#include "xalloc.h"
#include "version.h"
#include "random.h"
+#include "sandbox.h"
+#include "watchdog.h"
+#include "fs.h"
/* If nonzero, display usage information and exit. */
static bool show_help = false;
static int status = 1;
+typedef enum option_t {
+ OPT_BAD_OPTION = '?',
+ OPT_LONG_OPTION = 0,
+
+ // Short options
+ OPT_CONFIG_FILE = 'c',
+ OPT_NETNAME = 'n',
+ OPT_NO_DETACH = 'D',
+ OPT_DEBUG = 'd',
+ OPT_MLOCK = 'L',
+ OPT_CHROOT = 'R',
+ OPT_CHANGE_USER = 'U',
+ OPT_SYSLOG = 's',
+ OPT_OPTION = 'o',
+
+ // Long options
+ OPT_HELP = 255,
+ OPT_VERSION,
+ OPT_NO_SECURITY,
+ OPT_LOGFILE,
+ OPT_PIDFILE,
+} option_t;
+
static struct option const long_options[] = {
- {"config", required_argument, NULL, 'c'},
- {"net", required_argument, NULL, 'n'},
- {"help", no_argument, NULL, 1},
- {"version", no_argument, NULL, 2},
- {"no-detach", no_argument, NULL, 'D'},
- {"debug", optional_argument, NULL, 'd'},
- {"bypass-security", no_argument, NULL, 3},
- {"mlock", no_argument, NULL, 'L'},
- {"chroot", no_argument, NULL, 'R'},
- {"user", required_argument, NULL, 'U'},
- {"logfile", optional_argument, NULL, 4},
- {"syslog", no_argument, NULL, 's'},
- {"pidfile", required_argument, NULL, 5},
- {"option", required_argument, NULL, 'o'},
- {NULL, 0, NULL, 0}
+ {"config", required_argument, NULL, OPT_CONFIG_FILE},
+ {"net", required_argument, NULL, OPT_NETNAME},
+ {"no-detach", no_argument, NULL, OPT_NO_DETACH},
+ {"debug", optional_argument, NULL, OPT_DEBUG},
+ {"mlock", no_argument, NULL, OPT_MLOCK},
+ {"chroot", no_argument, NULL, OPT_CHROOT},
+ {"user", required_argument, NULL, OPT_CHANGE_USER},
+ {"syslog", no_argument, NULL, OPT_SYSLOG},
+ {"option", required_argument, NULL, OPT_OPTION},
+ {"help", no_argument, NULL, OPT_HELP},
+ {"version", no_argument, NULL, OPT_VERSION},
+ {"bypass-security", no_argument, NULL, OPT_NO_SECURITY},
+ {"logfile", optional_argument, NULL, OPT_LOGFILE},
+ {"pidfile", required_argument, NULL, OPT_PIDFILE},
+ {NULL, 0, NULL, 0},
};
#ifdef HAVE_WINDOWS
fprintf(stderr, "Try `%s --help\' for more information.\n",
program_name);
else {
- static const char *message =
+ fprintf(stdout,
"Usage: %s [option]...\n"
"\n"
" -c, --config=DIR Read configuration options from DIR.\n"
" --help Display this help and exit.\n"
" --version Output version information and exit.\n"
"\n"
- "Report bugs to tinc@tinc-vpn.org.\n";
+ "Report bugs to tinc@tinc-vpn.org.\n",
+ program_name);
+ }
+}
+
+// Try to resolve path to absolute, return a copy of the argument if this fails.
