Exemplo n.º 1
 def __init__(self, task: Task, ram: RAM,
              environment: t.Dict[bytes, bytes]) -> None:
     self.data = environment
     self.sh = Command(Path("/bin/sh"), ['sh'], {})
     self.tmpdir = Path(self.get("TMPDIR", "/tmp"))
     self.path = ExecutablePathCache(task, ram,
                                     self.get("PATH", "").split(":"))
Exemplo n.º 2
async def start_recursor(nursery, parent: Thread, path: Path,
                                  ipv4_sockets: t.List[t.Tuple[handle.FileDescriptor, handle.FileDescriptor]],
                                  ipv6_sockets: t.List[t.Tuple[handle.FileDescriptor, handle.FileDescriptor]],
                                  root_hints: dns.zone.Zone=None) -> Powerdns:
    pdns_recursor = Command(Path("/home/sbaugh/.local/src/pdns/pdns/recursordist/pdns_recursor"), ['pdns_recursor'], {})
    thread = await parent.fork()

    ipv4s = {str(i+1): (udp.move(thread.task), tcp.move(thread.task))
             for i, (udp, tcp) in enumerate(ipv4_sockets)}
    ipv6s = {"::"+str(i+1): (udp.move(thread.task), tcp.move(thread.task))
             for i, (udp, tcp) in enumerate(ipv6_sockets)}
    addresses = {**ipv4s, **ipv6s}
    await thread.unshare_files(going_to_exec=True)
    config = {
        "config-dir": os.fsdecode(path),
        "socket-dir": os.fsdecode(path),
        # more logging
        "loglevel": "9",
        "log-common-errors": "yes",
        "quiet": "no",
        "trace": "yes",
        "dont-query": "",
        "logging-facility": "0",
        # relevant stuff
        "local-address": ",".join(addresses),
        "allow-from": "",
        "local-address-udp-fds": ",".join([f"{i}={await fd.as_argument()}" for i, (fd, _) in addresses.items()]),
        "local-address-tcp-fds": ",".join([f"{i}={await fd.as_argument()}" for i, (_, fd) in addresses.items()]),
    if root_hints is not None:
        config["hint-file"] = os.fsdecode(await thread.spit(path/'root.hints', root_hints.to_text()))
    child = await thread.exec(pdns_recursor.args(*[f"--{name}={value}" for name, value in config.items()]))
    return Powerdns()
Exemplo n.º 3
async def make_tun(process: Process, name: str, reqsock: FileDescriptor) -> t.Tuple[FileDescriptor, int]:
    # open /dev/net/tun
    tun_fd = await process.task.open(await process.ptr(Path("/dev/net/tun")), O.RDWR)
    # register TUN interface name for this /dev/net/tun fd
    ifreq = await process.ptr(Ifreq(name, flags=IFF.TUN))
    await tun_fd.ioctl(TUNSETIFF, ifreq)
    # use reqsock to look up the interface index of the TUN interface by name (reusing the previous Ifreq)
    await reqsock.ioctl(SIOC.GIFINDEX, ifreq)
    tun_index = (await ifreq.read()).ifindex
    return tun_fd, tun_index
Exemplo n.º 4
 async def send_email(self, from_: str, to: str, subject: str, msg: str) -> None:
     thread = await self.thread.fork()
     await thread.unshare_files()
     fd = await thread.task.memfd_create(await thread.ram.ptr(Path('message')))
     msg = f'From: {from_}\nSubject: {subject}\nTo: {to}\n\n' + msg
     await thread.spit(fd, msg)
     await fd.lseek(0, SEEK.SET)
     await thread.stdin.replace_with(fd)
     child = await thread.exec(self.sendmail.args('-t'))
     await child.check()
Exemplo n.º 5
async def start_miredo(nursery, miredo_exec: MiredoExecutables,
                       thread: Thread) -> Miredo:
    inet_sock = await thread.task.socket(AF.INET, SOCK.DGRAM)
    await inet_sock.bind(await thread.ram.ptr(SockaddrIn(0, 0)))
    # set a bunch of sockopts
    one = await thread.ram.ptr(Int32(1))
    await inet_sock.setsockopt(SOL.IP, IP.RECVERR, one)
    await inet_sock.setsockopt(SOL.IP, IP.PKTINFO, one)
    await inet_sock.setsockopt(SOL.IP, IP.MULTICAST_TTL, one)
    # hello fragments my old friend
    await inet_sock.setsockopt(SOL.IP, IP.MTU_DISCOVER, await
    ns_thread = await thread.fork()
    await ns_thread.unshare(CLONE.NEWNET | CLONE.NEWUSER)
    # create icmp6 fd so miredo can relay pings
    icmp6_fd = await ns_thread.task.socket(AF.INET6, SOCK.RAW, IPPROTO.ICMPV6)

