#define _P1003_1B_VISIBLE
#endif
-#ifdef HAVE_SYS_MMAN_H
-#include <sys/mman.h>
-#endif
-
#ifdef HAVE_LZO
#include LZO1X_H
#endif
-#ifdef LZ4_H
-#include LZ4_H
+#ifdef HAVE_LZ4
+#include <lz4.h>
#endif
-#ifndef HAVE_MINGW
+#ifndef HAVE_WINDOWS
#include <pwd.h>
#include <grp.h>
#include <time.h>
#include "utils.h"
#include "xalloc.h"
#include "version.h"
+#include "random.h"
+#include "sandbox.h"
/* If nonzero, display usage information and exit. */
static bool show_help = false;
/* If nonzero, print the version on standard output and exit. */
static bool show_version = false;
-/* If nonzero, use null ciphers and skip all key exchanges. */
-bool bypass_security = false;
-
#ifdef HAVE_MLOCKALL
/* If nonzero, disable swapping for this process. */
static bool do_mlock = false;
#endif
-#ifndef HAVE_MINGW
+#ifndef HAVE_WINDOWS
/* If nonzero, chroot to netdir after startup. */
static bool do_chroot = false;
static const char *switchuser = NULL;
#endif
-/* If nonzero, write log entries to a separate file. */
-bool use_logfile = false;
-
-/* If nonzero, use syslog instead of stderr in no-detach mode. */
-bool use_syslog = false;
-
char **g_argv; /* a copy of the cmdline arguments */
static int status = 1;
+typedef enum option_t {
+ OPT_BAD_OPTION = '?',
+ OPT_LONG_OPTION = 0,
+
+ // Short options
+ OPT_CONFIG_FILE = 'c',
+ OPT_NETNAME = 'n',
+ OPT_NO_DETACH = 'D',
+ OPT_DEBUG = 'd',
+ OPT_MLOCK = 'L',
+ OPT_CHROOT = 'R',
+ OPT_CHANGE_USER = 'U',
+ OPT_SYSLOG = 's',
+ OPT_OPTION = 'o',
+
+ // Long options
+ OPT_HELP = 255,
+ OPT_VERSION,
+ OPT_NO_SECURITY,
+ OPT_LOGFILE,
+ OPT_PIDFILE,
+} option_t;
+
static struct option const long_options[] = {
- {"config", required_argument, NULL, 'c'},
- {"net", required_argument, NULL, 'n'},
- {"help", no_argument, NULL, 1},
- {"version", no_argument, NULL, 2},
- {"no-detach", no_argument, NULL, 'D'},
- {"debug", optional_argument, NULL, 'd'},
- {"bypass-security", no_argument, NULL, 3},
- {"mlock", no_argument, NULL, 'L'},
- {"chroot", no_argument, NULL, 'R'},
- {"user", required_argument, NULL, 'U'},
- {"logfile", optional_argument, NULL, 4},
- {"syslog", no_argument, NULL, 's'},
- {"pidfile", required_argument, NULL, 5},
- {"option", required_argument, NULL, 'o'},
- {NULL, 0, NULL, 0}
+ {"config", required_argument, NULL, OPT_CONFIG_FILE},
+ {"net", required_argument, NULL, OPT_NETNAME},
+ {"no-detach", no_argument, NULL, OPT_NO_DETACH},
+ {"debug", optional_argument, NULL, OPT_DEBUG},
+ {"mlock", no_argument, NULL, OPT_MLOCK},
+ {"chroot", no_argument, NULL, OPT_CHROOT},
+ {"user", required_argument, NULL, OPT_CHANGE_USER},
+ {"syslog", no_argument, NULL, OPT_SYSLOG},
+ {"option", required_argument, NULL, OPT_OPTION},
+ {"help", no_argument, NULL, OPT_HELP},
+ {"version", no_argument, NULL, OPT_VERSION},
+ {"bypass-security", no_argument, NULL, OPT_NO_SECURITY},
+ {"logfile", optional_argument, NULL, OPT_LOGFILE},
+ {"pidfile", required_argument, NULL, OPT_PIDFILE},
+ {NULL, 0, NULL, 0},
};
-#ifdef HAVE_MINGW
+#ifdef HAVE_WINDOWS
static struct WSAData wsa_state;
