Loading docs/changes.txt +1 −0 Original line number Diff line number Diff line Loading @@ -456,3 +456,4 @@ nfqws,blockcheck: --dpi-desync-fake-tls-mod v70.1 nfqws: --dpi-desync-fake-tls-mod=dupsid nfqws,tpws: test accessibility of list files after privs drop nfq/nfqws.c +27 −0 Original line number Diff line number Diff line Loading @@ -120,6 +120,29 @@ static uint8_t processPacketData(uint32_t *mark, const char *ifout, uint8_t *dat } static bool test_list_files() { struct hostlist_file *hfile; struct ipset_file *ifile; LIST_FOREACH(hfile, ¶ms.hostlists, next) if (!file_mod_time(hfile->filename)) { DLOG_PERROR("file_mod_time"); DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename); return false; } LIST_FOREACH(ifile, ¶ms.ipsets, next) if (!file_mod_time(ifile->filename)) { DLOG_PERROR("file_mod_time"); DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename); return false; } return true; } #ifdef __linux__ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cookie) { Loading Loading @@ -260,6 +283,8 @@ static int nfq_main(void) if (params.droproot && !droproot(params.uid, params.gid)) return 1; print_id(); if (params.droproot && !test_list_files()) return 1; pre_desync(); Loading Loading @@ -357,6 +382,8 @@ static int dvt_main(void) if (params.droproot && !droproot(params.uid, params.gid)) goto exiterr; print_id(); if (params.droproot && !test_list_files()) goto exiterr; pre_desync(); Loading tpws/tpws.c +24 −1 Original line number Diff line number Diff line Loading 
@@ -116,6 +116,27 @@ static int8_t block_sigpipe(void) return 0; } static bool test_list_files() { struct hostlist_file *hfile; struct ipset_file *ifile; LIST_FOREACH(hfile, ¶ms.hostlists, next) if (!file_mod_time(hfile->filename)) { DLOG_PERROR("file_mod_time"); DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename); return false; } LIST_FOREACH(ifile, ¶ms.ipsets, next) if (!file_mod_time(ifile->filename)) { DLOG_PERROR("file_mod_time"); DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename); return false; } return true; } static bool is_interface_online(const char *ifname) { Loading Loading @@ -1918,10 +1939,12 @@ int main(int argc, char *argv[]) set_ulimit(); sec_harden(); if (params.droproot && !droproot(params.uid,params.gid)) goto exiterr; print_id(); if (params.droproot && !test_list_files()) goto exiterr; //splice() causes the process to receive the SIGPIPE-signal if one part (for //example a socket) is closed during splice(). I would rather have splice() //fail and return -1, so blocking SIGPIPE. Loading Loading
docs/changes.txt +1 −0 Original line number Diff line number Diff line Loading @@ -456,3 +456,4 @@ nfqws,blockcheck: --dpi-desync-fake-tls-mod v70.1 nfqws: --dpi-desync-fake-tls-mod=dupsid nfqws,tpws: test accessibility of list files after privs drop
nfq/nfqws.c +27 −0 Original line number Diff line number Diff line Loading @@ -120,6 +120,29 @@ static uint8_t processPacketData(uint32_t *mark, const char *ifout, uint8_t *dat } static bool test_list_files() { struct hostlist_file *hfile; struct ipset_file *ifile; LIST_FOREACH(hfile, ¶ms.hostlists, next) if (!file_mod_time(hfile->filename)) { DLOG_PERROR("file_mod_time"); DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename); return false; } LIST_FOREACH(ifile, ¶ms.ipsets, next) if (!file_mod_time(ifile->filename)) { DLOG_PERROR("file_mod_time"); DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename); return false; } return true; } #ifdef __linux__ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cookie) { Loading Loading @@ -260,6 +283,8 @@ static int nfq_main(void) if (params.droproot && !droproot(params.uid, params.gid)) return 1; print_id(); if (params.droproot && !test_list_files()) return 1; pre_desync(); Loading Loading @@ -357,6 +382,8 @@ static int dvt_main(void) if (params.droproot && !droproot(params.uid, params.gid)) goto exiterr; print_id(); if (params.droproot && !test_list_files()) goto exiterr; pre_desync(); Loading
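Review bot: test_list_files in the first hunk treats a zero return from file_mod_time as "cannot access", but if file_mod_time is stat-based (as its name suggests; its body is not in this diff) a successful stat only proves the path resolves, not that the process can read the file after droproot — a root-owned, mode-0600 list file passes this check and still fails when it is actually opened. A read-permission check such as `if (access(hfile->filename, R_OK))` (and likewise for `ifile->filename`) would test what the changelog entry promises; the same applies to the identical function added to tpws/tpws.c. The signature `static bool test_list_files()` is also the only definition in these hunks without a prototype-style parameter list; `static bool test_list_files(void)` matches block_sigpipe, nfq_main and dvt_main. A one-line comment above the function, e.g. `// called only after droproot: make sure the unprivileged uid can still reach every list file`, would explain the `params.droproot &&` gating at the two call sites, which is otherwise unexplained.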
tpws/tpws.c +24 −1 Original line number Diff line number Diff line Loading @@ -116,6 +116,27 @@ static int8_t block_sigpipe(void) return 0; } static bool test_list_files() { struct hostlist_file *hfile; struct ipset_file *ifile; LIST_FOREACH(hfile, ¶ms.hostlists, next) if (!file_mod_time(hfile->filename)) { DLOG_PERROR("file_mod_time"); DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename); return false; } LIST_FOREACH(ifile, ¶ms.ipsets, next) if (!file_mod_time(ifile->filename)) { DLOG_PERROR("file_mod_time"); DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename); return false; } return true; } static bool is_interface_online(const char *ifname) { Loading Loading @@ -1918,10 +1939,12 @@ int main(int argc, char *argv[]) set_ulimit(); sec_harden(); if (params.droproot && !droproot(params.uid,params.gid)) goto exiterr; print_id(); if (params.droproot && !test_list_files()) goto exiterr; //splice() causes the process to receive the SIGPIPE-signal if one part (for //example a socket) is closed during splice(). I would rather have splice() //fail and return -1, so blocking SIGPIPE. Loading
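Review bot: The test_list_files body added in the first hunk is byte-for-byte the same as the one added to nfq/nfqws.c in this commit, and since neither file gains an include line (both diffstats are accounted for by the function and the call sites), the names it uses — params, hostlist_file, ipset_file, file_mod_time, DLOG_PERROR/DLOG_ERR — were apparently already shared between the two programs, so the function belongs next to file_mod_time in that common code rather than in each front end. Keeping two copies means any later change to the check (its return convention, the access test, the message text) has to be made twice and can drift. The diffstat reports one deletion for this file that is not visible in the collapsed hunks; if it is only the `droproot` line being rewrapped that is fine, but it is worth confirming nothing else was dropped. main() begins and ends outside the hunk.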