Gotweb

Blob

Date:: Thu Jun 23 14:58:40 2022 UTC
Message:: use capsicum on FreeBSD Thanks to the design of Got, the libexec helpers don't need any resource (in fact they run under pledge "stdio recvfd" on OpenBSD) and so using cap_enter(2) on FreeBSD is dead-easy. While the main process can't be sandboxed on FreeBSD (needs to exec the helpers), all the tough work is done by these small libexec helpers which is also the biggest attack surface. tested by naddy, ok thomas
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2019 Stefan Sperling <stsp@openbsd.org>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include <sys/types.h>
18 #include <sys/uio.h>
19 #include <sys/time.h>
20 
21 #include <stdint.h>
22 #include <limits.h>
23 #include <signal.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <unistd.h>
28 #include <zlib.h>
29 
30 #include "got_compat.h"
31 
32 #include "got_error.h"
33 #include "got_object.h"
34 #include "got_repository.h"
35 
36 #include "got_lib_delta.h"
37 #include "got_lib_object.h"
38 #include "got_lib_privsep.h"
39 #include "got_lib_gitconfig.h"
40 
41 static volatile sig_atomic_t sigint_received;
42 
43 static void
44 catch_sigint(int signo)
45 {
46 	sigint_received = 1;
47 }
48 
49 static const struct got_error *
50 send_gitconfig_int(struct imsgbuf *ibuf, int value)
51 {
52 	if (imsg_compose(ibuf, GOT_IMSG_GITCONFIG_INT_VAL, 0, 0, -1,
53 	    &value, sizeof(value)) == -1)
54 		return got_error_from_errno("imsg_compose GITCONFIG_INT_VAL");
55 
56 	return got_privsep_flush_imsg(ibuf);
57 }
58 
59 static const struct got_error *
60 gitconfig_num_request(struct imsgbuf *ibuf, struct got_gitconfig *gitconfig,
61     const char *section, const char *tag, int def)
62 {
63 	int value;
64 
65 	if (gitconfig == NULL)
66 		return got_error(GOT_ERR_PRIVSEP_MSG);
67 
68 	value = got_gitconfig_get_num(gitconfig, section, tag, def);
69 	return send_gitconfig_int(ibuf, value);
70 }
71 
72 static const struct got_error *
73 send_gitconfig_str(struct imsgbuf *ibuf, const char *value)
74 {
75 	size_t len = value ? strlen(value) : 0;
76 
77 	if (imsg_compose(ibuf, GOT_IMSG_GITCONFIG_STR_VAL, 0, 0, -1,
78 	    value, len) == -1)
79 		return got_error_from_errno("imsg_compose GITCONFIG_STR_VAL");
80 
81 	return got_privsep_flush_imsg(ibuf);
82 }
83 
84 static const struct got_error *
85 gitconfig_str_request(struct imsgbuf *ibuf, struct got_gitconfig *gitconfig,
86     const char *section, const char *tag)
87 {
88 	char *value;
89 
90 	if (gitconfig == NULL)
91 		return got_error(GOT_ERR_PRIVSEP_MSG);
92 
93 	value = got_gitconfig_get_str(gitconfig, section, tag);
94 	return send_gitconfig_str(ibuf, value);
95 }
96 
97 static const struct got_error *
98 send_gitconfig_remotes(struct imsgbuf *ibuf, struct got_remote_repo *remotes,
99     int nremotes)
100 {
101 	const struct got_error *err = NULL;
102 	struct got_imsg_remotes iremotes;
103 	int i;
104 
105 	iremotes.nremotes = nremotes;
106 	if (imsg_compose(ibuf, GOT_IMSG_GITCONFIG_REMOTES, 0, 0, -1,
107 	    &iremotes, sizeof(iremotes)) == -1)
