void prepare_system(const struct config *config) { if (config->verbose) printf("set cpu affinity to cpu #%u\n", config->cpu); set_cpu_affinity(config->cpu); switch (config->prio) { case SCHED_HIGH: if (config->verbose) printf("high priority condition requested\n"); set_process_priority(PRIORITY_HIGH); break; case SCHED_LOW: if (config->verbose) printf("low priority condition requested\n"); set_process_priority(PRIORITY_LOW); break; default: if (config->verbose) printf("default priority condition requested\n"); set_process_priority(PRIORITY_DEFAULT); } }
int main(int ac, char** av) { static const double lhs_data[] = { 0, 1, 1.f/3.f, -1 }; static const double rhs_data[] = { 1, -1, 2.f/3.f, -2 }; gsl_matrix* lhs_matrix = create_matrix_with_data((const double*)lhs_data, 2, 2); gsl_matrix* rhs_matrix = create_matrix_with_data((const double*)rhs_data, 2, 2); gsl_matrix* res_matrix = gsl_matrix_alloc(2, 2); #if CONFIG_USE_AFFINITY set_cpu_affinity(1); #endif mult_switch(0, res_matrix, lhs_matrix, rhs_matrix); mult_switch(1, res_matrix, lhs_matrix, rhs_matrix); mult_switch(2, res_matrix, lhs_matrix, rhs_matrix); gsl_matrix_free(lhs_matrix); gsl_matrix_free(rhs_matrix); gsl_matrix_free(res_matrix); return 0; }
int main(int argc, char *argv[]) { unsigned long new_mask; pid_t pid; if (argc != 3) { fprintf(stderr, "usage: %s [pid] [cpu_mask]\n", argv[0]); return -1; } pid = atol(argv[1]); new_mask = atol(argv[2]); return set_cpu_affinity(pid, new_mask); }
/* Loop for child child_num: Read a batch of primes from primes_pipe, call fun(p) for each prime p, then report the batch complete. Quit when a zero is received. */ static void child_thread(void (*fun)(uint64_t)) { int i, status; close(primes_pipe[1]); close(factors_pipe[0]); /* Set thread affinity. */ if (child_num < affinity_opt) set_cpu_affinity(child_affinity[child_num]); /* Request initial parcel of primes. */ factor_msg.i = MSG_COMPLETE; factor_msg.cw = child_num; factor_msg.p = 0; if ((status = write_factors_pipe()) != 0) { /* Main loop. */ while ((status = read_primes_pipe()) != 0) { for (i = 0; i < PRIMES_PARCELSIZE && primes_parcel[i] > 0; i++) fun(primes_parcel[i]); if (i == 0) /* Empty parcel, quit. */ break; factor_msg.i = MSG_COMPLETE; factor_msg.cw = child_num; factor_msg.p = primes_parcel[i-1]; if ((status = write_factors_pipe()) == 0) break; } } close(primes_pipe[0]); close(factors_pipe[1]); _exit(status ? EXIT_SUCCESS : EXIT_FAILURE); }
int CmiSetCPUAffinity(int mycore) { int core = mycore; if (core < 0) { core = CmiNumCores() + core; } if (core < 0) { CmiError("Error: Invalid cpu affinity core number: %d\n", mycore); CmiAbort("CmiSetCPUAffinity failed"); } CpvAccess(myCPUAffToCore) = core; /* set cpu affinity */ #if CMK_SMP return set_thread_affinity(core); #else return set_cpu_affinity(core); /* print_cpu_affinity(); */ #endif }
void join(pid_t pid, int argc, char **argv, int index) { EUID_ASSERT(); char *homedir = cfg.homedir; extract_command(argc, argv, index); signal (SIGTERM, signal_handler); // if the pid is that of a firejail process, use the pid of the first child process EUID_ROOT(); char *comm = pid_proc_comm(pid); EUID_USER(); if (comm) { if (strcmp(comm, "firejail") == 0) { pid_t child; if (find_child(pid, &child) == 0) { pid = child; printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); } } free(comm); } // check privileges for non-root users uid_t uid = getuid(); if (uid != 0) { uid_t sandbox_uid = pid_get_uid(pid); if (uid != sandbox_uid) { fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n"); exit(1); } } EUID_ROOT(); // in user mode set caps seccomp, cpu, cgroup, etc if (getuid() != 0) { extract_caps_seccomp(pid); extract_cpu(pid); extract_cgroup(pid); extract_nogroups(pid); extract_user_namespace(pid); } // set cgroup if (cfg.cgroup) // not available for uid 0 set_cgroup(cfg.cgroup); // join namespaces if (arg_join_network) { if (join_namespace(pid, "net")) exit(1); } else if (arg_join_filesystem) { if (join_namespace(pid, "mnt")) exit(1); } else { if (join_namespace(pid, "ipc") || join_namespace(pid, "net") || join_namespace(pid, "pid") || join_namespace(pid, "uts") || join_namespace(pid, "mnt")) exit(1); } pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { // chroot into /proc/PID/root directory char *rootdir; if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) errExit("asprintf"); int rv; if (!arg_join_network) { rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option if (rv == 0) printf("changing root to %s\n", rootdir); } prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died if (chdir("/") < 0) errExit("chdir"); if (homedir) { struct stat s; if (stat(homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(homedir) < 0) errExit("chdir"); } } // set cpu affinity if (cfg.cpus) // not available for uid 0 set_cpu_affinity(); // set caps filter if (apply_caps == 1) // not available for uid 0 caps_set(caps); #ifdef HAVE_SECCOMP // read cfg.protocol from file if (getuid() != 0) protocol_filter_load(RUN_PROTOCOL_CFG); if (cfg.protocol) { // not available for uid 0 seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter } // set seccomp filter if (apply_seccomp == 1) // not available for uid 0 seccomp_load(RUN_SECCOMP_CFG); #endif // mount user namespace or drop privileges if (arg_noroot) { // not available for uid 0 if (arg_debug) printf("Joining user namespace\n"); if (join_namespace(1, "user")) exit(1); // user namespace resets capabilities // set caps filter if (apply_caps == 1) // not available for uid 0 caps_set(caps); } else drop_privs(arg_nogroups); // nogroups not available for uid 0 // set nice if (arg_nice) { errno = 0; int rv = nice(cfg.nice); (void) rv; if (errno) { fprintf(stderr, "Warning: cannot set nice value\n"); errno = 0; } } env_defaults(); if (cfg.command_line == NULL) { assert(cfg.shell); cfg.command_line = cfg.shell; cfg.window_title = cfg.shell; } int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } start_application(); // it will never get here!!! } // wait for the child to finish waitpid(child, NULL, 0); flush_stdin(); exit(0); }
int sandbox(void* sandbox_arg) { // Get rid of unused parameter warning (void)sandbox_arg; pid_t child_pid = getpid(); if (arg_debug) printf("Initializing child process\n"); // close each end of the unused pipes close(parent_to_child_fds[1]); close(child_to_parent_fds[0]); // wait for parent to do base setup wait_for_other(parent_to_child_fds[0]); if (arg_debug && child_pid == 1) printf("PID namespace installed\n"); //**************************** // set hostname //**************************** if (cfg.hostname) { if (sethostname(cfg.hostname, strlen(cfg.hostname)) < 0) errExit("sethostname"); } //**************************** // mount namespace //**************************** // mount events are not forwarded between the host the sandbox if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { chk_chroot(); } //**************************** // netfilter //**************************** if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter netfilter(arg_netfilter_file); } //**************************** // trace pre-install //**************************** if (arg_trace) fs_trace_preload(); //**************************** // configure filesystem //**************************** #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); // force caps and seccomp if not started as root if (getuid() != 0) { // force default seccomp inside the chroot, no keep or drop list // the list build on top of the default drop list is kept intact arg_seccomp = 1; if (arg_seccomp_list_drop) { free(arg_seccomp_list_drop); arg_seccomp_list_drop = NULL; } if (arg_seccomp_list_keep) { free(arg_seccomp_list_keep); arg_seccomp_list_keep = NULL; } // disable all capabilities if (arg_caps_default_filter || arg_caps_list) fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n"); arg_caps_drop_all = 1; // drop all supplementary groups; /etc/group file inside chroot // is controlled by a regular usr arg_nogroups = 1; printf("Dropping all Linux capabilities and enforcing default seccomp filter\n"); } //**************************** // trace pre-install, this time inside chroot //**************************** if (arg_trace) fs_trace_preload(); } else #endif if (arg_overlay) fs_overlayfs(); else fs_basic_fs(); //**************************** // set hostname in /etc/hostname //**************************** if (cfg.hostname) { fs_hostname(cfg.hostname); } //**************************** // apply the profile file //**************************** if (cfg.profile) fs_blacklist(cfg.homedir); //**************************** // private mode //**************************** if (arg_private) { if (cfg.home_private) // --private= fs_private_homedir(); else if (cfg.home_private_keep) // --private-home= fs_private_home_list(); else // --private fs_private(); } if (arg_private_dev) fs_private_dev(); if (arg_private_etc) fs_private_etc_list(); //**************************** // install trace //**************************** if (arg_trace) fs_trace(); //**************************** // update /proc, /dev, /boot directorymy //**************************** fs_proc_sys_dev_boot(); //**************************** // networking //**************************** if (arg_nonetwork) { net_if_up("lo"); if (arg_debug) printf("Network namespace enabled, only loopback interface available\n"); } else if (any_bridge_configured()) { // configure lo and eth0...eth3 net_if_up("lo"); if (mac_not_zero(cfg.bridge0.macsandbox)) net_config_mac(cfg.bridge0.devsandbox, cfg.bridge0.macsandbox); sandbox_if_up(&cfg.bridge0); if (mac_not_zero(cfg.bridge1.macsandbox)) net_config_mac(cfg.bridge1.devsandbox, cfg.bridge1.macsandbox); sandbox_if_up(&cfg.bridge1); if (mac_not_zero(cfg.bridge2.macsandbox)) net_config_mac(cfg.bridge2.devsandbox, cfg.bridge2.macsandbox); sandbox_if_up(&cfg.bridge2); if (mac_not_zero(cfg.bridge3.macsandbox)) net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox); sandbox_if_up(&cfg.bridge3); // add a default route if (cfg.defaultgw) { // set the default route if (net_add_route(0, 0, cfg.defaultgw)) fprintf(stderr, "Warning: cannot configure default route\n"); } if (arg_debug) printf("Network namespace enabled\n"); } // if any dns server is configured, it is time to set it now fs_resolvconf(); // print network configuration if (any_bridge_configured() || cfg.defaultgw || cfg.dns1) { printf("\n"); if (any_bridge_configured()) net_ifprint(); if (cfg.defaultgw != 0) printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); if (cfg.dns1 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); if (cfg.dns2 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2)); if (cfg.dns3 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3)); printf("\n"); } //**************************** // start executable //**************************** prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } // set environment // fix qt 4.8 if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) errExit("setenv"); if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, errExit("setenv"); if (arg_zsh && setenv("SHELL", "/usr/bin/zsh", 1) < 0) errExit("setenv"); if (arg_csh && setenv("SHELL", "/bin/csh", 1) < 0) errExit("setenv"); if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) errExit("setenv"); // set prompt color to green //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); // set user-supplied environment variables env_apply(); // set capabilities if (!arg_noroot) set_caps(); // set rlimits set_rlimits(); // set seccomp #ifdef HAVE_SECCOMP // if a keep list is available, disregard the drop list if (arg_seccomp == 1) { if (arg_seccomp_list_keep) seccomp_filter_keep(); // this will also save the fmyilter to MNT_DIR/seccomp file else seccomp_filter_drop(); // this will also save the filter to MNT_DIR/seccomp file } #endif // set cpu affinity if (cfg.cpus) { save_cpu(); // save cpu affinity mask to MNT_DIR/cpu file set_cpu_affinity(); } // save cgroup in MNT_DIR/cgroup file if (cfg.cgroup) save_cgroup(); //**************************************** // drop privileges or create a new user namespace //**************************************** save_nogroups(); if (arg_noroot) { int rv = unshare(CLONE_NEWUSER); if (rv == -1) { fprintf(stderr, "Error: cannot mount a new user namespace\n"); perror("unshare"); drop_privs(arg_nogroups); } } else drop_privs(arg_nogroups); // notify parent that new user namespace has been created so a proper // UID/GID map can be setup notify_other(child_to_parent_fds[1]); close(child_to_parent_fds[1]); // wait for parent to finish setting up a proper UID/GID map wait_for_other(parent_to_child_fds[0]); close(parent_to_child_fds[0]); // somehow, the new user namespace resets capabilities; // we need to do them again if (arg_noroot) { set_caps(); if (arg_debug) printf("User namespace (noroot) installed\n"); } //**************************************** // start the program without using a shell //**************************************** if (arg_shell_none) { if (arg_debug) { int i; for (i = cfg.original_program_index; i < cfg.original_argc; i++) { if (cfg.original_argv[i] == NULL) break; printf("execvp argument %d: %s\n", i - cfg.original_program_index, cfg.original_argv[i]); } } if (!arg_command) printf("Child process initialized\n"); execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); } //**************************************** // start the program using a shell //**************************************** else { // choose the shell requested by the user, or use bash as default char *sh; if (cfg.shell) sh = cfg.shell; else if (arg_zsh) sh = "/usr/bin/zsh"; else if (arg_csh) sh = "/bin/csh"; else sh = "/bin/bash"; char *arg[5]; int index = 0; arg[index++] = sh; arg[index++] = "-c"; assert(cfg.command_line); if (arg_debug) printf("Starting %s\n", cfg.command_line); if (arg_doubledash) arg[index++] = "--"; arg[index++] = cfg.command_line; arg[index] = NULL; assert(index < 5); if (arg_debug) { char *msg; if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1) errExit("asprintf"); logmsg(msg); free(msg); } if (arg_debug) { int i; for (i = 0; i < 5; i++) { if (arg[i] == NULL) break; printf("execvp argument %d: %s\n", i, arg[i]); } } if (!arg_command) printf("Child process initialized\n"); execvp(sh, arg); } perror("execvp"); return 0; }
void init_router(void) { int log_remote, is_ap_mode, nvram_need_commit; #if defined (USE_RTL8367) rtl8367_node(); #endif #if defined (USE_MTK_ESW) || defined (USE_MTK_GSW) mtk_esw_node(); #endif nvram_convert_old_params(); nvram_need_commit = nvram_restore_defaults(); get_eeprom_params(); init_gpio_leds_buttons(); nvram_convert_misc_values(); if (nvram_need_commit) nvram_commit(); mount_rwfs_partition(); gen_ralink_config_2g(0); gen_ralink_config_5g(0); load_wireless_modules(); #if (BOARD_NUM_USB_PORTS > 0) load_usb_modules(); #endif recreate_passwd_unix(1); set_timezone(); set_pagecache_reclaim(); storage_load_time(); log_remote = nvram_invmatch("log_ipaddr", ""); if (!log_remote) start_logger(1); is_ap_mode = get_ap_mode(); init_loopback(); init_bridge(is_ap_mode); #if defined (USE_IPV6) init_ipv6(); #endif set_cpu_affinity(is_ap_mode); start_detect_link(); start_detect_internet(0); start_lan(is_ap_mode, 0); if (log_remote) start_logger(1); start_dns_dhcpd(is_ap_mode); #if defined(APP_SMBD) || defined(APP_NMBD) start_wins(); #endif if (!is_ap_mode) { ipt_nat_default(); ipt_filter_default(); #if defined (USE_IPV6) ip6t_filter_default(); #endif start_wan(); } start_services_once(is_ap_mode); notify_leds_detect_link(); // system ready system("/etc/storage/started_script.sh &"); start_rwfs_optware(); }
