tpws: fix seccomp tgkill, do not interrupt write pipe

2024-11-11 17:29:16 +05:00 · 2024-04-03 10:34:03 +03:00 · 2024-04-03 10:34:03 +03:00 · 103419302f
commit 103419302f
parent 5805b04bba
12 changed files with 11 additions and 8 deletions
--- a/binaries/aarch64/tpws
+++ b/binaries/aarch64/tpws
--- a/binaries/arm/tpws
+++ b/binaries/arm/tpws
--- a/binaries/mips32r1-lsb/tpws
+++ b/binaries/mips32r1-lsb/tpws
--- a/binaries/mips32r1-msb/tpws
+++ b/binaries/mips32r1-msb/tpws
--- a/binaries/mips64r2-msb/tpws
+++ b/binaries/mips64r2-msb/tpws
--- a/binaries/ppc/tpws
+++ b/binaries/ppc/tpws
--- a/binaries/x86/tpws
+++ b/binaries/x86/tpws
--- a/binaries/x86_64/tpws
+++ b/binaries/x86_64/tpws
--- a/binaries/x86_64/tpws_wsl.tgz
+++ b/binaries/x86_64/tpws_wsl.tgz
--- a/tpws/resolver.c
+++ b/tpws/resolver.c
@ -46,6 +46,10 @@ int resolver_thread_count(void)
 static void *resolver_thread(void *arg)
 {
 	int r;
+	sigset_t signal_mask;
+
+	sigemptyset(&signal_mask);
+	sigaddset(&signal_mask, SIG_BREAK);

 	//printf("resolver_thread %d start\n",syscall(SYS_gettid));
 	for(;;)
@ -80,14 +84,17 @@ static void *resolver_thread(void *arg)
 				snprintf(sport,sizeof(sport),"%u",ri->port);
 				memset(&hints, 0, sizeof(struct addrinfo));
 				hints.ai_socktype = SOCK_STREAM;
+				// unfortunately getaddrinfo cannot be interrupted with a signal. we cannot cancel a query
 				ri->ga_res = getaddrinfo(ri->dom,sport,&hints,&ai);
 				if (!ri->ga_res)
 				{
 					memcpy(&ri->ss, ai->ai_addr, ai->ai_addrlen);
 					freeaddrinfo(ai);
 				}
-
 				//printf("THREAD %d END JOB %s  FIRST=%p\n", syscall(SYS_gettid), ri->dom, TAILQ_FIRST(&resolver.resolve_list));
+
+				// never interrupt this
+				pthread_sigmask(SIG_BLOCK, &signal_mask, NULL);
 				wr = write(resolver.fd_signal_pipe,&ri,sizeof(void*));
 				if (wr<0)
 				{
@ -101,6 +108,7 @@ static void *resolver_thread(void *arg)
 					fprintf(stderr,"write resolve_pipe : not full write\n");
 					exit(1000);
 				}
+				pthread_sigmask(SIG_UNBLOCK, &signal_mask, NULL);
 			}
 		}
 	}
--- a/tpws/sec.c
+++ b/tpws/sec.c
@ -115,12 +115,6 @@ SYS_process_vm_writev,
 #ifdef SYS_process_madvise
 SYS_process_madvise,
 #endif
-#ifdef SYS_tkill
-SYS_tkill,
-#endif
-#ifdef SYS_tgkill
-SYS_tgkill,
-#endif
 SYS_kill, SYS_ptrace
 };
 #define BLOCKED_SYSCALL_COUNT (sizeof(blocked_syscalls)/sizeof(*blocked_syscalls))
--- a/tpws/tpws_conn.c
+++ b/tpws/tpws_conn.c
@ -705,8 +705,9 @@ bool proxy_mode_connect_remote(const struct sockaddr *sa, tproxy_conn_t *conn, s
 	bool bConnFooling=true;
 	if (conn->track.hostname && params.mss)
 	{
-		VPRINT("0-phase desync hostlist check")
 		bConnFooling=HostlistCheck(conn->track.hostname, NULL);
+		if (!bConnFooling)
+			VPRINT("0-phase desync hostlist check negative. not acting on this connection.")
 	}

 	if ((remote_fd = connect_remote(sa, bConnFooling)) < 0)