From 150650c7e97f455247492fa60a744a29b99a0aee Mon Sep 17 00:00:00 2001
From: Daniel Roethlisberger
Date: Fri, 14 Nov 2014 16:20:07 +0100
Subject: [PATCH] Make local procinfo run-time optional (-i) and use src host:port

---
 main.c | 27 +++++++++++++++++++------
 opts.h | 4 ++++
 proc.c | 26 ++++++++++++------------
 pxyconn.c | 59 ++++++++++++++++++++++++++++++++++---------------------
 4 files changed, 75 insertions(+), 41 deletions(-)

diff --git a/main.c b/main.c
index b4e9c66..5164e77 100644
--- a/main.c
+++ b/main.c
@@ -35,6 +35,7 @@
 #include "proxy.h"
 #include "ssl.h"
 #include "nat.h"
+#include "proc.h"
 #include "cachemgr.h"
 #include "sys.h"
 #include "log.h"
@@ -144,12 +145,21 @@ main_usage(void)
 " %%T - initial connection time as an ISO 8601 UTC timestamp\n"
 " %%d - dest address:port\n"
 " %%s - source address:port\n"
-" %%x - base name of local process (skipped if unavailable)\n"
-" %%X - full path to local process (skipped if unavailable)\n"
-" %%u - user name or id of local process (skipped if unavailable)\n"
-" %%g - group name or id of local process (skipped if unavailable)\n"
+#ifdef HAVE_LOCAL_PROCINFO
+" %%x - base name of local process (requires -i)\n"
+" %%X - full path to local process (requires -i)\n"
+" %%u - user name or id of local process (requires -i)\n"
+" %%g - group name or id of local process (requires -i)\n"
+#endif /* HAVE_LOCAL_PROCINFO */
 " %%%% - literal '%%'\n"
-" e.g. \"/var/log/sslsplit/%%X/%%u-%%s-%%d-%%T\"\n"
+#ifdef HAVE_LOCAL_PROCINFO
+" e.g. \"/var/log/sslsplit/%%X/%%u-%%s-%%d-%%T.log\"\n"
+" -i look up local process owning each connection for logging\n"
+#define OPT_i "i"
+#else /* !HAVE_LOCAL_PROCINFO */
+" e.g. \"/var/log/sslsplit/%%T-%%s-%%d.log\"\n"
+#define OPT_i
+#endif /* HAVE_LOCAL_PROCINFO */
 " -d daemon mode: run in background, log error messages to syslog\n"
 " -D debug mode: run in foreground, log debug messages on stderr\n"
 " -V print version information and exit\n"
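Review bot: The new `-i` usage line does not tell the operator when the lookup can actually succeed: proc_pid_for_addr in this same patch matches the connection's peer address against the local address and port (`insi_laddr`/`insi_lport`) of sockets in the process table, so it can only attribute connections whose client runs on the proxy host itself; for a remote client `%x`/`%X`/`%u`/`%g` will presumably stay empty even with -i. Suggest making that explicit in the help text, e.g. `" -i look up local process owning each connection for logging (same-host clients only)\n"`. The `(requires -i)` wording on the four format specifiers should likewise keep the old "skipped if unavailable" caveat, since the lookup is still best-effort. main_usage starts before this hunk.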
@@ -258,7 +268,7 @@ main(int argc, char *argv[])
 		natengine = NULL;
 	}
 
-	while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z
+	while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z OPT_i
 	                    "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVh")) != -1) {
 		switch (ch) {
 			case 'c':
@@ -503,6 +513,11 @@ main(int argc, char *argv[])
 				opts->contentlogdir = 0;
 				opts->contentlogspec = 1;
 				break;
+#ifdef HAVE_LOCAL_PROCINFO
+			case 'i':
+				opts->lprocinfo = 1;
+				break;
+#endif /* HAVE_LOCAL_PROCINFO */
 			case 'd':
 				opts->detach = 1;
 				break;
diff --git a/opts.h b/opts.h
index 6b88e18..6a145da 100644
--- a/opts.h
+++ b/opts.h
@@ -29,6 +29,7 @@
 #ifndef OPTS_H
 #define OPTS_H
 
+#include "proc.h"
 #include "nat.h"
 #include "ssl.h"
 #include "attrib.h"
@@ -76,6 +77,9 @@ typedef struct opts {
 	unsigned int deny_ocsp : 1;
 	unsigned int contentlogdir : 1;
 	unsigned int contentlogspec : 1;
+#ifdef HAVE_LOCAL_PROCINFO
+	unsigned int lprocinfo : 1;
+#endif /* HAVE_LOCAL_PROCINFO */
 	char *ciphers;
 	char *tgcrtdir;
 	char *dropuser;
diff --git a/proc.c b/proc.c
index 43f1a98..a65561a 100644
--- a/proc.c
+++ b/proc.c
@@ -49,8 +49,8 @@
 
 #ifdef HAVE_DARWIN_LIBPROC
 int
-proc_pid_for_addr(pid_t *result, struct sockaddr *dst_addr,
-                  UNUSED socklen_t dst_addrlen)
+proc_pid_for_addr(pid_t *result, struct sockaddr *src_addr,
+                  UNUSED socklen_t src_addrlen)
 {
 	pid_t *pids = NULL;
 	struct proc_fdinfo *fds = NULL;
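Review bot: `case 'i'` only sets `opts->lprocinfo` and never checks it against the privilege-drop option: the lookup it enables runs per connection in pxy_bev_eventcb, i.e. after startup, and on the HAVE_DARWIN_LIBPROC path it enumerates other processes' file descriptors, which presumably needs privileges that a `-u` drop (`dropuser` is visible in the opts.h hunk) would have given up, so every lookup would then silently fail. Either warn once after option parsing when both are set, e.g. `if (opts->lprocinfo && opts->dropuser) log_err_printf("Warning: -i may not work after dropping privileges with -u\n");`, or document the interaction in the -i help text. main() continues outside this hunk, so where such a check best fits is not visible here.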
@@ -109,25 +109,25 @@ proc_pid_for_addr(pid_t *result, struct sockaddr *dst_addr, continue; } - uint16_t sock_fport = sinfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_fport; + uint16_t sock_lport = sinfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_lport; if (sinfo.psi.soi_family == AF_INET && - dst_addr->sa_family == AF_INET) { - struct sockaddr_in *dst_sai = (struct sockaddr_in *)dst_addr; - if (dst_sai->sin_addr.s_addr != sinfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_faddr.ina_46.i46a_addr4.s_addr) { + src_addr->sa_family == AF_INET) { + struct sockaddr_in *src_sai = (struct sockaddr_in *)src_addr; + if (src_sai->sin_addr.s_addr != sinfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_laddr.ina_46.i46a_addr4.s_addr) { continue; } - if (dst_sai->sin_port != sock_fport) { + if (src_sai->sin_port != sock_lport) { continue; } } else if (sinfo.psi.soi_family == AF_INET6 && - dst_addr->sa_family == AF_INET6) { - struct sockaddr_in6 *dst_sai = (struct sockaddr_in6 *)dst_addr; - if (memcmp(dst_sai->sin6_addr.s6_addr, sinfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_faddr.ina_6.s6_addr, 16) != 0) { + src_addr->sa_family == AF_INET6) { + struct sockaddr_in6 *src_sai = (struct sockaddr_in6 *)src_addr; + if (memcmp(src_sai->sin6_addr.s6_addr, sinfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_laddr.ina_6.s6_addr, 16) != 0) { continue; } - if (dst_sai->sin6_port != sock_fport) { + if (src_sai->sin6_port != sock_lport) { continue; } } @@ -147,8 +147,8 @@ errout1: } #else /* !HAVE_DARWIN_LIBPROC */ int -proc_pid_for_addr(pid_t *result, UNUSED struct sockaddr *dst_addr, - UNUSED socklen_t dst_addrlen) { +proc_pid_for_addr(pid_t *result, UNUSED struct sockaddr *src_addr, + UNUSED socklen_t src_addrlen) { *result = -1; return 0; } diff --git a/pxyconn.c b/pxyconn.c index 24f5aa5..c1438c1 100644 --- a/pxyconn.c +++ b/pxyconn.c 
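Review bot: Both the AF_INET and AF_INET6 branches now match a socket purely on its local address and port (`insi_laddr`/`insi_lport`) against the connection's source address, and as far as the visible loop shows the first socket that survives the `continue`s is taken. A listening process shares one laddr:lport across its listener and every accepted socket, so a coincidence between the client's source port and a port some other local process is listening on would attribute the connection to the wrong process. The proxy knows the other endpoint of the same TCP connection (the address it accepted on), so additionally comparing `insi_faddr`/`insi_fport` against that would make the match unambiguous; that needs the accepting address passed in next to `src_addr`, which is an interface change beyond this hunk. proc_pid_for_addr begins before the hunk and its handling of a successful match is not visible here.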
@@ -97,6 +97,9 @@ typedef struct pxy_conn_desc {
 #ifdef HAVE_LOCAL_PROCINFO
 /* local process data - filled in iff pid != -1 */
 typedef struct pxy_conn_lproc_desc {
+	struct sockaddr_storage srcaddr;
+	socklen_t srcaddrlen;
+
 	pid_t pid;
 	uid_t uid;
 	gid_t gid;
@@ -1591,30 +1594,36 @@ pxy_bev_eventcb(struct bufferevent *bev, short events, void *arg)
 			pxy_conn_terminate_free(ctx);
 			return;
 		}
+
 #ifdef HAVE_LOCAL_PROCINFO
-		/* fetch process info */
-		if (proc_pid_for_addr(&ctx->lproc.pid,
-		                      (struct sockaddr*)&ctx->addr,
-		                      ctx->addrlen) == 0 &&
-		    ctx->lproc.pid != -1 &&
-		    proc_get_info(ctx->lproc.pid,
-		                  &ctx->lproc.exec_path,
-		                  &ctx->lproc.uid,
-		                  &ctx->lproc.gid) == 0) {
-			/* fetch user/group names */
-			ctx->lproc.user = sys_user_str(ctx->lproc.uid);
-			ctx->lproc.group = sys_group_str(ctx->lproc.gid);
-			if (!ctx->lproc.user || !ctx->lproc.group) {
-				ctx->enomem = 1;
-				pxy_conn_terminate_free(ctx);
-				return;
+		if (ctx->opts->lprocinfo) {
+			/* fetch process info */
+			if (proc_pid_for_addr(&ctx->lproc.pid,
+			                      (struct sockaddr*)&ctx->lproc.srcaddr,
+			                      ctx->lproc.srcaddrlen) == 0 &&
+			    ctx->lproc.pid != -1 &&
+			    proc_get_info(ctx->lproc.pid,
+			                  &ctx->lproc.exec_path,
+			                  &ctx->lproc.uid,
+			                  &ctx->lproc.gid) == 0) {
+				/* fetch user/group names */
+				ctx->lproc.user = sys_user_str(
+				                ctx->lproc.uid);
+				ctx->lproc.group = sys_group_str(
+				                ctx->lproc.gid);
+				if (!ctx->lproc.user ||
+				    !ctx->lproc.group) {
+					ctx->enomem = 1;
+					pxy_conn_terminate_free(ctx);
+					return;
+				}
+				log_dbg_printf("Local process "
+				               "%s %i %s:%s\n",
+				               ctx->lproc.exec_path,
+				               ctx->lproc.pid,
+				               ctx->lproc.user,
+				               ctx->lproc.group);
 			}
-			log_dbg_printf("Local process "
-			               "%s %i %s:%s\n",
-			               ctx->lproc.exec_path,
-			               ctx->lproc.pid,
-			               ctx->lproc.user,
-			               ctx->lproc.group);
 		}
 #endif /* HAVE_LOCAL_PROCINFO */
 	}
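Review bot: In the new `if (ctx->opts->lprocinfo)` block, when proc_pid_for_addr returns a pid but proc_get_info then fails, `ctx->lproc.pid` stays set while `exec_path`, `user` and `group` remain unset, which contradicts the `filled in iff pid != -1` comment on pxy_conn_lproc_desc in the first hunk; any consumer of `%x`/`%u` that keys on pid would then read those fields. An `else { ctx->lproc.pid = -1; }` on the inner `if` restores the invariant (unless ctx initialisation, outside this hunk, already resets it on that path). Now that -i is opt-in, a miss is also worth a `log_dbg_printf("Local process lookup failed for %s\n", ctx->src_str);` on that else path, since a silently empty `%X` directory is hard to diagnose. pxy_bev_eventcb starts and ends outside the hunk.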
@@ -2016,6 +2025,12 @@ pxy_conn_setup(evutil_socket_t fd,
 		ctx->src_str = sys_sockaddr_str(peeraddr, peeraddrlen);
 		if (!ctx->src_str)
 			goto memout;
+#ifdef HAVE_LOCAL_PROCINFO
+		if (ctx->opts->lprocinfo) {
+			memcpy(&ctx->lproc.srcaddr, peeraddr, peeraddrlen);
+			ctx->lproc.srcaddrlen = peeraddrlen;
+		}
+#endif /* HAVE_LOCAL_PROCINFO */
 	}
 
 	/* for SSL, defer dst connection setup to initial_readcb */
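Review bot: The added `memcpy(&ctx->lproc.srcaddr, peeraddr, peeraddrlen)` copies a caller-supplied length into a fixed-size `struct sockaddr_storage` without bounding it; peeraddrlen presumably comes from the accept path and fits, but nothing in this function enforces that, and a too-large value would overflow into the fields that follow in pxy_conn_lproc_desc. A guard before the copy, `if (peeraddrlen > sizeof(ctx->lproc.srcaddr)) goto memout;` (reusing the nearest visible error label; a dedicated one would name the condition better), keeps a bad length from becoming memory corruption at the cost of one comparison. pxy_conn_setup starts and ends outside the hunk, so whether peeraddrlen is validated earlier is not visible here.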