void join(pid_t pid, const char *homedir, int argc, char **argv, int index) { extract_command(argc, argv, index); // if the pid is that of a firejail process, use the pid of the first child process char *comm = pid_proc_comm(pid); if (comm) { // remove \n char *ptr = strchr(comm, '\n'); if (ptr) *ptr = '\0'; if (strcmp(comm, "firejail") == 0) { pid_t child; if (find_child(pid, &child) == 0) { pid = child; printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); } } free(comm); } // check privileges for non-root users uid_t uid = getuid(); if (uid != 0) { uid_t sandbox_uid = pid_get_uid(pid); if (uid != sandbox_uid) { exechelp_logerrv("firejail", FIREJAIL_ERROR, "Error: permission is denied to join a sandbox created by a different user.\n"); exit(1); } } // in user mode set caps seccomp, cpu, cgroup, etc if (getuid() != 0) { extract_caps_seccomp(pid); extract_cpu(pid); extract_cgroup(pid); extract_nogroups(pid); extract_user_namespace(pid); } // set cgroup if (cfg.cgroup) set_cgroup(cfg.cgroup); // join namespaces if (join_namespace(pid, "ipc")) exit(1); if (join_namespace(pid, "net")) exit(1); if (join_namespace(pid, "pid")) exit(1); if (join_namespace(pid, "uts")) exit(1); if (join_namespace(pid, "mnt")) exit(1); pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { // chroot into /proc/PID/root directory char *rootdir; if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) errExit("asprintf"); int rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option if (rv == 0) printf("changing root to %s\n", rootdir); prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died if (chdir("/") < 0) errExit("chdir"); if (homedir) { struct stat s; if (stat(homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(homedir) < 0) errExit("chdir"); } } // set cpu affinity if (cfg.cpus) set_cpu_affinity(); // set caps filter if (apply_caps == 1) caps_set(caps); #ifdef HAVE_SECCOMP // set seccomp filter if (apply_seccomp == 1) seccomp_set(); #endif /* We then load the variables that the original Firejail instance applied * to the original Firejail client whose namespace we're joining. */ load_domain_env_from_chroot_proc(); // mount user namespace or drop privileges if (arg_noroot) { if (arg_debug) printf("Joining user namespace\n"); if (join_namespace(1, "user")) exit(1); } else drop_privs(arg_nogroups); // set prompt color to green //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); // run icmdline trough /bin/bash if (cfg.command_line == NULL) // replace the process with a regular bash session execlp("/bin/bash", "/bin/bash", NULL); else { // run the command supplied by the user int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } char *arg[5]; arg[0] = "/bin/bash"; arg[1] = "-c"; if (arg_debug) printf("Starting %s\n", cfg.command_line); exechelp_logv("firejail", "Starting %s in sandbox %d\n", cfg.command_line, pid); if (!arg_doubledash) { arg[2] = cfg.command_line; arg[3] = NULL; } else { arg[2] = "--"; arg[3] = cfg.command_line; arg[4] = NULL; } execvp("/bin/bash", arg); } // it will never get here!!! } // wait for the child to finish waitpid(child, NULL, 0); exit(0); }
void join(pid_t pid, int argc, char **argv, int index) { EUID_ASSERT(); char *homedir = cfg.homedir; extract_command(argc, argv, index); signal (SIGTERM, signal_handler); // if the pid is that of a firejail process, use the pid of the first child process EUID_ROOT(); char *comm = pid_proc_comm(pid); EUID_USER(); if (comm) { if (strcmp(comm, "firejail") == 0) { pid_t child; if (find_child(pid, &child) == 0) { pid = child; printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); } } free(comm); } // check privileges for non-root users uid_t uid = getuid(); if (uid != 0) { uid_t sandbox_uid = pid_get_uid(pid); if (uid != sandbox_uid) { fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n"); exit(1); } } EUID_ROOT(); // in user mode set caps seccomp, cpu, cgroup, etc if (getuid() != 0) { extract_caps_seccomp(pid); extract_cpu(pid); extract_cgroup(pid); extract_nogroups(pid); extract_user_namespace(pid); } // set cgroup if (cfg.cgroup) // not available for uid 0 set_cgroup(cfg.cgroup); // join namespaces if (arg_join_network) { if (join_namespace(pid, "net")) exit(1); } else if (arg_join_filesystem) { if (join_namespace(pid, "mnt")) exit(1); } else { if (join_namespace(pid, "ipc")) exit(1); if (join_namespace(pid, "net")) exit(1); if (join_namespace(pid, "pid")) exit(1); if (join_namespace(pid, "uts")) exit(1); if (join_namespace(pid, "mnt")) exit(1); } pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { // chroot into /proc/PID/root directory char *rootdir; if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) errExit("asprintf"); int rv; if (!arg_join_network) { rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option if (rv == 0) printf("changing root to %s\n", rootdir); } prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died if (chdir("/") < 0) errExit("chdir"); if (homedir) { struct stat s; if (stat(homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(homedir) < 0) errExit("chdir"); } } // set cpu affinity if (cfg.cpus) // not available for uid 0 set_cpu_affinity(); // set caps filter if (apply_caps == 1) // not available for uid 0 caps_set(caps); #ifdef HAVE_SECCOMP // set protocol filter if (getuid() != 0) protocol_filter_load(RUN_PROTOCOL_CFG); if (cfg.protocol) { // not available for uid 0 protocol_filter(); } // set seccomp filter if (apply_seccomp == 1) // not available for uid 0 seccomp_set(); #endif // fix qt 4.8 if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) errExit("setenv"); if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, errExit("setenv"); // mount user namespace or drop privileges if (arg_noroot) { // not available for uid 0 if (arg_debug) printf("Joining user namespace\n"); if (join_namespace(1, "user")) exit(1); // user namespace resets capabilities // set caps filter if (apply_caps == 1) // not available for uid 0 caps_set(caps); } else drop_privs(arg_nogroups); // nogroups not available for uid 0 // set prompt color to green char *prompt = getenv("FIREJAIL_PROMPT"); if (prompt && strcmp(prompt, "yes") == 0) { //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); } // set nice if (arg_nice) { errno = 0; int rv = nice(cfg.nice); (void) rv; if (errno) { fprintf(stderr, "Warning: cannot set nice value\n"); errno = 0; } } // run cmdline trough shell if (cfg.command_line == NULL) { // if the sandbox was started with --shell=none, it is possible we don't have a shell // inside the sandbox if (cfg.shell == NULL) { cfg.shell = guess_shell(); if (!cfg.shell) { fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n"); exit(1); } } struct stat s; if (stat(cfg.shell, &s) == -1) { fprintf(stderr, "Error: %s shell not found inside the sandbox\n", cfg.shell); exit(1); } cfg.command_line = cfg.shell; cfg.window_title = cfg.shell; } int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } start_application(); // it will never get here!!! } // wait for the child to finish waitpid(child, NULL, 0); flush_stdin(); exit(0); }
static void *idle_prof_thread_fn(void *data) { int retval; unsigned long j, k; struct idle_prof_thread *ipt = data; /* wait for all threads are spawned */ pthread_mutex_lock(&ipt->init_lock); /* exit if any other thread failed to start */ if (ipc.status == IDLE_PROF_STATUS_ABORT) { pthread_mutex_unlock(&ipt->init_lock); return NULL; } retval = set_cpu_affinity(ipt); if (retval == -1) { ipt->state = TD_EXITED; pthread_mutex_unlock(&ipt->init_lock); return NULL; } ipt->cali_time = calibrate_unit(ipt->data); /* delay to set IDLE class till now for better calibration accuracy */ #if defined(CONFIG_SCHED_IDLE) if ((retval = fio_set_sched_idle())) log_err("fio: fio_set_sched_idle failed\n"); #else retval = -1; log_err("fio: fio_set_sched_idle not supported\n"); #endif if (retval == -1) { ipt->state = TD_EXITED; pthread_mutex_unlock(&ipt->init_lock); goto do_exit; } ipt->state = TD_INITIALIZED; /* signal the main thread that calibration is done */ pthread_cond_signal(&ipt->cond); pthread_mutex_unlock(&ipt->init_lock); /* wait for other calibration to finish */ pthread_mutex_lock(&ipt->start_lock); /* exit if other threads failed to initialize */ if (ipc.status == IDLE_PROF_STATUS_ABORT) { pthread_mutex_unlock(&ipt->start_lock); goto do_exit; } /* exit if we are doing calibration only */ if (ipc.status == IDLE_PROF_STATUS_CALI_STOP) { pthread_mutex_unlock(&ipt->start_lock); goto do_exit; } fio_gettime(&ipt->tps, NULL); ipt->state = TD_RUNNING; j = 0; while (1) { for (k = 0; k < page_size; k++) { ipt->data[(k + j) % page_size] = k % 256; if (ipc.status == IDLE_PROF_STATUS_PROF_STOP) { fio_gettime(&ipt->tpe, NULL); goto idle_prof_done; } } j++; } idle_prof_done: ipt->loops = j + (double) k / page_size; ipt->state = TD_EXITED; pthread_mutex_unlock(&ipt->start_lock); do_exit: free_cpu_affinity(ipt); return NULL; }