108 		return got_error_from_errno("imsg_compose GITCONFIG_REMOTES");
109 
110 	err = got_privsep_flush_imsg(ibuf);
111 	imsg_clear(ibuf);
112 	if (err)
113 		return err;
114 
115 	for (i = 0; i < nremotes; i++) {
116 		struct got_imsg_remote iremote;
117 		size_t len = sizeof(iremote);
118 		struct ibuf *wbuf;
119 
120 		iremote.mirror_references = remotes[i].mirror_references;
121 		iremote.name_len = strlen(remotes[i].name);
122 		len += iremote.name_len;
123 		iremote.fetch_url_len = strlen(remotes[i].fetch_url);
124 		len += iremote.fetch_url_len;
125 		iremote.send_url_len = strlen(remotes[i].send_url);
126 		len += iremote.send_url_len;
127 
128 		wbuf = imsg_create(ibuf, GOT_IMSG_GITCONFIG_REMOTE, 0, 0, len);
129 		if (wbuf == NULL)
130 			return got_error_from_errno(
131 			    "imsg_create GITCONFIG_REMOTE");
132 
133 		if (imsg_add(wbuf, &iremote, sizeof(iremote)) == -1)
134 			return got_error_from_errno(
135 			    "imsg_add GITCONFIG_REMOTE");
136 
137 		if (imsg_add(wbuf, remotes[i].name, iremote.name_len) == -1)
138 			return got_error_from_errno(
139 			    "imsg_add GITCONFIG_REMOTE");
140 		if (imsg_add(wbuf, remotes[i].fetch_url, iremote.fetch_url_len) == -1)
141 			return got_error_from_errno(
142 			    "imsg_add GITCONFIG_REMOTE");
143 		if (imsg_add(wbuf, remotes[i].send_url, iremote.send_url_len) == -1)
144 			return got_error_from_errno(
145 			    "imsg_add GITCONFIG_REMOTE");
146 
147 		wbuf->fd = -1;
148 		imsg_close(ibuf, wbuf);
149 		err = got_privsep_flush_imsg(ibuf);
150 		if (err)
151 			return err;
152 	}
153 
154 	return NULL;
155 }
156 
157 static int
158 get_boolean_val(char *val)
159 {
160     return (strcasecmp(val, "true") == 0 ||
161 	strcasecmp(val, "on") == 0 ||
162 	strcasecmp(val, "yes") == 0 ||
163 	strcmp(val, "1") == 0);
164 }
165 
166 static const struct got_error *
167 gitconfig_remotes_request(struct imsgbuf *ibuf, struct got_gitconfig *gitconfig)
168 {
169 	const struct got_error *err = NULL;
170 	struct got_gitconfig_list *sections;
171 	struct got_gitconfig_list_node *node;
172 	struct got_remote_repo *remotes = NULL;
173 	int nremotes = 0, i;
174 
175 	if (gitconfig == NULL)
176 		return got_error(GOT_ERR_PRIVSEP_MSG);
177 
178 	err = got_gitconfig_get_section_list(&sections, gitconfig);
179 	if (err)
180 		return err;
181 
182 	TAILQ_FOREACH(node, &sections->fields, link) {
183 		if (strncasecmp("remote \"", node->field, 8) != 0)
184 			continue;
185 		nremotes++;
186 	}
187 
188 	if (nremotes == 0) {
189 		err = send_gitconfig_remotes(ibuf, NULL, 0);
190 		goto done;
191 	}
192 
193 	remotes = recallocarray(NULL, 0, nremotes, sizeof(*remotes));
194 	if (remotes == NULL) {
195 		err = got_error_from_errno("recallocarray");
196 		goto done;
197 	}
198 
199 	i = 0;
200 	TAILQ_FOREACH(node, &sections->fields, link) {
201 		char *name, *end, *mirror;
202 
203 		if (strncasecmp("remote \"", node->field, 8) != 0)
204 			continue;
205 
206 		name = strdup(node->field + 8);
207 		if (name == NULL) {
208 			err = got_error_from_errno("strdup");
