From a0dad605928945f5964d3d933eac103a8e0aec74 Mon Sep 17 00:00:00 2001 From: claudio Date: Fri, 19 Feb 2021 08:14:49 +0000 Subject: [PATCH] Move the mkpath() call from the rsync path to the main process. This allows to drop cpath from the rsync proc pledge (down to "stdio proc exec"). This will also make work easier with the upcoming http fetcher. OK tb@ --- usr.sbin/rpki-client/extern.h | 4 ++-- usr.sbin/rpki-client/main.c | 32 +++++++++++++++++++++++--------- usr.sbin/rpki-client/mkdir.c | 6 +++--- usr.sbin/rpki-client/rsync.c | 13 ++----------- 4 files changed, 30 insertions(+), 25 deletions(-) diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index f613a5677c4..ef0106fba73 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.45 2021/02/18 16:23:17 claudio Exp $ */ +/* $OpenBSD: extern.h,v 1.46 2021/02/19 08:14:49 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -449,7 +449,7 @@ int output_json(FILE *, struct vrp_tree *, struct stats *); void logx(const char *fmt, ...) __attribute__((format(printf, 1, 2))); -int mkpath(const char *); +int mkpath(int, const char *); #define RPKI_PATH_OUT_DIR "/var/db/rpki-client" #define RPKI_PATH_BASE_DIR "/var/cache/rpki-client" diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c index e6b1811a180..a63bc15f245 100644 --- a/usr.sbin/rpki-client/main.c +++ b/usr.sbin/rpki-client/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.101 2021/02/18 10:10:20 claudio Exp $ */ +/* $OpenBSD: main.c,v 1.102 2021/02/19 08:14:49 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -91,6 +92,7 @@ RB_PROTOTYPE(filepath_tree, filepath, entry, filepathcmp); static struct filepath_tree fpt = RB_INITIALIZER(&fpt); static struct msgbuf procq, rsyncq; +static int cachefd; const char *bird_tablename = "ROAS"; @@ -289,6 +291,15 @@ repo_fetch(struct repo *rp) return; } + /* + * Create destination location. + * Build up the tree to this point because GPL rsync(1) + * will not build the destination for us. + */ + + if (mkpath(cachefd, rp->local) == -1) + err(1, "%s", rp->local); + logx("%s: pulling from network", rp->local); if ((b = ibuf_dynamic(256, UINT_MAX)) == NULL) err(1, NULL); @@ -684,7 +695,7 @@ add_to_del(char **del, size_t *dsz, char *file) } static size_t -repo_cleanup(const char *cachedir) +repo_cleanup(int dirfd) { size_t i, delsz = 0; char *argv[2], **del = NULL; @@ -692,8 +703,8 @@ repo_cleanup(const char *cachedir) FTSENT *e; /* change working directory to the cache directory */ - if (chdir(cachedir) == -1) - err(1, "%s: chdir", cachedir); + if (fchdir(dirfd) == -1) + err(1, "fchdir"); for (i = 0; i < rt.reposz; i++) { if (asprintf(&argv[0], "%s", rt.repos[i].local) == -1) @@ -866,6 +877,9 @@ main(int argc, char *argv[]) goto usage; } + if ((cachefd = open(cachedir, O_RDONLY, 0)) == -1) + err(1, "cache directory %s", cachedir); + if (outformats == 0) outformats = FORMAT_OPENBGPD; @@ -891,8 +905,8 @@ main(int argc, char *argv[]) close(fd[1]); /* change working directory to the cache directory */ - if (chdir(cachedir) == -1) - err(1, "%s: chdir", cachedir); + if (fchdir(cachefd) == -1) + err(1, "fchdir"); /* Only allow access to the cache directory. */ if (unveil(cachedir, "r") == -1) @@ -924,8 +938,8 @@ main(int argc, char *argv[]) close(fd[1]); /* change working directory to the cache directory */ - if (chdir(cachedir) == -1) - err(1, "%s: chdir", cachedir); + if (fchdir(cachefd) == -1) + err(1, "fchdir"); if (pledge("stdio rpath cpath proc exec unveil", NULL) == -1) @@ -1088,7 +1102,7 @@ main(int argc, char *argv[]) if (outputfiles(&v, &stats)) rc = 1; - stats.del_files = repo_cleanup(cachedir); + stats.del_files = repo_cleanup(cachefd); logx("Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)", stats.roas, stats.roas_fail, stats.roas_invalid); diff --git a/usr.sbin/rpki-client/mkdir.c b/usr.sbin/rpki-client/mkdir.c index d9f466f721a..7369c3de4c5 100644 --- a/usr.sbin/rpki-client/mkdir.c +++ b/usr.sbin/rpki-client/mkdir.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mkdir.c,v 1.1 2021/02/02 18:33:11 claudio Exp $ */ +/* $OpenBSD: mkdir.c,v 1.2 2021/02/19 08:14:49 claudio Exp $ */ /* * Copyright (c) 1983, 1992, 1993 @@ -43,7 +43,7 @@ * dir_mode - file mode of intermediate directories */ int -mkpath(const char *dir) +mkpath(int dirfd, const char *dir) { char *path, *slash; int done; @@ -59,7 +59,7 @@ mkpath(const char *dir) done = (*slash == '\0'); *slash = '\0'; - if (mkdir(path, 0700) == -1 && errno != EEXIST) { + if (mkdirat(dirfd, path, 0700) == -1 && errno != EEXIST) { free(path); return (-1); } diff --git a/usr.sbin/rpki-client/rsync.c b/usr.sbin/rpki-client/rsync.c index 0285429d1d8..1f00a6ee596 100644 --- a/usr.sbin/rpki-client/rsync.c +++ b/usr.sbin/rpki-client/rsync.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsync.c,v 1.17 2021/02/16 08:52:00 claudio Exp $ */ +/* $OpenBSD: rsync.c,v 1.18 2021/02/19 08:14:49 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -167,7 +167,7 @@ proc_rsync(char *prog, char *bind_addr, int fd) if (unveil(NULL, NULL) == -1) err(1, "unveil"); - if (pledge("stdio cpath proc exec", NULL) == -1) + if (pledge("stdio proc exec", NULL) == -1) err(1, "pledge"); /* Initialise retriever for children exiting. */ @@ -261,15 +261,6 @@ proc_rsync(char *prog, char *bind_addr, int fd) assert(dst); assert(uri); - /* - * Create source and destination locations. - * Build up the tree to this point because GPL rsync(1) - * will not build the destination for us. - */ - - if (mkpath(dst) == -1) - err(1, "%s", dst); - /* Run process itself, wait for exit, check error. */ if ((pid = fork()) == -1) -- 2.20.1