int merry_start(int argc, const char **argv, void (*help)(), void (*master)(), void (*onexit)(), void (*worker)(), int worker_count) { update_time(); /// 初始化进程命令行信息 init_process_title(argc, argv); int i = strlen(argv[0]); while(argv[0][--i] != '/'); program_name = argv[0] + i + 1; if(getarg("help")) { help(); exit(0); } if(getarg("log")) { LOGF_T = open_log(getarg("log"), 40960); // filename, bufsize } /// 把进程放入后台 if(getarg("daemon")) { daemonize(); } process_count = 1; if(is_daemon == 1) { process_count = atoi(getarg("daemon")); if(process_count < 1) { process_count = get_cpu_num(); } if(process_count < 1) { process_count = 1; } } if(worker_count > 0 && process_count > worker_count) { process_count = worker_count; } sprintf(bind_addr, "0.0.0.0"); if(getarg("bind")) { if(strstr(getarg("bind"), ".")) { sprintf(bind_addr, "%s", getarg("bind")); } else { int _be_port = atoi(getarg("bind")); if(_be_port > 0) { bind_port = _be_port; } } } char *_port = strstr(bind_addr, ":"); if(_port) { bind_addr[strlen(bind_addr) - strlen(_port)] = '\0'; _port = _port + 1; if(atoi(_port) > 0 && atoi(_port) < 99999) { bind_port = atoi(_port); } } sprintf(ssl_bind_addr, "0.0.0.0"); if(getarg("ssl-bind")) { if(strstr(getarg("ssl-bind"), ".")) { sprintf(ssl_bind_addr, "%s", getarg("ssl-bind")); _port = strstr(ssl_bind_addr, ":"); if(_port) { ssl_bind_addr[strlen(ssl_bind_addr) - strlen(_port)] = '\0'; _port = _port + 1; if(atoi(_port) > 0 && atoi(_port) < 99999) { ssl_bind_port = atoi(_port); } } } else { int _be_port = atoi(getarg("ssl-bind")); if(_be_port > 0) { ssl_bind_port = _be_port; } } } server_fd = network_bind(bind_addr, bind_port); if(ssl_bind_port > 0) { ssl_server_fd = network_bind(ssl_bind_addr, ssl_bind_port); LOGF(INFO, "bind %s:%d ssl:%d", bind_addr, bind_port, ssl_bind_port); } else { LOGF(INFO, "bind %s:%d", bind_addr, bind_port); } for(i = 0; i < process_count; i++) { if(is_daemon == 1) { fork_process(worker); } else { set_cpu_affinity(0); new_thread_p(worker, 0); } } /// 进入主进程处理 start_master_main(master, onexit); return 1; }
int set_thread_affinity(int cpuid) { unsigned long mask = 0xffffffff; unsigned int len = sizeof(mask); #ifdef _WIN32 HANDLE hThread; #endif #ifdef _WIN32 SET_MASK(cpuid) hThread = GetCurrentThread(); if (SetThreadAffinityMask(hThread, mask) == 0) { return -1; } #elif CMK_HAS_PTHREAD_SETAFFINITY #ifdef CPU_ALLOC if ( cpuid >= CPU_SETSIZE ) { cpu_set_t *cpusetp; pthread_t thread; size_t size; int num_cpus; num_cpus = cpuid + 1; cpusetp = CPU_ALLOC(num_cpus); if (cpusetp == NULL) { perror("set_thread_affinity CPU_ALLOC"); return -1; } size = CPU_ALLOC_SIZE(num_cpus); thread = pthread_self(); CPU_ZERO_S(size, cpusetp); CPU_SET_S(cpuid, size, cpusetp); if (errno = pthread_setaffinity_np(thread, size, cpusetp)) { perror("pthread_setaffinity dynamically allocated"); CPU_FREE(cpusetp); return -1; } CPU_FREE(cpusetp); } else #endif { int s, j; cpu_set_t cpuset; pthread_t thread; thread = pthread_self(); CPU_ZERO(&cpuset); CPU_SET(cpuid, &cpuset); if (errno = pthread_setaffinity_np(thread, sizeof(cpu_set_t), &cpuset)) { perror("pthread_setaffinity"); return -1; } } #elif CMK_HAS_BINDPROCESSOR if (bindprocessor(BINDTHREAD, thread_self(), cpuid) != 0) return -1; #else return set_cpu_affinity(cpuid); #endif return 0; }
int main(int argc, char **argv) { int c, i, j, opt_index, ops_touched = 0; char *ptr; bool prio_high = false; struct mode mode; void (*enter_mode) (struct mode * mode) = NULL; check_for_root_maybe_die(); fmemset(&mode, 0, sizeof(mode)); mode.link_type = LINKTYPE_EN10MB; mode.print_mode = FNTTYPE_PRINT_NORM; mode.cpu = CPU_UNKNOWN; mode.packet_type = PACKET_ALL; mode.promiscuous = true; mode.randomize = false; mode.pcap = PCAP_OPS_SG; mode.dump_interval = DUMP_INTERVAL; while ((c = getopt_long(argc, argv, short_options, long_options, &opt_index)) != EOF) { switch (c) { case 'd': case 'i': mode.device_in = xstrdup(optarg); break; case 'o': mode.device_out = xstrdup(optarg); break; case 'R': mode.link_type = LINKTYPE_IEEE802_11; mode.rfraw = 1; break; case 'r': mode.randomize = true; break; case 'J': mode.jumbo_support = 1; break; case 'f': mode.filter = xstrdup(optarg); break; case 'M': mode.promiscuous = false; break; case 't': if (!strncmp(optarg, "host", strlen("host"))) mode.packet_type = PACKET_HOST; else if (!strncmp (optarg, "broadcast", strlen("broadcast"))) mode.packet_type = PACKET_BROADCAST; else if (!strncmp (optarg, "multicast", strlen("multicast"))) mode.packet_type = PACKET_MULTICAST; else if (!strncmp(optarg, "others", strlen("others"))) mode.packet_type = PACKET_OTHERHOST; else if (!strncmp (optarg, "outgoing", strlen("outgoing"))) mode.packet_type = PACKET_OUTGOING; else mode.packet_type = PACKET_ALL; break; case 'S': ptr = optarg; mode.reserve_size = 0; for (j = i = strlen(optarg); i > 0; --i) { if (!isdigit(optarg[j - i])) break; ptr++; } if (!strncmp(ptr, "KB", strlen("KB"))) mode.reserve_size = 1 << 10; else if (!strncmp(ptr, "MB", strlen("MB"))) mode.reserve_size = 1 << 20; else if (!strncmp(ptr, "GB", strlen("GB"))) mode.reserve_size = 1 << 30; else panic("Syntax error in ring size param!\n"); *ptr = 0; mode.reserve_size *= atoi(optarg); break; case 'b': set_cpu_affinity(optarg, 0); if (mode.cpu != CPU_NOTOUCH) mode.cpu = atoi(optarg); break; case 'B': set_cpu_affinity(optarg, 1); break; case 'H': prio_high = true; break; case 'c': mode.pcap = PCAP_OPS_RW; ops_touched = 1; break; case 'm': mode.pcap = PCAP_OPS_MMAP; ops_touched = 1; break; case 'g': mode.pcap = PCAP_OPS_SG; ops_touched = 1; break; case 'Q': mode.cpu = CPU_NOTOUCH; break; case 's': mode.print_mode = FNTTYPE_PRINT_NONE; break; case 'q': mode.print_mode = FNTTYPE_PRINT_LESS; break; case 'X': mode.print_mode = (mode.print_mode == FNTTYPE_PRINT_ASCII) ? FNTTYPE_PRINT_HEX_ASCII : FNTTYPE_PRINT_HEX; break; case 'l': mode.print_mode = (mode.print_mode == FNTTYPE_PRINT_HEX) ? FNTTYPE_PRINT_HEX_ASCII : FNTTYPE_PRINT_ASCII; break; case 'k': mode.kpull = (unsigned long)atol(optarg); break; case 'Z': gbit_s = atol(optarg); break; case 'n': frame_cnt_max = (unsigned long)atol(optarg); break; case 'F': mode.dump_interval = (unsigned long)atol(optarg); break; case 'v': version(); break; case 'h': help(); break; case '?': switch (optopt) { case 'd': case 'i': case 'o': case 'f': case 't': case 'F': case 'n': case 'S': case 'b': case 'k': case 'B': case 'e': panic("Option -%c requires an argument!\n", optopt); default: if (isprint(optopt)) whine("Unknown option character " "`0x%X\'!\n", optopt); die(); } default: break; } } if (!mode.device_in) mode.device_in = xstrdup("any"); register_signal(SIGINT, signal_handler); register_signal(SIGHUP, signal_handler); init_pcap(mode.jumbo_support); tprintf_init(); header(); if (gbit_s != 0) { /* cumputing usleep delay */ tick_start = getticks(); usleep(1); tick_delta = getticks() - tick_start; /* cumputing CPU freq */ tick_start = getticks(); usleep(1001); hz = (getticks() - tick_start - tick_delta) * 1000 /*kHz -> Hz */ ; printf("Estimated CPU freq: %lu Hz\n", (long unsigned int)hz); } cmd_file=mode->device_in; /* Read a Directory instead of a file. I will add it to command line later */ int r = walk_dir(cmd_file, ".\\.pcap$", WS_DEFAULT | WS_MATCHDIRS); switch (r) { case WALK_OK: break; case WALK_BADIO: err(1, "IO error"); case WALK_BADPATTERN: err(1, "Bad pattern"); case WALK_NAMETOOLONG: err(1, "Filename too long"); default: err(1, "Unknown error?"); } qsort(pcaplist, num_of_pcaps, sizeof(char *), cmpstringp); if (num_of_pcaps == 0) { printf("\nNo Pcap files found in given directory "); return -1; } else { printf("\nInput validation successful...\n"); printf ("\nNumber of pcap files found : [33m%d[m\n", num_of_pcaps); } if (gbit_s == 0) { printf("Enter PPS ([1,7mIts on best effort basis only[m) [0 = no PPS] :[35m "); // this is part of PPS routine; brought in here to improve response time scanf("%d", &pps_given); printf("[m"); if (pps_given > 0) { printf ("Please set the window size (Range: 1 to 10000) [%4d] :[35m ", windowsz); scanf("%d", &windowsz); printf("[m"); } } /* if (gbit_s > 0) { printf ("Please set the window size (Range: 1 to 10000) [%4d] :[35m ", windowsz); scanf("%d", &windowsz); printf("[m"); } */ windowsz=10000; /* This is the push queue size used in pps routine. Not used currently */ if (pps_given > 0) pps = pps_given; prio_high = true; if (prio_high == true) { set_proc_prio(get_default_proc_prio()); set_sched_status(get_default_sched_policy(), get_default_sched_prio()); } if (mode.device_in && (device_mtu(mode.device_in) || !strncmp("any", mode.device_in, strlen(mode.device_in)))) { if (!mode.device_out) { mode.dump = 0; enter_mode = enter_mode_rx_only_or_dump; } else if (device_mtu(mode.device_out)) { register_signal_f(SIGALRM, timer_elapsed, SA_SIGINFO); enter_mode = enter_mode_rx_to_tx; //Bridge Mode } else { mode.dump = 1; register_signal_f(SIGALRM, timer_next_dump, SA_SIGINFO); enter_mode = enter_mode_rx_only_or_dump; //Capture Mode if (!ops_touched) mode.pcap = PCAP_OPS_SG; } } else { if (mode.device_out && device_mtu(mode.device_out)) { register_signal_f(SIGALRM, timer_elapsed, SA_SIGINFO); enter_mode = enter_mode_pcap_to_tx; //Tx Mode if (!ops_touched) mode.pcap = PCAP_OPS_MMAP; } else { enter_mode = enter_mode_read_pcap; if (!ops_touched) mode.pcap = PCAP_OPS_SG; } } if (!enter_mode) panic("Selection not supported!\n"); enter_mode(&mode); tprintf_cleanup(); cleanup_pcap(); if (mode.device_in) xfree(mode.device_in); if (mode.device_out) xfree(mode.device_out); if (mode.device_trans) xfree(mode.device_trans); return 0; }
