Re: tcpdump: revisiting some old diffs, cleanup unused functions

Ricardo Mestre Thu, 08 Nov 2018 02:30:33 -0800
Still works as advertised, ok mestre@

On 19:32 Wed 07 Nov     , Bryan Steele wrote:
> On Wed, Nov 07, 2018 at 07:06:09PM -0500, Bryan Steele wrote:
> > I'm revisiting some old tcpdump diffs, now that mestre@ has added proper
> > unveil(2) support! :-)
> > 
> > Refresher: https://marc.info/?l=openbsd-tech&m=150535073209723&w=2
> > 
> > This hoists opening pf.os(5) fingerprints '-o' from the 'RUN' state to
> > the 'FILTER' state, this will allow for a reduced pledge(2) at runtime
> > in the (currently root) monitor process.
> 
> This was a bit of copy & paste, sorry. This moves the opening of pf.os
> earlier and avoids the unveil later on. Of course, reducing the runtime
> pledge(2) promises will come later! :-)
> 
> > 
> > This still works as well as it already has. :-)
> > 
> >     ( ... ) [tcp sum ok] (src OS: OpenBSD 6.1) 3311509932:3311509932(0) win 
> > 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 3905153931 0> 
> > (DF) (ttl 64, id 41239, len 64)
> > 
> > The only potential difference is that if /etc/pf.os is replaced at
> > runtime, tcpdump won't reopen it.
> > 
> > I don't think that's a problem..
> > 
> > ok?
> > 
> > -Bryan.
> 
> Remove the now unused internal privsep "getline" code, which passed
> lines over a socket, replaced with explicit fdpassing of /etc/pf.os.
> 
> This depends on the previous diff..
> 
> ok?
> 
> -Bryan.
> 
> Index: privsep.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/privsep.c,v
> retrieving revision 1.49
> diff -u -p -u -r1.49 privsep.c
> --- privsep.c 28 Sep 2018 06:48:59 -0000      1.49
> +++ privsep.c 8 Nov 2018 00:19:47 -0000
> @@ -77,8 +77,8 @@ static const int allowed_max[] = {
>                       ALLOW(PRIV_GETPROTOENTRIES) |
>                       ALLOW(PRIV_ETHER_NTOHOST) | ALLOW(PRIV_INIT_DONE),
>       /* RUN */       ALLOW(PRIV_GETHOSTBYADDR) | ALLOW(PRIV_ETHER_NTOHOST) |
> -                     ALLOW(PRIV_GETRPCBYNUMBER) | ALLOW(PRIV_GETLINES) |
> -                     ALLOW(PRIV_LOCALTIME) | ALLOW(PRIV_PCAP_STATS),
> +                     ALLOW(PRIV_GETRPCBYNUMBER) | ALLOW(PRIV_LOCALTIME) |
> +                     ALLOW(PRIV_PCAP_STATS),
>       /* EXIT */      0
>  };
>  
> @@ -90,21 +90,10 @@ static int allowed_ext[] = {
>       /* INIT */      ALLOW(PRIV_SETFILTER),
>       /* BPF */       ALLOW(PRIV_SETFILTER),
>       /* FILTER */    ALLOW(PRIV_GETSERVENTRIES),
> -     /* RUN */       ALLOW(PRIV_GETLINES) | ALLOW(PRIV_LOCALTIME) |
> -                     ALLOW(PRIV_PCAP_STATS),
> +     /* RUN */       ALLOW(PRIV_LOCALTIME) | ALLOW(PRIV_PCAP_STATS),
>       /* EXIT */      0
>  };
>  
> -struct ftab {
> -     char *name;
> -     int max;
> -     int count;
> -};
> -
> -static struct ftab file_table[] = {{PF_OSFP_FILE, 1, 0}};
> -
> -#define NUM_FILETAB (sizeof(file_table) / sizeof(struct ftab))
> -
>  int          debug_level = LOG_INFO;
>  int          priv_fd = -1;
>  volatile     pid_t child_pid = -1;
> @@ -123,7 +112,6 @@ static void       impl_getrpcbynumber(int);
>  static void  impl_getserventries(int);
>  static void  impl_getprotoentries(int);
>  static void  impl_localtime(int fd);
> -static void  impl_getlines(int);
>  static void  impl_pcap_stats(int, int *);
>  
>  static void  test_state(int, int);
> @@ -345,10 +333,6 @@ priv_exec(int argc, char *argv[])
>                       test_state(cmd, STATE_RUN);
>                       impl_localtime(sock);
>                       break;
> -             case PRIV_GETLINES:
> -                     test_state(cmd, STATE_RUN);
> -                     impl_getlines(sock);
> -                     break;
>               case PRIV_PCAP_STATS:
>                       test_state(cmd, STATE_RUN);
>                       impl_pcap_stats(sock, &bpfd);
> @@ -577,55 +561,6 @@ impl_localtime(int fd)
>  }
>  
>  static void
> -impl_getlines(int fd)
> -{
> -     FILE *fp;
> -     char *buf, *lbuf, *file;
