Obfuscate memory roots for non-root users
parent
43331d6344
commit
a17f86ce3a
|
@ -374,7 +374,8 @@ try_again:
|
||||||
goto try_again;
|
goto try_again;
|
||||||
}
|
}
|
||||||
if (res > 0 && buf[0] == '/')
|
if (res > 0 && buf[0] == '/')
|
||||||
roots.emplace(file, std::string(static_cast<char *>(buf), res));
|
roots.emplace((format("{memory:%1%") % file).str(),
|
||||||
|
std::string(static_cast<char *>(buf), res));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -407,8 +408,8 @@ void LocalStore::findRuntimeRoots(Roots & roots)
|
||||||
while (errno = 0, ent = readdir(procDir.get())) {
|
while (errno = 0, ent = readdir(procDir.get())) {
|
||||||
checkInterrupt();
|
checkInterrupt();
|
||||||
if (std::regex_match(ent->d_name, digitsRegex)) {
|
if (std::regex_match(ent->d_name, digitsRegex)) {
|
||||||
readProcLink((format("/proc/%1%/exe") % ent->d_name).str(), unchecked);
|
readProcLink((format("{memory:/proc/%1%/exe}") % ent->d_name).str(), unchecked);
|
||||||
readProcLink((format("/proc/%1%/cwd") % ent->d_name).str(), unchecked);
|
readProcLink((format("{memory:/proc/%1%/cwd}") % ent->d_name).str(), unchecked);
|
||||||
|
|
||||||
auto fdStr = (format("/proc/%1%/fd") % ent->d_name).str();
|
auto fdStr = (format("/proc/%1%/fd") % ent->d_name).str();
|
||||||
auto fdDir = AutoCloseDir(opendir(fdStr.c_str()));
|
auto fdDir = AutoCloseDir(opendir(fdStr.c_str()));
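Review bot: The `{memory:...}` label is now baked into the path argument at the two call sites, `readProcLink((format("{memory:/proc/%1%/exe}") % ent->d_name).str(), unchecked);` and the `cwd` equivalent, while the earlier hunk makes `readProcLink` add `{memory:` to `file` again. If `readProcLink` passes `file` to `readlink` (its body starts outside the visible hunk, so this is inferred), the decorated string is not a real path, the lookup fails, and the exe/cwd roots are never recorded, which would let the collector delete store paths that running processes still use. Keep the call sites on the plain path, `readProcLink((format("/proc/%1%/exe") % ent->d_name).str(), unchecked);`, and build the key only inside `readProcLink`. The format string there, `"{memory:%1%"`, is also missing its closing brace and should read `format("{memory:%1%}")`.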
|
||||||
|
@ -435,10 +436,9 @@ void LocalStore::findRuntimeRoots(Roots & roots)
|
||||||
auto mapLines = tokenizeString<std::vector<string>>(readFile(mapFile, true), "\n");
|
auto mapLines = tokenizeString<std::vector<string>>(readFile(mapFile, true), "\n");
|
||||||
int n = 0;
|
int n = 0;
|
||||||
for (const auto& line : mapLines) {
|
for (const auto& line : mapLines) {
|
||||||
n++;
|
|
||||||
auto match = std::smatch{};
|
auto match = std::smatch{};
|
||||||
if (std::regex_match(line, match, mapRegex))
|
if (std::regex_match(line, match, mapRegex))
|
||||||
unchecked.emplace((format("{%1%:%2%}") % mapFile % n).str(), match[1]);
|
unchecked.emplace((format("{memory:%1%:%2%}") % mapFile % n++).str(), match[1]);
|
||||||
}
|
}
|
||||||
|
|
||||||
auto envFile = (format("/proc/%1%/environ") % ent->d_name).str();
|
auto envFile = (format("/proc/%1%/environ") % ent->d_name).str();
|
||||||
|
@ -446,7 +446,7 @@ void LocalStore::findRuntimeRoots(Roots & roots)
|
||||||
auto env_end = std::sregex_iterator{};
|
auto env_end = std::sregex_iterator{};
|
||||||
n = 0;
|
n = 0;
|
||||||
for (auto i = std::sregex_iterator{envString.begin(), envString.end(), storePathRegex}; i != env_end; ++i)
|
for (auto i = std::sregex_iterator{envString.begin(), envString.end(), storePathRegex}; i != env_end; ++i)
|
||||||
unchecked.emplace((format("{%1%:%2%}") % envFile % envString).str(), i->str());
|
unchecked.emplace((format("{memory:%1%:%2%}") % envFile % n++).str(), i->str());
|
||||||
} catch (SysError & e) {
|
} catch (SysError & e) {
|
||||||
if (errno == ENOENT || errno == EACCES || errno == ESRCH)
|
if (errno == ENOENT || errno == EACCES || errno == ESRCH)
|
||||||
continue;
|
continue;
|
||||||
|
@ -467,7 +467,7 @@ void LocalStore::findRuntimeRoots(Roots & roots)
|
||||||
for (const auto & line : lsofLines) {
|
for (const auto & line : lsofLines) {
|
||||||
std::smatch match;
|
std::smatch match;
|
||||||
if (std::regex_match(line, match, lsofRegex))
|
if (std::regex_match(line, match, lsofRegex))
|
||||||
unchecked.emplace((format("{%1%:%2%}" % LSOF % n++).str(), match[1]);
|
unchecked.emplace((format("{memory:%1%:%2%}" % LSOF % n++).str(), match[1]);
|
||||||
}
|
}
|
||||||
} catch (ExecError & e) {
|
} catch (ExecError & e) {
|
||||||
/* lsof not installed, lsof failed */
|
/* lsof not installed, lsof failed */
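Review bot: The rewritten lsof line keeps an expression that does not parse as printed: in `(format("{memory:%1%:%2%}" % LSOF % n++).str()` the `format(` call is not closed before `% LSOF`, so `%` is applied to the string literal and the parentheses do not balance. Since the line is being edited anyway, `unchecked.emplace((format("{memory:%1%:%2%}") % LSOF % n++).str(), match[1]);` would match the other call sites in this commit. This branch may only be built on some platforms, which would explain the error going unnoticed. The enclosing `try` block and the declaration of `n` are outside the hunk.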
|
||||||
|
|
|
@ -478,8 +478,15 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
|
||||||
Roots roots = store->findRoots();
|
Roots roots = store->findRoots();
|
||||||
logger->stopWork();
|
logger->stopWork();
|
||||||
to << roots.size();
|
to << roots.size();
|
||||||
for (auto & i : roots)
|
int n = 0;
|
||||||
to << i.first << i.second;
|
for (auto & i : roots) {
|
||||||
|
// Obfuscate 'memory' roots as they exposes information about other users,
|
||||||
|
if (i.first.rfind("{memory:", 0) == 0) {
|
||||||
|
to << fmt("{memory:%d}", n++) << i.second;
|
||||||
|
} else {
|
||||||
|
to << i.first << i.second;
|
||||||
|
}
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
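Review bot: The loop rewrites every key starting with `{memory:` for all clients, but the commit title limits the obfuscation to non-root users and nothing in the visible hunk checks who the caller is. Either gate the rewrite on the caller's privilege, if `performOp` has that information (its signature is cut off in the hunk header), or reword the title and comment to say the labels are always hidden on the daemon path. The prefix test `i.first.rfind("{memory:", 0) == 0` also relies on a string literal repeated across two files; a shared constant would keep the producer and this filter from drifting apart, since a mismatch would silently send the unobfuscated `/proc/<pid>/...` names. The comment would read better as `// Obfuscate 'memory' roots as they expose information about other users.`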
|
||||||
|
|
||||||
|
|