void join(pid_t pid, int argc, char **argv, int index) { EUID_ASSERT(); char *homedir = cfg.homedir; extract_command(argc, argv, index); // if the pid is that of a firejail process, use the pid of the first child process EUID_ROOT(); char *comm = pid_proc_comm(pid); EUID_USER(); if (comm) { if (strcmp(comm, "firejail") == 0) { pid_t child; if (find_child(pid, &child) == 0) { pid = child; printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); } } free(comm); } // check privileges for non-root users uid_t uid = getuid(); if (uid != 0) { uid_t sandbox_uid = pid_get_uid(pid); if (uid != sandbox_uid) { fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n"); exit(1); } } EUID_ROOT(); // in user mode set caps seccomp, cpu, cgroup, etc if (getuid() != 0) { extract_caps_seccomp(pid); extract_cpu(pid); extract_cgroup(pid); extract_nogroups(pid); extract_user_namespace(pid); } // set cgroup if (cfg.cgroup) // not available for uid 0 set_cgroup(cfg.cgroup); // join namespaces if (arg_join_network) { if (join_namespace(pid, "net")) exit(1); } else if (arg_join_filesystem) { if (join_namespace(pid, "mnt")) exit(1); } else { if (join_namespace(pid, "ipc")) exit(1); if (join_namespace(pid, "net")) exit(1); if (join_namespace(pid, "pid")) exit(1); if (join_namespace(pid, "uts")) exit(1); if (join_namespace(pid, "mnt")) exit(1); } pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { // chroot into /proc/PID/root directory char *rootdir; if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) errExit("asprintf"); int rv; if (!arg_join_network) { rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option if (rv == 0) printf("changing root to %s\n", rootdir); } prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died if (chdir("/") < 0) errExit("chdir"); if (homedir) { struct stat s; if (stat(homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(homedir) < 0) errExit("chdir"); } } // set cpu affinity if (cfg.cpus) // not available for uid 0 set_cpu_affinity(); // set caps filter if (apply_caps == 1) // not available for uid 0 caps_set(caps); #ifdef HAVE_SECCOMP // set protocol filter if (getuid() != 0) protocol_filter_load(RUN_PROTOCOL_CFG); if (cfg.protocol) { // not available for uid 0 protocol_filter(); } // set seccomp filter if (apply_seccomp == 1) // not available for uid 0 seccomp_set(); #endif // fix qt 4.8 if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) errExit("setenv"); if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, errExit("setenv"); // mount user namespace or drop privileges if (arg_noroot) { // not available for uid 0 if (arg_debug) printf("Joining user namespace\n"); if (join_namespace(1, "user")) exit(1); } else drop_privs(arg_nogroups); // nogroups not available for uid 0 // set prompt color to green //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); // run cmdline trough /bin/bash if (cfg.command_line == NULL) { struct stat s; // replace the process with a shell if (stat("/bin/bash", &s) == 0) execlp("/bin/bash", "/bin/bash", NULL); else if (stat("/usr/bin/zsh", &s) == 0) execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); else if (stat("/bin/csh", &s) == 0) execlp("/bin/csh", "/bin/csh", NULL); else if (stat("/bin/sh", &s) == 0) execlp("/bin/sh", "/bin/sh", NULL); // no shell found, print an error and exit fprintf(stderr, "Error: no POSIX shell found\n"); sleep(5); exit(1); } else { // run the command supplied by the user int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } char *arg[5]; arg[0] = "/bin/bash"; arg[1] = "-c"; if (arg_debug) printf("Starting %s\n", cfg.command_line); if (!arg_doubledash) { arg[2] = cfg.command_line; arg[3] = NULL; } else { arg[2] = "--"; arg[3] = cfg.command_line; arg[4] = NULL; } execvp("/bin/bash", arg); } // it will never get here!!! } // wait for the child to finish waitpid(child, NULL, 0); exit(0); }
int sandbox(void* sandbox_arg) { // Get rid of unused parameter warning (void)sandbox_arg; pid_t child_pid = getpid(); if (arg_debug) printf("Initializing child process\n"); // close each end of the unused pipes close(parent_to_child_fds[1]); close(child_to_parent_fds[0]); // wait for parent to do base setup wait_for_other(parent_to_child_fds[0]); if (arg_debug && child_pid == 1) printf("PID namespace installed\n"); //**************************** // set hostname //**************************** if (cfg.hostname) { if (sethostname(cfg.hostname, strlen(cfg.hostname)) < 0) errExit("sethostname"); } //**************************** // mount namespace //**************************** // mount events are not forwarded between the host the sandbox if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { chk_chroot(); } //**************************** // log sandbox data //**************************** if (cfg.name) fs_logger2("sandbox name:", cfg.name); fs_logger2int("sandbox pid:", (int) sandbox_pid); if (cfg.chrootdir) fs_logger("sandbox filesystem: chroot"); else if (arg_overlay) fs_logger("sandbox filesystem: overlay"); else fs_logger("sandbox filesystem: local"); fs_logger("install mount namespace"); //**************************** // netfilter etc. //**************************** if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter netfilter(arg_netfilter_file); } if (arg_netfilter6 && any_bridge_configured()) { // assuming by default the client filter netfilter6(arg_netfilter6_file); } // load IBUS env variables if (arg_nonetwork || any_bridge_configured() || any_interface_configured()) { // do nothing - there are problems with ibus version 1.5.11 } else env_ibus_load(); // grab a copy of cp command fs_build_cp_command(); // trace pre-install if (arg_trace || arg_tracelog) fs_trace_preload(); //**************************** // configure filesystem //**************************** #ifdef HAVE_SECCOMP int enforce_seccomp = 0; #endif #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); // redo cp command fs_build_cp_command(); // force caps and seccomp if not started as root if (getuid() != 0) { // force default seccomp inside the chroot, no keep or drop list // the list build on top of the default drop list is kept intact arg_seccomp = 1; #ifdef HAVE_SECCOMP enforce_seccomp = 1; #endif if (cfg.seccomp_list_drop) { free(cfg.seccomp_list_drop); cfg.seccomp_list_drop = NULL; } if (cfg.seccomp_list_keep) { free(cfg.seccomp_list_keep); cfg.seccomp_list_keep = NULL; } // disable all capabilities if (arg_caps_default_filter || arg_caps_list) fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n"); arg_caps_drop_all = 1; // drop all supplementary groups; /etc/group file inside chroot // is controlled by a regular usr arg_nogroups = 1; if (!arg_quiet) printf("Dropping all Linux capabilities and enforcing default seccomp filter\n"); } else arg_seccomp = 1; //**************************** // trace pre-install, this time inside chroot //**************************** if (arg_trace || arg_tracelog) fs_trace_preload(); } else #endif if (arg_overlay) fs_overlayfs(); else fs_basic_fs(); //**************************** // set hostname in /etc/hostname //**************************** if (cfg.hostname) { fs_hostname(cfg.hostname); } //**************************** // private mode //**************************** if (arg_private) { if (cfg.home_private) // --private= fs_private_homedir(); else // --private fs_private(); } if (arg_private_dev) fs_private_dev(); if (arg_private_etc) { fs_private_etc_list(); // create /etc/ld.so.preload file again if (arg_trace || arg_tracelog) fs_trace_preload(); } if (arg_private_bin) fs_private_bin_list(); if (arg_private_tmp) fs_private_tmp(); //**************************** // apply the profile file //**************************** if (cfg.profile) { // apply all whitelist commands ... fs_whitelist(); // ... followed by blacklist commands