Archives
/
xmppipe
mirror of https://github.com/msantos/xmppipe
2
0
Fork 0
Code Issues Releases Wiki Activity
288 Commits
1 Branch
7 Tags
1.1 MiB
master
0.14.2
0.14.3
0.14.5
0.14.8
0.14.9
0.15.0
0.16.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Commit Graph

288 Commits (master)
 

Author SHA1 Message Date
Michael Santos 6aa2cb528e sandbox: enforce rlimit restrictions before connect 
Basic pre-connect sandbox: disable the ability for the xmppipe process
to fork.
 7 years ago
Michael Santos 90c57630b6 openbsd: pre-connect pledge sandbox 7 years ago
Michael Santos c17b196053 sandbox: add a pre-connect sandbox 
Add a sandbox enforced before options are parsed and the connection is
established to the XMPP server. This sandbox will allow network
operations.

The post-connect sandbox is unchanged and restricts operations to stdio.

The commit just adds the infrastructure for the pre-connect sandbox.
 7 years ago
Michael Santos 9a87cd4e1b openbsd: fix compile error 7 years ago
Michael Santos 899e988a6f roomname: use UID in default roomname 
Use the UID of the xmppipe process instead of the PID in the default
name. This allows many processes running under the same user on a host
to share the same output channel and makes it easier to pre-create the
MUC if the xmppipe XMPP user does not have MUC creation privs.
 7 years ago
Michael Santos be90386d6e stream management: check h value in server response 7 years ago
Michael Santos f4d9184bac Add wrapper around strtonum(3) for options 7 years ago
Michael Santos cee9094fc8 options: use strtonum(3) to convert numbers 
Limit the ranges for integers accepted as command line options.
 7 years ago
Michael Santos f30f666d87 Convert last handled stanza using strtonum(3) 7 years ago
Michael Santos 58cb075664 state: set room name/resource before options 7 years ago
Michael Santos ad56bab3cc xmppipe_roomname: use define for hostname 7 years ago
Michael Santos 5cb6364cd0 Check gethostname(2) for error 
Whether gethostname(2) returns an error depends on the implementation.
Some implementations:

* truncate the hostname if length is less than the hostname, with or
  without a trailing NULL

* return -1 if length is less than hostname

* return -1 if length is 0

Set a default name if gethostanme() returns error.
 7 years ago
Michael Santos 0296f2fbbd readme: running tests 7 years ago
Michael Santos b9c446a928 test: error message for environment variables 7 years ago
Michael Santos ad39d23c05 test: base64 encode/decode 7 years ago
Michael Santos 7d1fb8fdb8 makefile: add target for test 7 years ago
Michael Santos e4fcd47b20 test: send using FIFOs between parent/child 7 years ago
Michael Santos ff86eb8f9a test: send a message using stdin 7 years ago
Michael Santos 6c4a14c712 sandbox/seccomp: fake close(2) return value 
Some errors will cause the XMPP file descriptor to be closed before
xmppipe exits. Return EBADF if close is called since the process will
terminate anyway.
 7 years ago
Michael Santos f51377428f Ignore invalid base64 messages 
When base64 encoding is enabled, ignore any messages that fail base64
decoding.

Previously signed-unsigned integer conversion would cause the return
value of b64_pton() on error (a negative integer) to be converted to a
large value. The attempt to allocate this value would force xmppipe to
exit.
 7 years ago
Michael Santos 85917f8ec4 sandbox/seccomp: print error message using err(3) 7 years ago
Michael Santos 417176cddb tests: add some basic tests 
Check the the basic functionality of xmppipe:

    # https://github.com/sstephenson/bats
    # apt-get install bats
    bats test
 7 years ago
Michael Santos 7f0b5863c0 handle_stdin: use fd for nfds 7 years ago
Michael Santos 15926183a6 sandbox/seccomp: add more syscalls 7 years ago
Michael Santos 25f3441b33 README: add information about sandbox 7 years ago
Michael Santos 4a440def98 Enforce sandboxing 7 years ago
Michael Santos 2bf9415683 sandbox: enable capabilities sandbox on FreeBSD 7 years ago
Michael Santos 707d7cf19d Display enforced sandbox in verbose mode 7 years ago
Michael Santos 5917d03137 sandbox: Linux seccomp syscall filter 
Add a BPF seccomp syscall filter on Linux. Not enabled by default. To
compile:

    XMPPIPE_SANDBOX=XMPPIPE_SANDBOX_SECCOMP make

The sandbox is derived from OpenSSH's seccomp sandbox by Will Drewry and
Kees Cook's tutorial on seccomp:

    http://outflux.net/teach-seccomp/
 7 years ago
Michael Santos c346c863e4 sandbox: set number of allowed fd's 
The number of file descriptors enforced by setrlimit() can now be set at
compile time using a flag. The flag defaults to 0 on Linux and -1
everywhere else:

