tpws, nfqws: clear bounding set

6 years ago · 12f530b287
18 changed files with 82 additions and 24 deletions
--- a/binaries/aarch64/nfqws
+++ b/binaries/aarch64/nfqws
--- a/binaries/aarch64/tpws
+++ b/binaries/aarch64/tpws
--- a/binaries/armhf/nfqws
+++ b/binaries/armhf/nfqws
--- a/binaries/armhf/tpws
+++ b/binaries/armhf/tpws
--- a/binaries/mips32r1-lsb/nfqws
+++ b/binaries/mips32r1-lsb/nfqws
--- a/binaries/mips32r1-lsb/tpws
+++ b/binaries/mips32r1-lsb/tpws
--- a/binaries/mips32r1-msb/nfqws
+++ b/binaries/mips32r1-msb/nfqws
--- a/binaries/mips32r1-msb/tpws
+++ b/binaries/mips32r1-msb/tpws
--- a/binaries/mips64r2-msb/nfqws
+++ b/binaries/mips64r2-msb/nfqws
--- a/binaries/mips64r2-msb/tpws
+++ b/binaries/mips64r2-msb/tpws
--- a/binaries/ppc/nfqws
+++ b/binaries/ppc/nfqws
--- a/binaries/ppc/tpws
+++ b/binaries/ppc/tpws
--- a/binaries/x86/nfqws
+++ b/binaries/x86/nfqws
--- a/binaries/x86/tpws
+++ b/binaries/x86/tpws
--- a/binaries/x86_64/nfqws
+++ b/binaries/x86_64/nfqws
--- a/binaries/x86_64/tpws
+++ b/binaries/x86_64/tpws
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -365,31 +365,52 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
 	return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
 }
-bool dropcaps()
+bool setpcap(cap_value_t *caps,int ncaps)
 {
 	cap_value_t cap_values[] = {CAP_NET_ADMIN};
 	cap_t capabilities;
 	if (!(capabilities = cap_init()))
 	{
 		perror("cap_init");
 		return false;
-	}
+	
-	if (cap_set_flag(capabilities, CAP_PERMITTED, sizeof(cap_values)/sizeof(*cap_values), cap_values, CAP_SET) ||
+	if (ncaps && (cap_set_flag(capabilities, CAP_PERMITTED, ncaps, caps, CAP_SET) ||
-	    cap_set_flag(capabilities, CAP_EFFECTIVE, sizeof(cap_values)/sizeof(*cap_values), cap_values, CAP_SET))
+		cap_set_flag(capabilities, CAP_EFFECTIVE, ncaps, caps, CAP_SET)))
 	{
 		perror("cap_set_flag");
 		cap_free(capabilities);
 		return false;
 	}
 	if (cap_set_proc(capabilities))
 	{
 		perror("cap_set_proc");
 		cap_free(capabilities);
 		return false;
 	}
 	cap_free(capabilities);
 	return true;
 }
 bool dropcaps()
 {
 	// must have CAP_SETPCAP at the end. its required to clear bounding set
 	cap_value_t cap_values[] = {CAP_NET_ADMIN,CAP_SETPCAP};
 	int capct=sizeof(cap_values)/sizeof(*cap_values);
 	if (setpcap(cap_values, capct))
 	{
 		for(int cap=0;cap<=CAP_LAST_CAP;cap++)
 		{
 			if (cap_drop_bound(cap))
 			{
 				perror("cap_drop_bound");
 				return false;
 			}
 		}
 	}
 	// now without CAP_SETPCAP
 	if (!setpcap(cap_values, capct - 1))
 	{
 		perror("setpcap");
 		return false;
 	}
 	return true;
 }
 bool droproot(uid_t uid, gid_t gid)
 {
 	if (uid || gid)
--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@ -24,6 +24,7 @@
 #include <pwd.h>
 #include <signal.h>
 #include <sys/capability.h>
 #include <sys/prctl.h>
 #include "tpws.h"
 #include "tpws_conn.h"
@ -102,13 +103,6 @@ size_t send_with_flush(int sockfd, const void *buf, size_t len, int flags)
 	return wr;
 }
 void close_tcp_conn(tproxy_conn_t *conn, struct tailhead *conn_list,
 	struct tailhead *close_list) {
 	conn->state = CONN_CLOSED;
 	TAILQ_REMOVE(conn_list, conn, conn_ptrs);
 	TAILQ_INSERT_TAIL(close_list, conn, conn_ptrs);
 }
 #define RD_BLOCK_SIZE 8192
 // pHost points to "Host: ..."