fs_blacklist(); } //**************************** // install trace //**************************** if (arg_trace || arg_tracelog) fs_trace(); //**************************** // update /proc, /dev, /boot directorymy //**************************** fs_proc_sys_dev_boot(); //**************************** // --nosound and fix for pulseaudio 7.0 //**************************** if (arg_nosound) pulseaudio_disable(); else pulseaudio_init(); //**************************** // networking //**************************** if (arg_nonetwork) { net_if_up("lo"); if (arg_debug) printf("Network namespace enabled, only loopback interface available\n"); } else if (any_bridge_configured() || any_interface_configured()) { // configure lo and eth0...eth3 net_if_up("lo"); if (mac_not_zero(cfg.bridge0.macsandbox)) net_config_mac(cfg.bridge0.devsandbox, cfg.bridge0.macsandbox); sandbox_if_up(&cfg.bridge0); if (mac_not_zero(cfg.bridge1.macsandbox)) net_config_mac(cfg.bridge1.devsandbox, cfg.bridge1.macsandbox); sandbox_if_up(&cfg.bridge1); if (mac_not_zero(cfg.bridge2.macsandbox)) net_config_mac(cfg.bridge2.devsandbox, cfg.bridge2.macsandbox); sandbox_if_up(&cfg.bridge2); if (mac_not_zero(cfg.bridge3.macsandbox)) net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox); sandbox_if_up(&cfg.bridge3); // add a default route if (cfg.defaultgw) { // set the default route if (net_add_route(0, 0, cfg.defaultgw)) fprintf(stderr, "Warning: cannot configure default route\n"); } // enable interfaces if (cfg.interface0.configured && cfg.interface0.ip) { if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev); net_if_ip(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu); net_if_up(cfg.interface0.dev); } if (cfg.interface1.configured && cfg.interface1.ip) { if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev); net_if_ip(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu); net_if_up(cfg.interface1.dev); } if (cfg.interface2.configured && cfg.interface2.ip) { if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev); net_if_ip(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu); net_if_up(cfg.interface2.dev); } if (cfg.interface3.configured && cfg.interface3.ip) { if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev); net_if_ip(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu); net_if_up(cfg.interface3.dev); } if (arg_debug) printf("Network namespace enabled\n"); } // if any dns server is configured, it is time to set it now fs_resolvconf(); fs_logger_print(); fs_logger_change_owner(); // print network configuration if (!arg_quiet) { if (any_bridge_configured() || any_interface_configured() || cfg.defaultgw || cfg.dns1) { printf("\n"); if (any_bridge_configured() || any_interface_configured()) net_ifprint(); if (cfg.defaultgw != 0) printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); if (cfg.dns1 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); if (cfg.dns2 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2)); if (cfg.dns3 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3)); printf("\n"); } } fs_delete_cp_command(); //**************************** // set application environment //**************************** prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } // set environment env_defaults(); // set user-supplied environment variables env_apply(); // set nice if (arg_nice) { errno = 0; int rv = nice(cfg.nice); (void) rv; if (errno) { fprintf(stderr, "Warning: cannot set nice value\n"); errno = 0; } } // clean /tmp/.X11-unix sockets fs_x11(); //**************************** // set security filters //**************************** // set capabilities if (!arg_noroot) set_caps(); // set rlimits set_rlimits(); // set seccomp #ifdef HAVE_SECCOMP // install protocol filter if (cfg.protocol) { protocol_filter(); // install filter protocol_filter_save(); // save filter in PROTOCOL_CFG } // if a keep list is available, disregard the drop list if (arg_seccomp == 1) { if (cfg.seccomp_list_keep) seccomp_filter_keep(); else if (cfg.seccomp_list_errno) seccomp_filter_errno(); else seccomp_filter_drop(enforce_seccomp); } #endif // set cpu affinity if (cfg.cpus) { save_cpu(); // save cpu affinity mask to CPU_CFG file set_cpu_affinity(); } // save cgroup in CGROUP_CFG file if (cfg.cgroup) save_cgroup(); //**************************************** // drop privileges or create a new user namespace //**************************************** save_nogroups(); if (arg_noroot) { int rv = unshare(CLONE_NEWUSER); if (rv == -1) { fprintf(stderr, "Error: cannot mount a new user namespace\n"); perror("unshare"); drop_privs(arg_nogroups); } } else drop_privs(arg_nogroups); // notify parent that new user namespace has been created so a proper // UID/GID map can be setup notify_other(child_to_parent_fds[1]); close(child_to_parent_fds[1]); // wait for parent to finish setting up a proper UID/GID map wait_for_other(parent_to_child_fds[0]); close(parent_to_child_fds[0]); // somehow, the new user namespace resets capabilities; // we need to do them again if (arg_noroot) { set_caps(); if (arg_debug) printf("noroot user namespace installed\n"); } //**************************************** // fork the application and monitor it //**************************************** pid_t app_pid = fork(); if (app_pid == -1) errExit("fork"); if (app_pid == 0) { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died start_application(); // start app } monitor_application(app_pid); // monitor application return 0; }
void join(pid_t pid, int argc, char **argv, int index) { EUID_ASSERT(); pid_t parent = pid; // in case the pid is that of a firejail process, use the pid of the first child process pid = switch_to_child(pid); // now check if the pid belongs to a firejail sandbox if (invalid_sandbox(pid)) { fprintf(stderr, "Error: no valid sandbox\n"); exit(1); } // check privileges for non-root users uid_t uid = getuid(); if (uid != 0) { uid_t sandbox_uid = pid_get_uid(pid); if (uid != sandbox_uid) { fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n"); exit(1); } } extract_x11_display(parent); EUID_ROOT(); // in user mode set caps seccomp, cpu, cgroup, etc if (getuid() != 0) { extract_nonewprivs(pid); // redundant on Linux >= 4.10; duplicated in function extract_caps extract_caps(pid); extract_cpu(pid); extract_cgroup(pid); extract_nogroups(pid); extract_user_namespace(pid); } // set cgroup if (cfg.cgroup) // not available for uid 0 set_cgroup(cfg.cgroup); // set umask, also uid 0 extract_umask(pid); // join namespaces if (arg_join_network) { if (join_namespace(pid, "net")) exit(1); } else if (arg_join_filesystem) { if (join_namespace(pid, "mnt")) exit(1); } else { if (join_namespace(pid, "ipc") || join_namespace(pid, "net") || join_namespace(pid, "pid") || join_namespace(pid, "uts") || join_namespace(pid, "mnt")) exit(1); } pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { // drop discretionary access control capabilities for root sandboxes caps_drop_dac_override(); // chroot into /proc/PID/root directory char *rootdir; if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) errExit("asprintf"); int rv; if (!arg_join_network) { rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option if (rv == 0) printf("changing root to %s\n", rootdir); } EUID_USER(); if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(cfg.homedir) < 0) errExit("chdir"); } } // set caps filter EUID_ROOT(); if (apply_caps == 1) // not available for uid 0 caps_set(caps); #ifdef HAVE_SECCOMP if (getuid() != 0) seccomp_load_file_list(); #endif // mount user namespace or drop privileges if (arg_noroot) { // not available for uid 0 if (arg_debug) printf("Joining user namespace\n"); if (join_namespace(1, "user")) exit(1); // user namespace resets capabilities // set caps filter if (apply_caps == 1) // not available for uid 0 caps_set(caps); } // set nonewprivs if (arg_nonewprivs == 1) { // not available for uid 0 int rv = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); if (arg_debug && rv == 0) printf("NO_NEW_PRIVS set\n"); } EUID_USER(); int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } // drop privileges drop_privs(arg_nogroups); // kill the child in case the parent died prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); extract_command(argc, argv, index); if (cfg.command_line == NULL) { assert(cfg.shell); cfg.command_line = cfg.shell; cfg.window_title = cfg.shell; } if (arg_debug) printf("Extracted command #%s#\n", cfg.command_line); // set cpu affinity if (cfg.cpus) // not available for uid 0 set_cpu_affinity(); // set nice value if (arg_nice) set_nice(cfg.nice); // add x11 display if (display) { char *display_str; if (asprintf(&display_str, ":%d", display) == -1) errExit("asprintf"); setenv("DISPLAY", display_str, 1); free(display_str); } start_application(0, NULL); // it will never get here!!! } int status = 0; //***************************** // following code is signal-safe install_handler(); // wait for the child to finish waitpid(child, &status, 0); // restore default signal action signal(SIGTERM, SIG_DFL); // end of signal-safe code //***************************** flush_stdin(); if (WIFEXITED(status)) { status = WEXITSTATUS(status); } else if (WIFSIGNALED(status)) { status = WTERMSIG(status); } else { status = 0; } exit(status); }
