Implement connections to TCP-based services

DemiMarie · DemiMarie · commit 96192f773b4e · 2024-04-07T16:57:46.000-04:00
Both IPv4 and IPv6 are supported. The port or both host and port can be taken from the service argument instead of the symbolic link name. Fixes: QubesOS/qubes-issues#9037
diff --git a/libqrexec/exec.c b/libqrexec/exec.c
@@ -27,11 +27,12 @@
 #include <stddef.h>
 #include <limits.h>
 
-#include <sys/socket.h>
 #include <sys/types.h>
+#include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/un.h>
 #include <sys/wait.h>
+#include <netdb.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include "qrexec.h"
@@ -206,7 +207,7 @@ static int qubes_connect(int s, const char *connect_path, const size_t total_pat
 }
 
 static int execute_qrexec_service(
-    const struct qrexec_parsed_command *cmd,
+    struct qrexec_parsed_command *cmd,
     int *pid, int *stdin_fd, int *stdout_fd, int *stderr_fd,
     struct buffer *stdin_buffer);
 
@@ -265,21 +266,17 @@ static int find_file(
         if (res == 0 && S_ISLNK(statbuf->st_mode)) {
             if (buf != NULL) {
                 ssize_t res = readlink(buffer, buf, buffer_size);
-                if (res >= (ssize_t)(sizeof "/dev/tcp/" - 1) &&
-                        memcmp(buf, "/dev/tcp/", (sizeof "/dev/tcp/" - 1)) == 0) {
-                    if ((size_t)res >= buffer_size) {
-                        errno = ERANGE;
-                        rc = -2;
-                    } else {
-                        memcpy(buffer, buf, (size_t)res);
-                        buffer[res] = '\0';
-                        rc = 0;
-                    }
-                    goto done;
-                } else if (res < 0) {
+                if (res < (ssize_t)(sizeof "/dev/tcp") ||
+                        (size_t)res >= buffer_size ||
+                        memcmp(buf, "/dev/tcp/", sizeof "/dev/tcp") != 0) {
                     rc = -2;
-                    goto done;
+                } else {
+                    memcpy(buffer, buf, (size_t)res);
+                    buffer[res] = '\0';
+                    rc = 0;
+                    LOG(ERROR, "Symlink to /dev/tcp detected: value is %s", buffer);
                 }
+                goto done;
             }
             /* check if the symlink is valid */
             res = stat(buffer, statbuf);
@@ -410,7 +407,7 @@ struct qrexec_parsed_command *parse_qubes_rpc_command(
         /* Parse service name ("qubes.Service") */
 
         const char *const plus = memchr(start, '+', descriptor_len);
-        size_t const name_len = plus != NULL ? (size_t)(plus - start) : descriptor_len;
+        size_t name_len = plus != NULL ? (size_t)(plus - start) : descriptor_len;
         if (name_len > NAME_MAX) {
             LOG(ERROR, "Service name too long to execute (length %zu)", name_len);
             goto err;
@@ -426,6 +423,7 @@ struct qrexec_parsed_command *parse_qubes_rpc_command(
         }
         memcpy(cmd->service_name, start, name_len);
         cmd->service_name[name_len] = '\0';
+        cmd->arg = plus != NULL ? plus + 1 : NULL;
 
         /* If there is no service argument, add a trailing "+" to the descriptor */
         size_t const descriptor_buffer_size = descriptor_len + 1 + (plus == NULL);
@@ -493,7 +491,7 @@ int execute_qubes_rpc_command(const char *cmdline, int *pid, int *stdin_fd,
 }
 
 int execute_parsed_qubes_rpc_command(
-        const struct qrexec_parsed_command *cmd, int *pid, int *stdin_fd,
+        struct qrexec_parsed_command *cmd, int *pid, int *stdin_fd,
         int *stdout_fd, int *stderr_fd, struct buffer *stdin_buffer) {
     if (cmd->service_descriptor) {
         // Proper Qubes RPC call
@@ -506,8 +504,145 @@ int execute_parsed_qubes_rpc_command(
     }
 }
 
