From bd67b41f329702465d1d548ca2144b609e82927a Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 3 Feb 2025 22:37:08 +0300 Subject: [PATCH] nfqws,tpws: check accessibility of list files after droproot --- docs/changes.txt | 1 + nfq/nfqws.c | 27 +++++++++++++++++++++++++++ tpws/tpws.c | 25 ++++++++++++++++++++++++- 3 files changed, 52 insertions(+), 1 deletion(-) diff --git a/docs/changes.txt b/docs/changes.txt index 748dc61..89833e7 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -456,3 +456,4 @@ nfqws,blockcheck: --dpi-desync-fake-tls-mod v70.1 nfqws: --dpi-desync-fake-tls-mod=dupsid +nfqws,tpws: test accessibility of list files after privs drop diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 93cfffc..5b7b56c 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -120,6 +120,29 @@ static uint8_t processPacketData(uint32_t *mark, const char *ifout, uint8_t *dat } +static bool test_list_files() +{ + struct hostlist_file *hfile; + struct ipset_file *ifile; + + LIST_FOREACH(hfile, ¶ms.hostlists, next) + if (!file_mod_time(hfile->filename)) + { + DLOG_PERROR("file_mod_time"); + DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename); + return false; + } + LIST_FOREACH(ifile, ¶ms.ipsets, next) + if (!file_mod_time(ifile->filename)) + { + DLOG_PERROR("file_mod_time"); + DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename); + return false; + } + return true; +} + + #ifdef __linux__ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cookie) { @@ -260,6 +283,8 @@ static int nfq_main(void) if (params.droproot && !droproot(params.uid, params.gid)) return 1; print_id(); + if (params.droproot && !test_list_files()) + return 1; pre_desync(); @@ -357,6 +382,8 @@ static int dvt_main(void) if (params.droproot && !droproot(params.uid, params.gid)) goto exiterr; print_id(); + if (params.droproot && !test_list_files()) + goto exiterr; pre_desync(); diff --git a/tpws/tpws.c b/tpws/tpws.c index c52a275..ddc7b98 100644 
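Review bot: In `test_list_files()` in nfq/nfqws.c, the test `!file_mod_time(hfile->filename)` (and the same test on `ifile->filename`) may prove less than the "cannot access" message claims. The body of `file_mod_time()` is not in this diff, but if it is a `stat()` wrapper, as the name suggests, it succeeds whenever the containing directories are searchable, even when the dropped uid has no read permission on the file itself. A root-owned list with mode 0600 would then pass this startup check and presumably still fail the next time the list is re-read by the unprivileged process. Testing readability directly closes that gap, e.g. `if (access(hfile->filename, R_OK))` with `DLOG_PERROR("access")`, and likewise for `ifile->filename`; it also stops a file whose mtime is legitimately 0 from being reported as inaccessible with a stale errno. The identical function added to tpws/tpws.c has the same gap.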
--- a/tpws/tpws.c +++ b/tpws/tpws.c @@ -116,6 +116,27 @@ static int8_t block_sigpipe(void) return 0; } +static bool test_list_files() +{ + struct hostlist_file *hfile; + struct ipset_file *ifile; + + LIST_FOREACH(hfile, ¶ms.hostlists, next) + if (!file_mod_time(hfile->filename)) + { + DLOG_PERROR("file_mod_time"); + DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename); + return false; + } + LIST_FOREACH(ifile, ¶ms.ipsets, next) + if (!file_mod_time(ifile->filename)) + { + DLOG_PERROR("file_mod_time"); + DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename); + return false; + } + return true; +} static bool is_interface_online(const char *ifname) { @@ -1918,10 +1939,12 @@ int main(int argc, char *argv[]) set_ulimit(); sec_harden(); - if (params.droproot && !droproot(params.uid,params.gid)) goto exiterr; print_id(); + if (params.droproot && !test_list_files()) + goto exiterr; + //splice() causes the process to receive the SIGPIPE-signal if one part (for //example a socket) is closed during splice(). I would rather have splice() //fail and return -1, so blocking SIGPIPE.
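Review bot: `static bool test_list_files()` in tpws/tpws.c is declared with empty parentheses, which in C before C23 leaves the parameter list unspecified rather than empty. The neighbouring definitions visible in this patch (`block_sigpipe(void)`, `nfq_main(void)`) spell it out, so use `static bool test_list_files(void)` here and in the copy in nfq/nfqws.c. The function also has no comment saying why it exists; something like `// after droproot: make sure every hostlist/ipset file is still reachable by the unprivileged uid` would do. A blank line before `is_interface_online` would keep the spacing used between the other definitions.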