tpws: fix seccomp tgkill, do not interrupt write pipe

2025-05-24 22:32:58 +03:00 · 2024-04-03 10:34:03 +03:00
parent 5805b04bba
commit 103419302f
12 changed files with 11 additions and 8 deletions
--- a/tpws/resolver.c
+++ b/tpws/resolver.c
@@ -46,6 +46,10 @@ int resolver_thread_count(void)
 static void *resolver_thread(void *arg)
 {
 	int r;
+	sigset_t signal_mask;
+
+	sigemptyset(&signal_mask);
+	sigaddset(&signal_mask, SIG_BREAK);

 	//printf("resolver_thread %d start\n",syscall(SYS_gettid));
 	for(;;)
@@ -80,14 +84,17 @@ static void *resolver_thread(void *arg)
 				snprintf(sport,sizeof(sport),"%u",ri->port);
 				memset(&hints, 0, sizeof(struct addrinfo));
 				hints.ai_socktype = SOCK_STREAM;
+				// unfortunately getaddrinfo cannot be interrupted with a signal. we cannot cancel a query
 				ri->ga_res = getaddrinfo(ri->dom,sport,&hints,&ai);
 				if (!ri->ga_res)
 				{
 					memcpy(&ri->ss, ai->ai_addr, ai->ai_addrlen);
 					freeaddrinfo(ai);
 				}
-
 				//printf("THREAD %d END JOB %s  FIRST=%p\n", syscall(SYS_gettid), ri->dom, TAILQ_FIRST(&resolver.resolve_list));
+
+				// never interrupt this
+				pthread_sigmask(SIG_BLOCK, &signal_mask, NULL);
 				wr = write(resolver.fd_signal_pipe,&ri,sizeof(void*));
 				if (wr<0)
 				{
@@ -101,6 +108,7 @@ static void *resolver_thread(void *arg)
 					fprintf(stderr,"write resolve_pipe : not full write\n");
 					exit(1000);
 				}
+				pthread_sigmask(SIG_UNBLOCK, &signal_mask, NULL);
 			}
 		}
 	}
--- a/tpws/sec.c
+++ b/tpws/sec.c
@@ -115,12 +115,6 @@ SYS_process_vm_writev,
 #ifdef SYS_process_madvise
 SYS_process_madvise,
 #endif
-#ifdef SYS_tkill
-SYS_tkill,
-#endif
-#ifdef SYS_tgkill
-SYS_tgkill,
-#endif
 SYS_kill, SYS_ptrace
 };
 #define BLOCKED_SYSCALL_COUNT (sizeof(blocked_syscalls)/sizeof(*blocked_syscalls))
--- a/tpws/tpws_conn.c
+++ b/tpws/tpws_conn.c
@@ -705,8 +705,9 @@ bool proxy_mode_connect_remote(const struct sockaddr *sa, tproxy_conn_t *conn, s
 	bool bConnFooling=true;
 	if (conn->track.hostname && params.mss)
 	{
-		VPRINT("0-phase desync hostlist check")
 		bConnFooling=HostlistCheck(conn->track.hostname, NULL);
+		if (!bConnFooling)
+			VPRINT("0-phase desync hostlist check negative. not acting on this connection.")
 	}

 	if ((remote_fd = connect_remote(sa, bConnFooling)) < 0)