--- embedtools/src/cfexec.c 2017/10/08 21:57:34 1.5.20.1 +++ embedtools/src/cfexec.c 2021/03/21 01:30:19 1.5.20.10 @@ -3,7 +3,7 @@ * by Michael Pounov * * $Author: misho $ - * $Id: cfexec.c,v 1.5.20.1 2017/10/08 21:57:34 misho Exp $ + * $Id: cfexec.c,v 1.5.20.10 2021/03/21 01:30:19 misho Exp $ * ************************************************************************* The ELWIX and AITNET software is distributed under the following @@ -12,7 +12,7 @@ terms: All of the documentation and software included in the ELWIX and AITNET Releases is copyrighted by ELWIX - Sofia/Bulgaria -Copyright 2004 - 2017 +Copyright 2004 - 2021 by Michael Pounov . All rights reserved. Redistribution and use in source and binary forms, with or without @@ -48,7 +48,7 @@ SUCH DAMAGE. cfg_root_t cfg; int Verbose, Timeout, kq; -ait_val_t User, Mount, Dev, Chroot; +ait_val_t User, Mount, Chroot; char szSess[MAXPATHLEN], szSLCK[MAXPATHLEN], szConfig[MAXPATHLEN]; extern char compiled[], compiledby[], compilehost[]; @@ -61,35 +61,75 @@ Usage() "=== %s === %s@%s ===\n\n" " Syntax: cfexec [options] [exec_file]\n\n" "\t-v\t\tVerbose ...\n" + "\t-C \tLoad config [default=/etc/cfexec.conf]\n" "\t-c \tAfter execute chroot to dir [default=/]\n" "\t-u \tAfter execute suid to user [default=root]\n" - "\t-d \tOther device [default=/dev/ufs/elwix]\n" "\t-m \tOther mount dir [default=/]\n" "\t-t \tTimeout for autolock mount dir after seconds [default=300]\n" - "\t-L \tService lock and own RW state of device with reason\n" - "\t-U \t\tService unlock and change RO state of device\n" + "\t-L \tService lock and set RW state of device with reason\n" + "\t-U \t\tService unlock and set RO state of device\n" "\n", compiled, compiledby, compilehost); } +struct statfs * +getmntpt(const char *name) +{ + struct statfs *mntbuf; + int i, mntsize; + + mntsize = getmntinfo(&mntbuf, MNT_NOWAIT); + for (i = mntsize - 1; i >= 0; i--) { + if (!strcmp(mntbuf[i].f_mntfromname, name) || + !strcmp(mntbuf[i].f_mntonname, name)) + return &mntbuf[i]; + } + + return NULL; +} + static int update(int flags) { + struct statfs *mntfs = getmntpt(AIT_GET_STR(&Mount)); + char errmsg[STRSIZ] = { [0 ... STRSIZ - 1] = 0 }; + +#ifdef __NetBSD__ struct ufs_args mnt; memset(&mnt, 0, sizeof mnt); - mnt.fspec = AIT_GET_STR(&Dev); -#ifdef __NetBSD__ - if (mount("ufs", AIT_GET_STR(&Mount), flags, &mnt, sizeof mnt) == -1) { + mnt.fspec = mntfs->f_mntfromname; + if (mount(mntfs->f_fstypename, mntfs->f_mntonname, flags, &mnt, sizeof mnt) == -1) { #else - if (mount("ufs", AIT_GET_STR(&Mount), flags, &mnt) == -1) { + iovec_t *iov; + int ret; + + iov = iov_Init(); + if (!iov) + return -1; + if (flags & MNT_RDONLY) + iov_PushPair(iov, "ro", "", 0); + else + iov_PushPair(iov, "noro", "", 0); + iov_PushPair(iov, "update", "", 0); + iov_PushPair(iov, "fstype", mntfs->f_fstypename, (size_t) -1); + iov_PushPair(iov, "fspath", mntfs->f_mntonname, (size_t) -1); + iov_PushPair(iov, "from", mntfs->f_mntfromname, (size_t) -1); + iov_PushPair(iov, "errmsg", errmsg, sizeof errmsg); + + ret = nmount(iov_Array(iov), iov_Size(iov), flags); + + iov_FreePairs(iov, 0); + iov_Destroy(&iov); + if (ret == -1) { #endif - printf("Error:: can`t