Merge remote-tracking branch 'origin/pr/17'
* origin/pr/17:
  qrexec-daemon: don't open log file when run with --direct
  Don't run tests as root in Docker
  Add tests for qrexec-daemon
  daemon: add options to enable testing
  Add tests for MSG_SERVICE_REFUSED
  Move socket tests to qrexec/tests/socket
  Add tests for agent using vchan-socket
  agent: don't try to change user if not necessary
  agent: add options for alternative socket paths
marmarek committed Feb 6, 2020
2 parents 68dda8f + df1dbf5 commit ea8ca0b
Showing 16 changed files with 878 additions and 67 deletions.
4 changes: 2 additions & 2 deletions .travis.yml
Expand Up @@ -22,11 +22,11 @@ jobs:
include:
- python: '3.7'
script: pylint qrexec
- install:
- install:
- pip install --quiet codecov
- docker build -t qrexec-test ci
env: DOCKER_RUN="docker run -v $TRAVIS_BUILD_DIR:$TRAVIS_BUILD_DIR -v /tmp/.X11-unix:/tmp/.X11-unix -w $TRAVIS_BUILD_DIR -e DISPLAY=$DISPLAY -- qrexec-test"
script: $DOCKER_RUN python3 -m coverage run -m unittest discover -s qrexec/tests -t . -p '*.py' -v
script: $DOCKER_RUN ./run-tests
# - python: '3.7'
# script: python -m coverage run -m unittest discover -s qrexec/tests -t . -p '*.py' -v
- stage: deploy
71 changes: 68 additions & 3 deletions agent/qrexec-agent.c
Expand Up @@ -34,6 +34,7 @@
#include <sys/wait.h>
#include <fcntl.h>
#include <string.h>
#include <getopt.h>
#include <pwd.h>
#include <grp.h>
#include <sys/stat.h>
Expand Down Expand Up @@ -77,6 +78,9 @@ int trigger_fd;

int meminfo_write_started = 0;

static const char *agent_trigger_path = QREXEC_AGENT_TRIGGER_PATH;
static const char *fork_server_path = QREXEC_FORK_SERVER_SOCKET;

void handle_server_exec_request_do(int type, int connect_domain, int connect_port, char *cmdline);

void no_colon_in_cmd()
Expand Down Expand Up @@ -160,6 +164,21 @@ void do_exec(char *cmd)
signal(SIGCHLD, SIG_DFL);
signal(SIGPIPE, SIG_DFL);

pw = getpwuid(geteuid());
if (!pw) {
perror("getpwuid");
exit(1);
}
if (!strcmp(pw->pw_name, user)) {
/* call QUBESRPC if requested */
exec_qubes_rpc_if_requested(realcmd, environ);

/* otherwise exec shell */
execl("/bin/sh", "sh", "-c", realcmd, NULL);
perror("execl");
exit(1);
}

#ifdef HAVE_PAM
pw = getpwnam (user);
if (! (pw && pw->pw_name && pw->pw_name[0] && pw->pw_dir && pw->pw_dir[0]
Expand Down Expand Up @@ -355,7 +374,7 @@ void init()
if (handle_handshake(ctrl_vchan) < 0)
exit(1);
old_umask = umask(0);
trigger_fd = get_server_socket(QREXEC_AGENT_TRIGGER_PATH);
trigger_fd = get_server_socket(agent_trigger_path);
umask(old_umask);
register_exec_func(do_exec);

Expand Down Expand Up @@ -409,13 +428,16 @@ int try_fork_server(int type, int connect_domain, int connect_port,
struct sockaddr_un remote;
struct qrexec_cmd_info info;

if (!fork_server_path)
return -1;

strncpy(username, cmdline, cmdline_len);
colon = index(username, ':');
if (!colon)
return -1;
*colon = '\0';

if (asprintf(&fork_server_socket_path, QREXEC_FORK_SERVER_SOCKET, username) < 0) {
if (asprintf(&fork_server_socket_path, fork_server_path, username) < 0) {
fprintf(stderr, "Memory allocation failed\n");
return -1;
}
Expand Down Expand Up @@ -934,12 +956,55 @@ void handle_terminated_fork_client(fd_set *rdset) {
}
}

int main()
struct option longopts[] = {
{ "help", no_argument, 0, 'h' },
{ "agent-socket", required_argument, 0, 'a' },
{ "fork-server-socket", optional_argument, 0, 's' },
{ "no-fork-server", no_argument, 0, 'S' },
{ NULL, 0, 0, 0 },
};

_Noreturn void usage(const char *argv0)
{
fprintf(stderr, "usage: %s [options]\n", argv0);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -h, --help - display usage\n");
fprintf(stderr, " --agent-socket=PATH - path to listen at, default: %s\n",
QREXEC_AGENT_TRIGGER_PATH);
fprintf(stderr, " --fork-server-socket=PATH - where to find the fork server, default: %s\n",
QREXEC_FORK_SERVER_SOCKET);
fprintf(stderr, " (set empty to disable, use %%s as username)\n");
fprintf(stderr, " --no-fork-server - don't try to connect to fork server\n");
exit(2);
}

int main(int argc, char **argv)
{
fd_set rdset, wrset;
int max;
sigset_t chld_set;

int opt;
while (1) {
opt = getopt_long(argc, argv, "ha:s:S", longopts, NULL);
if (opt == -1)
break;
switch (opt) {
case 'a':
agent_trigger_path = strdup(optarg);
break;
case 's':
fork_server_path = strdup(optarg);
break;
case 'S':
fork_server_path = NULL;
break;
case 'h':
case '?':
usage(argv[0]);
}
}

init();
signal(SIGCHLD, sigchld_handler);
signal(SIGPIPE, SIG_IGN);
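Review bot: `--fork-server-socket` is declared with `optional_argument`, so the bare long option leaves `optarg` NULL and `case 's'` passes it straight to `strdup()`; the accepted value is then used unchecked as the format string of `asprintf()` in try_fork_server, where anything other than a single `%s` conversion is undefined behaviour. The usage text also promises that an empty value disables the fork server, but only `-S` sets the pointer to NULL. The sketch below maps a missing or empty value to NULL and rejects templates that are not exactly one `%s`; main() and try_fork_server continue outside the visible hunks. Separately, the new early branch in do_exec runs before the `#ifdef HAVE_PAM` block whenever the requested user equals the agent's own user, which presumably includes a root agent serving a root request; guarding it with `geteuid() != 0 &&` would keep that case on the PAM path.

```c
/* The value becomes an asprintf() format: allow exactly one "%s", no other '%'. */
static int fork_server_template_ok(const char *tmpl)
{
    const char *conv = strstr(tmpl, "%s");
    const char *p;

    if (!conv)
        return 0;
    for (p = tmpl; *p; p++)
        if (*p == '%' && p != conv)
            return 0;
    return 1;
}

/* … unchanged: longopts, usage(), start of main() and case 'a' … */
            case 's':
                if (!optarg || !*optarg)
                    fork_server_path = NULL;   /* usage: "set empty to disable" */
                else if (fork_server_template_ok(optarg))
                    fork_server_path = strdup(optarg);
                else
                    usage(argv[0]);
                break;
```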
13 changes: 10 additions & 3 deletions agent/qrexec-client-vm.c
Expand Up @@ -43,7 +43,7 @@ void do_exec(char *cmd __attribute__((__unused__))) {
exit(1);
}

int connect_unix_socket(char *path)
int connect_unix_socket(const char *path)
{
int s, len;
struct sockaddr_un remote;
Expand Down Expand Up @@ -97,6 +97,7 @@ struct option longopts[] = {
{ "filter-escape-chars-stderr", no_argument, 0, 'T'},
{ "no-filter-escape-chars-stdout", no_argument, 0, opt_no_filter_stdout},
{ "no-filter-escape-chars-stderr", no_argument, 0, opt_no_filter_stderr},
{ "agent-socket", required_argument, 0, 'a'},
{ NULL, 0, 0, 0},
};

Expand All @@ -110,6 +111,8 @@ _Noreturn void usage(const char *argv0) {
fprintf(stderr, " -T, --filter-escape-chars-stderr - filter non-ASCII and control characters on stderr (default if stderr is a terminal)\n");
fprintf(stderr, " --no-filter-escape-chars-stdout - opposite to --filter-escape-chars-stdout\n");
fprintf(stderr, " --no-filter-escape-chars-stderr - opposite to --filter-escape-chars-stderr\n");
fprintf(stderr, " --agent-socket=PATH - path to connect to, default: %s\n",
QREXEC_AGENT_TRIGGER_PATH);
exit(2);
}

Expand All @@ -128,9 +131,10 @@ int main(int argc, char **argv)
int inpipe[2], outpipe[2];
int buffer_size = 0;
int opt;
const char *agent_trigger_path = QREXEC_AGENT_TRIGGER_PATH;

while (1) {
opt = getopt_long(argc, argv, "+tT", longopts, NULL);
opt = getopt_long(argc, argv, "+tTa:", longopts, NULL);
if (opt == -1)
break;
switch (opt) {
Expand All @@ -149,6 +153,9 @@ int main(int argc, char **argv)
case opt_no_filter_stderr:
replace_chars_stderr = 0;
break;
case 'a':
agent_trigger_path = strdup(optarg);
break;
case '?':
usage(argv[0]);
}
Expand All @@ -172,7 +179,7 @@ int main(int argc, char **argv)

service_name_len = strlen(service_name) + 1;

trigger_fd = connect_unix_socket(QREXEC_AGENT_TRIGGER_PATH);
trigger_fd = connect_unix_socket(agent_trigger_path);

hdr.type = MSG_TRIGGER_SERVICE3;
hdr.len = sizeof(params) + service_name_len;
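Review bot: The result of `strdup(optarg)` in `case 'a'` is never checked, so an allocation failure hands NULL to connect_unix_socket(); because `optarg` points into argv, which lives as long as main(), `agent_trigger_path = optarg;` removes both the copy and the failure path. With the path now chosen by the caller, connect_unix_socket() should reject a value that does not fit `remote.sun_path` instead of truncating it; its body is outside the visible hunk, so confirm whether it already does. The usage text documents only `--agent-socket=PATH` although the option string `"+tTa:"` also accepts `-a`.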
10 changes: 8 additions & 2 deletions ci/Dockerfile
@@ -1,8 +1,14 @@
FROM fedora:31

RUN dnf install -y python3-pip python3-gobject gtk3 python3-pytest python3-coverage
RUN dnf install -y python3-pip python3-gobject gtk3 python3-pytest \
python3-coverage python3-devel pam-devel pandoc gcc git make

ADD requirements.txt /
RUN git clone https://github.com/QubesOS/qubes-core-vchan-socket ~/qubes-core-vchan-socket
RUN make -C ~/qubes-core-vchan-socket all
RUN make -C ~/qubes-core-vchan-socket install LIBDIR=/usr/lib64

ADD requirements.txt /
RUN pip3 install -r requirements.txt

RUN useradd --create-home --shell /bin/bash travis --uid 2000
USER travis
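Review bot: The added `git clone` of qubes-core-vchan-socket builds whatever the default branch holds at image build time, and the two `make` steps, including `install` into `/usr/lib64`, run before `USER travis` takes effect, so unreviewed upstream changes are compiled and installed with the build user's privileges (root for this base image, presumably). Pin the checkout to a reviewed revision, for example `RUN git clone https://github.com/QubesOS/qubes-core-vchan-socket ~/qubes-core-vchan-socket && git -C ~/qubes-core-vchan-socket checkout <PINNED_COMMIT>`, where `<PINNED_COMMIT>` is a placeholder for a commit or signed tag the project has vetted. That also makes the CI image reproducible, which matters when a test failure has to be traced to either this repository or the vchan library.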
1 change: 1 addition & 0 deletions ci/requirements.txt
Expand Up @@ -5,3 +5,4 @@ pylint
sphinx
codecov
pydbus
psutil
5 changes: 2 additions & 3 deletions daemon/Makefile
Expand Up @@ -2,10 +2,10 @@ CC=gcc
CFLAGS+=-I. -g -O2 -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)`
CFLAGS += -I../libqrexec
LIBS = -L../libqrexec
LIBS=`pkg-config --libs vchan-$(BACKEND_VMM)` -lqrexec-utils
LIBS += `pkg-config --libs vchan-$(BACKEND_VMM)` -lqrexec-utils


all: qrexec-daemon qrexec-client
all: qrexec-daemon qrexec-client
clean:
rm -f *.o *~ qrexec-daemon qrexec-client
install:
Expand All @@ -21,4 +21,3 @@ qrexec-daemon: qrexec-daemon.o
$(CC) -pie -g -o qrexec-daemon qrexec-daemon.o $(LIBS)
qrexec-client: qrexec-client.o
$(CC) -pie -g -o qrexec-client qrexec-client.o $(LIBS)