    # create the TUN interface
    tun_fd = await ns_thread.task.open(
        await ns_thread.ram.ptr(Path("/dev/net/tun")), O.RDWR)
    ptr = await thread.ram.ptr(netif.Ifreq(b'teredo', flags=netif.IFF_TUN))
    await tun_fd.ioctl(netif.TUNSETIFF, ptr)
    # create reqsock for ifreq operations in this network namespace
    reqsock = await ns_thread.task.socket(AF.INET, SOCK.STREAM)
    await reqsock.ioctl(netif.SIOCGIFINDEX, ptr)
    tun_index = (await ptr.read()).ifindex
    # create socketpair for communication between privileged process and teredo client
    privproc_pair = await (await ns_thread.task.socketpair(
        AF.UNIX, SOCK.STREAM, 0, await

    privproc_thread = await ns_thread.fork()
    await add_to_ambient(privproc_thread, {CAP.NET_ADMIN})
    privproc_child = await exec_miredo_privproc(miredo_exec, privproc_thread,
                                                privproc_pair.first, tun_index)

    # TODO lock down the client thread, it's talking on the network and isn't audited...
    # should clear out the mount namespace
    # iterate through / and umount(MNT_DETACH) everything that isn't /nix
    # ummm and let's use UMOUNT_NOFOLLOW too
    # ummm no let's just only umount directories
    client_thread = await ns_thread.fork(CLONE.NEWPID)
    await client_thread.unshare(CLONE.NEWNET | CLONE.NEWNS)
    await client_thread.unshare_user()
    client_child = await exec_miredo_run_client(miredo_exec, client_thread,
                                                inet_sock, tun_fd, reqsock,
                                                icmp6_fd, privproc_pair.second,

    # we keep the ns thread around so we don't have to mess with setns
    return Miredo(ns_thread)
Exemplo n.º 6
async def start_powerdns(nursery, parent: Thread, path: Path, zone: dns.zone.Zone,
                                  # tuple is (udpfd, listening tcpfd)
                                  ipv4_sockets: t.List[t.Tuple[handle.FileDescriptor, handle.FileDescriptor]],
                                  ipv6_sockets: t.List[t.Tuple[handle.FileDescriptor, handle.FileDescriptor]],
) -> Powerdns:
    pdns_server = Command(Path("/home/sbaugh/.local/src/pdns/pdns/pdns_server"), ['pdns_server'], {})
    # pdns_server = await parent.environ.which("pdns_server")
    thread = await parent.fork()

