Implement connections to TCP-based services

Both IPv4 and IPv6 are supported.  The port or both host and port can be
taken from the service argument instead of the symbolic link name.  Of
course, there are full unit tests.

Fixes: QubesOS/qubes-issues#9037

Author: DemiMarie

libqrexec/exec.c

@@ -27,11 +27,12 @@
 #include <stddef.h>
 #include <limits.h>
 
-#include <sys/socket.h>
 #include <sys/types.h>
+#include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/un.h>
 #include <sys/wait.h>
+#include <netdb.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include "qrexec.h"
@@ -206,7 +207,7 @@ static int qubes_connect(int s, const char *connect_path, const size_t total_pat
 }
 
 static int execute_qrexec_service(
-    const struct qrexec_parsed_command *cmd,
+    struct qrexec_parsed_command *cmd,
     int *pid, int *stdin_fd, int *stdout_fd, int *stderr_fd,
     struct buffer *stdin_buffer);
 
@@ -418,7 +419,7 @@ struct qrexec_parsed_command *parse_qubes_rpc_command(
         /* Parse service name ("qubes.Service") */
 
         const char *const plus = memchr(start, '+', descriptor_len);
-        size_t const name_len = plus != NULL ? (size_t)(plus - start) : descriptor_len;
+        size_t name_len = plus != NULL ? (size_t)(plus - start) : descriptor_len;
         if (name_len > NAME_MAX) {
             LOG(ERROR, "Service name too long to execute (length %zu)", name_len);
             goto err;
@@ -430,6 +431,7 @@ struct qrexec_parsed_command *parse_qubes_rpc_command(
         cmd->service_name = memdupnul(start, name_len);
         if (!cmd->service_name)
             goto err;
+        cmd->arg = plus != NULL ? plus + 1 : NULL;
 
         /* If there is no service argument, add a trailing "+" to the descriptor */
         cmd->service_descriptor = memdupnul(start, descriptor_len + (plus == NULL));
@@ -487,7 +489,7 @@ int execute_qubes_rpc_command(const char *cmdline, int *pid, int *stdin_fd,
 }
 
