From: Ed Maste
Subject: git: 3f8927179476 - stable/14 - blacklistd: Handle fds that are pointing to routing sockets
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 3f89271794763da1200ee4182b5fe030570f72ba
Auto-Submitted: auto-generated

The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=3f89271794763da1200ee4182b5fe030570f72ba

commit 3f89271794763da1200ee4182b5fe030570f72ba
Author: Jose Luis Duran
AuthorDate: 2022-10-12 16:14:44 +0000
Commit: Ed Maste
CommitDate: 2024-03-25 22:28:30 +0000

blacklistd: Handle fds that are pointing to routing sockets

If the fd has access to make changes via the routing socket, grant full permission to make filter changes.

Obtained from: https://github.com/zoulasc/blocklist/commit/1b9475b2c8e0be2b9adc4d88e521ed488ac3c43c

(cherry picked from commit b73612a34259a478c53eab408362d7bf879fefa6)
---
 contrib/blocklist/bin/conf.c | 113 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 95 insertions(+), 18 deletions(-)

diff --git a/contrib/blocklist/bin/conf.c b/contrib/blocklist/bin/conf.c
index 6eadf6b2ac8c..8f7e75a56be1 100644
--- a/contrib/blocklist/bin/conf.c
+++ b/contrib/blocklist/bin/conf.c
@@ -46,6 +46,7 @@ __RCSID("$NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $");
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -55,6 +56,7 @@ __RCSID("$NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $");
 #include
 #include
 #include
+#include
 #include
 #include
 #include "bl.h"
@@ -1000,32 +1002,72 @@ confset_match(const struct confset *cs, struct conf *c,
 return i;
 }
-const struct conf *
-conf_find(int fd, uid_t uid, const struct sockaddr_storage *rss,
- struct conf *cr)
+#ifdef AF_ROUTE
+static int
+conf_route_perm(int fd)
 {
+#if defined(RTM_IFANNOUNCE) && defined(SA_SIZE)
+ /*
+ * Send a routing message that is not supported to check for access
+ * We expect EOPNOTSUPP for having access, since we are sending a
+ * request the system does not understand and EACCES if we don't have
+ * access.
+ */
+ static struct sockaddr_in sin = {
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+ .sin_len = sizeof(sin),
+#endif
+ .sin_family = AF_INET,
+ };
+ char buf[4096];
+ struct rt_msghdr *rtm = (void *)buf;
+ char *cp = (char *)(rtm + 1);
+ size_t l;
+
+#define NEXTADDR(s) \
+ l = SA_SIZE(sizeof(*s)); memmove(cp, s, l); cp += l;
+ memset(buf, 0, sizeof(buf));
+ rtm->rtm_type = RTM_IFANNOUNCE;
+ rtm->rtm_flags = 0;
+ rtm->rtm_addrs = RTA_DST|RTA_GATEWAY;
+ rtm->rtm_version = RTM_VERSION;
+ rtm->rtm_seq = 666;
+ NEXTADDR(&sin);
+ NEXTADDR(&sin);
+ rtm->rtm_msglen = (u_short)((char *)cp - (char *)rtm);
+ if (write(fd, rtm, rtm->rtm_msglen) != -1) {
+ (*lfun)(LOG_ERR, "Writing to routing socket succeeded!");
+ return 0;
+ }
+ switch (errno) {
+ case EACCES:
+ return 0;
+ case EOPNOTSUPP:
+ return 1;
+ default:
+ (*lfun)(LOG_ERR,
+ "Unexpected error writing to routing socket (%m)");
+ return 0;
+ }
+#else
+ return 0;
+#endif
+}
+#endif
+
+static int
+conf_handle_inet(int fd, const void *lss, struct conf *cr)
 {
- int proto;
- socklen_t slen;
- struct sockaddr_storage lss;
- size_t i;
 char buf[BUFSIZ];
+ int proto;
+ socklen_t slen = sizeof(proto);
- memset(cr, 0, sizeof(*cr));
- slen = sizeof(lss);
- memset(&lss, 0, slen);
- if (getsockname(fd, (void *)&lss, &slen) == -1) {
- (*lfun)(LOG_ERR, "getsockname failed (%m)");
- return NULL;
- }
-
- slen = sizeof(proto);
 if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &proto, &slen) == -1) {
 (*lfun)(LOG_ERR, "getsockopt failed (%m)");
- return NULL;
+ return -1;
 }
 if (debug) {
- sockaddr_snprintf(buf, sizeof(buf), "%a:%p", (void *)&lss);
+ sockaddr_snprintf(buf, sizeof(buf), "%a:%p", lss);
 (*lfun)(LOG_DEBUG, "listening socket: %s", buf);
 }
@@ -1038,16 +1080,51 @@ conf_find(int fd, uid_t uid, const struct sockaddr_storage *rss,
 break;
 default:
 (*lfun)(LOG_ERR, "unsupported protocol %d", proto);
+ return -1;
+ }
+ return 0;
+}
+
+const struct conf *
+conf_find(int fd, uid_t uid, const struct sockaddr_storage *rss,
+ struct conf *cr)
+{
+ socklen_t slen;
+ struct sockaddr_storage lss;
+ size_t i;
+ char buf[BUFSIZ];
+
+ memset(cr, 0, sizeof(*cr));
+ slen = sizeof(lss);
+ memset(&lss, 0, slen);
+ if (getsockname(fd, (void *)&lss, &slen) == -1) {
+ (*lfun)(LOG_ERR, "getsockname failed (%m)");
 return NULL;
 }
 switch (lss.ss_family) {
 case AF_INET:
 cr->c_port = ntohs(((struct sockaddr_in *)&lss)->sin_port);
+ if (conf_handle_inet(fd, &lss, cr) == -1)
+ return NULL;
 break;
 case AF_INET6:
 cr->c_port = ntohs(((struct sockaddr_in6 *)&lss)->sin6_port);
+ if (conf_handle_inet(fd, &lss, cr) == -1)
+ return NULL;
 break;
+#ifdef AF_ROUTE
+ case AF_ROUTE:
+ if (!conf_route_perm(fd)) {
+ (*lfun)(LOG_ERR,
+ "permission denied to routing socket (%m)");
+ return NULL;
+ }
+ cr->c_proto = FSTAR;
+ cr->c_port = FSTAR;
+ memcpy(&lss, rss, sizeof(lss));
+ break;
+#endif
 default:
 (*lfun)(LOG_ERR, "unsupported family %d", lss.ss_family);
 return NULL;
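Review bot: conf_route_perm infers the peer's privilege from a write() that blacklistd itself performs on the passed-in fd, so what it measures is whether the writing process (normally root) may send routing messages on that socket, not whether the client that handed the fd over could; unless the kernel attributes routing-socket writes to the socket's creator rather than the writer, any client able to open an AF_ROUTE socket would be granted the FSTAR wildcard, and that attribution should be confirmed against the kernel before this is relied on for access control. The errno switch also treats only EACCES as "no access"; FreeBSD's routing socket, as far as I recall, rejects unprivileged modifications with EPERM, which here falls into the default branch and is logged at LOG_ERR as unexpected on every unprivileged client (still denied, so fail-closed, but misleading noise): `case EACCES: case EPERM: return 0;`. Both (*lfun)() calls before the 0 returns can clobber errno, so a caller that formats %m after a denial prints whatever the logger left behind; either save errno around the logging or note in the function's comment that it does not preserve errno. The NEXTADDR macro is left defined after the function; an `#undef NEXTADDR` after its last use would keep it from leaking into the rest of the file. conf_handle_inet begins at the end of this hunk and its body continues into the next one.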
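Review bot: In the new AF_ROUTE case the denial message `"permission denied to routing socket (%m)"` prints errno, but conf_route_perm returns 0 both after a successful write (errno untouched) and after its own (*lfun)() calls, so the %m text here is unreliable and may blame an unrelated error; log it without %m, or have conf_route_perm report the reason itself. The same case copies the client-supplied rss into lss and wildcards c_proto/c_port, so from this point the match is driven entirely by the remote address the peer claims, and nothing in the hunk checks rss->ss_family before the copy; that appears to be the intended meaning of "full permission" in the commit message, but a comment on the case, e.g. `/* routing-socket clients are trusted: match on the address they report */`, would stop the next reader from assuming lss was validated. conf_find's body, including the use of the declared `i`, continues past the end of this hunk.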