From cb6222abdf21a038359811a55da9e0b394fff268 Mon Sep 17 00:00:00 2001 From: Robert Swiecki Date: Fri, 9 Feb 2018 17:27:28 +0100 Subject: [PATCH] net: move to C++ --- Makefile | 14 +++++++------- contain.cc | 5 +++-- net.c => net.cc | 46 +++++++++++++++++++++++++++------------------- net.h | 20 ++++++++------------ nsjail.cc | 4 ++-- subproc.cc | 12 ++++++------ 6 files changed, 53 insertions(+), 48 deletions(-) rename net.c => net.cc (91%) diff --git a/Makefile b/Makefile index c74b303..ffcad4f 100644 --- a/Makefile +++ b/Makefile @@ -35,8 +35,8 @@ LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf) BIN = nsjail LIBS = kafel/libkafel.a -SRCS_C = caps.c log.c cgroup.c mount.c net.c pid.c user.c util.c uts.c cpu.c -SRCS_CXX = cmdline.cc config.cc contain.cc nsjail.cc sandbox.cc subproc.cc +SRCS_C = caps.c log.c cgroup.c mount.c pid.c user.c util.c uts.c cpu.c +SRCS_CXX = cmdline.cc config.cc contain.cc net.cc nsjail.cc sandbox.cc subproc.cc SRCS_PROTO = config.proto SRCS_PB_CXX = $(SRCS_PROTO:.proto=.pb.cc) SRCS_PB_H = $(SRCS_PROTO:.proto=.pb.h) @@ -101,7 +101,6 @@ caps.o: caps.h nsjail.h common.h log.h util.h log.o: log.h nsjail.h cgroup.o: cgroup.h nsjail.h log.h util.h mount.o: mount.h nsjail.h common.h log.h subproc.h util.h -net.o: net.h nsjail.h log.h subproc.h pid.o: pid.h nsjail.h log.h subproc.h user.o: user.h nsjail.h common.h log.h subproc.h util.h util.o: util.h nsjail.h common.h log.h 
@@ -111,9 +110,10 @@ cmdline.o: cmdline.h nsjail.h caps.h common.h log.h mount.h user.h util.h cmdline.o: config.h sandbox.h config.o: common.h caps.h nsjail.h config.h log.h mount.h user.h util.h config.o: cmdline.h -contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h -contain.o: user.h uts.h +contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mount.h pid.h +contain.o: user.h uts.h net.h +net.o: net.h nsjail.h log.h subproc.h nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h util.h sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h -subproc.o: subproc.h nsjail.h contain.h sandbox.h cgroup.h common.h log.h -subproc.o: net.h user.h util.h +subproc.o: subproc.h nsjail.h contain.h net.h sandbox.h cgroup.h common.h +subproc.o: log.h user.h util.h diff --git a/contain.cc b/contain.cc index 1012a90..e8642d7 100644 --- a/contain.cc +++ b/contain.cc @@ -43,19 +43,20 @@ extern "C" { #include "cpu.h" #include "log.h" #include "mount.h" -#include "net.h" #include "pid.h" #include "user.h" #include "uts.h" } +#include "net.h" + namespace contain { static bool containUserNs(struct nsjconf_t* nsjconf) { return userInitNsFromChild(nsjconf); } static bool containInitPidNs(struct nsjconf_t* nsjconf) { return pidInitNs(nsjconf); } -static bool containInitNetNs(struct nsjconf_t* nsjconf) { return netInitNsFromChild(nsjconf); } +static bool containInitNetNs(struct nsjconf_t* nsjconf) { return net::initNsFromChild(nsjconf); } static bool containInitUtsNs(struct nsjconf_t* nsjconf) { return utsInitNs(nsjconf); } diff --git a/net.c b/net.cc similarity index 91% rename from net.c rename to net.cc index 2f1704a..4312048 100644 --- a/net.c +++ b/net.cc 
@@ -40,17 +40,22 @@ #include #include +extern "C" { #include "log.h" +} + #include "subproc.h" -#define IFACE_NAME "vs" - extern char** environ; +namespace net { + +#define IFACE_NAME "vs" + #if defined(NSJAIL_NL3_WITH_MACVLAN) #include #include -bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) { +bool initNsFromParent(struct nsjconf_t* nsjconf, int pid) { if (nsjconf->clone_newnet == false) { return true; } @@ -117,7 +122,7 @@ bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) { } #else // defined(NSJAIL_NL3_WITH_MACVLAN) -bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) { +bool initNsFromParent(struct nsjconf_t* nsjconf, int pid) { if (nsjconf->clone_newnet == false) { return true; } @@ -142,7 +147,7 @@ bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) { } #endif // defined(NSJAIL_NL3_WITH_MACVLAN) -static bool netIsSocket(int fd) { +static bool isSocket(int fd) { int optval; socklen_t optlen = sizeof(optval); int ret = getsockopt(fd, SOL_SOCKET, SO_TYPE, &optval, &optlen); @@ -152,7 +157,7 @@ static bool netIsSocket(int fd) { return true; } -bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) { +bool limitConns(struct nsjconf_t* nsjconf, int connsock) { /* 0 means 'unlimited' */ if (nsjconf->max_conns_per_ip == 0) { return true; @@ -160,7 +165,7 @@ bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) { struct sockaddr_in6 addr; char cs_addr[64]; - netConnToText(connsock, true /* remote */, cs_addr, sizeof(cs_addr), &addr); + connToText(connsock, true /* remote */, cs_addr, sizeof(cs_addr), &addr); unsigned int cnt = 0; struct pids_t* p; @@ -180,7 +185,7 @@ bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) { return true; } -int netGetRecvSocket(const char* bindhost, int port) { +int getRecvSocket(const char* bindhost, int port) { if (port < 1 || port > 65535) { LOG_F( "TCP port %d out of bounds (0 <= port <= 65535), specify one with --port " 
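Review bot: `namespace net {` is opened before the `#if defined(NSJAIL_NL3_WITH_MACVLAN)` block, so the two `#include` directives that follow (their targets are not legible on this page) are now expanded inside the namespace, which appears to place whatever those headers declare, plus anything they transitively include for the first time, into `net::` rather than the global namespace. Hoist those conditional includes above `namespace net {` next to the other headers, or open the namespace only after them. The `#define IFACE_NAME "vs"` that was moved inside the namespace gains nothing from the move since the preprocessor ignores scope; either leave it where it was or replace it with a namespace constant such as `static constexpr char kIfaceName[] = "vs";` (in which case `char rt_dev[] = IFACE_NAME;` in netConfigureVs would need a copy rather than an array initializer). The translation unit continues outside the hunk.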
@@ -232,13 +237,13 @@ int netGetRecvSocket(const char* bindhost, int port) { } char ss_addr[64]; - netConnToText(sockfd, false /* remote */, ss_addr, sizeof(ss_addr), NULL); + connToText(sockfd, false /* remote */, ss_addr, sizeof(ss_addr), NULL); LOG_I("Listening on %s", ss_addr); return sockfd; } -int netAcceptConn(int listenfd) { +int acceptConn(int listenfd) { struct sockaddr_in6 cli_addr; socklen_t socklen = sizeof(cli_addr); int connfd = accept(listenfd, (struct sockaddr*)&cli_addr, &socklen); @@ -250,15 +255,15 @@ int netAcceptConn(int listenfd) { } char cs_addr[64], ss_addr[64]; - netConnToText(connfd, true /* remote */, cs_addr, sizeof(cs_addr), NULL); - netConnToText(connfd, false /* remote */, ss_addr, sizeof(ss_addr), NULL); + connToText(connfd, true /* remote */, cs_addr, sizeof(cs_addr), NULL); + connToText(connfd, false /* remote */, ss_addr, sizeof(ss_addr), NULL); LOG_I("New connection from: %s on: %s", cs_addr, ss_addr); return connfd; } -void netConnToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null) { - if (netIsSocket(fd) == false) { +void connToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null) { + if (isSocket(fd) == false) { snprintf(buf, s, "[STANDALONE_MODE]"); return; } @@ -293,7 +298,7 @@ void netConnToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6 return; } -static bool netIfaceUp(const char* ifacename) { +static bool ifaceUp(const char* ifacename) { int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); if (sock == -1) { PLOG_E("socket(AF_INET, SOCK_STREAM, IPPROTO_IP)"); @@ -367,7 +372,7 @@ static bool netConfigureVs(struct nsjconf_t* nsjconf) { return false; } - if (netIfaceUp(IFACE_NAME) == false) { + if (ifaceUp(IFACE_NAME) == false) { close(sock); return false; } 
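Review bot: The renamed `connToText` calls in this hunk and in the `acceptConn` hunk that follows still pass `NULL` for `addr_or_null` even though the file is now compiled as C++; since these lines are being rewritten anyway, `nullptr` is the idiomatic spelling, e.g. `connToText(sockfd, false /* remote */, ss_addr, sizeof(ss_addr), nullptr);`. The same applies to the `net::connToText(..., NULL)` call sites touched in subproc.cc. getRecvSocket and acceptConn both continue outside their hunks.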
@@ -397,7 +402,8 @@ static bool netConfigureVs(struct nsjconf_t* nsjconf) { sgate->sin_addr = addr; rt.rt_flags = RTF_UP | RTF_GATEWAY; - rt.rt_dev = IFACE_NAME; + char rt_dev[] = IFACE_NAME; + rt.rt_dev = rt_dev; if (ioctl(sock, SIOCADDRT, &rt) == -1) { PLOG_E("ioctl(SIOCADDRT, '%s')", nsjconf->iface_vs_gw); @@ -409,12 +415,12 @@ static bool netConfigureVs(struct nsjconf_t* nsjconf) { return true; } -bool netInitNsFromChild(struct nsjconf_t* nsjconf) { +bool initNsFromChild(struct nsjconf_t* nsjconf) { if (nsjconf->clone_newnet == false) { return true; } if (nsjconf->iface_no_lo == false) { - if (netIfaceUp("lo") == false) { + if (ifaceUp("lo") == false) { return false; } } @@ -425,3 +431,5 @@ bool netInitNsFromChild(struct nsjconf_t* nsjconf) { } return true; } + +} // namespace net diff --git a/net.h b/net.h index 32c3416..e540adc 100644 --- a/net.h +++ b/net.h @@ -27,19 +27,15 @@ #include "nsjail.h" -#ifdef __cplusplus -extern "C" { -#endif +namespace net { -bool netLimitConns(struct nsjconf_t* nsjconf, int connsock); -int netGetRecvSocket(const char* bindhost, int port); -int netAcceptConn(int listenfd); -void netConnToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null); -bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid); -bool netInitNsFromChild(struct nsjconf_t* nsjconf); +bool limitConns(struct nsjconf_t* nsjconf, int connsock); +int getRecvSocket(const char* bindhost, int port); +int acceptConn(int listenfd); +void connToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null); +bool initNsFromParent(struct nsjconf_t* nsjconf, int pid); +bool initNsFromChild(struct nsjconf_t* nsjconf); -#ifdef __cplusplus -} // extern "C" -#endif +} // namespace net #endif /* _NET_H */ diff --git a/nsjail.cc b/nsjail.cc index 12f6d2f..05c56e1 100644 --- a/nsjail.cc +++ b/nsjail.cc 
@@ -105,7 +105,7 @@ static bool nsjailSetTimer(struct nsjconf_t* nsjconf) { } static void nsjailListenMode(struct nsjconf_t* nsjconf) { - int listenfd = netGetRecvSocket(nsjconf->bindhost, nsjconf->port); + int listenfd = net::getRecvSocket(nsjconf->bindhost, nsjconf->port); if (listenfd == -1) { return; } @@ -120,7 +120,7 @@ static void nsjailListenMode(struct nsjconf_t* nsjconf) { nsjailShowProc = false; subproc::displayProc(nsjconf); } - int connfd = netAcceptConn(listenfd); + int connfd = net::acceptConn(listenfd); if (connfd >= 0) { subproc::runChild(nsjconf, connfd, connfd, connfd); close(connfd); diff --git a/subproc.cc b/subproc.cc index d33e672..fc16cf6 100644 --- a/subproc.cc +++ b/subproc.cc @@ -43,13 +43,13 @@ #include #include "contain.h" +#include "net.h" #include "sandbox.h" extern "C" { #include "cgroup.h" #include "common.h" #include "log.h" -#include "net.h" #include "user.h" #include "util.h" @@ -171,7 +171,7 @@ static int subprocNewProc( TAILQ_FOREACH(p, &nsjconf->envs, pointers) { putenv((char*)p->val); } char cs_addr[64]; - netConnToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL); + net::connToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL); LOG_I("Executing '%s' for '%s'", nsjconf->exec_file, cs_addr); for (size_t i = 0; nsjconf->argv[i]; i++) { @@ -203,7 +203,7 @@ static void addProc(struct nsjconf_t* nsjconf, pid_t pid, int sock) { struct pids_t* p = reinterpret_cast(utilMalloc(sizeof(struct pids_t))); p->pid = pid; p->start = time(NULL); - netConnToText( + net::connToText( sock, true /* remote */, p->remote_txt, sizeof(p->remote_txt), &p->remote_addr); char fname[PATH_MAX]; @@ -376,7 +376,7 @@ void killAll(struct nsjconf_t* nsjconf) { } static bool initParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) { - if (netInitNsFromParent(nsjconf, pid) == false) { + if (net::initNsFromParent(nsjconf, pid) == false) { LOG_E("Couldn't create and put MACVTAP interface into NS of PID '%d'", pid); return false; } 
@@ -397,7 +397,7 @@ static bool initParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) { } void runChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) { - if (netLimitConns(nsjconf, fd_in) == false) { + if (net::limitConns(nsjconf, fd_in) == false) { return; } unsigned long flags = 0UL; @@ -459,7 +459,7 @@ void runChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) { close(parent_fd); char cs_addr[64]; - netConnToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL); + net::connToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL); } } // namespace subproc