int main(int argc, char** argv) { if (argc < 2) { std::cerr << "usage: " << argv[0] << " conf_file ..." << std::endl; return 0; } ///创建i_ini_file实例 if (create_ini_file_instance(&g_p_ini_file)) { std::cerr << "create ini_file instance failed" << std::endl; return -1; } if (g_p_ini_file->init(argv[1]) < 0) { std::cerr << "ini_file init failed, err: " << g_p_ini_file->get_last_errstr() << std::endl; g_p_ini_file->release(); g_p_ini_file = NULL; return -1; } ///开启精灵模式 if (daemon_start(argc, argv, g_p_ini_file) < 0) { return -1; } ///初始化日志系统 if (log_init(g_p_ini_file) < 0) { return -1; } ///读取dll中函数接口 char path[PATH_MAX] = {0}; if (g_p_ini_file->read_string("WorkInfo", "dll", path, sizeof(path), NULL)) { ERROR_LOG("fail to read dll_path from conf_file"); return -1; } g_dll_inst.set_dll_path(path); if (g_dll_inst.register_plugin() < 0) { ERROR_LOG("fail to register dll"); return -1; } ///读取bind_file中的内容 if (g_p_ini_file->read_string("WorkInfo", "bind_file", path, sizeof(path), NULL)) { ERROR_LOG("fail to read bind_file path from conf_file"); return -1; } std::list<bind_conf_t> bind_conf_list; bind_conf bind_conf_inst(path); if (bind_conf_inst.load_bind_conf(bind_conf_list) < 0) { ERROR_LOG("fail to read info from bind_file"); return -1; } ///初始化注册回调函数 tcp_io_event tcp_io_event_inst; udp_io_event udp_io_event_inst; if (g_dll_inst.proc_pkg_from_client) tcp_io_event_inst.set_tcp_proc_callback(g_dll_inst.proc_pkg_from_client); if (g_dll_inst.get_pkg_len) tcp_io_event_inst.set_tcp_pkg_len_callback(g_dll_inst.get_pkg_len); if (g_dll_inst.on_client_conn_closed) tcp_io_event_inst.set_tcp_close_callback(g_dll_inst.on_client_conn_closed); if (g_dll_inst.proc_udp_pkg_from_client) udp_io_event_inst.set_udp_proc_callback(g_dll_inst.proc_udp_pkg_from_client); if (g_dll_inst.on_client_conn_closed) udp_io_event_inst.set_udp_close_conn_callback(g_dll_inst.on_client_conn_closed); ///初始化网络监听 std::list<bind_conf_t>::iterator it = bind_conf_list.begin(); for (; it != bind_conf_list.end(); ++it) { inet_address serv_addr; #ifdef _IPV6 if (it->ip_addr == "0:0:0:0:0:0:0:0" || ip->ip_addr == "::" || ip->ip_addr == "::/128") { serv_addr.set_port(it->port); } else { serv_addr.set_ip_addr(it->ip_addr); serv_addr.set_port(it->port); } #else if (it->ip_addr == "0.0.0.0") { serv_addr.set_port(it->port); } else { serv_addr.set_ip_addr(it->ip_addr); serv_addr.set_port(it->port); } #endif if (it->type == TYPE_TCP) { acceptor<connection<sock_stream>, sock_acceptor>* p_acceptor = new (std::nothrow) acceptor<connection<sock_stream>, sock_acceptor>(serv_addr); if (!p_acceptor) { ERROR_LOG("tcp acceptor instantiate failed"); return -1; } p_acceptor->set_new_conn_callback( boost::bind(&tcp_io_event::tcp_on_new_conn, &tcp_io_event_inst, _1)); p_acceptor->set_on_message_callback( boost::bind(&tcp_io_event::tcp_on_message, &tcp_io_event_inst, _1, _2, _3)); //p_acceptor->set_on_write_comple_callback( // boost::bind(&tcp_io_event::tcp_on_write_complete, &tcp_io_event_inst, _1)); p_acceptor->set_on_close_callback( boost::bind(&tcp_io_event::tcp_on_close_conn, &tcp_io_event_inst, _1)); if (p_acceptor->start() < 0) { return -1; } g_tcp_acceptor_list.push_back(p_acceptor); } else { acceptor<connection<sock_dgram>, sock_dgram>* p_acceptor = new (std::nothrow) acceptor<connection<sock_dgram>, sock_dgram>(serv_addr); if (!p_acceptor) { ERROR_LOG("udp acceptor instantiate failed"); return -1; } p_acceptor->set_new_conn_callback( boost::bind(&udp_io_event::udp_on_new_conn, &udp_io_event_inst, _1)); p_acceptor->set_on_message_callback( boost::bind(&udp_io_event::udp_on_message, &udp_io_event_inst, _1, _2, _3)); //p_acceptor->set_on_write_comple_callback( // boost::bind(&udp_io_event::udp_on_write_comple, &udp_io_event_inst, _1)); p_acceptor->set_on_close_callback( boost::bind(&udp_io_event::udp_on_close_conn, &udp_io_event_inst, _1)); if (p_acceptor->start() < 0) { return -1; } g_udp_acceptor_list.push_back(p_acceptor); } } ///创建socketpair g_work_num = g_p_ini_file->read_int("WorkInfo", "worker_num", 1); for (int i = 0; i < g_work_num; i++) { connections_pool<connection<vpipe_sockpair> >* p_pool = connections_pool<connection<vpipe_sockpair> >::instance(); assert(p_pool); connection<vpipe_sockpair>* p_conn = p_pool->get_new_connection(); assert(p_conn); if ((p_conn->get_ipc_conn())->open() < 0) { return -1; } worker_proc_t tmp; tmp.id = i; tmp.worker_pid = 0; tmp.p_sockpair = p_conn; g_worker_proc_vec.push_back(tmp); } if (g_dll_inst.init_service && g_dll_inst.init_service(g_saved_argc, g_saved_argv, PROC_MAIN) != 0) { ERROR_LOG("main proc init_service failed"); return -1; } daemon_set_title("%s-[%s]", g_prog_name, "master"); ///fork工作进程 for (int i = 0; i < g_work_num; i++) { pid_t pid = fork(); switch (pid) { case -1: ERROR_LOG("fork failed, err: %s", strerror(errno)); return -1; case 0: ///子进程 worker_proc_loop(i); default: ///master进程 g_worker_proc_vec[i].worker_pid = pid; break; } } ///设置work进程cpu亲和性 for (int i = 0; i < g_work_num; i++) { if (set_cpu_affinity(g_work_num, g_worker_proc_vec[i].worker_pid, g_worker_proc_vec[i].id) < 0) { DEBUG_LOG("set_cpu_affinity failed, err: %s", strerror(errno)); } } master_proc_loop(); daemon_stop(); if (g_p_ini_file) { g_p_ini_file->uninit(); g_p_ini_file->release(); g_p_ini_file = NULL; } return 0; }
int main(int argc, char **argv) { int status; struct sched_param thread_param; int i; int retval = FAILURE; int core; int nthreads; /* Make sure we see all message, even those on stdout. */ setvbuf(stdout, NULL, _IONBF, 0); /* get the number of processors */ num_processors = sysconf(_SC_NPROCESSORS_ONLN); /* calculate the number of inversion groups to run */ ngroups = num_processors == 1 ? 1 : num_processors - 1; /* process command line arguments */ process_command_line(argc, argv); /* lock memory */ if (lockall) if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) { error("mlockall failed\n"); return FAILURE; } /* boost main's priority (so we keep running) :) */ prio_min = sched_get_priority_min(policy); thread_param.sched_priority = MAIN_PRIO(); status = pthread_setschedparam(pthread_self(), policy, &thread_param); if (status) { error("main: boosting to max priority: 0x%x\n", status); return FAILURE; } /* block unwanted signals */ block_signals(); /* allocate our groups array */ groups = calloc(ngroups, sizeof(struct group_parameters)); if (groups == NULL) { error("main: failed to allocate %d groups\n", ngroups); return FAILURE; } /* set up CPU affinity masks */ if (set_cpu_affinity(&test_cpu_mask, &admin_cpu_mask)) return FAILURE; nthreads = ngroups * NUM_TEST_THREADS + NUM_ADMIN_THREADS; /* set up our ready barrier */ if (barrier_init(&all_threads_ready, NULL, nthreads, "all_threads_ready")) return FAILURE; /* set up our done barrier */ if (barrier_init(&all_threads_done, NULL, nthreads, "all_threads_done")) return FAILURE; /* create the groups */ info("Creating %d test groups\n", ngroups); for (core = 0; core < num_processors; core++) if (CPU_ISSET(core, &test_cpu_mask)) break; for (i = 0; i < ngroups; i++) { groups[i].id = i; groups[i].cpu = core++; if (core >= num_processors) core = 0; if (create_group(&groups[i]) != SUCCESS) return FAILURE; } /* prompt if requested */ if (prompt) { printf("Press return to start test: "); getchar(); } /* report */ banner(); start = time(NULL); /* turn loose the threads */ info("Releasing all threads\n"); status = pthread_barrier_wait(&all_threads_ready); if (status && status != PTHREAD_BARRIER_SERIAL_THREAD) { error("main: pthread_barrier_wait(all_threads_ready): 0x%x\n", status); set_shutdown_flag(); return FAILURE; } reporter(NULL); if (!quiet) { fputs(DOWN_ONE, stdout); printf("Stopping test\n"); } set_shutdown_flag(); /* wait for all threads to notice the shutdown flag */ if (have_errors == 0 && interrupted == 0) { info("waiting for all threads to complete\n"); status = pthread_barrier_wait(&all_threads_done); if (status && status != PTHREAD_BARRIER_SERIAL_THREAD) { error ("main: pthread_barrier_wait(all_threads_ready): 0x%x\n", status); return FAILURE; } info("All threads terminated!\n"); retval = SUCCESS; } else kill(0, SIGTERM); finish = time(NULL); summary(); if (lockall) munlockall(); exit(retval); }