 int execute_parsed_qubes_rpc_command(
-        const struct qrexec_parsed_command *cmd, int *pid, int *stdin_fd,
+        struct qrexec_parsed_command *cmd, int *pid, int *stdin_fd,
         int *stdout_fd, int *stderr_fd, struct buffer *stdin_buffer) {
     if (cmd->service_descriptor) {
         // Proper Qubes RPC call
@@ -499,9 +501,156 @@ int execute_parsed_qubes_rpc_command(
                            pid, stdin_fd, stdout_fd, stderr_fd);
     }
 }
+static bool validate_port(const char *port) {
+#define MAXPORT "65535"
+#define MAXPORTLEN (sizeof MAXPORT - 1)
+    if (*port < '1' || *port > '9')
+        return false;
+    const char *p = port + 1;
+    for (; *p != 0; ++p) {
+        if (*p < '0' || *p > '9')
+            return false;
+    }
+    if (p - port > (ptrdiff_t)MAXPORTLEN)
+        return false;
+    if (p - port < (ptrdiff_t)MAXPORTLEN)
+        return true;
+    return memcmp(port, MAXPORT, MAXPORTLEN) <= 0;
+#undef MAXPORT
+#undef MAXPORTLEN
+}
+
+static int qubes_tcp_connect(const char *host, const char *port)
+{
+    // Work around a glibc bug: overly-large port numbers not rejected
+    if (!validate_port(port)) {
+        LOG(ERROR, "Invalid port number %s", port);
+        return -1;
+    }
+    /* If there is ':' or '%' in the host, then this must be an IPv6 address, not
+     * a hostname. */
+    bool const must_be_ipv6_addr = strchr(host, ':') != NULL || strchr(host, '%') != NULL;
+    LOG(DEBUG, "Connecting to %s%s%s:%s",
+               must_be_ipv6_addr ? "[" : "",
+               host,
+               must_be_ipv6_addr ? "]" : "",
+               port);
+    struct addrinfo hints = {
+        .ai_flags = AI_NUMERICSERV | (must_be_ipv6_addr ? AI_NUMERICHOST : 0),
+        .ai_family = must_be_ipv6_addr ? AF_INET6 : AF_UNSPEC,
+        .ai_socktype = SOCK_STREAM,
+        .ai_protocol = IPPROTO_TCP,
+    }, *addrs;
+    int rc = getaddrinfo(host, port, &hints, &addrs);
+    if (rc != 0) {
+        /* data comes from symlink or from qrexec service argument, which has already
+         * been sanitized */
+        LOG(ERROR, "getaddrinfo(%s, %s) failed: %s", host, port, gai_strerror(rc));
+        return -1;
+    }
+    rc = -1;
+    size_t addresses = 1, used_addresses = 0;
+    assert(addrs != NULL && "getaddrinfo() returned zero addresses");
+    for (struct addrinfo *p = addrs->ai_next; p != NULL; p = p->ai_next) {
+        addresses++;
+    }
+    struct pollfd *fds = calloc(addresses, sizeof(struct pollfd));
+    if (fds == NULL) {
+        LOG(ERROR, "Out of memory allocating %zu pollfds!", addresses);
+        goto freeaddrs;
+    }
+    for (struct addrinfo *p = addrs; p != NULL; p = p->ai_next) {
+        switch (p->ai_family) {
+        case AF_INET:
+            assert(p->ai_addrlen >= sizeof(struct sockaddr_in));
+            LOG(DEBUG, "Port number %d", ntohs(((struct sockaddr_in*)p->ai_addr)->sin_port));
+            break;
+        case AF_INET6:
+            assert(p->ai_addrlen >= sizeof(struct sockaddr_in6));
+            LOG(DEBUG, "Port number %d", ntohs(((struct sockaddr_in6*)p->ai_addr)->sin6_port));
+            break;
+        default:
+            LOG(ERROR, "Unknown socket family");
+            break;
+        }
+        int sockfd = socket(p->ai_family,
+                            p->ai_socktype | SOCK_CLOEXEC | SOCK_NONBLOCK,
+                            p->ai_protocol);
+        if (sockfd < 0) {
+            LOG(ERROR, "Cannot create socket, skipping");
+            continue;
+        }
+        int res = connect(sockfd, p->ai_addr, p->ai_addrlen);
+        if (res == 0) {
+            rc = sockfd;
+            goto done;
+        }
+        if (errno != EINPROGRESS) {
+            PERROR("connect");
+            close(sockfd);
+            continue;
+        }
+        fds[used_addresses].fd = sockfd;
+        fds[used_addresses].events = POLLIN|POLLOUT|POLLPRI|POLLRDHUP;
+        used_addresses++;
+    }
+    /* FIXME: USE EPOLL!!!!!!! */
+    while (used_addresses != 0) {
+        for (size_t i = 0; i < used_addresses; ++i) {
+            fds[i].revents = 0;
+        }
+        int res = poll(fds, used_addresses, 1000 /* 1 second */);
+        if (res > 0) {
+            struct pollfd *p = fds;
+            for (size_t i = 0; i < used_addresses; ++i) {
+                if (fds[i].revents == 0)
+                    *p++ = fds[i];
+                else if (fds[i].revents & ~(short)(POLLIN | POLLOUT)) {
+                    LOG(ERROR, "FD %d (offset %zu) had events 0%s%s%s%s%s%s", fds[i].fd, i,
+                        (fds[i].revents & POLLIN) ? " | POLLIN" : "",
+                        (fds[i].revents & POLLOUT) ? " | POLLOUT" : "",
+                        (fds[i].revents & POLLPRI) ? " | POLLPRI" : "",
+                        (fds[i].revents & POLLERR) ? " | POLLERR" : "",
+                        (fds[i].revents & POLLHUP) ? " | POLLHUP" : "",
+                        (fds[i].revents & POLLNVAL) ? " | POLLNVAL" : "");
+                    close(fds[i].fd);
+                    fds[i].fd = -1;
+                } else {
+                    rc = fds[i].fd;
+                    fds[i].fd = -1;
+                    goto done;
+                }
+            }
+            used_addresses = (size_t)(p - fds);
+        } else if (res == 0) {
+            LOG(ERROR, "TCP connection timeout");
+            break;
+        } else if (errno == EINTR || errno == EAGAIN) {
+            continue;
+        } else {
+            PERROR("poll");
+            break;
+        }
+    }
+done:
+    if (rc < 0)
+        LOG(ERROR, "None of %zu TCP sockets could connect", addresses);
+    else
+        LOG(DEBUG, "Connection succeeded");
+    /* Close all FDs but the chosen one */
+    for (size_t i = 0; i < used_addresses; ++i) {
+        if (fds[i].fd != -1) {
+            close(fds[i].fd);
+        }
+    }
+    free(fds);
+freeaddrs:
+    freeaddrinfo(addrs);
+    return rc;
+}
 
 static int execute_qrexec_service(
-        const struct qrexec_parsed_command *cmd,
+        struct qrexec_parsed_command *cmd,
         int *pid, int *stdin_fd, int *stdout_fd, int *stderr_fd,
         struct buffer *stdin_buffer) {
 
