Merge 39b4b72a412aed65656f61e5359919fd0df06d88 into bd67b41f329702465d1d548ca2144b609e82927a

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.

docs/changes.txt

@@ -456,3 +456,4 @@ nfqws,blockcheck: --dpi-desync-fake-tls-mod
 v70.1
 
 nfqws: --dpi-desync-fake-tls-mod=dupsid
+nfqws,tpws: test accessibility of list files after privs drop

nfq/nfqws.c

@@ -120,6 +120,29 @@ static uint8_t processPacketData(uint32_t *mark, const char *ifout, uint8_t *dat
 }
 
 
+static bool test_list_files()
+{
+	struct hostlist_file *hfile;
+	struct ipset_file *ifile;
+
+	LIST_FOREACH(hfile, &params.hostlists, next)
+		if (!file_mod_time(hfile->filename))
+		{
+			DLOG_PERROR("file_mod_time");
+			DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename);
+			return false;
+		}
+	LIST_FOREACH(ifile, &params.ipsets, next)
+		if (!file_mod_time(ifile->filename))
+		{
+			DLOG_PERROR("file_mod_time");
+			DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename);
+			return false;
+		}
+	return true;
+}
+
+
 #ifdef __linux__
 static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cookie)
 {
@@ -260,6 +283,8 @@ static int nfq_main(void)
 	if (params.droproot && !droproot(params.uid, params.gid))
 		return 1;
 	print_id();
+	if (params.droproot && !test_list_files())
+		return 1;
 
 	pre_desync();
 
@@ -357,6 +382,8 @@ static int dvt_main(void)
 	if (params.droproot && !droproot(params.uid, params.gid))
 		goto exiterr;
 	print_id();
+	if (params.droproot && !test_list_files())
+		goto exiterr;
 
 	pre_desync();
 

tpws/tpws.c

@@ -116,6 +116,27 @@ static int8_t block_sigpipe(void)
 	return 0;
 }
 
+static bool test_list_files()
+{
+	struct hostlist_file *hfile;
+	struct ipset_file *ifile;
+
+	LIST_FOREACH(hfile, &params.hostlists, next)
+		if (!file_mod_time(hfile->filename))
+		{
+			DLOG_PERROR("file_mod_time");
+			DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename);
+			return false;
+		}
+	LIST_FOREACH(ifile, &params.ipsets, next)
+		if (!file_mod_time(ifile->filename))
+		{
+			DLOG_PERROR("file_mod_time");
+			DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename);
+			return false;
+		}
+	return true;
+}
 
 static bool is_interface_online(const char *ifname)
 {
@@ -1918,10 +1939,12 @@ int main(int argc, char *argv[])
 
 	set_ulimit();
 	sec_harden();
-
 	if (params.droproot && !droproot(params.uid,params.gid))
 		goto exiterr;
 	print_id();
+	if (params.droproot && !test_list_files())
+		goto exiterr;
+
 	//splice() causes the process to receive the SIGPIPE-signal if one part (for
 	//example a socket) is closed during splice(). I would rather have splice()
 	//fail and return -1, so blocking SIGPIPE.