@ -278,7 +272,8 @@ void modify_tcp_segment(char *segment,size_t *size,size_t *split_pos)
 }
-bool handle_epollin(tproxy_conn_t *conn, ssize_t *data_transferred) {
+bool handle_epollin(tproxy_conn_t *conn, ssize_t *data_transferred)
 {
 	int numbytes;
 	int fd_in, fd_out;
 	bool bOutgoing;
@ -351,7 +346,8 @@ bool handle_epollin(tproxy_conn_t *conn, ssize_t *data_transferred) {
 	return rd != -1 && wr != -1;
 }
-void remove_closed_connections(struct tailhead *close_list) {
+void remove_closed_connections(struct tailhead *close_list)
 {
 	tproxy_conn_t *conn = NULL;
 	while (close_list->tqh_first != NULL) {
@ -367,7 +363,15 @@ void remove_closed_connections(struct tailhead *close_list) {
 	}
 }
-int event_loop(int listen_fd) {
+void close_tcp_conn(tproxy_conn_t *conn, struct tailhead *conn_list, struct tailhead *close_list)
 {
 	conn->state = CONN_CLOSED;
 	TAILQ_REMOVE(conn_list, conn, conn_ptrs);
 	TAILQ_INSERT_TAIL(close_list, conn, conn_ptrs);
 }
 int event_loop(int listen_fd)
 {
 	int retval = 0, num_events = 0;
 	int tmp_fd = 0; //Used to temporarily hold the accepted file descriptor
 	tproxy_conn_t *conn = NULL;
@ -483,7 +487,8 @@ int event_loop(int listen_fd) {
 	return retval;
 }
-int8_t block_sigpipe() {
+int8_t block_sigpipe()
 {
 	sigset_t sigset;
 	memset(&sigset, 0, sizeof(sigset));
@ -790,29 +795,61 @@ void daemonize()
 	/* stderror */
 }
-bool dropcaps()
+bool setpcap(cap_value_t *caps,int ncaps)
 {
 	cap_t capabilities;
-
+	
 	if (!(capabilities = cap_init()))
 		return false;
 	if (ncaps && (cap_set_flag(capabilities, CAP_PERMITTED, ncaps, caps, CAP_SET) ||
 		cap_set_flag(capabilities, CAP_EFFECTIVE, ncaps, caps, CAP_SET)))
 	{
-		perror("cap_init");
+		cap_free(capabilities);
 		return false;
 	}
 	if (cap_set_proc(capabilities))
 	{
 		perror("cap_set_proc");
 		cap_free(capabilities);
 		return false;
 	}
 	cap_free(capabilities);
 	return true;
 }
 bool dropcaps()
 {
 	// must have CAP_SETPCAP at the end. its required to clear bounding set
 	cap_value_t cap_values[] = {CAP_SETPCAP};
 	int capct=sizeof(cap_values)/sizeof(*cap_values);
 	if (setpcap(cap_values, capct))
 	{
 		for(int cap=0;cap<=CAP_LAST_CAP;cap++)
 		{
 			if (cap_drop_bound(cap))
 			{
 				perror("cap_drop_bound");
 				return false;
 			}
 		}
 	}
 	// now without CAP_SETPCAP
 	if (!setpcap(cap_values, capct - 1))
 	{
 		perror("setpcap");
 		return false;
 	}
 	return true;
 }
 bool droproot()
 {
 	if (params.uid || params.gid)
 	{
 		if (prctl(PR_SET_KEEPCAPS, 1L))
 		{
 			perror("prctl(PR_SET_KEEPCAPS): ");
 			return false;
 		}
 		if (setgid(params.gid))
 		{
 			perror("setgid: ");