spartservPrivDrop.c (17750B)
1 /*
2 This server creates a socket listening to PORT and
3 starts the event loop
4 2 mimetypes are set depending on file extension:
5 text/gemini .gmi
6 text/markdown .md .markdown
7 */
8
9 #define _GNU_SOURCE
10 #include <string.h>
11 #include <stdio.h>
12 #include <sys/types.h>
13 #include <sys/socket.h>
14 #include <netinet/in.h>
15 #include <stdlib.h>
16 #include <unistd.h>
17 #include <sys/stat.h>
18 #include <stdbool.h>
19 #include <ctype.h>
20 #include <stdarg.h>
21 #include <limits.h>
22 #include <time.h>
23 #include <fcntl.h> // access
24
25 // inet_ntoa
26 //already included #include <sys/socket.h>
27 //already included #include <netinet/in.h>
28 #include <arpa/inet.h>
29
30 // privilege drop
31 // already included #include <sys/types.h>
32 #include <pwd.h>
33 #include <grp.h>
34
35 // seccomp bpf filters
36 #include <sys/syscall.h>
37 #include <errno.h>
38 #include <stddef.h>
39 #include <linux/seccomp.h>
40 #include <linux/filter.h> // struct sock_filter
41 #include <linux/audit.h>
42 #include <sys/mman.h>
43 #include <sys/prctl.h>
44
45 // server configuration
46 #define HOSTNAME "localhost"
47 #define ROOT "/"
48 #define PORT 300
49
50 #define RUNAS "spartserv"
51 #define CHROOT "."
52
53 // ----------------- seccomp setup
54 // This code is copied and modified from kore http server
55 // https://kore.io
56 /*
57 * Copyright (c) 2013-2022 Joris Vink <joris@coders.se>
58 *
59 * Permission to use, copy, modify, and distribute this software for any
60 * purpose with or without fee is hereby granted, provided that the above
61 * copyright notice and this permission notice appear in all copies.
62 *
63 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
64 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
65 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
66 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
67 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
68 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
69 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
70 */
71
72 #if __BYTE_ORDER == __LITTLE_ENDIAN
73 #define ARGS_LO_OFFSET 0
74 #define ARGS_HI_OFFSET sizeof(u_int32_t)
75 #elif __BYTE_ORDER == __BIG_ENDIAN
76 #define ARGS_LO_OFFSET sizeof(u_int32_t)
77 #define ARGS_HI_OFFSET 0
78 #else
79 #error "__BYTE_ORDER unknown"
80 #endif
81
82 // AUDIT_ARCH_X86_64 AUDIT_ARCH_ARM AUDIT_ARCH_AARCH64
83 #define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
84 #define SECCOMP_KILL_POLICY SECCOMP_RET_KILL
85
86 /* Load field of seccomp_data into accumulator. */
87 #define KORE_BPF_LOAD(_field, _off) \
88 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, _field) + _off)
89 /* Compare the accumulator against a constant (==). */
90 #define KORE_BPF_CMP(_k, _jt, _jf) \
91 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, _k, _jt, _jf)
92
93 /* Return a constant from a BPF program. */
94 #define KORE_BPF_RET(_retval) \
95 BPF_STMT(BPF_RET+BPF_K, _retval)
96
97 /* AND operation on the accumulator. */
98 #define KORE_BPF_AND(_k) \
99 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, _k)
100
101 /* The length of a filter. */
102 #define KORE_FILTER_LEN(x) (sizeof(x) / sizeof(x[0]))
103
104 #define KORE_SYSCALL_FILTER(_name, _action) \
105 KORE_BPF_CMP(SYS_##_name, 0, 1), \
106 KORE_BPF_RET(_action)
107
108 #define KORE_SYSCALL_WITH_FLAG(_name, _arg, _flag, _action) \
109 KORE_BPF_CMP(SYS_##_name, 0, 8), \
110 KORE_BPF_LOAD(args[(_arg)], ARGS_LO_OFFSET), \
111 KORE_BPF_AND(((_flag) & 0xffffffff)), \
112 KORE_BPF_CMP(((_flag) & 0xffffffff), 0, 4), \
113 KORE_BPF_LOAD(args[(_arg)], ARGS_HI_OFFSET), \
114 KORE_BPF_AND((((uint32_t)((uint64_t)(_flag) >> 32)) & 0xffffffff)), \
115 KORE_BPF_CMP((((uint32_t)((uint64_t)(_flag) >> 32)) & 0xffffffff), 0, 1), \
116 KORE_BPF_RET(_action), \
117 KORE_BPF_LOAD(nr, 0)
118
119 #define KORE_SYSCALL_DENY(_name, _errno) \
120 KORE_SYSCALL_FILTER(_name, SECCOMP_RET_ERRNO|(_errno))
121
122 #define KORE_SYSCALL_DENY_WITH_FLAG(_name, _arg, _flag, _errno) \
123 KORE_SYSCALL_WITH_FLAG(_name, _arg, _flag, SECCOMP_RET_ERRNO|(_errno))
124
125 #define KORE_SYSCALL_ALLOW(_name) \
126 KORE_SYSCALL_FILTER(_name, SECCOMP_RET_ALLOW)
127
128
129 /*
130 * The bare minimum to be able to run kore. These are added last and can
131 * be overwritten by a filter program that is added before hand.
