Archives
/
xmppipe
mirror of https://github.com/msantos/xmppipe
2
0
Fork 0
Code Issues Releases Wiki Activity
254 Commits
1 Branch
7 Tags
962 KiB
master
0.14.2
0.14.3
0.14.5
0.14.8
0.14.9
0.15.0
0.16.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ff574f6412'
${ noResults }
Commit Graph

254 Commits (ff574f6412e6b289ed86b52d9f44398e4e0bc1d0)
 

Author SHA1 Message Date
Michael Santos 9fa747fd5c seccomp: allow llseek(2) for TLS verification 
libstrophe 0.9.2 uses OpenSSL to validate TLS certs by checking against
the system cert store.

Allow llseek(2). Probably a better way of handling syscalls is to allow
classes of syscalls based on OpenBSD's pledge.
 7 years ago
Michael Santos a6b81e9fbb Merge branch 'pasis-uuid' 7 years ago
Dmitry Podgorny ef78dc7deb Replace libuuid with xmpp_uuid_gen() 
xmpp_uuid_gen() appeared in libstrophe-0.9.0 and solves issues with
libuuid across different systems.
 7 years ago
Michael Santos f201c6a483 Add support for long options 7 years ago
Michael Santos 41a6897bc1 Use native strtonum(3) on BSDs 7 years ago
Michael Santos 78978f725d sandbox: ignore return value of cap_rights_init(3) 7 years ago
Michael Santos 70423ab6a7 capsicum: remove duplicated process rlimit 7 years ago
Michael Santos 26ef980678 makefile: env vars to pass extra build flags 7 years ago
Michael Santos db0769c1fd makefile: fix static target 7 years ago
Michael Santos 3e9f34f1fb openbsd/freebsd: cc hardening flags 7 years ago
Michael Santos e98a6b24fa Increment version for pre-connect sandbox 7 years ago
Michael Santos 20f8b5904c Increment version for pre-connect sandbox 7 years ago
Michael Santos 81b4c2f4db seccomp sandbox: allow sendmmsg(2) 7 years ago
Michael Santos e3e3d0bcf9 seccomp: pre-connect sandbox 
Preliminary pre-connect sandbox for Linux. Tested on 32-bit ARM,
requires testing on other platforms.
 7 years ago
Michael Santos 140470458f makefile: ensure compile before tests 7 years ago
Michael Santos f734b5b77b freebsd: disable forking in preconnect sandbox 7 years ago
Michael Santos 6aa2cb528e sandbox: enforce rlimit restrictions before connect 
Basic pre-connect sandbox: disable the ability for the xmppipe process
to fork.
 7 years ago
Michael Santos 90c57630b6 openbsd: pre-connect pledge sandbox 7 years ago
Michael Santos c17b196053 sandbox: add a pre-connect sandbox 
Add a sandbox enforced before options are parsed and the connection is
established to the XMPP server. This sandbox will allow network
operations.

The post-connect sandbox is unchanged and restricts operations to stdio.

The commit just adds the infrastructure for the pre-connect sandbox.
 7 years ago
Michael Santos 9a87cd4e1b openbsd: fix compile error 7 years ago
Michael Santos 899e988a6f roomname: use UID in default roomname 
Use the UID of the xmppipe process instead of the PID in the default
name. This allows many processes running under the same user on a host
to share the same output channel and makes it easier to pre-create the
MUC if the xmppipe XMPP user does not have MUC creation privs.
 7 years ago
Michael Santos be90386d6e stream management: check h value in server response 7 years ago
Michael Santos f4d9184bac Add wrapper around strtonum(3) for options 7 years ago
Michael Santos cee9094fc8 options: use strtonum(3) to convert numbers 
Limit the ranges for integers accepted as command line options.
 7 years ago
Michael Santos f30f666d87 Convert last handled stanza using strtonum(3) 7 years ago
Michael Santos 58cb075664 state: set room name/resource before options 7 years ago
Michael Santos ad56bab3cc xmppipe_roomname: use define for hostname 7 years ago
Michael Santos 5cb6364cd0 Check gethostname(2) for error 
Whether gethostname(2) returns an error depends on the implementation.
Some implementations:

* truncate the hostname if length is less than the hostname, with or
  without a trailing NULL

* return -1 if length is less than hostname

* return -1 if length is 0

Set a default name if gethostanme() returns error.
 7 years ago
Michael Santos 0296f2fbbd readme: running tests 7 years ago
Michael Santos b9c446a928 test: error message for environment variables 7 years ago
Michael Santos ad39d23c05 test: base64 encode/decode 7 years ago
Michael Santos 7d1fb8fdb8 makefile: add target for test 7 years ago
Michael Santos e4fcd47b20 test: send using FIFOs between parent/child 7 years ago
Michael Santos ff86eb8f9a test: send a message using stdin 7 years ago
Michael Santos 6c4a14c712 sandbox/seccomp: fake close(2) return value 
Some errors will cause the XMPP file descriptor to be closed before
xmppipe exits. Return EBADF if close is called since the process will
terminate anyway.
 7 years ago
Michael Santos f51377428f Ignore invalid base64 messages 
When base64 encoding is enabled, ignore any messages that fail base64
decoding.

