Merge 39b4b72a412aed65656f61e5359919fd0df06d88 into bd67b41f329702465d1d548ca2144b609e82927a

nfqws,tpws: check accessibility of list files after droproot
Create SECURITY.md
2025-04-20 22:12:58 +03:00 · 2025-02-04 01:05:43 +03:00 · 2025-02-03 22:37:08 +03:00 · 2025-01-31 17:12:40 +05:00
4 changed files with 73 additions and 1 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,21 @@
 # Security Policy
 ## Supported Versions
 Use this section to tell people about which versions of your project are
 currently being supported with security updates.
 | Version | Supported          |
 | ------- | ------------------ |
 | 5.1.x   | :white_check_mark: |
 | 5.0.x   | :x:                |
 | 4.0.x   | :white_check_mark: |
 | < 4.0   | :x:                |
 ## Reporting a Vulnerability
 Use this section to tell people how to report a vulnerability.
 Tell them where to go, how often they can expect to get an update on a
 reported vulnerability, what to expect if the vulnerability is accepted or
 declined, etc.
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -456,3 +456,4 @@ nfqws,blockcheck: --dpi-desync-fake-tls-mod
 v70.1
 nfqws: --dpi-desync-fake-tls-mod=dupsid
 nfqws,tpws: test accessibility of list files after privs drop
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -120,6 +120,29 @@ static uint8_t processPacketData(uint32_t *mark, const char *ifout, uint8_t *dat
 }
 static bool test_list_files()
 {
 	struct hostlist_file *hfile;
 	struct ipset_file *ifile;
 	LIST_FOREACH(hfile, &params.hostlists, next)
 		if (!file_mod_time(hfile->filename))
 		{
 			DLOG_PERROR("file_mod_time");
 			DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename);
 			return false;
 		}
 	LIST_FOREACH(ifile, &params.ipsets, next)
 		if (!file_mod_time(ifile->filename))
 		{
 			DLOG_PERROR("file_mod_time");
 			DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename);
 			return false;
 		}
 	return true;
 }
 #ifdef __linux__
 static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cookie)
 {
@ -260,6 +283,8 @@ static int nfq_main(void)
 	if (params.droproot && !droproot(params.uid, params.gid))
 		return 1;
 	print_id();
 	if (params.droproot && !test_list_files())
 		return 1;
 	pre_desync();
@ -357,6 +382,8 @@ static int dvt_main(void)
 	if (params.droproot && !droproot(params.uid, params.gid))
 		goto exiterr;
 	print_id();
 	if (params.droproot && !test_list_files())
 		goto exiterr;
 	pre_desync();
--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@ -116,6 +116,27 @@ static int8_t block_sigpipe(void)
 	return 0;
 }
 static bool test_list_files()
 {
 	struct hostlist_file *hfile;
 	struct ipset_file *ifile;
 	LIST_FOREACH(hfile, &params.hostlists, next)
 		if (!file_mod_time(hfile->filename))
 		{
 			DLOG_PERROR("file_mod_time");
 			DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename);
 			return false;
 		}
 	LIST_FOREACH(ifile, &params.ipsets, next)
 		if (!file_mod_time(ifile->filename))
 		{
 			DLOG_PERROR("file_mod_time");
 			DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename);
 			return false;
 		}
 	return true;
 }
 static bool is_interface_online(const char *ifname)
 {
@ -1918,10 +1939,12 @@ int main(int argc, char *argv[])
 	set_ulimit();
 	sec_harden();
 	if (params.droproot && !droproot(params.uid,params.gid))
 		goto exiterr;
 	print_id();
 	if (params.droproot && !test_list_files())
 		goto exiterr;
 	//splice() causes the process to receive the SIGPIPE-signal if one part (for
 	//example a socket) is closed during splice(). I would rather have splice()
 	//fail and return -1, so blocking SIGPIPE.
Author	SHA1	Message	Date
sigma470	b5dd04640d	Merge 39b4b72a412aed65656f61e5359919fd0df06d88 into bd67b41f329702465d1d548ca2144b609e82927a	2025-02-04 01:05:43 +03:00
bol-van	bd67b41f32	nfqws,tpws: check accessibility of list files after droproot	2025-02-03 22:37:08 +03:00
sigma470	39b4b72a41	Create SECURITY.md	2025-01-31 17:12:40 +05:00