update mount %s #%d - %s\n", AIT_GET_STR(&Mount), - errno, strerror(errno)); + printf("Error:: can`t update mount %s %s #%d - %s\n", AIT_GET_STR(&Mount), + errmsg, errno, strerror(errno)); return -1; } - VERB(5) printf("Info(5):: safe mount for device %s to %s operation (%s)\n", - AIT_GET_STR(&Dev), AIT_GET_STR(&Mount), (flags & MNT_RDONLY) ? "ro" : "rw"); + VERB(5) printf("Info(5):: safe mount %s for device %s to %s operation (%s)\n", + mntfs->f_fstypename, mntfs->f_mntfromname, mntfs->f_mntonname, + (flags & MNT_RDONLY) ? "ro" : "rw"); return 0; } @@ -126,18 +166,20 @@ mkevent(struct kevent *chg, struct kevent *evt) } VERB(3) printf("Created lock file %s\n", szSess); - kq = kqueue(); - if (kq == -1) { - printf("Error:: can`t execute safe mount #%d - %s\n", errno, strerror(errno)); - close(f); - unlink(szSess); - return -1; - } else { - memset(chg, 0, sizeof(struct kevent)); - memset(evt, 0, sizeof(struct kevent)); + if (chg && evt) { + kq = kqueue(); + if (kq == -1) { + printf("Error:: can`t execute safe mount #%d - %s\n", errno, strerror(errno)); + close(f); + unlink(szSess); + return -1; + } else { + memset(chg, 0, sizeof(struct kevent)); + memset(evt, 0, sizeof(struct kevent)); - EV_SET(chg, f, EVFILT_VNODE, EV_ADD, NOTE_DELETE | NOTE_RENAME | NOTE_REVOKE, - 0, NULL); + EV_SET(chg, f, EVFILT_VNODE, EV_ADD, NOTE_DELETE | NOTE_RENAME | NOTE_REVOKE, + 0, NULL); + } } return f; @@ -147,20 +189,17 @@ static void cleanexit() { AIT_FREE_VAL(&User); - AIT_FREE_VAL(&Dev); AIT_FREE_VAL(&Mount); AIT_FREE_VAL(&Chroot); - - cfgUnloadConfig(&cfg); } static int s_unlck() { if (access(szSLCK, F_OK)) - return 1; + return 2; - if (update(MNT_UPDATE | MNT_RDONLY) == -1) + if (access(szSess, F_OK) && update(MNT_UPDATE | MNT_RDONLY) == -1) return 8; unlink(szSLCK); @@ -175,14 +214,14 @@ s_lck(const char *reason) char szStr[STRSIZ]; if (!access(szSLCK, F_OK)) { - printf("cfexec:: Service held lock ...\n"); + printf("cfexec already held service lock ...\n"); return 127; } f = open(szSLCK, O_CREAT | O_WRONLY | O_TRUNC, 0644); if (f == -1) { printf("Error:: can`t service lock session #%d - %s\n", errno, strerror(errno)); - return -1; + return 4; } else { memset(szStr, 0, sizeof szStr); snprintf(szStr, sizeof szStr, "[%d] - %s", getpid(), reason); @@ -192,7 +231,7 @@ s_lck(const char *reason) if (update(MNT_UPDATE) == -1) { unlink(szSLCK); - return 4; + return 5; } VERB(3) printf("Lock & created service lock file %s\n", szSLCK); @@ -227,7 +266,6 @@ main(int argc, char **argv) } cfg_loadAttribute(&cfg, "cfexec", "suid", &User, DEFAULT_USER); cfg_loadAttribute(&cfg, "cfexec", "mount", &Mount, DEFAULT_MOUNT); - cfg_loadAttribute(&cfg, "cfexec", "device", &Dev, DEFAULT_DEVICE); cfg_loadAttribute(&cfg, "cfexec", "chroot", &Chroot, DEFAULT_CHROOT); cfgUnloadConfig(&cfg); @@ -235,15 +273,35 @@ main(int argc, char **argv) Timeout = atoi(DEFAULT_TIMEOUT); AIT_SET_STR(&User, DEFAULT_USER); AIT_SET_STR(&Mount, DEFAULT_MOUNT); - AIT_SET_STR(&Dev, DEFAULT_DEVICE); AIT_SET_STR(&Chroot, DEFAULT_CHROOT); } atexit(cleanexit); /* Load variables from arguments if exists */ - while ((ch = getopt(argc, argv, "hvUu:c:d:m:t:L:")) != -1) + while ((ch = getopt(argc, argv, "hvUC:u:c:m:t:L:")) != -1) switch (ch) { + case 'C': + if (!cfgLoadConfig(optarg, &cfg)) { + cfg_loadAttribute(&cfg, "cfexec", "timeout", &User, DEFAULT_TIMEOUT); +#ifndef HAVE_STRTONUM + Timeout = (int) strtol(szUser, NULL, 0); +#else + Timeout = strtonum(AIT_GET_STR(&User), 0, 3600, &err); +#endif + AIT_FREE_VAL(&User); + if (!Timeout && err) { + printf("Error:: in seconds for timeout %s - %s\n", optarg, err); + cfgUnloadConfig(&cfg); + return 1; + } + cfg_loadAttribute(&cfg, "cfexec", "suid", &User, DEFAULT_USER); + cfg_loadAttribute(&cfg, "cfexec", "mount", &Mount, DEFAULT_MOUNT); + cfg_loadAttribute(&cfg, "cfexec", "chroot", &Chroot, DEFAULT_CHROOT); + + cfgUnloadConfig(&cfg); + } + break; case 'v': Verbose++; break; @@ -253,9 +311,6 @@ main(int argc, char **argv) case 'c': AIT_SET_STR(&Chroot, optarg); break; - case 'd': - AIT_SET_STR(&Dev, optarg); - break; case 'm': AIT_SET_STR(&Mount, optarg); break; @@ -289,7 +344,7 @@ main(int argc, char **argv) memset(szSess, 0, MAXPATHLEN); snprintf(szSess, MAXPATHLEN, "%s%s-cfexec.LCK", DEFAULT_TMP, AIT_GET_STR(&Mount)); memset(szSLCK, 0, MAXPATHLEN); - snprintf(szSLCK, MAXPATHLEN, CFEXEC_SLOCK, DEFAULT_TMP); + snprintf(szSLCK, MAXPATHLEN, "%s%s-SYS-cfexec.LCK", DEFAULT_TMP, AIT_GET_STR(&Mount)); /* we have request for service lock! */ if (mod) { @@ -301,8 +356,8 @@ main(int argc, char **argv) return ret; } - VERB(3) printf("Info(3):: Chroot=%s SUID=%s Device=%s Mount=%s Timeout=%d Session=%s\n", - AIT_GET_STR(&Chroot), AIT_GET_STR(&User), AIT_GET_STR(&Dev), + VERB(3) printf("Info(3):: Chroot=%s SUID=%s Mount=%s Timeout=%d Session=%s\n", + AIT_GET_STR(&Chroot), AIT_GET_STR(&User), AIT_GET_STR(&Mount), Timeout, szSess); if (!access(szSess, F_OK)) { @@ -320,11 +375,13 @@ main(int argc, char **argv) VERB(5) printf("Info(5):: Go safe mount.\n"); setsid(); - if (update(MNT_UPDATE) == -1) + if ((f = mkevent(&chg, &evt)) == -1) return 4; - if ((f = mkevent(&chg, &evt)) == -1) - return 5; + if (update(MNT_UPDATE) == -1) { + stat = 5; + goto skip; + } if (Timeout) { memset(&ts, 0, sizeof ts); @@ -347,7 +404,7 @@ main(int argc, char **argv) if (access(szSLCK, F_OK) && update(MNT_UPDATE | MNT_RDONLY) == -1) stat = 8; } - +skip: close(kq); close(f); unlink(szSess); @@ -361,14 +418,22 @@ main(int argc, char **argv) sigprocmask(SIG_BLOCK, &sig, &oldsig); */ - if (update(MNT_UPDATE) == -1) + if ((f = mkevent(NULL, NULL)) == -1) return 4; + else + close(f); + if (update(MNT_UPDATE) == -1) { + unlink(szSess); + return 5; + } + switch ((pid = vfork())) { case -1: printf("Error:: can`t execute safe mount #%d - %s\n", errno, strerror(errno)); - return 5; + stat = 3; + break; case 0: VERB(5) printf("Go to running process %s\n", *argv); if (chroot(AIT_GET_STR(&Chroot)) == -1) { @@ -381,17 +446,19 @@ main(int argc, char **argv) /* chdir("/"); */ execvp(*argv, argv); } - exit(127); + _exit(127); break; default: waitpid(pid, &stat, 0); + stat = WEXITSTATUS(stat); VERB(3) printf("Return code: %d\n", stat); - if (stat == 32512) - stat = 127; if (access(szSLCK, F_OK) && update(MNT_UPDATE | MNT_RDONLY) == -1) - return 8; + stat = 8; + break; } + + unlink(szSess); } return stat;