Previously signed-unsigned integer conversion would cause the return
value of b64_pton() on error (a negative integer) to be converted to a
large value. The attempt to allocate this value would force xmppipe to
exit.
 7 years ago
Michael Santos 85917f8ec4 sandbox/seccomp: print error message using err(3) 7 years ago
Michael Santos 417176cddb tests: add some basic tests 
Check the the basic functionality of xmppipe:

    # https://github.com/sstephenson/bats
    # apt-get install bats
    bats test
 7 years ago
Michael Santos 7f0b5863c0 handle_stdin: use fd for nfds 7 years ago
Michael Santos 15926183a6 sandbox/seccomp: add more syscalls 7 years ago
Michael Santos 25f3441b33 README: add information about sandbox 7 years ago
Michael Santos 4a440def98 Enforce sandboxing 7 years ago
Michael Santos 2bf9415683 sandbox: enable capabilities sandbox on FreeBSD 7 years ago
Michael Santos 707d7cf19d Display enforced sandbox in verbose mode 8 years ago
Michael Santos 5917d03137 sandbox: Linux seccomp syscall filter 
Add a BPF seccomp syscall filter on Linux. Not enabled by default. To
compile:

    XMPPIPE_SANDBOX=XMPPIPE_SANDBOX_SECCOMP make

The sandbox is derived from OpenSSH's seccomp sandbox by Will Drewry and
Kees Cook's tutorial on seccomp:

    http://outflux.net/teach-seccomp/
 8 years ago
Michael Santos c346c863e4 sandbox: set number of allowed fd's 
The number of file descriptors enforced by setrlimit() can now be set at
compile time using a flag. The flag defaults to 0 on Linux and -1
everywhere else:

    XMPPIPE_SANDBOX=XMPPIPE_SANDBOX_RLIMIT \
    XMPPIPE_SANDBOX_RLIMIT_NOFILE=-1 \
    make

The meaning of the XMPPIPE_SANDBOX_RLIMIT_NOFILE is:

* -1 : set rlim_cur/rlim_max to the lowest allocated file desciptor

* >=0: set rlim_cur/rlim_max to this number

On some platforms, setting rlim_cur below the value of the highest
allocated fd may interfere with polling. See commit a34d5766c5 for
details.
 8 years ago
Michael Santos a34d5766c5 sandbox: basic rlimit sandbox 
The rlimit sandbox disables forking processes and opening files.

The rlimit sandbox is not used by default yet. To compile it:

    XMPPIPE_SANDBOX=XMPPIPE_SANDBOX_RLIMIT make

The rlimit sandbox should work on any platform. However the interaction
of RLIMIT_NOFILE with poll(2) (and select(2)?) on some platforms (FreeBSD
but really any OS besides Linux) is problematic:

* opening a number of fd's, setting RLIMIT_NOFILE to 0, calling
  poll(2) on the fdset

  Linux: works
  FreeBSD: fails

* opening a number of fd's, setting RLIMIT_NOFILE to maxfd+1, calling
  poll(2) on the fdset

  Linux: works
  FreeBSD: works

The issue with the second option is that a library may have opened a
sequence of file descriptors then closed the lower numbered fd's:

    open() => 3
    open() => 4
    open() => 5
    close(3)
    close(4)
    maxfd = 5

RLIMIT_NOFILE would be set to 6 (stdin, stdout, stderr, 3, 4, 5) and the
sandbox would allow re-opening fd's 3 and 4.

One possible fix would be to run through the sequence of fd's before
entering the rlimit sandbox:

* test if the fd is closed
* if the fd is closed, dup2(STDIN_FILENO, fd)

Since the closed fd's are not part of the pollset, they will not be
polled and should be ignored.

Note we can't simply move maxfd to the lowest unused fd because
libstrophe maintains the fd number as internal, opaque state.

Empirically, the xmpp fd is always 3. Another option would be to abort
the process if the fd does not equal 3.
 8 years ago
Michael Santos cc665538cb sandbox: stdio mode using pledge(2) on OpenBSD 8 years ago
Michael Santos a7d0ca7e47 Initial support for sandboxing 
Prepare for sandboxing the xmppipe process by adding a function called
after all file descriptors are allocated.

The intent of the sandbox is to limit the xmppipe process to the role
of a component in a shell pipeline: reading from stdin, reading/writing
to the XMPP socket and writing to stdout. Any activity not involved with
using stdio should force the process to exit.

The sandbox function will vary based on the capabilities of the
platform. The default sandbox function does nothing.

Limitations of the sandbox:

Probably the biggest risk is in session establishment:
* the TLS handshake
* the XML parsing

The sandbox is enforced after the TLS connection is established, i.e.,
after the file descriptor for the XMPP session is allocated and so has no
effect on the TLS handshake or the initial XMPP handshake.

Possibly an initial sandbox could be setup for the connection phase
followed by a stricter sandbox for the stdio phase.
 8 years ago
Michael Santos 7cf7562bb1 Update readme 8 years ago