+static int qubes_tcp_connect(const char *host, const char *port)
+{
+    // Work around a glibc bug: overly-large port numbers not rejected
+    {
+        if (*port < '1' || *port > '9')
+            goto invalid_port;
+        const char *end = port;
+        errno = 0;
+        long r = strtol(port, (char **)&end, 10);
+        if (r < 1 || r > 65535 || *end != 0 || errno)
+            goto invalid_port;
+    }
+    /* If there is ':' or '%' in the host, then this must be an IPv6 address, not
+     * a hostname. */
+    bool const must_be_ipv6_addr = strchr(host, ':') != NULL || strchr(host, '%') != NULL;
+    LOG(DEBUG, "Connecting to %s%s%s:%s",
+               must_be_ipv6_addr ? "[" : "",
+               host,
+               must_be_ipv6_addr ? "]" : "",
+               port);
+    struct addrinfo hints = {
+        .ai_flags = AI_NUMERICSERV | (must_be_ipv6_addr ? AI_NUMERICHOST : 0),
+        .ai_family = must_be_ipv6_addr ? AF_INET6 : AF_UNSPEC,
+        .ai_socktype = SOCK_STREAM,
+        .ai_protocol = IPPROTO_TCP,
+    }, *addrs;
+    int rc = getaddrinfo(host, port, &hints, &addrs);
+    if (rc != 0) {
+        /* data comes from symlink or from qrexec service argument, which has already
+         * been sanitized */
+        LOG(ERROR, "getaddrinfo(%s, %s) failed: %s", host, port, gai_strerror(rc));
+        return -1;
+    }
+    rc = -1;
+    size_t addresses = 1, used_addresses = 0;
+    assert(addrs != NULL && "getaddrinfo() returned zero addresses");
+    for (struct addrinfo *p = addrs->ai_next; p != NULL; p = p->ai_next) {
+        addresses++;
+    }
+    struct pollfd *fds = calloc(addresses, sizeof(struct pollfd));
+    if (fds == NULL) {
+        LOG(ERROR, "Out of memory allocating %zu pollfds!", addresses);
+        goto freeaddrs;
+    }
+    for (struct addrinfo *p = addrs; p != NULL; p = p->ai_next) {
+        switch (p->ai_family) {
+        case AF_INET:
+            assert(p->ai_addrlen >= sizeof(struct sockaddr_in));
+            LOG(DEBUG, "Port number %d", ntohs(((struct sockaddr_in*)p->ai_addr)->sin_port));
+            break;
+        case AF_INET6:
+            assert(p->ai_addrlen >= sizeof(struct sockaddr_in6));
+            LOG(DEBUG, "Port number %d", ntohs(((struct sockaddr_in6*)p->ai_addr)->sin6_port));
+            break;
+        default:
+            LOG(ERROR, "Unknown socket family");
+            break;
+        }
+        int sockfd = socket(p->ai_family,
+                            p->ai_socktype | SOCK_CLOEXEC | SOCK_NONBLOCK,
+                            p->ai_protocol);
+        if (sockfd < 0) {
+            LOG(ERROR, "Cannot create socket, skipping");
+            continue;
+        }
