reuse ipmappings where possible. Documentation improvements

.travis.yml

@@ -2,7 +2,6 @@ language: c
 
 os:
   - linux
-  - osx
 
 compiler:
   - clang

README.md

@@ -143,10 +143,11 @@ You can specify 'match modifiers' for a function. The config line will only be u
 ```
 path          perform match against first arg of the function. This is usually a file path, but for 'connect' and 'bind' it can be a URL
 basename      peform a match against the basename (leading directory removed) of the first arg of the function
-family        for 'connect', 'bind' and 'accept' this is the url type. It can be 'tcp6', 'tcp', 'udp', or 'unix'
-peer          for 'connect' and 'accept' this is the remote host ip
-user          match against username
-group         match against groupname
+family        for 'connect', 'bind' and 'accept' this is the url type. It can be 'ip4', 'ip6', 'net', or 'unix'. 'net' matches both 'ip4' and 'ip6'
+peer          for 'connect' and 'accept' this is the remote host ip, extracted from 'path' which will be url
+port          for 'connect' and 'bind' this will be the port to bind or connect to
+user          match against username current process is running as
+group         match against primary groupname current process is running as
 arg           match if any arg in the programs arguments matches
 ```
 
@@ -281,9 +282,18 @@ Will map the hostname lookup to a false ipaddress in the form '0.0.0.x' When the
 
 ```
 gethostip ipmap
-connect family=tcp redirect socks:127.0.0.1:9090
+connect path=tcp:* redirect socks:127.0.0.1:9090
 ```
 
+It's a good idea to at least specify `path=tcp:` to prevent trying to redirect, say, a connection for syslog logging to socks. You can be more specific if you only want to map certain hosts. e.g. if local hosts are in the domain '.local' then we might use:
+
+```
+gethostip path!=*.local ipmap
+connect path=tcp:0.* redirect socks:127.0.0.1:9090
+```
+
+The use of `path=tcp:0.*` in this case ensures that only IP addresses that have been mapped with ipmap are redirected to socks. The use of `path!=*.local` in the 'gethostip' rule means that local addresses are not ipmapped.
+
 
 UNSHARE
 =======

common.c

@@ -24,6 +24,7 @@ const char **enhancer_argv;
 void enhancer_fail_die(const char *FuncName)
 {
   fprintf(stderr, "FATAL: %s failed!\n", FuncName);
+  syslog(LOG_CRIT, "FATAL: %s failed!\n", FuncName);
   exit(1);
 }
 

config.c

@@ -9,17 +9,8 @@ extern char *enhancer_prog_name;
 
 
 
-#define MATCH_ALL  0
-#define MATCH_PATH 1
-#define MATCH_BASENAME 2
-#define MATCH_FAMILY   3
-#define MATCH_PORT  4
-#define MATCH_USER  5
-#define MATCH_GROUP 6
-#define MATCH_FD 7
-#define MATCH_ARG 8
-#define MATCH_PEER 9
-#define MATCH_CHROOTED 10
+typedef enum {MATCH_ALL, MATCH_PATH, MATCH_BASENAME, MATCH_FAMILY, MATCH_PROTO, MATCH_PEER, MATCH_PORT, MATCH_USER, MATCH_GROUP, MATCH_FD, MATCH_ARG, MATCH_CHROOTED} EMatchTypes;
+
 
 #define OP_EQ  0
 #define OP_NOT 1
@@ -30,9 +21,9 @@ extern char *enhancer_prog_name;
 char *EnhancerFuncNames[]={"all","main", "onexit", "arg", "open", "close", "read", "write", "uname", "socket", "connect", "bind", "listen", "accept", "gethostip", "sprintf", "fork", "exec", "system", "sysexec", "unlink", "setuid", "setgid", "chown", "chmod", "chdir", "chroot", "time","settime","mprotect", "fsync", "fdatasync", "select", "XMapWindow","XRaiseWindow", "XLowerWindow", "XSendEvent", "XLoadFont", "XChangeProperty", NULL};
 
