mirror of https://github.com/msantos/xmppipe synced 2024-11-16 00:12:59 +00:00
Commit Graph

246 Commits

Author SHA1 Message Date
Michael Santos
db0769c1fd makefile: fix static target 2017-04-23 09:55:09 -04:00
Michael Santos
3e9f34f1fb openbsd/freebsd: cc hardening flags 2017-04-20 11:33:25 -04:00
Michael Santos
e98a6b24fa Increment version for pre-connect sandbox 2017-04-19 10:28:47 -04:00
Michael Santos
20f8b5904c Increment version for pre-connect sandbox 2017-04-19 10:22:16 -04:00
Michael Santos
81b4c2f4db seccomp sandbox: allow sendmmsg(2) 2017-04-18 08:54:11 -04:00
Michael Santos
e3e3d0bcf9 seccomp: pre-connect sandbox
Preliminary pre-connect sandbox for Linux. Tested on 32-bit ARM,
requires testing on other platforms.
2017-04-17 08:59:18 -04:00
Michael Santos
140470458f makefile: ensure compile before tests 2017-04-16 15:24:01 -04:00
Michael Santos
f734b5b77b freebsd: disable forking in preconnect sandbox 2017-04-15 11:35:57 -04:00
Michael Santos
6aa2cb528e sandbox: enforce rlimit restrictions before connect
Basic pre-connect sandbox: disable the ability for the xmppipe process
to fork.
2017-04-13 10:02:29 -04:00
Michael Santos
90c57630b6 openbsd: pre-connect pledge sandbox 2017-04-11 08:36:30 -04:00
Michael Santos
c17b196053 sandbox: add a pre-connect sandbox
Add a sandbox enforced before options are parsed and the connection is
established to the XMPP server. This sandbox will allow network
operations.

The post-connect sandbox is unchanged and restricts operations to stdio.

The commit just adds the infrastructure for the pre-connect sandbox.
2017-04-10 11:25:01 -04:00
Michael Santos
9a87cd4e1b openbsd: fix compile error 2017-04-09 08:16:11 -04:00
Michael Santos
899e988a6f roomname: use UID in default roomname
Use the UID of the xmppipe process instead of the PID in the default
name. This allows many processes running under the same user on a host
to share the same output channel and makes it easier to pre-create the
MUC if the xmppipe XMPP user does not have MUC creation privs.
2017-04-08 08:26:14 -04:00
Michael Santos
be90386d6e stream management: check h value in server response 2017-03-19 09:44:59 -04:00
Michael Santos
f4d9184bac Add wrapper around strtonum(3) for options 2017-03-18 08:00:59 -04:00
Michael Santos
cee9094fc8 options: use strtonum(3) to convert numbers
Limit the ranges for integers accepted as command line options.
2017-03-17 08:13:23 -04:00
Michael Santos
f30f666d87 Convert last handled stanza using strtonum(3) 2017-03-05 09:21:58 -05:00
Michael Santos
58cb075664 state: set room name/resource before options 2017-02-26 14:51:44 -05:00
Michael Santos
ad56bab3cc xmppipe_roomname: use define for hostname 2017-02-25 09:18:04 -05:00
Michael Santos
5cb6364cd0 Check gethostname(2) for error
Whether gethostname(2) returns an error depends on the implementation.
Some implementations:

* truncate the hostname if length is less than the hostname, with or
  without a trailing NULL

* return -1 if length is less than hostname

* return -1 if length is 0

Set a default name if gethostname() returns error.
2017-02-24 10:13:55 -05:00
Michael Santos
0296f2fbbd readme: running tests 2017-02-22 10:27:02 -05:00
Michael Santos
b9c446a928 test: error message for environment variables 2017-02-19 10:32:19 -05:00
Michael Santos
ad39d23c05 test: base64 encode/decode 2017-02-18 09:56:22 -05:00
Michael Santos
7d1fb8fdb8 makefile: add target for test 2017-02-17 09:57:32 -05:00
Michael Santos
e4fcd47b20 test: send using FIFOs between parent/child 2017-02-16 10:42:46 -05:00
Michael Santos
ff86eb8f9a test: send a message using stdin 2017-02-15 08:39:03 -05:00
Michael Santos
6c4a14c712 sandbox/seccomp: fake close(2) return value
Some errors will cause the XMPP file descriptor to be closed before
xmppipe exits. Return EBADF if close is called since the process will
terminate anyway.
2017-02-14 10:23:57 -05:00
Michael Santos
f51377428f Ignore invalid base64 messages
When base64 encoding is enabled, ignore any messages that fail base64
decoding.

Previously signed-unsigned integer conversion would cause the return
value of b64_pton() on error (a negative integer) to be converted to a
large value. The attempt to allocate this value would force xmppipe to
exit.
2017-02-13 10:07:06 -05:00
Michael Santos
85917f8ec4 sandbox/seccomp: print error message using err(3) 2017-02-12 10:17:05 -05:00
Michael Santos
417176cddb tests: add some basic tests
Check the basic functionality of xmppipe:

    # https://github.com/sstephenson/bats
    # apt-get install bats
    bats test
2017-02-11 10:35:01 -05:00
Michael Santos
7f0b5863c0 handle_stdin: use fd for nfds 2017-02-10 10:18:01 -05:00
Michael Santos
15926183a6 sandbox/seccomp: add more syscalls 2017-02-07 15:20:29 -05:00
Michael Santos
25f3441b33 README: add information about sandbox 2017-02-06 10:03:06 -05:00
Michael Santos
4a440def98 Enforce sandboxing 2017-02-05 09:18:56 -05:00
Michael Santos
2bf9415683 sandbox: enable capabilities sandbox on FreeBSD 2017-02-04 09:00:49 -05:00
Michael Santos
707d7cf19d Display enforced sandbox in verbose mode 2017-02-03 09:47:12 -05:00
Michael Santos
5917d03137 sandbox: Linux seccomp syscall filter
Add a BPF seccomp syscall filter on Linux. Not enabled by default. To
compile:

    XMPPIPE_SANDBOX=XMPPIPE_SANDBOX_SECCOMP make

The sandbox is derived from OpenSSH's seccomp sandbox by Will Drewry and
Kees Cook's tutorial on seccomp:

    http://outflux.net/teach-seccomp/
2017-02-02 10:13:33 -05:00
Michael Santos
c346c863e4 sandbox: set number of allowed fd's
The number of file descriptors enforced by setrlimit() can now be set at
compile time using a flag. The flag defaults to 0 on Linux and -1
everywhere else:

    XMPPIPE_SANDBOX=XMPPIPE_SANDBOX_RLIMIT \
    XMPPIPE_SANDBOX_RLIMIT_NOFILE=-1 \
    make

The meaning of the XMPPIPE_SANDBOX_RLIMIT_NOFILE is:

* -1 : set rlim_cur/rlim_max to the lowest allocated file descriptor

* >=0: set rlim_cur/rlim_max to this number

On some platforms, setting rlim_cur below the value of the highest
allocated fd may interfere with polling. See commit a34d5766c5 for
details.
2017-02-01 10:25:38 -05:00
Michael Santos
a34d5766c5 sandbox: basic rlimit sandbox
The rlimit sandbox disables forking processes and opening files.

The rlimit sandbox is not used by default yet. To compile it:

    XMPPIPE_SANDBOX=XMPPIPE_SANDBOX_RLIMIT make

The rlimit sandbox should work on any platform. However, the interaction
of RLIMIT_NOFILE with poll(2) (and select(2)?) on some platforms (FreeBSD
but really any OS besides Linux) is problematic:

* opening a number of fd's, setting RLIMIT_NOFILE to 0, calling
  poll(2) on the fdset

  Linux: works
  FreeBSD: fails

* opening a number of fd's, setting RLIMIT_NOFILE to maxfd+1, calling
  poll(2) on the fdset

  Linux: works
  FreeBSD: works

The issue with the second option is that a library may have opened a
sequence of file descriptors then closed the lower numbered fd's:

    open() => 3
    open() => 4
    open() => 5
    close(3)
    close(4)
    maxfd = 5

RLIMIT_NOFILE would be set to 6 (stdin, stdout, stderr, 3, 4, 5) and the
sandbox would allow re-opening fd's 3 and 4.

One possible fix would be to run through the sequence of fd's before
entering the rlimit sandbox:

* test if the fd is closed
* if the fd is closed, dup2(STDIN_FILENO, fd)

Since the closed fd's are not part of the pollset, they will not be
polled and should be ignored.

Note we can't simply move maxfd to the lowest unused fd because
libstrophe maintains the fd number as internal, opaque state.

Empirically, the xmpp fd is always 3. Another option would be to abort
the process if the fd does not equal 3.
2017-01-31 08:17:02 -05:00
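An added illustration of the rlimit sandbox and the closed-descriptor gap described in the commit message above (example code written for this page, not xmppipe's own). The function names are constructed, /dev/null stands in for the XMPP socket, and the retained descriptor rather than stdin is used as the dup2 source so the demo does not depend on the caller's stdin.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <unistd.h>

/* Plug every closed slot in [0, maxfd) with a dup of src, so that
 * RLIMIT_NOFILE = maxfd+1 leaves no slot a later open(2) could reuse. The
 * commit message proposes stdin as src. Returns slots filled, -1 on error. */
int fill_fd_gaps(int src, int maxfd) {
    int filled = 0;
    for (int fd = 0; fd < maxfd; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            if (dup2(src, fd) == -1) return -1;
            filled++;
        }
    }
    return filled;
}

/* Enforce the rlimit sandbox once all descriptors are allocated: no new
 * processes (RLIMIT_NPROC = 0; not enforced for root on Linux) and no new
 * descriptors (RLIMIT_NOFILE = maxfd+1). Returns 0 on success, -1 on error. */
int rlimit_sandbox(int src, int maxfd) {
    struct rlimit nofile = { .rlim_cur = (rlim_t)maxfd + 1,
                             .rlim_max = (rlim_t)maxfd + 1 };
    struct rlimit nproc = { .rlim_cur = 0, .rlim_max = 0 };
    if (fill_fd_gaps(src, maxfd) == -1) return -1;
    if (setrlimit(RLIMIT_NOFILE, &nofile) == -1) return -1;
    return setrlimit(RLIMIT_NPROC, &nproc);
}

/* Scenario from the commit message: open three descriptors, close the two
 * lowest, sandbox with the highest as maxfd (standing in for the XMPP
 * socket; it is also the dup source so the demo does not depend on the
 * caller's stdin). Returns errno of a later open(2) (EMFILE expected), 0 if
 * that open wrongly succeeded, -1 on setup failure, -2 if a gap remained. */
int sandbox_demo(void) {
    int a = open("/dev/null", O_RDONLY);
    int b = open("/dev/null", O_RDONLY);
    int c = open("/dev/null", O_RDONLY);
    if (a == -1 || b == -1 || c == -1) return -1;
    close(a);
    close(b);
    if (rlimit_sandbox(c, c) == -1) return -1;
    if (fcntl(a, F_GETFD) == -1 || fcntl(b, F_GETFD) == -1) return -2;
    if (open("/dev/null", O_RDONLY) != -1) return 0;
    return errno;
}
```

Without fill_fd_gaps the closed slots a and b would be reusable under the same RLIMIT_NOFILE, which is exactly the gap the commit message warns about.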
Michael Santos
cc665538cb sandbox: stdio mode using pledge(2) on OpenBSD 2017-01-30 10:17:54 -05:00
Michael Santos
a7d0ca7e47 Initial support for sandboxing
Prepare for sandboxing the xmppipe process by adding a function called
after all file descriptors are allocated.

The intent of the sandbox is to limit the xmppipe process to the role
of a component in a shell pipeline: reading from stdin, reading/writing
to the XMPP socket and writing to stdout. Any activity not involved with
using stdio should force the process to exit.

The sandbox function will vary based on the capabilities of the
platform. The default sandbox function does nothing.

Limitations of the sandbox:

Probably the biggest risk is in session establishment:
* the TLS handshake
* the XML parsing

The sandbox is enforced after the TLS connection is established, i.e.,
after the file descriptor for the XMPP session is allocated and so has no
effect on the TLS handshake or the initial XMPP handshake.

Possibly an initial sandbox could be set up for the connection phase
followed by a stricter sandbox for the stdio phase.
2017-01-29 09:44:12 -05:00
Michael Santos
7cf7562bb1 Update readme 2017-01-26 10:32:10 -05:00
Michael Santos
eef6074dd5 Add a LICENSE file
Uses the ISC license. License is also in the source code.
2017-01-25 07:58:34 -05:00
Michael Santos
e20bca9bd1 const'ify all the things 2017-01-18 06:31:24 -05:00
Michael Santos
550eaf4e59 Check message id has been allocated 2016-10-28 10:14:40 -04:00
Michael Santos
04c05bd5f2 xmppipe: avoid memory leak from duplicate options 2016-10-08 11:10:15 -04:00
Michael Santos
ee32002c2f ssh-over-xmpp: clean up example 2016-09-23 10:07:22 -04:00
Michael Santos
04f0641df1 Add example of terminal sharing using script(1) 2016-09-18 08:35:30 -04:00
Michael Santos
9410df9d78 bot.sh: clean up 2016-09-17 10:24:50 -04:00
Michael Santos
34efc88484 Mention tested XMPP servers 2016-09-15 10:34:39 -04:00