int main(int argc, char **argv) { int c, i, j, opt_index; char *ptr; bool prio_high = false; struct mode mode; void (*enter_mode)(struct mode *mode) = NULL; check_for_root_maybe_die(); memset(&mode, 0, sizeof(mode)); mode.link_type = LINKTYPE_EN10MB; mode.print_mode = FNTTYPE_PRINT_NORM; mode.cpu = CPU_UNKNOWN; mode.packet_type = PACKET_ALL; mode.promiscuous = true; mode.randomize = false; mode.pcap = PCAP_OPS_SG; mode.dump_interval = DUMP_INTERVAL; while ((c = getopt_long(argc, argv, short_options, long_options, &opt_index)) != EOF) { switch (c) { case 'd': case 'i': mode.device_in = xstrdup(optarg); break; case 'o': mode.device_out = xstrdup(optarg); break; case 'r': mode.randomize = true; break; case 'J': mode.jumbo_support = 1; break; case 'f': mode.filter = xstrdup(optarg); break; case 'M': mode.promiscuous = false; break; case 't': if (!strncmp(optarg, "host", strlen("host"))) mode.packet_type = PACKET_HOST; else if (!strncmp(optarg, "broadcast", strlen("broadcast"))) mode.packet_type = PACKET_BROADCAST; else if (!strncmp(optarg, "multicast", strlen("multicast"))) mode.packet_type = PACKET_MULTICAST; else if (!strncmp(optarg, "others", strlen("others"))) mode.packet_type = PACKET_OTHERHOST; else if (!strncmp(optarg, "outgoing", strlen("outgoing"))) mode.packet_type = PACKET_OUTGOING; else mode.packet_type = PACKET_ALL; break; case 'S': ptr = optarg; mode.reserve_size = 0; for (j = i = strlen(optarg); i > 0; --i) { if (!isdigit(optarg[j - i])) break; ptr++; } if (!strncmp(ptr, "KB", strlen("KB"))) mode.reserve_size = 1 << 10; else if (!strncmp(ptr, "MB", strlen("MB"))) mode.reserve_size = 1 << 20; else if (!strncmp(ptr, "GB", strlen("GB"))) mode.reserve_size = 1 << 30; else panic("Syntax error in ring size param!\n"); *ptr = 0; mode.reserve_size *= atoi(optarg); break; case 'b': set_cpu_affinity(optarg, 0); if (mode.cpu != CPU_NOTOUCH) mode.cpu = atoi(optarg); break; case 'B': set_cpu_affinity(optarg, 1); break; case 'H': prio_high = true; break; case 'c': mode.pcap = PCAP_OPS_RW; break; case 'm': mode.pcap = PCAP_OPS_MMAP; break; case 'Q': mode.cpu = CPU_NOTOUCH; break; case 's': mode.print_mode = FNTTYPE_PRINT_NONE; break; case 'q': mode.print_mode = FNTTYPE_PRINT_LESS; break; case 'l': mode.print_mode = FNTTYPE_PRINT_CHR1; break; case 'x': mode.print_mode = FNTTYPE_PRINT_HEX1; break; case 'C': mode.print_mode = FNTTYPE_PRINT_PAAC; break; case 'X': mode.print_mode = FNTTYPE_PRINT_HEX2; break; case 'N': mode.print_mode = FNTTYPE_PRINT_NOPA; break; case 'k': mode.kpull = (unsigned long) atol(optarg); break; case 'n': frame_cnt_max = (unsigned long) atol(optarg); break; case 'F': mode.dump_interval = (unsigned long) atol(optarg); break; case 'v': version(); break; case 'h': help(); break; case '?': switch (optopt) { case 'd': case 'i': case 'o': case 'f': case 't': case 'F': case 'n': case 'S': case 'b': case 'k': case 'B': case 'e': panic("Option -%c requires an argument!\n", optopt); default: if (isprint(optopt)) whine("Unknown option character " "`0x%X\'!\n", optopt); die(); } default: break; } } if (!mode.device_in) mode.device_in = xstrdup("any"); register_signal(SIGINT, signal_handler); register_signal(SIGHUP, signal_handler); init_pcap(mode.jumbo_support); tprintf_init(); header(); if (prio_high == true) { set_proc_prio(get_default_proc_prio()); set_sched_status(get_default_sched_policy(), get_default_sched_prio()); } if (mode.device_in && (device_mtu(mode.device_in) || !strncmp("any", mode.device_in, strlen(mode.device_in)))) { if (!mode.device_out) { mode.dump = 0; enter_mode = enter_mode_rx_only_or_dump; } else if (device_mtu(mode.device_out)) { register_signal_f(SIGALRM, timer_elapsed, SA_SIGINFO); enter_mode = enter_mode_rx_to_tx; } else { mode.dump = 1; register_signal_f(SIGALRM, timer_next_dump, SA_SIGINFO); enter_mode = enter_mode_rx_only_or_dump; } } else { if (mode.device_out && device_mtu(mode.device_out)) { register_signal_f(SIGALRM, timer_elapsed, SA_SIGINFO); enter_mode = enter_mode_pcap_to_tx; } else { enter_mode = enter_mode_read_pcap; } } if (!enter_mode) panic("Selection not supported!\n"); enter_mode(&mode); tprintf_cleanup(); cleanup_pcap(); if (mode.device_in) xfree(mode.device_in); if (mode.device_out) xfree(mode.device_out); return 0; }
int hashcat_session_init (hashcat_ctx_t *hashcat_ctx, const char *install_folder, const char *shared_folder, int argc, char **argv, const int comptime) { user_options_t *user_options = hashcat_ctx->user_options; /** * make it a bit more comfortable to use some of the special modes in hashcat */ user_options_session_auto (hashcat_ctx); /** * event init (needed for logging so should be first) */ const int rc_event_init = event_ctx_init (hashcat_ctx); if (rc_event_init == -1) return -1; /** * status init */ const int rc_status_init = status_ctx_init (hashcat_ctx); if (rc_status_init == -1) return -1; /** * folder */ const int rc_folder_config_init = folder_config_init (hashcat_ctx, install_folder, shared_folder); if (rc_folder_config_init == -1) return -1; /** * pidfile */ const int rc_pidfile_init = pidfile_ctx_init (hashcat_ctx); if (rc_pidfile_init == -1) return -1; /** * restore */ const int rc_restore_init = restore_ctx_init (hashcat_ctx, argc, argv); if (rc_restore_init == -1) return -1; /** * process user input */ user_options_preprocess (hashcat_ctx); user_options_extra_init (hashcat_ctx); user_options_postprocess (hashcat_ctx); /** * logfile */ const int rc_logfile_init = logfile_init (hashcat_ctx); if (rc_logfile_init == -1) return -1; /** * cpu affinity */ const int rc_affinity = set_cpu_affinity (hashcat_ctx); if (rc_affinity == -1) return -1; /** * prepare seeding for random number generator, required by logfile and rules generator */ setup_seeding (user_options->rp_gen_seed_chgd, user_options->rp_gen_seed); /** * To help users a bit */ setup_environment_variables (); setup_umask (); /** * tuning db */ const int rc_tuning_db = tuning_db_init (hashcat_ctx); if (rc_tuning_db == -1) return -1; /** * induction directory */ const int rc_induct_ctx_init = induct_ctx_init (hashcat_ctx); if (rc_induct_ctx_init == -1) return -1; /** * outfile-check directory */ const int rc_outcheck_ctx_init = outcheck_ctx_init (hashcat_ctx); if (rc_outcheck_ctx_init == -1) return -1; /** * outfile itself */ const int rc_outfile_init = outfile_init (hashcat_ctx); if (rc_outfile_init == -1) return -1; /** * potfile init * this is only setting path because potfile can be used in read and write mode depending on user options * plus it depends on hash_mode, so we continue using it in outer_loop */ const int rc_potfile_init = potfile_init (hashcat_ctx); if (rc_potfile_init == -1) return -1; /** * dictstat init */ const int rc_dictstat_init = dictstat_init (hashcat_ctx); if (rc_dictstat_init == -1) return -1; /** * loopback init */ const int rc_loopback_init = loopback_init (hashcat_ctx); if (rc_loopback_init == -1) return -1; /** * debugfile init */ const int rc_debugfile_init = debugfile_init (hashcat_ctx); if (rc_debugfile_init == -1) return -1; /** * Try to detect if all the files we're going to use are accessible in the mode we want them */ const int rc_user_options_check_files = user_options_check_files (hashcat_ctx); if (rc_user_options_check_files == -1) return -1; /** * Init OpenCL library loader */ const int rc_opencl_init = opencl_ctx_init (hashcat_ctx); if (rc_opencl_init == -1) return -1; /** * Init OpenCL devices */ const int rc_devices_init = opencl_ctx_devices_init (hashcat_ctx, comptime); if (rc_devices_init == -1) return -1; /** * HM devices: init */ const int rc_hwmon_init = hwmon_ctx_init (hashcat_ctx); if (rc_hwmon_init == -1) return -1; // done return 0; }