    XMPPIPE_SANDBOX=XMPPIPE_SANDBOX_RLIMIT \
    XMPPIPE_SANDBOX_RLIMIT_NOFILE=-1 \
    make

The meaning of the XMPPIPE_SANDBOX_RLIMIT_NOFILE is:

* -1 : set rlim_cur/rlim_max to the lowest allocated file desciptor

* >=0: set rlim_cur/rlim_max to this number

On some platforms, setting rlim_cur below the value of the highest
allocated fd may interfere with polling. See commit a34d5766c5 for
details.
 7 years ago
Michael Santos a34d5766c5 sandbox: basic rlimit sandbox 
The rlimit sandbox disables forking processes and opening files.

The rlimit sandbox is not used by default yet. To compile it:

    XMPPIPE_SANDBOX=XMPPIPE_SANDBOX_RLIMIT make

The rlimit sandbox should work on any platform. However the interaction
of RLIMIT_NOFILE with poll(2) (and select(2)?) on some platforms (FreeBSD
but really any OS besides Linux) is problematic:

* opening a number of fd's, setting RLIMIT_NOFILE to 0, calling
  poll(2) on the fdset

  Linux: works
  FreeBSD: fails

* opening a number of fd's, setting RLIMIT_NOFILE to maxfd+1, calling
  poll(2) on the fdset

  Linux: works
  FreeBSD: works

The issue with the second option is that a library may have opened a
sequence of file descriptors then closed the lower numbered fd's:

    open() => 3
    open() => 4
    open() => 5
    close(3)
    close(4)
    maxfd = 5

RLIMIT_NOFILE would be set to 6 (stdin, stdout, stderr, 3, 4, 5) and the
sandbox would allow re-opening fd's 3 and 4.

One possible fix would be to run through the sequence of fd's before
entering the rlimit sandbox:

* test if the fd is closed
* if the fd is closed, dup2(STDIN_FILENO, fd)

Since the closed fd's are not part of the pollset, they will not be
polled and should be ignored.

Note we can't simply move maxfd to the lowest unused fd because
libstrophe maintains the fd number as internal, opaque state.

Empirically, the xmpp fd is always 3. Another option would be to abort
the process if the fd does not equal 3.
 7 years ago
Michael Santos cc665538cb sandbox: stdio mode using pledge(2) on OpenBSD 7 years ago
Michael Santos a7d0ca7e47 Initial support for sandboxing 
Prepare for sandboxing the xmppipe process by adding a function called
after all file descriptors are allocated.

The intent of the sandbox is to limit the xmppipe process to the role
of a component in a shell pipeline: reading from stdin, reading/writing
to the XMPP socket and writing to stdout. Any activity not involved with
using stdio should force the process to exit.

The sandbox function will vary based on the capabilities of the
platform. The default sandbox function does nothing.

Limitations of the sandbox:

Probably the biggest risk is in session establishment:
* the TLS handshake
* the XML parsing

The sandbox is enforced after the TLS connection is established, i.e.,
after the file descriptor for the XMPP session is allocated and so has no
effect on the TLS handshake or the initial XMPP handshake.

Possibly an initial sandbox could be setup for the connection phase
followed by a stricter sandbox for the stdio phase.
 7 years ago
Michael Santos 7cf7562bb1 Update readme 7 years ago
Michael Santos eef6074dd5 Add a LICENSE file 
Uses the ISC license. License is also in the source code.
 7 years ago
Michael Santos e20bca9bd1 const'ify all the things 7 years ago
Michael Santos 550eaf4e59 Check message id has been allocated 8 years ago
Michael Santos 04c05bd5f2 xmppipe: avoid memory leak from duplicate options 8 years ago
Michael Santos ee32002c2f ssh-over-xmpp: clean up example 8 years ago
Michael Santos 04f0641df1 Add example of terminal sharing using script(1) 8 years ago
Michael Santos 9410df9d78 bot.sh: clean up 8 years ago
Michael Santos 34efc88484 Mention tested XMPP servers 8 years ago
Michael Santos 2f2805d68a stdin: combine read error check 8 years ago
Michael Santos 16f03deff4 Fix typo 8 years ago
Michael Santos 877ecd5619 Flush stdout after print 8 years ago
Michael Santos 1e16b16c74 encoding: allow '@' and '/' 
To make the JID easier to read, do not encode @ and /. Probably all the
RFC 3986 reserved characters can be passed through.
 8 years ago
Michael Santos 07174101b4 encoding: remove useless lookup, sprintf 8 years ago
Michael Santos 1426be5902 Update README 8 years ago
Michael Santos def456835b Add README 8 years ago
Michael Santos 072e8542ae alloc: log sizes on error 8 years ago