132 */
133 static struct sock_filter filter_kore[] = {
134 /* Deny these, but with EACCESS instead of dying. */
135 KORE_SYSCALL_DENY(ioctl, EACCES),
136
137 /* File related. */
138 KORE_SYSCALL_ALLOW(read),
139 #if defined(SYS_stat)
140 KORE_SYSCALL_ALLOW(stat),
141 #endif
142 #if defined(SYS_lstat)
143 KORE_SYSCALL_ALLOW(lstat),
144 #endif
145 KORE_SYSCALL_ALLOW(fstat),
146 KORE_SYSCALL_ALLOW(write),
147 KORE_SYSCALL_ALLOW(close),
148 KORE_SYSCALL_ALLOW(openat),
149 #if defined(SYS_access)
150 KORE_SYSCALL_ALLOW(access),
151 #endif
152 #if defined(SYS_send)
153 KORE_SYSCALL_ALLOW(send),
154 #endif
155 KORE_SYSCALL_ALLOW(sendto),
156 KORE_SYSCALL_ALLOW(accept),
157 KORE_SYSCALL_ALLOW(sendfile),
158 #if defined(SYS_recv)
159 KORE_SYSCALL_ALLOW(recv),
160 #endif
161 KORE_SYSCALL_ALLOW(recvfrom),
162 KORE_SYSCALL_ALLOW(setsockopt),
163 // for perror
164 #if defined(SYS_dup)
165 KORE_SYSCALL_ALLOW(dup),
166 #endif
167 #if defined(SYS_fcntl)
168 KORE_SYSCALL_ALLOW(fcntl),
169 #endif
170 };
171
172 /* bpf program prologue. */
173 static struct sock_filter filter_prologue[] = {
174 /* Load arch member into accumulator (A) (arch is __u32). */
175 KORE_BPF_LOAD(arch, 0),
176
177 /* Compare accumulator against constant, if false jump over kill. */
178 KORE_BPF_CMP(SECCOMP_AUDIT_ARCH, 1, 0),
179 KORE_BPF_RET(SECCOMP_RET_KILL),
180
181 /* Load the system call number into the accumulator. */
182 KORE_BPF_LOAD(nr, 0),
183 };
184
185 /* bpf program epilogue. */
186 static struct sock_filter filter_epilogue[] = {
187 /* Return hit if no system calls matched our list. */
188 BPF_STMT(BPF_RET+BPF_K, SECCOMP_KILL_POLICY)
189 };
190
191 #define filter_prologue_len KORE_FILTER_LEN(filter_prologue)
192 #define filter_epilogue_len KORE_FILTER_LEN(filter_epilogue)
193
194 int kore_seccomp_tracing = 0;
195
196 void kore_seccomp_enable(void) {
197 struct sock_filter *sf;
198 struct sock_fprog prog;
199 size_t prog_len, off, i;
200
201 /*
202 * If kore_seccomp_tracing is turned on, set the default policy to
203 * SECCOMP_RET_TRACE so we can log the system calls.
