digest type!"); - digest_free(&myself->indigest); + digest_free(myself->indigest); + myself->indigest = NULL; free(digest); return false; } @@ -1020,7 +1045,7 @@ static bool setup_myself(void) { devops = os_devops; if(get_config_string(lookup_config(&config_tree, "DeviceType"), &type)) { - if(!strcasecmp(type, "dummy")) { + if(!strcasecmp(type, DEVICE_DUMMY)) { devops = dummy_devops; } else if(!strcasecmp(type, "raw_socket")) { devops = raw_socket_devops; @@ -1061,16 +1086,19 @@ static bool setup_myself(void) { /* Open sockets */ - if(!do_detach && getenv("LISTEN_FDS")) { + const char *listen_fds = getenv("LISTEN_FDS"); + + if(!do_detach && listen_fds) { sockaddr_t sa; socklen_t salen; - listen_sockets = atoi(getenv("LISTEN_FDS")); + listen_sockets = atoi(listen_fds); #ifdef HAVE_UNSETENV unsetenv("LISTEN_FDS"); #endif if(listen_sockets > MAXSOCKETS) { + listen_sockets = MAXSOCKETS; logger(DEBUG_ALWAYS, LOG_ERR, "Too many listening sockets"); return false; }