209 			goto done;
210 		}
211 		end = strrchr(name, '"');
212 		if (end)
213 			*end = '\0';
214 		remotes[i].name = name;
215 
216 		remotes[i].fetch_url = got_gitconfig_get_str(gitconfig,
217 		    node->field, "url");
218 		if (remotes[i].fetch_url == NULL) {
219 			err = got_error(GOT_ERR_GITCONFIG_SYNTAX);
220 			goto done;
221 		}
222 
223 		remotes[i].send_url = got_gitconfig_get_str(gitconfig,
224 		    node->field, "pushurl");
225 		if (remotes[i].send_url == NULL)
226 			remotes[i].send_url = got_gitconfig_get_str(gitconfig,
227 			    node->field, "url");
228 		if (remotes[i].send_url == NULL) {
229 			err = got_error(GOT_ERR_GITCONFIG_SYNTAX);
230 			goto done;
231 		}
232 
233 		remotes[i].mirror_references = 0;
234 		mirror = got_gitconfig_get_str(gitconfig, node->field,
235 		    "mirror");
236 		if (mirror != NULL && get_boolean_val(mirror))
237 			remotes[i].mirror_references = 1;
238 
239 		i++;
240 	}
241 
242 	err = send_gitconfig_remotes(ibuf, remotes, nremotes);
243 done:
244 	for (i = 0; i < nremotes; i++)
245 		free(remotes[i].name);
246 	free(remotes);
247 	got_gitconfig_free_list(sections);
248 	return err;
249 }
250 
251 static const struct got_error *
252 gitconfig_owner_request(struct imsgbuf *ibuf, struct got_gitconfig *gitconfig)
253 {
254 	char *value;
255 
256 	if (gitconfig == NULL)
257 		return got_error(GOT_ERR_PRIVSEP_MSG);
258 
259 	value = got_gitconfig_get_str(gitconfig, "gotweb", "owner");
260 	if (value)
261 		return send_gitconfig_str(ibuf, value);
262 	value = got_gitconfig_get_str(gitconfig, "gitweb", "owner");
263 	return send_gitconfig_str(ibuf, value);
264 }
265 
266 static const struct got_error *
267 gitconfig_extensions_request(struct imsgbuf *ibuf,
268     struct got_gitconfig *gitconfig)
269 {
270 	const struct got_error *err = NULL;
271 	struct got_gitconfig_list *tags;
272 	struct got_gitconfig_list_node *node;
273 	int nextensions = 0;
274 	char *val;
275 
276 	if (gitconfig == NULL)
277 		return got_error(GOT_ERR_PRIVSEP_MSG);
278 
279 	tags = got_gitconfig_get_tag_list(gitconfig, "extensions");
280 	if (tags == NULL)
281 		return send_gitconfig_int(ibuf, 0);
282 
283 	TAILQ_FOREACH(node, &tags->fields, link) {
284 		val = got_gitconfig_get_str(gitconfig, "extensions",
285 		    node->field);
286 		if (get_boolean_val(val))
287 			nextensions++;
288 	}
289 
290 	err = send_gitconfig_int(ibuf, nextensions);
291 	if (err)
292 		goto done;
293 
294 	TAILQ_FOREACH(node, &tags->fields, link) {
295 		val = got_gitconfig_get_str(gitconfig, "extensions",
296 		    node->field);
297 		if (get_boolean_val(val)) {
298 			err = send_gitconfig_str(ibuf, node->field);
299 			if (err)
300 				goto done;
301 		}
302 	}
303 done:
304 	got_gitconfig_free_list(tags);
305 	return err;
306 }
307 
308 int
309 main(int argc, char *argv[])
310 {
311 	const struct got_error *err = NULL;
312 	struct imsgbuf ibuf;
313 	size_t datalen;
314 	struct got_gitconfig *gitconfig = NULL;
315 #if 0
316 	static int attached;
317 
318 	while (!attached)
319 		sleep(1);
