ForkMaster/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2025-02-05 06:44:19 +05:00
Code Issues Actions Packages Projects Releases Wiki Activity

nfqws,tpws: check accessibility of list files after droproot

Browse Source
This commit is contained in:
bol-van 2025-02-03 22:37:08 +03:00
parent 00619c8dab
commit bd67b41f32
3 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/changes.txt
View File

@ -456,3 +456,4 @@ nfqws,blockcheck: --dpi-desync-fake-tls-mod
v70.1 v70.1
nfqws: --dpi-desync-fake-tls-mod=dupsid nfqws: --dpi-desync-fake-tls-mod=dupsid
nfqws,tpws: test accessibility of list files after privs drop

27
nfq/nfqws.c
View File

@ -120,6 +120,29 @@ static uint8_t processPacketData(uint32_t *mark, const char *ifout, uint8_t *dat
} }
static bool test_list_files()
{
struct hostlist_file *hfile;
struct ipset_file *ifile;
LIST_FOREACH(hfile, &params.hostlists, next)
if (!file_mod_time(hfile->filename))
{
DLOG_PERROR("file_mod_time");
DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename);
return false;
}
LIST_FOREACH(ifile, &params.ipsets, next)
if (!file_mod_time(ifile->filename))
{
DLOG_PERROR("file_mod_time");
DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename);
return false;
}
return true;
}
#ifdef __linux__ #ifdef __linux__
static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cookie) static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cookie)
{ {
@ -260,6 +283,8 @@ static int nfq_main(void)
if (params.droproot && !droproot(params.uid, params.gid)) if (params.droproot && !droproot(params.uid, params.gid))
return 1; return 1;
print_id(); print_id();
if (params.droproot && !test_list_files())
return 1;
pre_desync(); pre_desync();
@ -357,6 +382,8 @@ static int dvt_main(void)
if (params.droproot && !droproot(params.uid, params.gid)) if (params.droproot && !droproot(params.uid, params.gid))
goto exiterr; goto exiterr;
print_id(); print_id();
if (params.droproot && !test_list_files())
goto exiterr;
pre_desync(); pre_desync();

25
tpws/tpws.c
View File

@ -116,6 +116,27 @@ static int8_t block_sigpipe(void)
return 0; return 0;
} }
static bool test_list_files()
{
struct hostlist_file *hfile;
struct ipset_file *ifile;
LIST_FOREACH(hfile, &params.hostlists, next)
if (!file_mod_time(hfile->filename))
{
DLOG_PERROR("file_mod_time");
DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename);
return false;
}
LIST_FOREACH(ifile, &params.ipsets, next)
if (!file_mod_time(ifile->filename))
{
DLOG_PERROR("file_mod_time");
DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename);
return false;
}
return true;
}
static bool is_interface_online(const char *ifname) static bool is_interface_online(const char *ifname)
{ {
@ -1918,10 +1939,12 @@ int main(int argc, char *argv[])
set_ulimit(); set_ulimit();
sec_harden(); sec_harden();
if (params.droproot && !droproot(params.uid,params.gid)) if (params.droproot && !droproot(params.uid,params.gid))
goto exiterr; goto exiterr;
print_id(); print_id();
if (params.droproot && !test_list_files())
goto exiterr;
//splice() causes the process to receive the SIGPIPE-signal if one part (for //splice() causes the process to receive the SIGPIPE-signal if one part (for
//example a socket) is closed during splice(). I would rather have splice() //example a socket) is closed during splice(). I would rather have splice()
//fail and return -1, so blocking SIGPIPE. //fail and return -1, so blocking SIGPIPE.