> -     size_t len, fid;
> -
> -     logmsg(LOG_DEBUG, "[priv]: msg PRIV_GETLINES received");
> -
> -     must_read(fd, &fid, sizeof(size_t));
> -     if (fid >= NUM_FILETAB)
> -             errx(1, "invalid file id");
> -
> -     file = file_table[fid].name;
> -
> -     if (file == NULL)
> -             errx(1, "invalid file referenced");
> -
> -     if (file_table[fid].count >= file_table[fid].max)
> -             errx(1, "maximum open count exceeded for %s", file);
> -
> -     file_table[fid].count++;
> -
> -     if ((fp = fopen(file, "r")) == NULL) {
> -             write_zero(fd);
> -             return;
> -     }
> -
> -     lbuf = NULL;
> -     while ((buf = fgetln(fp, &len))) {
> -             if (buf[len - 1] == '\n')
> -                     buf[len - 1] = '\0';
> -             else {
> -                     if ((lbuf = malloc(len + 1)) == NULL)
> -                             err(1, NULL);
> -                     memcpy(lbuf, buf, len);
> -                     lbuf[len] = '\0';
> -                     buf = lbuf;
> -             }
> -
> -             write_string(fd, buf);
> -
> -             free(lbuf);
> -             lbuf = NULL;
> -     }
> -     write_zero(fd);
> -     fclose(fp);
> -}
> -
> -static void
>  impl_pcap_stats(int fd, int *bpfd)
>  {
>       struct pcap_stat stats;
> @@ -786,17 +721,6 @@ priv_localtime(const time_t *t)
>       return &lt;
>  }
>  
> -/* start getting lines from a file */
> -void
> -priv_getlines(size_t sz)
> -{
> -     if (priv_fd < 0)
> -             errx(1, "%s called from privileged portion", __func__);
> -
> -     write_command(priv_fd, PRIV_GETLINES);
> -     must_write(priv_fd, &sz, sizeof(size_t));
> -}
> -
>  int
>  priv_pcap_stats(struct pcap_stat *ps)
>  {
> @@ -806,18 +730,6 @@ priv_pcap_stats(struct pcap_stat *ps)
>       write_command(priv_fd, PRIV_PCAP_STATS);
>       must_read(priv_fd, ps, sizeof(*ps));
>       return (0);
> -}
> -
> -/* retrieve a line from a file, should be called repeatedly after calling
> -   priv_getlines(), until it returns zero. */
> -size_t
> -priv_getline(char *line, size_t line_len)
> -{
> -     if (priv_fd < 0)
> -             errx(1, "%s called from privileged portion", __func__);
> -
> -     /* read the line */
> -     return (read_string(priv_fd, line, line_len, __func__));
>  }
>  
>  /* Read all data or return 1 for error. */
> Index: privsep.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/privsep.h,v
> retrieving revision 1.10
> diff -u -p -u -r1.10 privsep.h
> --- privsep.h 8 Sep 2017 19:10:57 -0000       1.10
> +++ privsep.h 8 Nov 2018 00:19:47 -0000
> @@ -21,9 +21,6 @@
>  
>  #define TCPDUMP_MAGIC 0xa1b2c3d4
>  
> -/* file ids used by priv_getlines */
> -#define FTAB_PFOSFP  0
> -
>  enum cmd_types {
>       PRIV_OPEN_BPF,          /* open a bpf descriptor */
>       PRIV_OPEN_DUMP,         /* open dump file for reading */
> @@ -35,7 +32,6 @@ enum cmd_types {
>       PRIV_GETSERVENTRIES,    /* get the service entries table */
>       PRIV_GETPROTOENTRIES,   /* get the ip protocol entries table */
>       PRIV_LOCALTIME,         /* return localtime */
> -     PRIV_GETLINES,          /* get lines from a file */
>       PRIV_INIT_DONE,         /* signal that the initialization is done */
>       PRIV_PCAP_STATS         /* get pcap_stats() results */
>  };
> @@ -74,13 +70,6 @@ void       priv_getprotoentries(void);
>  /* Retrieve a single protocol entry, should be called repeatedly after
>     calling priv_getprotoentries() until it returns zero */
>  size_t       priv_getprotoentry(char *, size_t, int *);
> -
> -/* Start getting lines from a file */
> -void priv_getlines(size_t);
> -
> -/* Retrieve a single line from a file, should be called repeatedly after
> -   calling priv_getlines() until it returns zero */
> -size_t       priv_getline(char *, size_t);
>  
>  /* Return the pcap statistics upon completion */
>  int  priv_pcap_stats(struct pcap_stat *);
>
Re: tcpdump: revisiting some old diffs, cleanup unused functions

Reply via email to