320 #endif
321 	signal(SIGINT, catch_sigint);
322 
323 	imsg_init(&ibuf, GOT_IMSG_FD_CHILD);
324 
325 #ifndef PROFILE
326 	/* revoke access to most system calls */
327 	if (pledge("stdio recvfd", NULL) == -1) {
328 		err = got_error_from_errno("pledge");
329 		got_privsep_send_error(&ibuf, err);
330 		return 1;
331 	}
332 
333 	/* revoke fs access */
334 	if (landlock_no_fs() == -1) {
335 		err = got_error_from_errno("landlock_no_fs");
336 		got_privsep_send_error(&ibuf, err);
337 		return 1;
338 	}
339 	if (cap_enter() == -1) {
340 		err = got_error_from_errno("cap_enter");
341 		got_privsep_send_error(&ibuf, err);
342 		return 1;
343 	}
344 #endif
345 
346 	for (;;) {
347 		struct imsg imsg;
348 
349 		memset(&imsg, 0, sizeof(imsg));
350 		imsg.fd = -1;
351 
352 		if (sigint_received) {
353 			err = got_error(GOT_ERR_CANCELLED);
354 			break;
355 		}
356 
357 		err = got_privsep_recv_imsg(&imsg, &ibuf, 0);
358 		if (err) {
359 			if (err->code == GOT_ERR_PRIVSEP_PIPE)
360 				err = NULL;
361 			break;
362 		}
363 
364 		if (imsg.hdr.type == GOT_IMSG_STOP)
365 			break;
366 
367 		switch (imsg.hdr.type) {
368 		case GOT_IMSG_GITCONFIG_PARSE_REQUEST:
369 			datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
370 			if (datalen != 0) {
371 				err = got_error(GOT_ERR_PRIVSEP_LEN);
372 				break;
373 			}
374 			if (imsg.fd == -1){
375 				err = got_error(GOT_ERR_PRIVSEP_NO_FD);
376 				break;
377 			}
378 
379 			if (gitconfig)
380 				got_gitconfig_close(gitconfig);
381 			err = got_gitconfig_open(&gitconfig, imsg.fd);
382 			break;
383 		case GOT_IMSG_GITCONFIG_REPOSITORY_FORMAT_VERSION_REQUEST:
384 			err = gitconfig_num_request(&ibuf, gitconfig, "core",
385 			    "repositoryformatversion", 0);
386 			break;
387 		case GOT_IMSG_GITCONFIG_REPOSITORY_EXTENSIONS_REQUEST:
388 			err = gitconfig_extensions_request(&ibuf, gitconfig);
389 			break;
390 		case GOT_IMSG_GITCONFIG_AUTHOR_NAME_REQUEST:
391 			err = gitconfig_str_request(&ibuf, gitconfig, "user",
392 			    "name");
393 			break;
394 		case GOT_IMSG_GITCONFIG_AUTHOR_EMAIL_REQUEST:
395 			err = gitconfig_str_request(&ibuf, gitconfig, "user",
396 			    "email");
397 			break;
398 		case GOT_IMSG_GITCONFIG_REMOTES_REQUEST:
399 			err = gitconfig_remotes_request(&ibuf, gitconfig);
400 			break;
401 		case GOT_IMSG_GITCONFIG_OWNER_REQUEST:
402 			err = gitconfig_owner_request(&ibuf, gitconfig);
403 			break;
404 		default:
405 			err = got_error(GOT_ERR_PRIVSEP_MSG);
406 			break;
407 		}
408 
409 		if (imsg.fd != -1) {
410 			if (close(imsg.fd) == -1 && err == NULL)
411 				err = got_error_from_errno("close");
412 		}
413 
414 		imsg_free(&imsg);
415 		if (err)
416 			break;
417 	}
418 
419 	imsg_clear(&ibuf);
420 	if (err) {
421 		if (!sigint_received && err->code != GOT_ERR_PRIVSEP_PIPE) {
422 			fprintf(stderr, "%s: %s\n", getprogname(), err->msg);
423 			got_privsep_send_error(&ibuf, err);
424 		}
425 	}
426 	if (close(GOT_IMSG_FD_CHILD) == -1 && err == NULL)
427 		err = got_error_from_errno("close");
428 	return err ? 1 : 0;
429 }