@@ -527,10 +676,11 @@ static int execute_qrexec_service(
         return -1;
     }
 
+    const char *desc = cmd->command + RPC_REQUEST_COMMAND_LEN + 1;
     if (S_ISSOCK(statbuf.st_mode)) {
         /* Socket-based service. */
         int s;
-        if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
+        if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 0)) == -1) {
             PERROR("socket");
             return -1;
         }
@@ -544,14 +694,62 @@ static int execute_qrexec_service(
         if (stderr_fd)
             *stderr_fd = -1;
         *pid = 0;
-        set_nonblock(s);
 
         if (cmd->send_service_descriptor) {
             /* send part after "QUBESRPC ", including trailing NUL */
-            const char *desc = cmd->command + RPC_REQUEST_COMMAND_LEN + 1;
             buffer_append(stdin_buffer, desc, strlen(desc) + 1);
         }
         return 0;
+    } else if (S_ISLNK(statbuf.st_mode)) {
+        if (stderr_fd)
+            *stderr_fd = -1;
+        *pid = 0;
+        /* TCP-based service */
+        assert(memcmp(service_full_path, "/dev/tcp/", sizeof "/dev/tcp") == 0);
+        char *address = service_full_path + sizeof "/dev/tcp";
+        char *slash = strchr(address, '/');
+        char *host, *port;
+        if (slash == NULL) {
+            if (cmd->arg == NULL || *cmd->arg == ' ') {
+                LOG(ERROR, "No or empty argument provided, cannot connect to %s",
+                    service_full_path);
+                return -1;
+            }
+            char *ptr = cmd->service_descriptor + (cmd->arg - desc);
+            if (*address == '\0') {
+                /* Get both host and port from service arguments */
+                host = ptr;
+                port = strrchr(ptr, '+');
+                if (port == NULL) {
+                    LOG(ERROR, "No host provided, cannot connect at %s", service_full_path);
+                    return -1;
+                }
+                *port = '\0';
+                for (char *p = host; p < port; ++p) {
+                    if (*p == '_') {
+                        LOG(ERROR, "Underscore not allowed in hostname %s", host);
+                        return -1;
+                    }
+                    if (*p == '+')
+                        *p = ':';
+                }
+                port++;
+            } else {
+                /* Get just port from service arguments */
+                host = address;
+                port = ptr;
+            }
+        } else {
+            *slash = '\0';
+            host = address;
+            port = slash + 1;
+        }
+        int res = qubes_tcp_connect(host, port);
+        if (res == -1)
+            return -1;
+        *stdin_fd = *stdout_fd = res;
+        cmd->send_service_descriptor = false;
+        return 0;
     }
 
     if (euidaccess(service_full_path, X_OK) == 0) {

libqrexec/libqrexec-utils.h

@@ -48,7 +48,9 @@ struct buffer {
 #define WRITE_STDIN_BUFFERED  1 /* something still in the buffer */
 #define WRITE_STDIN_ERROR     2 /* write error, errno set */
 
-/* Parsed Qubes RPC or legacy command. */
+/* Parsed Qubes RPC or legacy command.
+ * The size of this structure is not part of the public API or ABI.
+ * Only use instances allocated by libqrexec-utils. */
 struct qrexec_parsed_command {
     const char *cmdline;
 
@@ -82,6 +84,13 @@ struct qrexec_parsed_command {
 
     /* For socket-based services: Should the service descriptor be sent? */
     bool send_service_descriptor;
+
+    /* Remaining fields are private to libqrexec-utils.  Do not access them
+     * directly - they may change in any update. */
+
+    /* Pointer to the argument, or NULL if there is no argument.
+     * Same buffer as "command" and "cmdline". */
+    const char *arg;
 };
 
 /* Parse a command, return NULL on failure. Uses cmd->cmdline
@@ -142,7 +151,7 @@ int fork_and_flush_stdin(int fd, struct buffer *buffer);
  * nonzero on failure.
  */
 int execute_parsed_qubes_rpc_command(
-        const struct qrexec_parsed_command *cmd, int *pid, int *stdin_fd,
+        struct qrexec_parsed_command *cmd, int *pid, int *stdin_fd,
         int *stdout_fd, int *stderr_fd, struct buffer *stdin_buffer);
 
 /**

libqrexec/process_io.c

@@ -76,7 +76,7 @@ static void close_stdout(int fd, bool restore_block) {
     } else if (shutdown(fd, SHUT_RD) == -1) {
         if (errno == ENOTSOCK)
             close(fd);
-        else
+        else if (errno != ENOTCONN) /* can happen with TCP, harmless */
             PERROR("shutdown close_stdout");
     }
 }