 
-char *EnhancerTokNames[]={"deny","allow","die","abort","setvar","setbasename","log","syslog","syslogcrit","echo", "debug", "send", "exec", "die-on-fail", "collect", "sleep", "usleep", "deny-links","deny-symlinks","redirect","fallback","chrooted","if-chrooted","path","basename","peer","user","group","family","fd", "arg", "keepalive", "localnet", "reuseport", "tcp-qack", "tcp-nodelay", "ttl", "freebind", "cmod", "lock", "fdcache","create", "shred", "searchpath", "xstayabove", "xstaybelow", "xiconized", "xunmanaged", "xfullscreen", "xtransparent", "xnormal","pidfile","lockfile", "xtermtitle","backup", "nosync", "fsync", "fdatasync", "writejail", "unshare", "setenv", "getip", "cd", "chroot", "copyclone", "linkclone", "ipmap", "fadv_seq", "fadv_rand", "fadv_nocache", "qlen", "sanitise", "die-on-taint", "deny-on-taint", NULL};
+char *EnhancerTokNames[]={"deny","allow","die","abort","setvar","setbasename","log","syslog","syslogcrit","echo", "debug", "send", "exec", "die-on-fail", "collect", "sleep", "usleep", "deny-links","deny-symlinks","redirect","fallback","chrooted","if-chrooted","path","basename","peer","port","user","group","family","fd", "arg", "keepalive", "localnet", "reuseport", "tcp-qack", "tcp-nodelay", "ttl", "freebind", "cmod", "lock", "fdcache","create", "shred", "searchpath", "xstayabove", "xstaybelow", "xiconized", "xunmanaged", "xfullscreen", "xtransparent", "xnormal","pidfile","lockfile", "xtermtitle","backup", "nosync", "fsync", "fdatasync", "writejail", "unshare", "setenv", "getip", "cd", "chroot", "copyclone", "linkclone", "ipmap", "fadv_seq", "fadv_rand", "fadv_nocache", "qlen", "sanitise", "die-on-taint", "deny-on-taint", NULL};
 