204 */
205 if (kore_seccomp_tracing) {
206 filter_epilogue[0].k = SECCOMP_RET_TRACE;
207 puts("seccomp tracing enabled");
208 }
209
210 /* Start with the prologue. */
211 /* Finally add the epilogue. */
212 prog_len = filter_prologue_len + KORE_FILTER_LEN(filter_kore) + filter_epilogue_len ;
213
214 /* Build the entire bpf program now. */
215 if ((sf = calloc(prog_len, sizeof(*sf))) == NULL) {
216 puts("calloc");
217 exit(1);
218 }
219
220 off = 0;
221 for (i = 0; i < filter_prologue_len; i++)
222 sf[off++] = filter_prologue[i];
223
224 for (i = 0; i < KORE_FILTER_LEN(filter_kore); i++)
225 sf[off++] = filter_kore[i];
226
227 for (i = 0; i < filter_epilogue_len; i++)
228 sf[off++] = filter_epilogue[i];
229
230 /* Lock and load it. */
231 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
232 printf("prctl: %s\n", strerror(errno));
233 exit(1);
234 }
235
236 prog.filter = sf;
237 prog.len = prog_len;
238
239 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
240 printf("prctl: %s\n", strerror(errno));
241 exit(1);
242 }
243 }
244
245 // ----------------- seccomp end
246
247 bool isDir(const char *path) {
248 struct stat st;
249
250 if (stat(path, &st) == -1) {
251 return(false);
252 }
253
254 if (!S_ISDIR(st.st_mode)) {
255 return(false);
256 }
257 return(true);
258 }
259
260 int main(int ac, char **av){
261 int sock;
262 struct sockaddr_in server;
263 int mysock;
264 char buf[4096];
265 int rval;
266
267 char root[PATH_MAX] = {0};
268 if (ROOT[0] == '/') {
269 realpath(ROOT, root);
270 }
271 else {
272 // create absolute path from relative ROOT path
273 char p[PATH_MAX] = {0};
274 getcwd(p, PATH_MAX);
275 strcat(p, "/");
276 strcat(p, ROOT);
277 realpath(p, root);
278 strcat(root, "/");
279 }
280
281 size_t rootLen = strlen(root);
282 size_t slash = 0;
283
284 // count slashes at the end of root
285 // to compare paths with memcmp correctly
286 // since realpath removes the slashes at the
287 // end of the path from client.
288 while(root[rootLen-1-slash] == '/') {
289 slash++;
290 }
291
292 sock = socket(AF_INET, SOCK_STREAM, 0);
293 if (sock < 0){
294 perror("Failed to create socket");
295 }
296
297 server.sin_family = AF_INET;
298 server.sin_addr.s_addr = INADDR_ANY;
299 server.sin_port = htons(PORT);
300
301 /* setsockopt: Handy debugging trick that lets
302 * us rerun the server immediately after we kill it;
303 * otherwise we have to wait about 20 secs.
304 * Eliminates "ERROR on binding: Address already in use" error.