int main2(int argc, char **argv);
#endif
fprintf(stderr, "Try `%s --help\' for more information.\n",
program_name);
else {
- static const char *message =
+ fprintf(stdout,
"Usage: %s [option]...\n"
"\n"
" -c, --config=DIR Read configuration options from DIR.\n"
" --pidfile=FILENAME Write PID and control socket cookie to FILENAME.\n"
" --bypass-security Disables meta protocol security, for debugging.\n"
" -o, --option[HOST.]KEY=VALUE Set global/host configuration value.\n"
-#ifndef HAVE_MINGW
+#ifndef HAVE_WINDOWS
" -R, --chroot chroot to NET dir at startup.\n"
" -U, --user=USER setuid to given USER at startup.\n"
#endif
" --help Display this help and exit.\n"
" --version Output version information and exit.\n"
"\n"
- "Report bugs to tinc@tinc-vpn.org.\n";
+ "Report bugs to tinc@tinc-vpn.org.\n",
+ program_name);
+ }
+}
+
+// Try to resolve path to absolute, return a copy of the argument if this fails.
+static char *get_path_arg(char *arg) {
+ char *result = absolute_path(arg);
- fprintf(stderr, message, program_name);
+ if(!result) {
+ result = xstrdup(arg);
}
+
+ return result;
}
static bool parse_options(int argc, char **argv) {
int lineno = 0;
while((r = getopt_long(argc, argv, "c:DLd::n:so:RU:", long_options, &option_index)) != EOF) {
- switch(r) {
- case 0: /* long option */
+ switch((option_t) r) {
+ case OPT_LONG_OPTION:
break;
- case 'c': /* config file */
+ case OPT_BAD_OPTION:
+ usage(true);
+ goto exit_fail;
+
+ case OPT_CONFIG_FILE:
+ assert(optarg);
free(confbase);
- confbase = xstrdup(optarg);
+ confbase = get_path_arg(optarg);
break;
- case 'D': /* no detach */
+ case OPT_NO_DETACH:
do_detach = false;
break;
- case 'L': /* no detach */
+ case OPT_MLOCK: /* lock tincd into RAM */
#ifndef HAVE_MLOCKALL
logger(DEBUG_ALWAYS, LOG_ERR, "The %s option is not supported on this platform.", argv[optind - 1]);
goto exit_fail;
break;
#endif
- case 'd': /* increase debug level */
+ case OPT_DEBUG: /* increase debug level */
if(!optarg && optind < argc && *argv[optind] != '-') {
optarg = argv[optind++];
}
break;
- case 'n': /* net name given */
+ case OPT_NETNAME:
+ assert(optarg);
free(netname);
netname = xstrdup(optarg);
break;
- case 's': /* syslog */
+ case OPT_SYSLOG:
use_logfile = false;
use_syslog = true;
break;
- case 'o': /* option */
+ case OPT_OPTION:
cfg = parse_config_line(optarg, NULL, ++lineno);
if(!cfg) {
list_insert_tail(&cmdline_conf, cfg);
break;
-#ifdef HAVE_MINGW
+#ifdef HAVE_WINDOWS
- case 'R':
- case 'U':
+ case OPT_CHANGE_USER:
+ case OPT_CHROOT:
logger(DEBUG_ALWAYS, LOG_ERR, "The %s option is not supported on this platform.", argv[optind - 1]);
goto exit_fail;
#else
- case 'R': /* chroot to NETNAME dir */
+ case OPT_CHROOT:
do_chroot = true;
break;
- case 'U': /* setuid to USER */
+ case OPT_CHANGE_USER:
switchuser = optarg;
break;
#endif
- case 1: /* show help */
+ case OPT_HELP:
show_help = true;
break;
- case 2: /* show version */
+ case OPT_VERSION:
show_version = true;
break;
- case 3: /* bypass security */
+ case OPT_NO_SECURITY:
bypass_security = true;
break;
