X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_setup.c;h=3ac5a6796fd5c453f2527078395fee0db9fa3160;hb=2f2bda4d1953617b945f1222e008cb53edee162a;hp=a829e8228388d7d9d3401b752122d98c8762e968;hpb=0289162552cd85375605044c696e2a3294e7aa9a;p=tinc

diff --git a/src/net_setup.c b/src/net_setup.c
index a829e822..3ac5a679 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -45,6 +45,7 @@
 #include "utils.h"
 #include "xalloc.h"
 #include "keys.h"
+#include "sandbox.h"
 
 #ifdef HAVE_MINIUPNPC
 #include "upnp.h"
@@ -230,11 +231,25 @@ char *get_name(void) {
 	return returned_name;
 }
 
-bool setup_myself_reloadable(void) {
-	free(scriptinterpreter);
-	scriptinterpreter = NULL;
+static void read_interpreter(void) {
+	char *interpreter = NULL;
+	get_config_string(lookup_config(&config_tree, "ScriptsInterpreter"), &interpreter);
+
+	if(!interpreter || (sandbox_can(START_PROCESSES, AFTER_SANDBOX) && sandbox_can(USE_NEW_PATHS, AFTER_SANDBOX))) {
+		free(scriptinterpreter);
+		scriptinterpreter = interpreter;
+		return;
+	}
+
+	if(!string_eq(interpreter, scriptinterpreter)) {
+		logger(DEBUG_ALWAYS, LOG_NOTICE, "Not changing ScriptsInterpreter because of sandbox.");
+	}
+
+	free(interpreter);
+}
 
-	get_config_string(lookup_config(&config_tree, "ScriptsInterpreter"), &scriptinterpreter);
+bool setup_myself_reloadable(void) {
+	read_interpreter();
 
 	free(scriptextension);
 
@@ -264,10 +279,15 @@ bool setup_myself_reloadable(void) {
 		} else if(!strcasecmp(proxy, "http")) {
 			proxytype = PROXY_HTTP;
 		} else if(!strcasecmp(proxy, "exec")) {
-			proxytype = PROXY_EXEC;
+			if(sandbox_can(START_PROCESSES, AFTER_SANDBOX)) {
+				proxytype = PROXY_EXEC;
+			} else {
+				logger(DEBUG_ALWAYS, LOG_ERR, "Cannot use exec proxies with current sandbox level.");
+				return false;
+			}
 		} else {
 			logger(DEBUG_ALWAYS, LOG_ERR, "Unknown proxy type %s!", proxy);
-			free(proxy);
+			free_string(proxy);
 			return false;
 		}
 
@@ -277,10 +297,10 @@ bool setup_myself_reloadable(void) {
 		free(proxyport);
 		proxyport = NULL;
 
-		free(proxyuser);
+		free_string(proxyuser);
 		proxyuser = NULL;
 
-		free(proxypass);
+		free_string(proxypass);
 		proxypass = NULL;
 
 		switch(proxytype) {
@@ -291,10 +311,14 @@ bool setup_myself_reloadable(void) {
 		case PROXY_EXEC:
 			if(!space || !*space) {
 				logger(DEBUG_ALWAYS, LOG_ERR, "Argument expected for proxy type exec!");
-				free(proxy);
+				free_string(proxy);
 				return false;
 			}
 
+			if(!sandbox_can(USE_NEW_PATHS, AFTER_SANDBOX)) {
+				logger(DEBUG_ALWAYS, LOG_NOTICE, "Changed exec proxy may fail to work because of sandbox.");
+			}
+
 			proxyhost = xstrdup(space);
 			break;
 
@@ -312,7 +336,7 @@ bool setup_myself_reloadable(void) {
 				logger(DEBUG_ALWAYS, LOG_ERR, "Host and port argument expected for proxy!");
 				proxyport = NULL;
 				proxyhost = NULL;
-				free(proxy);
+				free_string(proxy);
 				return false;
 			}
 
@@ -338,7 +362,7 @@ bool setup_myself_reloadable(void) {
 			break;
 		}
 
-		free(proxy);
+		free_string(proxy);
 	}
 
 	bool choice;
@@ -788,9 +812,11 @@ static bool setup_myself(void) {
 		}
 	}
 
-	myself->connection->rsa = read_rsa_private_key(&config_tree, NULL);
+	rsa_t *rsa = read_rsa_private_key(&config_tree, NULL);
 
-	if(!myself->connection->rsa) {
+	if(rsa) {
+		myself->connection->legacy = new_legacy_ctx(rsa);
+	} else {
 		if(experimental) {
 			logger(DEBUG_ALWAYS, LOG_WARNING, "Support for legacy protocol disabled.");
 		} else {
@@ -901,7 +927,8 @@ static bool setup_myself(void) {
 
 		if(!cipher_open_by_name(myself->incipher, cipher)) {
 			logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized cipher type!");
-			cipher_free(&myself->incipher);
+			cipher_free(myself->incipher);
+			myself->incipher = NULL;
 			free(cipher);
 			return false;
 		}
@@ -936,7 +963,8 @@ static bool setup_myself(void) {
 
 		if(!digest_open_by_name(myself->indigest, digest, maclength)) {
 			logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized digest type!");
-			digest_free(&myself->indigest);
+			digest_free(myself->indigest);
+			myself->indigest = NULL;
 			free(digest);
 			return false;
 		}
@@ -946,7 +974,11 @@ static bool setup_myself(void) {
 #endif
 
 	/* Compression */
-	if(get_config_int(lookup_config(&config_tree, "Compression"), &myself->incompression)) {
+	int incompression = 0;
+
+	if(get_config_int(lookup_config(&config_tree, "Compression"), &incompression)) {
+		myself->incompression = incompression;
+
 		switch(myself->incompression) {
 		case COMPRESS_LZ4:
 #ifdef HAVE_LZ4
@@ -996,8 +1028,6 @@ static bool setup_myself(void) {
 		myself->incompression = COMPRESS_NONE;
 	}
 
-	myself->connection->outcompression = COMPRESS_NONE;
-
 	/* Done */
 
 	myself->nexthop = myself;
@@ -1016,7 +1046,7 @@ static bool setup_myself(void) {
 	devops = os_devops;
 
 	if(get_config_string(lookup_config(&config_tree, "DeviceType"), &type)) {
-		if(!strcasecmp(type, "dummy")) {
+		if(!strcasecmp(type, DEVICE_DUMMY)) {
 			devops = dummy_devops;
 		} else if(!strcasecmp(type, "raw_socket")) {
 			devops = raw_socket_devops;