+        int res = connect(sockfd, p->ai_addr, p->ai_addrlen);
+        if (res == 0) {
+            rc = sockfd;
+            goto done;
+        }
+        if (errno != EINPROGRESS) {
+            PERROR("connect");
+            close(sockfd);
+            continue;
+        }
+        fds[used_addresses].fd = sockfd;
+        fds[used_addresses].events = POLLIN|POLLOUT|POLLPRI|POLLRDHUP;
+        used_addresses++;
+    }
+    /* FIXME: USE EPOLL!!!!!!! */
+    while (used_addresses != 0) {
+        for (size_t i = 0; i < used_addresses; ++i) {
+            fds[i].revents = 0;
+        }
+        int res = poll(fds, used_addresses, 1000 /* 1 second */);
+        if (res > 0) {
+            struct pollfd *p = fds;
+            for (size_t i = 0; i < used_addresses; ++i) {
+                if (fds[i].revents == 0)
+                    *p++ = fds[i];
+                else if (fds[i].revents & ~(short)(POLLIN | POLLOUT)) {
+                    LOG(ERROR, "FD %d (offset %zu) had events 0%s%s%s%s%s%s", fds[i].fd, i,
+                        (fds[i].revents & POLLIN) ? " | POLLIN" : "",
+                        (fds[i].revents & POLLOUT) ? " | POLLOUT" : "",
+                        (fds[i].revents & POLLPRI) ? " | POLLPRI" : "",
+                        (fds[i].revents & POLLERR) ? " | POLLERR" : "",
+                        (fds[i].revents & POLLHUP) ? " | POLLHUP" : "",
+                        (fds[i].revents & POLLNVAL) ? " | POLLNVAL" : "");
+                    close(fds[i].fd);
+                    fds[i].fd = -1;
+                } else {
+                    rc = fds[i].fd;
+                    fds[i].fd = -1;
+                    goto done;
+                }
+            }
+            used_addresses = (size_t)(p - fds);
+        } else if (res == 0) {
+            LOG(ERROR, "TCP connection timeout");
+            break;
+        } else if (errno == EINTR || errno == EAGAIN) {
+            continue;
+        } else {
+            PERROR("poll");
+            break;
+        }
+    }
+done:
+    if (rc < 0)
+        LOG(ERROR, "None of %zu TCP sockets could connect", addresses);
+    else
+        LOG(ERROR, "Connection succeeded");
+    /* Close all FDs but the chosen one */
+    for (size_t i = 0; i < used_addresses; ++i) {
+        if (fds[i].fd != -1) {
+            close(fds[i].fd);
+        }
+    }
+    free(fds);
+freeaddrs:
+    freeaddrinfo(addrs);
+    return rc;
+invalid_port:
+    LOG(ERROR, "Invalid port number %s", port);
+    return -1;
+}
+
 static int execute_qrexec_service(
-        const struct qrexec_parsed_command *cmd,
+        struct qrexec_parsed_command *cmd,
         int *pid, int *stdin_fd, int *stdout_fd, int *stderr_fd,
         struct buffer *stdin_buffer) {
 