- case 4: /* write log entries to a file */
+ case OPT_LOGFILE:
use_syslog = false;
use_logfile = true;
if(optarg) {
free(logfilename);
- logfilename = xstrdup(optarg);
+ logfilename = get_path_arg(optarg);
}
break;
- case 5: /* open control socket here */
+ case OPT_PIDFILE:
+ assert(optarg);
free(pidfilename);
- pidfilename = xstrdup(optarg);
+ pidfilename = get_path_arg(optarg);
break;
- case '?': /* wrong options */
- usage(true);
- goto exit_fail;
-
default:
break;
}
return false;
}
+static bool read_sandbox_level(void) {
+ sandbox_level_t level;
+ char *value = NULL;
+
+ if(get_config_string(lookup_config(&config_tree, "Sandbox"), &value)) {
+ if(!strcasecmp("off", value)) {
+ level = SANDBOX_NONE;
+ } else if(!strcasecmp("normal", value)) {
+ level = SANDBOX_NORMAL;
+ } else if(!strcasecmp("high", value)) {
+ level = SANDBOX_HIGH;
+ } else {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Bad sandbox value %s!", value);
+ free(value);
+ return false;
+ }
+
+ free(value);
+ } else {
+#ifdef HAVE_SANDBOX
+ level = SANDBOX_NORMAL;
+#else
+ level = SANDBOX_NONE;
+#endif
+ }
+
+#ifndef HAVE_SANDBOX
+
+ if(level > SANDBOX_NONE) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Sandbox is used but is not supported on this platform");
+ return false;
+ }
+
+#endif
+ sandbox_set_level(level);
+ return true;
+}
+
static bool drop_privs(void) {
-#ifndef HAVE_MINGW
+#ifndef HAVE_WINDOWS
uid_t uid = 0;
if(switchuser) {
}
#endif
- return true;
+
+ return sandbox_enter();
}
-#ifdef HAVE_MINGW
+#ifdef HAVE_WINDOWS
# define setpriority(level) !SetPriorityClass(GetCurrentProcess(), (level))
static void stop_handler(void *data, int flags) {
}
if(show_version) {
- static const char *message =
+ fprintf(stdout,
"%s version %s (built %s %s, protocol %d.%d)\n"
"Features:"
#ifdef HAVE_OPENSSL
#ifdef HAVE_MINIUPNPC
" miniupnpc"
#endif
+#ifdef HAVE_SANDBOX
+ " sandbox"
+#endif
#ifdef ENABLE_UML
" uml"
#endif
"\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n"
- "see the file COPYING for details.\n";
-
- printf(message, PACKAGE, BUILD_VERSION, BUILD_DATE, BUILD_TIME, PROT_MAJOR, PROT_MINOR);
+ "see the file COPYING for details.\n",
+ PACKAGE, BUILD_VERSION, BUILD_DATE, BUILD_TIME, PROT_MAJOR, PROT_MINOR);
return 0;
}
return 1;
}
-#ifdef HAVE_MINGW
+#ifdef HAVE_WINDOWS
if(WSAStartup(MAKEWORD(2, 2), &wsa_state)) {
logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "WSAStartup", winerror(GetLastError()));
char *umbstr = getenv("TINC_UMBILICAL");
if(umbstr) {
- umbilical = atoi(umbstr);
+ int colorize = 0;
+ sscanf(umbstr, "%d %d", &umbilical, &colorize);
+ umbilical_colorize = colorize;
if(fcntl(umbilical, F_GETFL) < 0) {
umbilical = 0;
#endif
gettimeofday(&now, NULL);
+ random_init();
crypto_init();
prng_init();
return 1;
}
+ if(!read_sandbox_level()) {
+ return 1;
+ }
+
if(debug_level == DEBUG_NOTHING) {
int level = 0;
#endif
-#ifdef HAVE_MINGW
+#ifdef HAVE_WINDOWS
io_add_event(&stop_io, stop_handler, NULL, WSACreateEvent());
if(stop_io.event == FALSE) {
free(priority);
- crypto_exit();
+ random_exit();
return status;
}