mirror of
https://github.com/monitoring-plugins/monitoring-plugins.git
synced 2026-02-18 18:17:50 -05:00
OpenBSD: pledge(2) some network-facing checks (#2225)
OpenBSD's pledge(2) system call allows the current process to restrict itself, being reduced to the promises it has pledged. For example, unless a process says it wants to write to files, it is not allowed to do so any longer. This change starts by calling pledge(2) in some network-facing checks, removing the more dangerous privileges, such as executing other files. My initial motivation came from check_icmp, which is installed as a setuid binary and (temporarily) runs with root privileges. There, the pledge(2) calls result in check_icmp only being allowed to interact with the network and to setuid(2) to the calling user later on. Afterwards, I went through my most commonly used monitoring plugins directly interacting with the network. Thus, I continued with pledge(2)-ing check_curl - having a huge codebase and all -, check_ntp_time, check_smtp, check_ssh, and check_tcp. For most of those, the changes were quite similar: start with network-friendly promises, parse the configuration, give up file access, and proceed with the actual check.
parent
fe4c82ea6f
commit
cef40299a9
6 changed files with 82 additions and 0 deletions
|
|
@ -812,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr, char *dst, socklen_t siz
|
|||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
#ifdef __OpenBSD__
|
||||
/* - rpath is required to read --extra-opts (given up later)
|
||||
* - inet is required for sockets
|
||||
* - dns is required for name lookups (given up later)
|
||||
* - id is required for temporary privilege drops in configparsing and for
|
||||
* permanent privilege dropping after opening the socket (given up later) */
|
||||
pledge("stdio rpath inet dns id", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
setlocale(LC_ALL, "");
|
||||
bindtextdomain(PACKAGE, LOCALEDIR);
|
||||
textdomain(PACKAGE);
|
||||
|
|
@ -836,6 +845,10 @@ int main(int argc, char **argv) {
|
|||
crash("failed to parse config");
|
||||
}
|
||||
|
||||
#ifdef __OpenBSD__
|
||||
pledge("stdio inet dns id", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
const check_icmp_config config = tmp_config.config;
|
||||
|
||||
if (config.output_format_is_set) {
|
||||
|
|
@ -898,6 +911,10 @@ int main(int argc, char **argv) {
|
|||
return 1;
|
||||
}
|
||||
|
||||
#ifdef __OpenBSD__
|
||||
pledge("stdio inet", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
if (sockset.socket4) {
|
||||
int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl));
|
||||
if (debug) {
|
||||
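Review bot: None of the three pledge(2) calls added to main() checks its return value, so if a call fails (for example on a malformed promise string) check_icmp carries on with whatever privileges it had before, which matters most here because the commit message describes the binary as setuid and temporarily running as root. Each call should fail closed, e.g. `if (pledge("stdio inet", NULL) == -1) { crash("pledge failed"); }`, using the crash() helper already visible in this section's context lines. The same unchecked pattern appears in the pledge calls added to the check_curl, check_ntp_time, check_smtp, check_ssh and check_tcp sections below. main() starts and ends outside the hunks shown, so where the sockets are opened and privileges dropped relative to the last pledge cannot be confirmed from here.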
|
|
|
|||
|
|
@ -120,6 +120,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_
|
|||
#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
#ifdef __OpenBSD__
|
||||
/* - rpath is required to read --extra-opts, CA and/or client certs
|
||||
* - wpath is required to write --cookie-jar (possibly given up later)
|
||||
* - inet is required for sockets
|
||||
* - dns is required for name lookups */
|
||||
pledge("stdio rpath wpath inet dns", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
setlocale(LC_ALL, "");
|
||||
bindtextdomain(PACKAGE, LOCALEDIR);
|
||||
textdomain(PACKAGE);
|
||||
|
|
@ -135,6 +143,15 @@ int main(int argc, char **argv) {
|
|||
|
||||
const check_curl_config config = tmp_config.config;
|
||||
|
||||
#ifdef __OpenBSD__
|
||||
if (!config.curl_config.cookie_jar_file) {
|
||||
if (verbose >= 2) {
|
||||
printf(_("* No \"--cookie-jar\" is used, giving up \"wpath\" pledge(2)\n"));
|
||||
}
|
||||
pledge("stdio rpath inet dns", NULL);
|
||||
}
|
||||
#endif // __OpenBSD__
|
||||
|
||||
if (config.output_format_is_set) {
|
||||
mp_set_format(config.output_format);
|
||||
}
|
||||
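Review bot: The initial promise set in main() includes `wpath` for `--cookie-jar` but not `cpath`, and as far as I know pledge(2) requires `cpath` for any open that creates a file. If libcurl creates the cookie jar (or writes it via a temporary file and a rename), the process would be killed on that path instead of reporting a check result, so this is worth testing with a jar file that does not exist yet. If it does abort, the promise string for the cookie-jar case would need to become `"stdio rpath wpath cpath inet dns"`, with the comment extended by `* - cpath is required to create --cookie-jar`. The rest of main() lies outside the hunks shown, so where the jar is actually written cannot be checked here.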
|
|
|
|||
|
|
@ -661,6 +661,14 @@ static check_ntp_time_config_wrapper process_arguments(int argc, char **argv) {
|
|||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
#ifdef __OpenBSD__
|
||||
/* - rpath is required to read --extra-opts (given up later)
|
||||
* - inet is required for sockets
|
||||
* - unix is required for Unix domain sockets
|
||||
* - dns is required for name lookups */
|
||||
pledge("stdio rpath inet unix dns", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
setlocale(LC_ALL, "");
|
||||
bindtextdomain(PACKAGE, LOCALEDIR);
|
||||
textdomain(PACKAGE);
|
||||
|
|
@ -674,6 +682,10 @@ int main(int argc, char *argv[]) {
|
|||
usage4(_("Could not parse arguments"));
|
||||
}
|
||||
|
||||
#ifdef __OpenBSD__
|
||||
pledge("stdio inet unix dns", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
const check_ntp_time_config config = tmp_config.config;
|
||||
|
||||
if (config.output_format_is_set) {
|
||||
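Review bot: After the second pledge drops `rpath`, a later `_()` lookup may still need to open a message catalog, because the catalog set up by `bindtextdomain()`/`textdomain()` at the top of main() is, as far as I know, loaded lazily by GNU gettext on the first translated string. If the build has NLS enabled and the plugin runs under a non-C locale, that open would violate the pledge and abort the check, presumably only when no translated message was emitted before this point. It would be worth testing with a locale set, and either forcing one lookup before the second pledge or recording the constraint with a comment such as `/* message catalogs must be loaded before rpath is given up */`. The same sequence appears in the check_icmp, check_smtp, check_ssh and check_tcp sections.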
|
|
|
|||
|
|
@ -100,6 +100,14 @@ static int my_close(int /*socket_descriptor*/);
|
|||
static int verbose = 0;
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
#ifdef __OpenBSD__
|
||||
/* - rpath is required to read --extra-opts (given up later)
|
||||
* - inet is required for sockets
|
||||
* - unix is required for Unix domain sockets
|
||||
* - dns is required for name lookups */
|
||||
pledge("stdio rpath inet unix dns", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
setlocale(LC_ALL, "");
|
||||
bindtextdomain(PACKAGE, LOCALEDIR);
|
||||
textdomain(PACKAGE);
|
||||
|
|
@ -113,6 +121,10 @@ int main(int argc, char **argv) {
|
|||
usage4(_("Could not parse arguments"));
|
||||
}
|
||||
|
||||
#ifdef __OpenBSD__
|
||||
pledge("stdio inet unix dns", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
const check_smtp_config config = tmp_config.config;
|
||||
|
||||
if (config.output_format_is_set) {
|
||||
|
|
|
|||
|
|
@ -61,6 +61,14 @@ static int ssh_connect(mp_check *overall, char *haddr, int hport, char *remote_v
|
|||
char *remote_protocol);
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
#ifdef __OpenBSD__
|
||||
/* - rpath is required to read --extra-opts (given up later)
|
||||
* - inet is required for sockets
|
||||
* - unix is required for Unix domain sockets
|
||||
* - dns is required for name lookups */
|
||||
pledge("stdio rpath inet unix dns", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
setlocale(LC_ALL, "");
|
||||
bindtextdomain(PACKAGE, LOCALEDIR);
|
||||
textdomain(PACKAGE);
|
||||
|
|
@ -74,6 +82,10 @@ int main(int argc, char **argv) {
|
|||
usage4(_("Could not parse arguments"));
|
||||
}
|
||||
|
||||
#ifdef __OpenBSD__
|
||||
pledge("stdio inet unix dns", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
check_ssh_config config = tmp_config.config;
|
||||
|
||||
mp_check overall = mp_check_init();
|
||||
|
|
|
|||
|
|
@ -89,6 +89,14 @@ const int DEFAULT_NNTPS_PORT = 563;
|
|||
const int DEFAULT_CLAMD_PORT = 3310;
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
#ifdef __OpenBSD__
|
||||
/* - rpath is required to read --extra-opts (given up later)
|
||||
* - inet is required for sockets
|
||||
* - unix is required for Unix domain sockets
|
||||
* - dns is required for name lookups */
|
||||
pledge("stdio rpath inet unix dns", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
setlocale(LC_ALL, "");
|
||||
bindtextdomain(PACKAGE, LOCALEDIR);
|
||||
textdomain(PACKAGE);
|
||||
|
|
@ -216,6 +224,10 @@ int main(int argc, char **argv) {
|
|||
usage4(_("Could not parse arguments"));
|
||||
}
|
||||
|
||||
#ifdef __OpenBSD__
|
||||
pledge("stdio inet unix dns", NULL);
|
||||
#endif // __OpenBSD__
|
||||
|
||||
config = paw.config;
|
||||
|
||||
if (verbosity > 0) {
|
||||
|
|
|
|||