-typedef enum {TOK_DENY, TOK_ALLOW, TOK_DIE, TOK_ABORT, TOK_SETVAR, TOK_SETBASENAME, TOK_LOG, TOK_SYSLOG, TOK_SYSLOGCRIT, TOK_ECHO, TOK_DEBUG, TOK_SEND, TOK_EXEC, TOK_FAILDIE, TOK_COLLECT, TOK_SLEEP, TOK_USLEEP, TOK_DENYLINKS, TOK_DENYSYMLINKS, TOK_REDIRECT, TOK_FALLBACK, TOK_CHROOTED, TOK_CHROOTED2, TOK_PATH, TOK_BASENAME, TOK_PEER, TOK_USER, TOK_GROUP, TOK_FAMILY, TOK_FD, TOK_ARG, TOK_KEEPALIVE, TOK_LOCALNET, TOK_REUSEPORT, TOK_TCP_QACK, TOK_TCP_NODELAY, TOK_TTL, TOK_FREEBIND, TOK_CMOD, TOK_LOCK, TOK_FDCACHE, TOK_CREATE, TOK_SHRED, TOK_SEARCHPATH, TOK_X11_STAYABOVE, TOK_X11_STAYBELOW, TOK_X11_ICONIZED, TOK_X11_UNMANAGED, TOK_X11_FULLSCREEN, TOK_X11_TRANSPARENT, TOK_X11_NORMAL, TOK_PIDFILE, TOK_LOCKFILE, TOK_XTERM_TITLE, TOK_BACKUP, TOK_NOSYNC, TOK_FSYNC, TOK_FDATASYNC, TOK_WRITEJAIL, TOK_UNSHARE, TOK_SETENV, TOK_GETIP, TOK_CHDIR, TOK_CHROOT, TOK_COPY_CLONE, TOK_LINK_CLONE, TOK_IPMAP, TOK_FADV_SEQU, TOK_FADV_RAND, TOK_FADV_NOCACHE, TOK_QLEN, TOK_SANITISE, TOK_DIE_ON_TAINT, TOK_DENY_ON_TAINT} TActions;
+typedef enum {TOK_DENY, TOK_ALLOW, TOK_DIE, TOK_ABORT, TOK_SETVAR, TOK_SETBASENAME, TOK_LOG, TOK_SYSLOG, TOK_SYSLOGCRIT, TOK_ECHO, TOK_DEBUG, TOK_SEND, TOK_EXEC, TOK_FAILDIE, TOK_COLLECT, TOK_SLEEP, TOK_USLEEP, TOK_DENYLINKS, TOK_DENYSYMLINKS, TOK_REDIRECT, TOK_FALLBACK, TOK_CHROOTED, TOK_CHROOTED2, TOK_PATH, TOK_BASENAME, TOK_PEER, TOK_PORT, TOK_USER, TOK_GROUP, TOK_FAMILY, TOK_FD, TOK_ARG, TOK_KEEPALIVE, TOK_LOCALNET, TOK_REUSEPORT, TOK_TCP_QACK, TOK_TCP_NODELAY, TOK_TTL, TOK_FREEBIND, TOK_CMOD, TOK_LOCK, TOK_FDCACHE, TOK_CREATE, TOK_SHRED, TOK_SEARCHPATH, TOK_X11_STAYABOVE, TOK_X11_STAYBELOW, TOK_X11_ICONIZED, TOK_X11_UNMANAGED, TOK_X11_FULLSCREEN, TOK_X11_TRANSPARENT, TOK_X11_NORMAL, TOK_PIDFILE, TOK_LOCKFILE, TOK_XTERM_TITLE, TOK_BACKUP, TOK_NOSYNC, TOK_FSYNC, TOK_FDATASYNC, TOK_WRITEJAIL, TOK_UNSHARE, TOK_SETENV, TOK_GETIP, TOK_CHDIR, TOK_CHROOT, TOK_COPY_CLONE, TOK_LINK_CLONE, TOK_IPMAP, TOK_FADV_SEQU, TOK_FADV_RAND, TOK_FADV_NOCACHE, TOK_QLEN, TOK_SANITISE, TOK_DIE_ON_TAINT, TOK_DENY_ON_TAINT} TActions;
 
 char *EnhancerFamilyNames[]={"unix","raw","netlink","net","ip4","ip6",NULL};
 typedef enum {FAMILY_UNIX, FAMILY_RAW, FAMILY_NETLINK, FAMILY_NET, FAMILY_IP4, FAMILY_IP6} E_NETFAM;
@@ -334,9 +325,24 @@ case FUNC_XLoadFont:
 	}
 break;
 
+case FUNC_GETHOSTIP:
+	switch (action)
+	{
+		case ACT_TTL:
+		case ACT_CMOD:
+		case ACT_WRITEJAIL: 
+		case ACT_FALLBACK:
+		case ACT_SEARCHPATH:
+			return(FALSE);
+		break;
+
+		default:
+			return(TRUE);
+		break;
+	}
+break;
 
 case FUNC_UNAME:
-case FUNC_GETHOSTIP:
 case FUNC_TIME:
 case FUNC_SETTIME:
 case FUNC_SETUID:
@@ -474,20 +480,43 @@ enhancer_add_action(Combined, Act->Type, "", Act->IntArg, Act->StrArg);
 static int ConfigStrMatch(TConfigItem *Config, const char *MatchStr)
 {
 int result;
-char *Peer=NULL;
+char *Item=NULL;
 const char *ptr, *p_MatchStr;
 