305 */
306 int optval = 1;
307 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (const void *)&optval , sizeof(int));
308
309 if (bind(sock, (struct sockaddr *) &server, sizeof(server))){
310 perror("bind failed");
311 exit(1);
312 }
313
314 listen(sock, SOMAXCONN);
315
316 struct passwd *pw = NULL;
317 pw = getpwnam(RUNAS);
318 if (!pw) {
319 perror("get user info failed");
320 exit(1);
321 }
322
323 if (chroot(CHROOT) == -1) {
324 perror("cannot chroot");
325 exit(1);
326 }
327
328 if (chdir("/") == -1) {
329 perror("cannot chdir");
330 exit(1);
331 }
332
333 if (setgroups(1, &pw->pw_gid) ||
334 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
335 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) {
336 printf("cannot drop privileges");
337 exit(1);
338 }
339
340 kore_seccomp_enable();
341
342 printf("Serving "HOSTNAME":%d %s\n", PORT, root);
343
344 // date for request print
345 char date[50];
346 do {
347 // struct for printing client ip in terminal with inet_ntoa
348 struct sockaddr_in addr;
349 socklen_t len = sizeof(addr);
350 mysock = accept(sock, &addr, &len);
351 if (mysock == -1)
352 perror("accept failed");
353 else {
354 // Set 10s timeouts for receive and send (SO_RCVTIMEO and SO_SNDTIMEO)
355 struct timeval timeout;
356 timeout.tv_sec = 10;
357 timeout.tv_usec = 0;
358 // get YMD HMS date
359 time_t clk = time(NULL);
360 struct tm *pClk = localtime(&clk);
361 strftime(date, sizeof(date), "%Y-%m-%d:%H:%M:%S", pClk);
362 if (setsockopt(mysock, SOL_SOCKET, SO_RCVTIMEO, (void *) &timeout, sizeof(timeout)) < 0) {
363 printf("%s %s ",date, inet_ntoa(addr.sin_addr));
364 perror("receive timeout failed");
365 close(mysock);
366 continue;
367 }
368 if (setsockopt(mysock, SOL_SOCKET, SO_SNDTIMEO, (void *) &timeout, sizeof(timeout)) < 0) {
369 printf("%s %s ",date, inet_ntoa(addr.sin_addr));
370 perror("send timeout failed");
371 close(mysock);
372 continue;
373 }
374
375 // new client
376 memset(buf, 0, sizeof(buf));
377 if ((rval = recv(mysock, buf, sizeof(buf), 0)) < 0) {
378 printf("%s %s ",date, inet_ntoa(addr.sin_addr));
379 perror("reading message");
380 close(mysock);
381 continue;
382 }
383 else if (rval == 0) {
384 printf("%s %s ",date, inet_ntoa(addr.sin_addr));
385 puts("Ending connection");
386 close(mysock);
387 continue;
388 }
389
390 printf("%s %s ",date, inet_ntoa(addr.sin_addr));
391
392 // validate request then scan hostname path and content length
393
394 // find request end
395 char *reqEnd = memmem(buf, sizeof(buf), "\r\n", 2);
396 if (!reqEnd || buf[0] == ' ') {
397 puts("4 Invalid request");
398 // add MSG_NOSIGNAL flag to ignore SIGPIPE when the client closes the socket early
399 send(mysock, "4 Invalid request\r\n", sizeof("4 Invalid request\r\n"), MSG_NOSIGNAL);
400 close(mysock);
401 continue;
402 }
403
404 // check ascii
405 char *cursor = buf;
406 bool isBad = false;
407 while (cursor < reqEnd) {
408 if (*cursor < 32 || *cursor == 127) {
409 isBad = true;
410 break;
411 }
412 cursor++;
413 }
414 if (isBad) {
415 puts("4 Non ASCII");
416 send(mysock, "4 Non ASCII\r\n", sizeof("4 Non ASCII\r\n"), MSG_NOSIGNAL);
417 close(mysock);
418 continue;
419 }
420
421 // print request in terminal
422 *reqEnd = 0;
423 printf("%s ", buf);
424 *reqEnd = '\r';
425
426 // parse hostname, path and content_length in request
427 char *hostname;
428 char *path;
429 char *content_length;
430
431 hostname = buf;
432
433 // hostname must match HOSTNAME
434 // comment out this test to accept nay hostname
435 int c = memcmp(hostname, HOSTNAME, strlen(HOSTNAME));
436
437 if (c != 0) {
438 puts("4 Hostname");
439 send(mysock, "4 Hostname\r\n", sizeof("4 Hostname\r\n"), MSG_NOSIGNAL);
440 close(mysock);