@@ -533,10 +668,11 @@ static int execute_qrexec_service(
         return -1;
     }
 
+    const char *desc = cmd->command + RPC_REQUEST_COMMAND_LEN + 1;
     if (S_ISSOCK(statbuf.st_mode)) {
         /* Socket-based service. */
         int s;
-        if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
+        if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 0)) == -1) {
             PERROR("socket");
             return -1;
         }
@@ -550,14 +686,60 @@ static int execute_qrexec_service(
         if (stderr_fd)
             *stderr_fd = -1;
         *pid = 0;
-        set_nonblock(s);
 
         if (cmd->send_service_descriptor) {
             /* send part after "QUBESRPC ", including trailing NUL */
-            const char *desc = cmd->command + RPC_REQUEST_COMMAND_LEN + 1;
             buffer_append(stdin_buffer, desc, strlen(desc) + 1);
         }
         return 0;
+    } else if (S_ISLNK(statbuf.st_mode)) {
+        if (stderr_fd)
+            *stderr_fd = -1;
+        *pid = 0;
+        /* TCP-based service */
+        assert(memcmp(service_full_path, "/dev/tcp/", sizeof "/dev/tcp") == 0);
+        char *address = service_full_path + sizeof "/dev/tcp";
+        char *slash = strchr(address, '/');
+        char *host, *port;
+        if (slash == NULL) {
+            if (cmd->arg == NULL || *cmd->arg == ' ') {
+                LOG(ERROR, "No or empty argument provided, cannot connect to %s",
+                    service_full_path);
+                return -1;
+            }
+            char *ptr = cmd->service_descriptor + (cmd->arg - desc);
+            if (*address == '\0') {
+                /* Get both host and port from service arguments */
+                host = ptr;
+                port = strrchr(ptr, '+');
+                if (port == NULL) {
+                    LOG(ERROR, "No host provided, cannot connect at %s", service_full_path);
+                    return -1;
+                }
+                *port = '\0';
+                for (char *p = host; p < port; ++p) {
+                    if (*p == '_')
+                        *p = ':';
+                    else if (*p == '+')
+                        *p = '%';
+                }
+                port++;
+            } else {
+                /* Get just port from service arguments */
+                host = address;
+                port = ptr;
+            }
+        } else {
+            *slash = '\0';
+            host = address;
+            port = slash + 1;
+        }
+        int res = qubes_tcp_connect(host, port);
+        if (res == -1)
+            return -1;
+        *stdin_fd = *stdout_fd = res;
+        cmd->send_service_descriptor = false;
+        return 0;
     }
 
     if (euidaccess(service_full_path, X_OK) == 0) {
diff --git a/libqrexec/libqrexec-utils.h b/libqrexec/libqrexec-utils.h
@@ -48,7 +48,9 @@ struct buffer {
 #define WRITE_STDIN_BUFFERED  1 /* something still in the buffer */
 #define WRITE_STDIN_ERROR     2 /* write error, errno set */
 
-/* Parsed Qubes RPC or legacy command. */
+/* Parsed Qubes RPC or legacy command.
+ * The size of this structure is not part of the public API or ABI.
+ * Only use instances allocated by libqrexec-utils. */
 struct qrexec_parsed_command {
     const char *cmdline;
 
@@ -82,6 +84,13 @@ struct qrexec_parsed_command {
 
     /* For socket-based services: Should the service descriptor be sent? */
     bool send_service_descriptor;
+
+    /* Remaining fields are private to libqrexec-utils.  Do not access them
+     * directly - they may change in any update. */
+
+    /* Pointer to the argument, or NULL if there is no argument.
+     * Same buffer as "command" and "cmdline". */
+    const char *arg;
 };
 
 /* Parse a command, return NULL on failure. Uses cmd->cmdline
@@ -142,7 +151,7 @@ int fork_and_flush_stdin(int fd, struct buffer *buffer);
  * nonzero on failure.
  */
 int execute_parsed_qubes_rpc_command(
-        const struct qrexec_parsed_command *cmd, int *pid, int *stdin_fd,
+        struct qrexec_parsed_command *cmd, int *pid, int *stdin_fd,
         int *stdout_fd, int *stderr_fd, struct buffer *stdin_buffer);
 
 /**
diff --git a/libqrexec/process_io.c b/libqrexec/process_io.c
@@ -76,7 +76,7 @@ static void close_stdout(int fd, bool restore_block) {
     } else if (shutdown(fd, SHUT_RD) == -1) {
         if (errno == ENOTSOCK)
             close(fd);
-        else
+        else if (errno != ENOTCONN) /* can happen with TCP, harmless */
             PERROR("shutdown close_stdout");
     }
 }
diff --git a/qrexec/tests/socket/agent.py b/qrexec/tests/socket/agent.py

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ static void close_stdout(int fd, bool restore_block) {`
`76`	`76`	`} else if (shutdown(fd, SHUT_RD) == -1) {`
`77`	`77`	`if (errno == ENOTSOCK)`
`78`	`78`	`close(fd);`
`79`		`- else`
	`79`	`+ else if (errno != ENOTCONN) /* can happen with TCP, harmless */`
`80`	`80`	`PERROR("shutdown close_stdout");`
`81`	`81`	`}`
`82`	`82`	`}`