    # we pretend to pass addresses like etc
    # we add one so we don't pass and make powerdns think it's bound to everything
    ipv4s = {str(i+1): (udp.move(thread.task), tcp.move(thread.task))
             for i, (udp, tcp) in enumerate(ipv4_sockets)}
    ipv6s = {str(i+1): (udp.move(thread.task), tcp.move(thread.task))
             for i, (udp, tcp) in enumerate(ipv6_sockets)}
    await thread.unshare_files(going_to_exec=True)
    config = {
        "config-dir": os.fsdecode(path),
        # TODO control-console seems to be a feature where it will listen on stdin or something?
        # we should use that instead of this socketdir
        "socket-dir": os.fsdecode(path),
        # more logging
        "loglevel": "9",
        "log-dns-queries": "yes",
        # backend
        "launch": "bind",
        "bind-config": os.fsdecode(await thread.spit(path/"named.conf",
            'zone "%s" { file "%s"; };' % (
                os.fsdecode(await thread.spit(path/"zone", zone.to_text()))))),
        "enable-lua-records": "yes",
        # relevant stuff
        "local-address": ",".join(ipv4s),
        "local-address-udp-fds": ",".join([f"{i}={await fd.as_argument()}" for i, (fd, _) in ipv4s.items()]),
        "local-address-tcp-fds": ",".join([f"{i}={await fd.as_argument()}" for i, (_, fd) in ipv4s.items()]),
        "local-ipv6": ",".join(ipv6s),
        "local-ipv6-udp-fds": ",".join([f"{i}={await fd.as_argument()}" for i, (fd, _) in ipv6s.items()]),
        "local-ipv6-tcp-fds": ",".join([f"{i}={await fd.as_argument()}" for i, (_, fd) in ipv6s.items()]),
    child = await thread.exec(pdns_server.args(*[f"--{name}={value}" for name, value in config.items()]))
    return Powerdns()
Exemplo n.º 7
async def do_cloexec_except(thr: RAMThread, excluded_fds: t.Set[near.FileDescriptor]) -> None:
    "Close all CLOEXEC file descriptors, except for those in a whitelist. Would be nice to have a syscall for this."
    buf = await thr.ram.malloc(DirentList, 4096)
    dirfd = await thr.task.open(await thr.ram.ptr(Path("/proc/self/fd")), O.DIRECTORY)
    async def maybe_close(fd: near.FileDescriptor) -> None:
        flags = await syscalls.fcntl(thr.task.sysif, fd, F.GETFD)
        if (flags & FD_CLOEXEC) and (fd not in excluded_fds):
            await syscalls.close(thr.task.sysif, fd)
    async with trio.open_nursery() as nursery:
        while True:
            valid, rest = await dirfd.getdents(buf)
            if valid.size() == 0:
            dents = await valid.read()
            for dent in dents:
                    num = int(dent.name)
                except ValueError:
                nursery.start_soon(maybe_close, near.FileDescriptor(num))
            buf = valid.merge(rest)
Exemplo n.º 8
async def write_user_mappings(thr: RAMThread, uid: int, gid: int,
                              in_namespace_uid: int=None, in_namespace_gid: int=None) -> None:
    """Set up a new user namespace with single-user {uid,gid}_map

    These are the only valid mappings for unprivileged user namespaces.
    if in_namespace_uid is None:
        in_namespace_uid = uid
    if in_namespace_gid is None:
        in_namespace_gid = gid
    procself = Path("/proc/self")

    uid_map = await thr.task.open(await thr.ram.ptr(procself/"uid_map"), O.WRONLY)
    await uid_map.write(await thr.ram.ptr(f"{in_namespace_uid} {uid} 1\n".encode()))
    await uid_map.close()

    setgroups = await thr.task.open(await thr.ram.ptr(procself/"setgroups"), O.WRONLY)
    await setgroups.write(await thr.ram.ptr(b"deny"))
    await setgroups.close()

    gid_map = await thr.task.open(await thr.ram.ptr(procself/"gid_map"), O.WRONLY)
    await gid_map.write(await thr.ram.ptr(f"{in_namespace_gid} {gid} 1\n".encode()))
    await gid_map.close()
Exemplo n.º 9
 async def which(self, name: str) -> Command:
     "Locate an executable with this name on PATH; throw ExecutableNotFound on failure"
         path = self.name_to_path[name]
     except KeyError:
         nameptr = await self.ram.ptr(Path(name))
         # do the lookup for 64 paths at a time, that seems like a good batching number
         for paths in chunks(self.paths, 64):
             thunks = [
                 functools.partial(self._check, path, nameptr)
                 for path in paths
             results = await run_all(thunks)  # type: ignore
             for path, result in zip(paths, results):
                 if result:
                     # path is set as the loop variable; python has no scope
                     # so we can just break out and use it.
             if result:
             raise ExecutableNotFound(name)
         self.name_to_path[name] = path
     return Command(path / name, [name], {})
Exemplo n.º 10
 def __init__(self, task: Task, ram: RAM, paths: t.List[str]) -> None:
     self.task = task
     self.ram = ram
     self.paths = [Path(path) for path in paths]
     self.fds: t.Dict[Path, t.Optional[FileDescriptor]] = {}
     self.name_to_path: t.Dict[str, Path] = {}