441 continue;
442 }
443
444 // get path
445 cursor = buf;
446 while (*cursor != ' ' && cursor < reqEnd) {
447 cursor++;
448 }
449
450 cursor++;
451 if (cursor >= reqEnd || *cursor == ' ') {
452 puts("4 Path");
453 send(mysock, "4 Path\r\n", sizeof("4 Path\r\n"), MSG_NOSIGNAL);
454 close(mysock);
455 continue;
456 }
457
458 path = cursor;
459
460 // get content_length
461 while (*cursor != ' ' && cursor < reqEnd) {
462 cursor++;
463 }
464
465 cursor++;
466 if (cursor >= reqEnd || *cursor == ' ') {
467 puts("4 Length");
468 send(mysock, "4 Length\r\n", sizeof("4 Length\r\n"), MSG_NOSIGNAL);
469 close(mysock);
470 continue;
471 }
472
473 content_length = cursor;
474 while(cursor < reqEnd) {
475 if (!isdigit(*cursor)) {
476 isBad = true;
477 break;
478 }
479 cursor++;
480 }
481
482 // the request must not have any content
483 // content_length = 0
484 if (isBad || reqEnd - content_length > 1 || *content_length != '0') {
485 puts("4 Length");
486 send(mysock, "4 Length\r\n", sizeof("4 Length\r\n"), MSG_NOSIGNAL);
487 close(mysock);
488 continue;
489 }
490
491 // replace SPC with 0 at the end of path
492 *(content_length-1) = 0;
493
494 // build server path
495 char localPath[PATH_MAX] = {0};
496 if (rootLen + strlen(path) >= PATH_MAX) {
497 puts("5 Path too long");
498 send(mysock, "5 Path too long\r\n", sizeof("5 Path too long\r\n"), MSG_NOSIGNAL);
499 close(mysock);
500 continue;
501 }
502 memcpy(localPath, root, rootLen);
503 cursor = localPath + rootLen;
504 memcpy(cursor, path, strlen(path));
505
506 // check path
507 if (access(localPath, R_OK) == -1) {
508 puts("4 Not found");
509 send(mysock, "4 Not found\r\n", sizeof("4 Not found\r\n"), MSG_NOSIGNAL);
510 close(mysock);
511 continue;
512 }
513 char realPath[PATH_MAX] = {0};
514 realpath(localPath, realPath);
515 if (memcmp(realPath, root, rootLen-slash) != 0) {
516 puts("4 Not found");
517 send(mysock, "4 Not found\r\n", sizeof("4 Not found\r\n"), MSG_NOSIGNAL);
518 close(mysock);
519 continue;
520 }
521
522 size_t pathLen = strlen(realPath);
523 cursor = realPath + pathLen;
524 if (isDir(realPath)) {
525 if (pathLen + strlen("/index.gmi") >= PATH_MAX) {
526 puts("5 Path too long");
527 send(mysock, "5 Path too long\r\n", sizeof("5 Path too long\r\n"), MSG_NOSIGNAL);
528 close(mysock);
529 continue;
530 }
531 memcpy(cursor, "/index.gmi", strlen("/index.gmi"));
532 cursor += strlen("/index.gmi");
533 }
534
535 FILE *f = fopen(realPath, "r");
536 if (!f) {
537 puts("4 Page not found");
538 send(mysock, "4 Page not found\r\n", sizeof("4 Page not found\r\n"), MSG_NOSIGNAL);
539 close(mysock);
540 continue;
541 }
542
543 // request in buf is not needed anymore, reuse buf for response
544
545 // check gemini extension
546 char *mimetype = "application/octet-stream";
547 if (strlen(realPath) > 4 && memcmp(cursor-2, "md", 2) == 0) {
548 mimetype = "text/markdown";
549 }
550 else if (strlen(realPath) > 5 && memcmp(cursor-3, "gmi", 3) == 0) {
551 mimetype = "text/gemini";
552 }
553 else if (strlen(realPath) > 10 && memcmp(cursor-2, "markdown", 8) == 0) {
554 mimetype = "text/markdown";
555 }
556
557 int len = sprintf(buf, "2 %s\r\n", mimetype);
558 if (send(mysock, buf, len, MSG_NOSIGNAL) != -1) {
559 // print response in terminal
560 // remove \r\n
561 buf[len-2] = 0;
562 puts(buf);
563
564 // send file
565 size_t fsz;
566 while (fsz = fread(buf, 1, (size_t)sizeof(buf) , f)) {
567 ssize_t r = send(mysock, buf, fsz, MSG_NOSIGNAL);
568 if (r == -1) {
569 perror("write failed");
570 puts("closed socket");
571 break;
572 }
573 }
574 }
575 else {
576 perror("write failed");
577 }
578 fclose(f);
579 close(mysock);
580 }
581 } while(1);
582
583 puts("Server stopped.");
584 }