-	if (Config->Type==MATCH_PEER)
+	switch(Config->Type)
 	{
-		ptr=enhancer_strtok(MatchStr, ":", &Peer);
-		ptr=enhancer_strtok(ptr, ":", &Peer);
-		p_MatchStr=Peer;
+		case MATCH_BASENAME:
+		p_MatchStr=basename(MatchStr);
+		break;
+
+
+		case MATCH_PROTO:
+		ptr=enhancer_strtok(MatchStr, ":", &Item);
+		ptr=enhancer_strtok(ptr, ":", &Item);
+		p_MatchStr=Item;
+		break;
+
+
+		case MATCH_PEER:
+		ptr=enhancer_strtok(MatchStr, ":", &Item);
+		ptr=enhancer_strtok(ptr, ":", &Item);
+		p_MatchStr=Item;
+		break;
+
+		case MATCH_PORT:
+		ptr=enhancer_strtok(MatchStr, ":", &Item);
+		ptr=enhancer_strtok(ptr, ":", &Item);
+		ptr=enhancer_strtok(ptr, ":", &Item);
+		p_MatchStr=Item;
+		break;
+
+		default:
+		p_MatchStr=MatchStr;
+		break;
 	}
-	else if (Config->Type==MATCH_BASENAME) p_MatchStr=basename(MatchStr);
-	else p_MatchStr=MatchStr;
 
 	result=StrListMatch(p_MatchStr, Config->StrArg);
-	destroy(Peer);
+	destroy(Item);
 
 	if (Config->Op==OP_NOT) result = !result;
 
@@ -514,6 +543,7 @@ for (i=0; i < Config->NoOfMatches; i++)
 		case MATCH_ARG:
 		case MATCH_PATH:
 		case MATCH_PEER:
+		case MATCH_PORT:
 		case MATCH_BASENAME:
 		if (ConfigStrMatch(Match, MatchStr)) return(TRUE);
 		break;
@@ -541,7 +571,6 @@ for (i=0; i < Config->NoOfMatches; i++)
 			if (Match->IntArg == getgid()) return(TRUE);
 		break;
 
-		case MATCH_PORT:
 		case MATCH_FD:
 			if (Match->IntArg == MatchInt) return(TRUE);
 		break;

iplist.c

@@ -17,10 +17,17 @@ if (! IPList) return("");
 return(enhancer_getvarlist(IPList, ip_addr));
 }
 
-
 char *enhancer_map_ip(const char *RetStr, const char *name)
 {
 uint32_t ip_nbo;
+const char *ptr;
+
+if (IPList)
+{
+ptr=enhancer_varlist_find_value(IPList, name);
+printf("IPMAP: %s\n", ptr);
+if (strvalid(ptr)) return(enhancer_strcpy(RetStr, ptr));
+}
 
 ip_maps++;
 

socks.c

@@ -82,6 +82,7 @@ char *Auth=NULL;
 const char *ptr;
 int fd;
 
+if (! DestHost) return(-1);
 Auth=enhancer_strcpy(Auth, "");
 if (strchr(ProxyURL, '@'))
 {
@@ -95,8 +96,6 @@ if (fd > -1)
 	ptr=enhancer_iplist_get(DestHost);
 	if (! strvalid(ptr)) ptr=DestHost;
 
-	fprintf(stderr, "SOCKS: %s %s\n", DestHost, ptr);
-
 	if (
 				(! socks_request(fd, Auth, ptr, DestPort)) ||
 				(! socks_reply(fd))

vars.c

@@ -82,6 +82,22 @@ for (i=0; i < list->max; i++)
 return("");
 }
 
+const char *enhancer_varlist_find_value(TVarList *list, const char *value)
+{
+TVar *Var;
+int i;
+
+for (i=0; i < list->max; i++)
+{
+	Var=&(list->vars[i]);
+	if (Var && (strcmp(Var->value,value)==0) ) return(Var->name);
+}
+
+return("");
+}
+
+
+
 const char *enhancer_getvar(const char *name)
 {
 if (! enhancer_varlist) return("");

vars.h

@@ -23,6 +23,7 @@ const char *enhancer_getvarlist(TVarList *list, const char *name);
 void enhancer_setvar(const char *name, const char *value);
 const char *enhancer_getvar(const char *name);
 void enhancer_func_setvar(const char *Arg, const char *FuncName, const char *Str1, const char *Str2);
+const char *enhancer_varlist_find_value(TVarList *list, const char *value);
 
 
 #endif