+static char *get_path_arg(char *arg) {
+ char *result = absolute_path(arg);
- printf(message, program_name);
+ if(!result) {
+ result = xstrdup(arg);
}
+
+ return result;
}
static bool parse_options(int argc, char **argv) {
int lineno = 0;
while((r = getopt_long(argc, argv, "c:DLd::n:so:RU:", long_options, &option_index)) != EOF) {
- switch(r) {
- case 0: /* long option */
+ switch((option_t) r) {
+ case OPT_LONG_OPTION:
break;
- case 'c': /* config file */
+ case OPT_BAD_OPTION:
+ usage(true);
+ goto exit_fail;
+
+ case OPT_CONFIG_FILE:
+ assert(optarg);
free(confbase);
- confbase = xstrdup(optarg);
+ confbase = get_path_arg(optarg);
break;
- case 'D': /* no detach */
+ case OPT_NO_DETACH:
do_detach = false;
break;
- case 'L': /* no detach */
+ case OPT_MLOCK: /* lock tincd into RAM */
#ifndef HAVE_MLOCKALL
logger(DEBUG_ALWAYS, LOG_ERR, "The %s option is not supported on this platform.", argv[optind - 1]);
goto exit_fail;
break;
#endif
- case 'd': /* increase debug level */
+ case OPT_DEBUG: /* increase debug level */
if(!optarg && optind < argc && *argv[optind] != '-') {
optarg = argv[optind++];
}
break;
- case 'n': /* net name given */
+ case OPT_NETNAME:
+ assert(optarg);
free(netname);
netname = xstrdup(optarg);
break;
- case 's': /* syslog */
+ case OPT_SYSLOG:
use_logfile = false;
use_syslog = true;
break;
- case 'o': /* option */
+ case OPT_OPTION:
cfg = parse_config_line(optarg, NULL, ++lineno);
if(!cfg) {
#ifdef HAVE_WINDOWS
- case 'R':
- case 'U':
+ case OPT_CHANGE_USER:
+ case OPT_CHROOT:
logger(DEBUG_ALWAYS, LOG_ERR, "The %s option is not supported on this platform.", argv[optind - 1]);
goto exit_fail;
#else
- case 'R': /* chroot to NETNAME dir */
+ case OPT_CHROOT:
do_chroot = true;
break;
- case 'U': /* setuid to USER */
+ case OPT_CHANGE_USER:
switchuser = optarg;
break;
#endif
- case 1: /* show help */
+ case OPT_HELP:
show_help = true;
break;
- case 2: /* show version */
+ case OPT_VERSION:
show_version = true;
break;
- case 3: /* bypass security */
+ case OPT_NO_SECURITY:
bypass_security = true;
break;
- case 4: /* write log entries to a file */
+ case OPT_LOGFILE:
use_syslog = false;
use_logfile = true;
if(optarg) {
free(logfilename);
- logfilename = xstrdup(optarg);
+ logfilename = get_path_arg(optarg);
}
break;
- case 5: /* open control socket here */
+ case OPT_PIDFILE:
+ assert(optarg);
free(pidfilename);
- pidfilename = xstrdup(optarg);
+ pidfilename = get_path_arg(optarg);
break;
- case '?': /* wrong options */
- usage(true);
- goto exit_fail;
-
default:
break;
}
return false;
}
+static bool read_sandbox_level(void) {
+ sandbox_level_t level;
+ char *value = NULL;
+
+ if(get_config_string(lookup_config(&config_tree, "Sandbox"), &value)) {
+ if(!strcasecmp("off", value)) {
+ level = SANDBOX_NONE;
+ } else if(!strcasecmp("normal", value)) {
+ level = SANDBOX_NORMAL;
+ } else if(!strcasecmp("high", value)) {
+ level = SANDBOX_HIGH;
+ } else {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Bad sandbox value %s!", value);
+ free(value);
+ return false;
+ }
+
+ free(value);
+ } else {
+#ifdef HAVE_SANDBOX
+ level = SANDBOX_NORMAL;
+#else
+ level = SANDBOX_NONE;
+#endif
+ }
+
+#ifndef HAVE_SANDBOX
+
+ if(level > SANDBOX_NONE) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Sandbox is used but is not supported on this platform");
+ return false;
+ }
+
+#endif
+ sandbox_set_level(level);
+ return true;
+}
+
static bool drop_privs(void) {
#ifndef HAVE_WINDOWS
uid_t uid = 0;
return false;
}
-#endif
- return true;
+#endif // HAVE_WINDOWS
+
+ makedirs(DIR_CACHE | DIR_HOSTS | DIR_INVITATIONS);
+
+ return sandbox_enter();
}
#ifdef HAVE_WINDOWS
}
if(show_version) {
- static const char *message =
+ fprintf(stdout,
"%s version %s (built %s %s, protocol %d.%d)\n"
"Features:"
#ifdef HAVE_OPENSSL
#ifdef HAVE_MINIUPNPC
" miniupnpc"
#endif
+#ifdef HAVE_SANDBOX
+ " sandbox"
+#endif
#ifdef ENABLE_UML
" uml"
#endif
"\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n"
- "see the file COPYING for details.\n";
-
- printf(message, PACKAGE, BUILD_VERSION, BUILD_DATE, BUILD_TIME, PROT_MAJOR, PROT_MINOR);
+ "see the file COPYING for details.\n",
+ PACKAGE, BUILD_VERSION, BUILD_DATE, BUILD_TIME, PROT_MAJOR, PROT_MINOR);
return 0;
}
char *umbstr = getenv("TINC_UMBILICAL");
if(umbstr) {
- umbilical = atoi(umbstr);
+ int colorize = 0;
+ sscanf(umbstr, "%d %d", &umbilical, &colorize);
+ umbilical_colorize = colorize;
if(fcntl(umbilical, F_GETFL) < 0) {
umbilical = 0;
return 1;
}
+ if(!read_sandbox_level()) {
+ return 1;
+ }
+
if(debug_level == DEBUG_NOTHING) {
int level = 0;
try_outgoing_connections();
+#ifdef HAVE_WATCHDOG
+ watchdog_start();
+#endif
+
status = main_loop();
+#ifdef HAVE_WATCHDOG
+ watchdog_stop();
+#endif
+
/* Shutdown properly. */
end: