diff --git a/.travis.yml b/.travis.yml
index 1b95c5c..f8a7e67 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,7 +2,6 @@ language: c
 os:
 - linux
- - osx
 compiler:
 - clang
diff --git a/README.md b/README.md
index 9a01504..62a07f6 100644
--- a/README.md
+++ b/README.md
@@ -143,10 +143,11 @@ You can specify 'match modifiers' for a function. The config line will only be u
 ```
 path perform match against first arg of the function. This is usually a file path, but for 'connect' and 'bind' it can be a URL
 basename peform a match against the basename (leading directory removed) of the first arg of the function
-family for 'connect', 'bind' and 'accept' this is the url type. It can be 'tcp6', 'tcp', 'udp', or 'unix'
-peer for 'connect' and 'accept' this is the remote host ip
-user match against username
-group match against groupname
+family for 'connect', 'bind' and 'accept' this is the url type. It can be 'ip4', 'ip6', 'net', or 'unix'. 'net' matches both 'ip4' and 'ip6'
+peer for 'connect' and 'accept' this is the remote host ip, extracted from 'path' which will be url
+port for 'connect' and 'bind' this will be the port to bind or connect to
+user match against username current process is running as
+group match against primary groupname current process is running as
 arg match if any arg in the programs arguments matches
 ```
@@ -281,9 +282,18 @@ Will map the hostname lookup to a false ipaddress in the form '0.0.0.x' When the
 ```
 gethostip ipmap
-connect family=tcp redirect socks:127.0.0.1:9090
+connect path=tcp:* redirect socks:127.0.0.1:9090
 ```
+It's a good idea to at least specify `path=tcp:` to prevent trying to redirect, say, a connection for syslog logging to socks. You can be more specific if you only want to map certain hosts. e.g. if local hosts are in the domain '.local' then we might use:
+
+```
+gethostip path!=*.local ipmap
+connect path=tcp:0.* redirect socks:127.0.0.1:9090
+```
+
+The use of `path=tcp:0.*` in this case ensures that only IP addresses that have been mapped with ipmap are redirected to socks. The use of `path!=*.local` in the 'gethostip' rule means that local addresses are not ipmapped.
+
 UNSHARE
 =======
diff --git a/common.c b/common.c
index d73570d..f639ad3 100755
--- a/common.c
+++ b/common.c
@@ -24,6 +24,7 @@ const char **enhancer_argv;
 void enhancer_fail_die(const char *FuncName)
 {
 fprintf(stderr, "FATAL: %s failed!\n", FuncName);
+syslog(LOG_CRIT, "FATAL: %s failed!\n", FuncName);
 exit(1);
 }
diff --git a/config.c b/config.c
index 6344dc0..40a71dc 100755
--- a/config.c
+++ b/config.c
@@ -9,17 +9,8 @@ extern char *enhancer_prog_name;
-#define MATCH_ALL 0
-#define MATCH_PATH 1
-#define MATCH_BASENAME 2
-#define MATCH_FAMILY 3
-#define MATCH_PORT 4
-#define MATCH_USER 5
-#define MATCH_GROUP 6
-#define MATCH_FD 7
-#define MATCH_ARG 8
-#define MATCH_PEER 9
-#define MATCH_CHROOTED 10
+typedef enum {MATCH_ALL, MATCH_PATH, MATCH_BASENAME, MATCH_FAMILY, MATCH_PROTO, MATCH_PEER, MATCH_PORT, MATCH_USER, MATCH_GROUP, MATCH_FD, MATCH_ARG, MATCH_CHROOTED} EMatchTypes;
+
 #define OP_EQ 0
 #define OP_NOT 1
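Review bot: The syslog() call added to enhancer_fail_die runs inside an interposed library whose hook list (EnhancerFuncNames in the config.c hunk) covers socket, connect and write, and the README hunk in this same commit notes that syslog's own connection passes through those hooks; if the rule that led to enhancer_fail_die also matches syslog's socket, the call can re-enter the hook and recurse before exit(1) is reached. Whether the existing syslog actions already guard against this is outside the hunk, but a one-off guard in this function is cheap: `static int in_fail_die = 0;` / `if (in_fail_die) _exit(1);` / `in_fail_die = 1;` ahead of the fprintf. Separately, the trailing `\n` in the syslog format is not needed, since syslog records are not newline-terminated.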
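Review bot: MATCH_PROTO is introduced in EMatchTypes and given a case in ConfigStrMatch (the -474 hunk), but nothing in this diff assigns it: EnhancerTokNames and TActions gain only "port"/TOK_PORT, and the string-match dispatch in the -514 hunk lists MATCH_PEER and MATCH_PORT but not MATCH_PROTO, so unless it is set somewhere outside the diff the new case is unreachable. If it is meant to be a user-facing modifier it needs a `"proto"` entry in EnhancerTokNames with a matching TOK_PROTO enumerator and a `case MATCH_PROTO:` next to `case MATCH_PEER:` in the dispatch; otherwise the enumerator should be dropped rather than left half-wired. Note also that the enum renumbers the old defines (MATCH_PEER 9 to 5, MATCH_PORT 4 to 6), which is only safe if Config->Type is never populated from a literal number; I can't confirm that from here.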
@@ -30,9 +21,9 @@ extern char *enhancer_prog_name;
 char *EnhancerFuncNames[]={"all","main", "onexit", "arg", "open", "close", "read", "write", "uname", "socket", "connect", "bind", "listen", "accept", "gethostip", "sprintf", "fork", "exec", "system", "sysexec", "unlink", "setuid", "setgid", "chown", "chmod", "chdir", "chroot", "time","settime","mprotect", "fsync", "fdatasync", "select", "XMapWindow","XRaiseWindow", "XLowerWindow", "XSendEvent", "XLoadFont", "XChangeProperty", NULL};
-char *EnhancerTokNames[]={"deny","allow","die","abort","setvar","setbasename","log","syslog","syslogcrit","echo", "debug", "send", "exec", "die-on-fail", "collect", "sleep", "usleep", "deny-links","deny-symlinks","redirect","fallback","chrooted","if-chrooted","path","basename","peer","user","group","family","fd", "arg", "keepalive", "localnet", "reuseport", "tcp-qack", "tcp-nodelay", "ttl", "freebind", "cmod", "lock", "fdcache","create", "shred", "searchpath", "xstayabove", "xstaybelow", "xiconized", "xunmanaged", "xfullscreen", "xtransparent", "xnormal","pidfile","lockfile", "xtermtitle","backup", "nosync", "fsync", "fdatasync", "writejail", "unshare", "setenv", "getip", "cd", "chroot", "copyclone", "linkclone", "ipmap", "fadv_seq", "fadv_rand", "fadv_nocache", "qlen", "sanitise", "die-on-taint", "deny-on-taint", NULL};
+char *EnhancerTokNames[]={"deny","allow","die","abort","setvar","setbasename","log","syslog","syslogcrit","echo", "debug", "send", "exec", "die-on-fail", "collect", "sleep", "usleep", "deny-links","deny-symlinks","redirect","fallback","chrooted","if-chrooted","path","basename","peer","port","user","group","family","fd", "arg", "keepalive", "localnet", "reuseport", "tcp-qack", "tcp-nodelay", "ttl", "freebind", "cmod", "lock", "fdcache","create", "shred", "searchpath", "xstayabove", "xstaybelow", "xiconized", "xunmanaged", "xfullscreen", "xtransparent", "xnormal","pidfile","lockfile", "xtermtitle","backup", "nosync", "fsync", "fdatasync", "writejail", "unshare", "setenv", "getip", "cd", "chroot", "copyclone", "linkclone", "ipmap", "fadv_seq", "fadv_rand", "fadv_nocache", "qlen", "sanitise", "die-on-taint", "deny-on-taint", NULL};
-typedef enum {TOK_DENY, TOK_ALLOW, TOK_DIE, TOK_ABORT, TOK_SETVAR, TOK_SETBASENAME, TOK_LOG, TOK_SYSLOG, TOK_SYSLOGCRIT, TOK_ECHO, TOK_DEBUG, TOK_SEND, TOK_EXEC, TOK_FAILDIE, TOK_COLLECT, TOK_SLEEP, TOK_USLEEP, TOK_DENYLINKS, TOK_DENYSYMLINKS, TOK_REDIRECT, TOK_FALLBACK, TOK_CHROOTED, TOK_CHROOTED2, TOK_PATH, TOK_BASENAME, TOK_PEER, TOK_USER, TOK_GROUP, TOK_FAMILY, TOK_FD, TOK_ARG, TOK_KEEPALIVE, TOK_LOCALNET, TOK_REUSEPORT, TOK_TCP_QACK, TOK_TCP_NODELAY, TOK_TTL, TOK_FREEBIND, TOK_CMOD, TOK_LOCK, TOK_FDCACHE, TOK_CREATE, TOK_SHRED, TOK_SEARCHPATH, TOK_X11_STAYABOVE, TOK_X11_STAYBELOW, TOK_X11_ICONIZED, TOK_X11_UNMANAGED, TOK_X11_FULLSCREEN, TOK_X11_TRANSPARENT, TOK_X11_NORMAL, TOK_PIDFILE, TOK_LOCKFILE, TOK_XTERM_TITLE, TOK_BACKUP, TOK_NOSYNC, TOK_FSYNC, TOK_FDATASYNC, TOK_WRITEJAIL, TOK_UNSHARE, TOK_SETENV, TOK_GETIP, TOK_CHDIR, TOK_CHROOT, TOK_COPY_CLONE, TOK_LINK_CLONE, TOK_IPMAP, TOK_FADV_SEQU, TOK_FADV_RAND, TOK_FADV_NOCACHE, TOK_QLEN, TOK_SANITISE, TOK_DIE_ON_TAINT, TOK_DENY_ON_TAINT} TActions;
+typedef enum {TOK_DENY, TOK_ALLOW, TOK_DIE, TOK_ABORT, TOK_SETVAR, TOK_SETBASENAME, TOK_LOG, TOK_SYSLOG, TOK_SYSLOGCRIT, TOK_ECHO, TOK_DEBUG, TOK_SEND, TOK_EXEC, TOK_FAILDIE, TOK_COLLECT, TOK_SLEEP, TOK_USLEEP, TOK_DENYLINKS, TOK_DENYSYMLINKS, TOK_REDIRECT, TOK_FALLBACK, TOK_CHROOTED, TOK_CHROOTED2, TOK_PATH, TOK_BASENAME, TOK_PEER, TOK_PORT, TOK_USER, TOK_GROUP, TOK_FAMILY, TOK_FD, TOK_ARG, TOK_KEEPALIVE, TOK_LOCALNET, TOK_REUSEPORT, TOK_TCP_QACK, TOK_TCP_NODELAY, TOK_TTL, TOK_FREEBIND, TOK_CMOD, TOK_LOCK, TOK_FDCACHE, TOK_CREATE, TOK_SHRED, TOK_SEARCHPATH, TOK_X11_STAYABOVE, TOK_X11_STAYBELOW, TOK_X11_ICONIZED, TOK_X11_UNMANAGED, TOK_X11_FULLSCREEN, TOK_X11_TRANSPARENT, TOK_X11_NORMAL, TOK_PIDFILE, TOK_LOCKFILE, TOK_XTERM_TITLE, TOK_BACKUP, TOK_NOSYNC, TOK_FSYNC, TOK_FDATASYNC, TOK_WRITEJAIL, TOK_UNSHARE, TOK_SETENV, TOK_GETIP, TOK_CHDIR, TOK_CHROOT, TOK_COPY_CLONE, TOK_LINK_CLONE, TOK_IPMAP, TOK_FADV_SEQU, TOK_FADV_RAND, TOK_FADV_NOCACHE, TOK_QLEN, TOK_SANITISE, TOK_DIE_ON_TAINT, TOK_DENY_ON_TAINT} TActions;
 char *EnhancerFamilyNames[]={"unix","raw","netlink","net","ip4","ip6",NULL};
 typedef enum {FAMILY_UNIX, FAMILY_RAW, FAMILY_NETLINK, FAMILY_NET, FAMILY_IP4, FAMILY_IP6} E_NETFAM;
@@ -334,9 +325,24 @@ case FUNC_XLoadFont:
 }
 break;
+case FUNC_GETHOSTIP:
+ switch (action)
+ {
+ case ACT_TTL:
+ case ACT_CMOD:
+ case ACT_WRITEJAIL:
+ case ACT_FALLBACK:
+ case ACT_SEARCHPATH:
+ return(FALSE);
+ break;
+
+ default:
+ return(TRUE);
+ break;
+ }
+break;
 case FUNC_UNAME:
-case FUNC_GETHOSTIP:
 case FUNC_TIME:
 case FUNC_SETTIME:
 case FUNC_SETUID:
@@ -474,20 +480,43 @@ enhancer_add_action(Combined, Act->Type, "", Act->IntArg, Act->StrArg);
 static int ConfigStrMatch(TConfigItem *Config, const char *MatchStr)
 {
 int result;
-char *Peer=NULL;
+char *Item=NULL;
 const char *ptr, *p_MatchStr;
- if (Config->Type==MATCH_PEER)
+ switch(Config->Type)
 {
- ptr=enhancer_strtok(MatchStr, ":", &Peer);
- ptr=enhancer_strtok(ptr, ":", &Peer);
- p_MatchStr=Peer;
+ case MATCH_BASENAME:
+ p_MatchStr=basename(MatchStr);
+ break;
+
+
+ case MATCH_PROTO:
+ ptr=enhancer_strtok(MatchStr, ":", &Item);
+ ptr=enhancer_strtok(ptr, ":", &Item);
+ p_MatchStr=Item;
+ break;
+
+
+ case MATCH_PEER:
+ ptr=enhancer_strtok(MatchStr, ":", &Item);
+ ptr=enhancer_strtok(ptr, ":", &Item);
+ p_MatchStr=Item;
+ break;
+
+ case MATCH_PORT:
+ ptr=enhancer_strtok(MatchStr, ":", &Item);
+ ptr=enhancer_strtok(ptr, ":", &Item);
+ ptr=enhancer_strtok(ptr, ":", &Item);
+ p_MatchStr=Item;
+ break;
+
+ default:
+ p_MatchStr=MatchStr;
+ break;
 }
- else if (Config->Type==MATCH_BASENAME) p_MatchStr=basename(MatchStr);
- else p_MatchStr=MatchStr;
 result=StrListMatch(p_MatchStr, Config->StrArg);
- destroy(Peer);
+ destroy(Item);
 if (Config->Op==OP_NOT) result = !result;
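Review bot: The new FUNC_GETHOSTIP case is a deny-list: any action other than ACT_TTL, ACT_CMOD, ACT_WRITEJAIL, ACT_FALLBACK and ACT_SEARCHPATH is now permitted for gethostip, where before this change it shared whatever FUNC_UNAME's case allows (that case body is outside the hunk), so actions added in future are accepted here by default. The hunk gives no reason for this particular set of five, so a short comment on the case would help the next maintainer, e.g. `/* deny-list: anything not named here is allowed for gethostip */`. As a style point, each `break;` following a `return(...)` is unreachable and can be dropped. The enclosing function starts and ends outside the hunk.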
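Review bot: The MATCH_PROTO case in ConfigStrMatch is identical to MATCH_PEER — both discard the first ':'-separated field and match the second — so a protocol match is actually compared against the host; given the `tcp:host:port` form the README hunk documents for connect paths, the proto case should stop after the first token: `ptr=enhancer_strtok(MatchStr, ":", &Item);` then `p_MatchStr=Item;`. A second concern applies to MATCH_PEER and MATCH_PORT: when the path has fewer fields than expected (a unix: path, or an IPv6 literal whose own colons shift the fields — assuming such literals can reach this function), what Item holds after the last enhancer_strtok depends on that helper's behaviour on exhausted input, which is outside the diff, and with OP_NOT a failed extraction is inverted into a match; the result for a path without the requested field should be decided explicitly and noted in a comment rather than left to strtok's residue. ConfigStrMatch continues past the end of the hunk.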
@@ -514,6 +543,7 @@ for (i=0; i < Config->NoOfMatches; i++)
 case MATCH_ARG:
 case MATCH_PATH:
 case MATCH_PEER:
+ case MATCH_PORT:
 case MATCH_BASENAME:
 if (ConfigStrMatch(Match, MatchStr)) return(TRUE);
 break;
@@ -541,7 +571,6 @@ for (i=0; i < Config->NoOfMatches; i++)
 if (Match->IntArg == getgid()) return(TRUE);
 break;
- case MATCH_PORT:
 case MATCH_FD:
 if (Match->IntArg == MatchInt) return(TRUE);
 break;
diff --git a/enhancer.so b/enhancer.so
index 6b9e7a7..22218e4 100755
Binary files a/enhancer.so and b/enhancer.so differ
diff --git a/iplist.c b/iplist.c
index 8608e01..b04c788 100644
--- a/iplist.c
+++ b/iplist.c
@@ -17,10 +17,17 @@ if (! IPList) return("");
 return(enhancer_getvarlist(IPList, ip_addr));
 }
-
 char *enhancer_map_ip(const char *RetStr, const char *name)
 {
 uint32_t ip_nbo;
+const char *ptr;
+
+if (IPList)
+{
+ptr=enhancer_varlist_find_value(IPList, name);
+printf("IPMAP: %s\n", ptr);
+if (strvalid(ptr)) return(enhancer_strcpy(RetStr, ptr));
+}
 ip_maps++;
diff --git a/socks.c b/socks.c
index 0b414e9..134c953 100644
--- a/socks.c
+++ b/socks.c
@@ -82,6 +82,7 @@ char *Auth=NULL;
 const char *ptr;
 int fd;
+if (! DestHost) return(-1);
 Auth=enhancer_strcpy(Auth, "");
 if (strchr(ProxyURL, '@'))
 {
@@ -95,8 +96,6 @@ if (fd > -1)
 ptr=enhancer_iplist_get(DestHost);
 if (! strvalid(ptr)) ptr=DestHost;
- fprintf(stderr, "SOCKS: %s %s\n", DestHost, ptr);
-
 if ( (! socks_request(fd, Auth, ptr, DestPort)) || (! socks_reply(fd))
diff --git a/vars.c b/vars.c
index f1fc4da..5ce9eb5 100644
--- a/vars.c
+++ b/vars.c
@@ -82,6 +82,22 @@ for (i=0; i < list->max; i++)
 return("");
 }
+const char *enhancer_varlist_find_value(TVarList *list, const char *value)
+{
+TVar *Var;
+int i;
+
+for (i=0; i < list->max; i++)
+{
+ Var=&(list->vars[i]);
+ if (Var && (strcmp(Var->value,value)==0) ) return(Var->name);
+}
+
+return("");
+}
+
+
+
 const char *enhancer_getvar(const char *name)
 {
 if (! enhancer_varlist) return("");
diff --git a/vars.h b/vars.h
index ae70a23..be1eaf7 100644
--- a/vars.h
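Review bot: MATCH_PORT moves from the integer comparison `Match->IntArg == MatchInt` (removed in the -541 hunk) to ConfigStrMatch, which matches Config->StrArg as a pattern against the third ':' field of the path; if the token parser for "port" still stores the value in IntArg — the parser is not in this diff — every `port=` rule silently stops matching, so the parse side needs checking in the same change. Pattern matching is also looser than the old equality (a `port=8*` rule now covers 80, 8080 and anything else starting with 8), which is fine if intended but should be stated next to the `port` entry the README hunk adds. The enclosing match loop starts and ends outside the hunk.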
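Review bot: The added `printf("IPMAP: %s\n", ptr);` in enhancer_map_ip writes to the hooked program's stdout on every call, which corrupts the output of any program whose stdout is data (a pipe, a generated file), and it fires even when no mapping exists, since the lookup returns "" in that case. The socks.c hunk in this same commit removes an equivalent `fprintf(stderr, "SOCKS: ...")` line, so this one looks like leftover debugging as well; drop it, or route it through the library's existing debug action. enhancer_map_ip continues past the end of the hunk.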
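Review bot: `if (! DestHost) return(-1);` rejects a NULL DestHost but not an empty one, and the next hunk's fallback `if (! strvalid(ptr)) ptr=DestHost;` then hands "" to socks_request; the file already uses strvalid for exactly this shape of check, so `if (! strvalid(DestHost)) return(-1);` is the consistent guard. ProxyURL is passed to strchr two lines later with no check at all; if callers can pass NULL there it deserves the same treatment, which I can't confirm from the hunk. The enclosing function's signature and return path are outside the hunk.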
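Review bot: In enhancer_varlist_find_value the `Var &&` test is always true — Var is the address of an array element — so it reads as a NULL guard that never guards anything; what can plausibly be NULL is `Var->value` (whether the setter guarantees a non-NULL value is outside this diff) and `list` itself, which the one caller in iplist.c checks but this function does not. Suggest `if (Var->value && (strcmp(Var->value,value)==0) ) return(Var->name);` and a contract comment above the function: `/* reverse lookup: first name whose value equals 'value', or "" if none; list must be non-NULL */`. The first-match semantics matter for ipmap, since two names sharing a value would always resolve to the earlier entry.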
+++ b/vars.h
@@ -23,6 +23,7 @@ const char *enhancer_getvarlist(TVarList *list, const char *name);
 void enhancer_setvar(const char *name, const char *value);
 const char *enhancer_getvar(const char *name);
 void enhancer_func_setvar(const char *Arg, const char *FuncName, const char *Str1, const char *Str2);
+const char *enhancer_varlist_find_value(TVarList *list, const char *value);
 #endif