Commit Graph

91 Commits (4c0cdae4e5c4b81ca363c9ee48e423df0850fb29)

Author SHA1 Message Date
Klemens Nanni 788eb772c8 OpenBSD: no need to read data files (logs)
One of the last changes missed this, but it is a NOOP anyway since
"rpath" is not pledged any longer.
2021-06-13 14:02:59 -04:00
Klemens Nanni 772c9789b7 OpenBSD: Drop now unneeded file system access for save file
All opening happens before unveil/pledge and the file handle is kept
open read/write so it can be used without any pledge.

Simpler/less code and less chances to write other files (accidentally).
2021-06-11 20:57:40 -04:00
Klemens Nanni cdd4ccf16f Open save file once in uiLoad() and keep it open until uiSave()
Opening the same file *path* twice is a TOCTOU, although not a critical
one: worst case we load from one file and save to another - the impact
depends on how and when catgirl is started the next time anyway.

More importantly, keeping the file handle open at runtime allows us to
drop all filesystem related promises for `-s/save' on OpenBSD.

uiLoad() now opens "r+", meaning "Open for reading and writing." up
front so uiSave() can write to it.  In the case of a nonexistent save
file, it now opens with "w" meaning "Open for writing.  The file is
created if it does not exist.", i.e. the same write/create semantics as
"w" except uiLoad() no longer truncates existing files.

uiSave() now truncates the save file to avoid appending in general.
2021-06-11 20:57:40 -04:00
Klemens Nanni 4aa3da5786 OpenBSD: Hoist loading save file to drop filesystem read-access
After TLS cert/key files, the save file is the only file being read from;
do so before pledging and drop the "rpath" promise altogether: log files
will only be created and written to.
2021-06-11 12:51:00 -04:00
C. McEnroe 275d657b8b Move unveilAll back into main
It doesn't do as much anymore, so move it back inline.
2021-06-10 15:40:45 -04:00
Klemens Nanni 552cd49833 OpenBSD: Drop now unneeded promise from initial pledge
Both ssl(8) as well as ncurses(3) related files are now read completely
by the time of ircConfig() and uiInitEarly() respectively, so read
access to the filesystem is no longer needed at all unless the "log" or
"save" options are used.
2021-06-10 14:44:35 -04:00
Klemens Nanni 71a84aa502 OpenBSD: Remove now obsolete unveil code
Previous tls_default_ca_cert_file(3) hoisting makes this possible: all
TLS related files are fully loaded into memory by ircConfig() such that
ircConnect() will not do any file I/O.

Call ircConfig() before pledge(2) in the `-o' "print cert" case so this
works out -- that order should have been preserved in the previous
a989e15 "OpenBSD: hoist -o/printCert code to simplify" but fixing it now
nicely demonstrates the achievement even more so.
2021-06-10 14:44:35 -04:00
C. McEnroe e066a954f5 Replace catf with seprintf 2021-06-09 11:56:35 -04:00
Klemens Nanni 3d931d0f5a OpenBSD: pledge minimum promises from the start
catgirl needs:
- "stdio tty" at all times
- "rpath inet dns" once at startup for terminfo(5) and ssl(8)
- "proc exec" iff -R/restrict option is disabled
- "rpath wpath cpath" iff -s/save or -l/log option is enabled

Status quo:  catgirl starts with the superset of all possible promises
"stdio rpath wpath cpath inet dns tty proc exec", drops offline with
"stdio rpath wpath cpath tty proc exec" and possibly drops to either of
"stdio rpath wpath cpath tty", "stdio tty proc exec" or "stdio tty"
depending on the options used.

Such step-by-step reduction is straightforward and easy to model along
the process runtime, but it comes with the drawback of starting with
too broad promises right from the beginning, i.e. `catgirl -R -h host'
is able to execute code and write to filesystems even though it must
never do so according to the (un)used options.

Lay out required promises up front and pledge in two stages:
1. initial setup, i.e. fixed "stdio tty" plus temporary "rpath inet dns"
   plus potential "rpath wpath cpath" plus potential "proc exec"
2. final runtime, i.e. fixed "stdio tty"
   plus potential "rpath wpath cpath" plus potential "proc exec"

This way the above mentioned usage example can never execute or write
files, hence less potential for bugs and more accurate modelling of
catgirl's runtime -- dropping "inet dns" alone in between also becomes
obsolete with this approach.
2021-06-09 09:41:22 -04:00
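
An added example, not catgirl's code and not part of the commit above: it models the two-stage promise layout that commit 3d931d0f5a describes and checks that the runtime set never asks for a promise the setup set lacked. `struct Opts`, `promises()` and `subset()` are hypothetical names; the pledge(2) calls compile only on OpenBSD.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <err.h>
#include <unistd.h>
#endif

// Hypothetical flags standing in for -R/restrict, -s/save and -l/log.
struct Opts { bool restricted, save, log; };
enum Stage { StageSetup, StageRuntime };

// Build the promise string for one stage as listed in the commit message.
static char *promises(enum Stage stage, struct Opts o, char *buf, size_t cap) {
	bool files = o.save || o.log;
	snprintf(buf, cap, "stdio tty%s%s%s",
		(stage == StageSetup ? " rpath inet dns" : (files ? " rpath" : "")),
		(files ? " wpath cpath" : ""),
		(!o.restricted ? " proc exec" : ""));
	return buf;
}

// pledge(2) fails with EPERM when a later call tries to add promises,
// so every runtime promise must already be present in the setup set.
static bool subset(const char *sub, const char *super) {
	char copy[128], hay[130];
	snprintf(copy, sizeof(copy), "%s", sub);
	snprintf(hay, sizeof(hay), " %s ", super);
	for (char *p = strtok(copy, " "); p; p = strtok(NULL, " ")) {
		char needle[32];
		snprintf(needle, sizeof(needle), " %s ", p);
		if (!strstr(hay, needle)) return false;
	}
	return true;
}

int main(void) {
	struct Opts o = { .restricted = true }; // like `catgirl -R -h host`
	char setup[128], runtime[128];
	promises(StageSetup, o, setup, sizeof(setup));
	promises(StageRuntime, o, runtime, sizeof(runtime));
	printf("setup:   %s\nruntime: %s\n", setup, runtime);
#ifdef __OpenBSD__
	if (pledge(setup, NULL)) err(1, "pledge");
	// ... terminfo, TLS files and the connection are handled here ...
	if (pledge(runtime, NULL)) err(1, "pledge");
#endif
	return subset(runtime, setup) ? 0 : 1;
}
```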
Klemens Nanni c97a9eb870 OpenBSD: unveil after ncurses(3) init to support TERMINFO
initscr(3) in uiInitEarly() attempts more than /usr/share/terminfo/, see
`mandoc -O tag=TERMINFO ncurses`.

Even though non-default terminfo handling seems rare and it is unlikely
to have ever caused a problem for catgirl users on OpenBSD, the current
is still wrong by oversimplifying it.

Avoid the entire curses/unveil clash by setting up the screen before
unveiling.
2021-06-09 09:21:51 -04:00
Klemens Nanni a989e156a1 OpenBSD: hoist -o/printCert code to simplify
Nothing but the TLS handshake is required, so skip all other setup.

On OpenBSD, unveil() handling needs fixing which will involve code
reshuffling -- this is the first related but standalone step.

Also pledge this one-off code path individually such with simpler and
tighter promises while here.
2021-06-09 09:21:17 -04:00
C. McEnroe 7ea14eec84 Pad kiosk username with zero, not space
Oops!
2021-06-06 10:24:22 -04:00
Klemens Nanni 0fe004c5c4 OpenBSD: unveil XDG directories only when needed
The (not perfectly obvious) way catgirl crafts directories gets triggered
by unveilAll() even if no passed option requires filesystem access:

	$ env -i TERM=xterm ./catgirl -h irc.hackint.eu -R -n nobody
	catgirl: HOME unset

Here unveil(2) is used due to the "restrict" option, but besides terminfo(5)
and certificates catgirl does not need any other files, yet it tries to init
the data path -- passing XDG_DATA_HOME=/var/empty makes above invocation work
showing how the then successful path setup is not required.

Fix this by not unveiling the unneeded data path in the first place.
2021-06-06 10:18:52 -04:00
C. McEnroe 6d5bcf72c1 Hash the username in kiosk mode
So that the first part of $SSH_CLIENT can be passed as username.
2021-05-27 11:45:47 -04:00
C. McEnroe 6435dfdda5 Disable nick and channel colors with hash bound 0 2021-03-08 10:47:18 -05:00
C. McEnroe 06fb025496 Error if hash bound is less than 2
Bad things happen otherwise.
2021-02-25 22:36:06 -05:00
C. McEnroe d6ff9e53cf Change default timestamp format to %X
This respects the user's locale settings.
2021-01-27 14:18:20 -05:00
C. McEnroe c118c594e3 Add toggleable display of timestamps 2021-01-27 00:15:46 -05:00
Klemens Nanni bc3bd95648 Drop filesystem access iff possible
Log files and state save/restore both require read/write access to
the filesystem, both during start and exit.

If neither feature is used, catgirl may run with "stdio tty".
2021-01-23 00:48:19 -05:00
Klemens Nanni 837c9efce4 Drop exec capability iff restricted
Nothing must be executed when running /copy, et al.
2021-01-23 00:48:19 -05:00
Klemens Nanni c93c56e4e5 Drop network capability after ircConnect()
catgirl has no reconnect feature and generally must not do
anything but read/write from/to the connected socket which
does not require "inet" or "dns" promises.
2021-01-23 00:48:19 -05:00
Klemens Nanni a19f48d840 Call pledge(2) after unveil(2)
Simplify logic, be more idiomatic and finalize by pledging after
all unveiling is done by omitting the "unveil" promise and thereby
not allowing further calls to it.
2021-01-23 00:48:19 -05:00
C. McEnroe 95bb627ffb Separate kiosk mode from restrict mode
Restrict mode will focus on sandboxing, while kiosk will continue
to restrict IRC access through a public kiosk. Kiosk mode without
restrict mode allows execution of man 1 catgirl with /help, assuming
external sandboxing.

The /list and /part commands are also added to the list of disabled
commands in kiosk mode, since they are pointless without access to
/join.
2021-01-23 00:48:15 -05:00
C. McEnroe 063f2aaa0c Add -I highlight option and /highlight 2021-01-16 14:15:00 -05:00
C. McEnroe 5a490945ea Rename ignore code to filter 2021-01-16 13:36:39 -05:00
C. McEnroe df280aa7d6 Sandbox with unveil(2) on OpenBSD in restricted mode
I wrote all this in vi and it was nice.
2021-01-10 19:23:01 -05:00
C. McEnroe c6cd90c2dd Print chain to stdout with -o 2021-01-10 18:00:41 -05:00
C. McEnroe 7b8bd50063 Exit immediately when using -o 2021-01-10 11:47:48 -05:00
C. McEnroe e42b3aa08e Add -o and -t options to trust self-signed certificates 2021-01-09 19:11:57 -05:00
C. McEnroe a324795b86 Allow configuring the upper bound of the hash function
This allows limiting the nick colors used to the 16-color terminal set
without modifying the TERM environment variable. Produces different
results from just using the default configuration in a 16-color
terminal, but what can you do?
2021-01-09 17:58:29 -05:00
C. McEnroe 9ea029c580 Sandbox with pledge(2) on OpenBSD 2021-01-06 21:47:56 -05:00
C. McEnroe d6b4aed4df Split /exec lines by \r as well as \n
This fixes local rendering of /exec toilet --irc, which outputs \r\n
line endings.
2020-11-24 19:15:57 -05:00
C. McEnroe 59006d18bb Avoid eating C-c while connecting
Split UI initialization into two steps either side of the call to
connect, so that C-c works as interrupt while it's blocked.
2020-10-12 19:25:08 -04:00
C. McEnroe d9a0364cb4 Use configPath to load TLS cert/priv 2020-08-20 14:56:13 -04:00
C. McEnroe 814c36223a Say "OpenSSL" in additional permission notices
LibreSSL is "a modified version of that library".
2020-08-04 12:19:14 -04:00
C. McEnroe 94fb9798c5 Bump ParamCap to 254
Apparently IRCds have decided that the 15-parameter limit doesn't matter
anymore. 254 is the maximum number of single-byte parameters (following
a single-byte command) which fit in a 512-byte CR-LF-terminated line.
When everyone decides that the 512-byte line length limit doesn't matter
either, I will delete my software and people can use some JavaScript
garbage instead.

This makes struct Message 2080 bytes, but there's only ever one or two
of them around at once. Avoid passing it by value to handle.
2020-06-24 13:36:24 -04:00
C. McEnroe 721c3a9ee6 Add additional permission for linking with LibreSSL
https://www.gnu.org/licenses/gpl-faq.en.html#GPLIncompatibleLibs
2020-06-08 17:48:07 -04:00
C. McEnroe 4282574c18 Revert "Send blank line after 10 minutes idle"
This reverts commit 1d5c4a5e34.

This is fixed instead by pounce using TCP keepalive.
2020-05-18 14:48:22 -04:00
C. McEnroe 2d36c4d7c9 Use a for loop for getopt 2020-04-02 16:13:23 -04:00
C. McEnroe 06543b7030 Generate short option string with a loop
Also change the way option structs are initialized so that the array
sorts the same way as the switch statement.
2020-04-02 14:14:43 -04:00
C. McEnroe 25f419465f Add /ignore message filtering patterns 2020-03-31 14:30:42 -04:00
C. McEnroe ff78362826 Replace some declaration; while loops with for loops
I should have been using this for getopt loops already but the call here
is slightly too long to fit on one line as a for loop.
2020-03-30 19:44:45 -04:00
C. McEnroe a0dde10cb6 Add text macros 2020-03-30 14:56:26 -04:00
C. McEnroe d99f20c0ff Add logging functions
The mkdir dance is a bit awkward...
2020-03-25 18:56:09 -04:00
C. McEnroe cf1545870a Assume worst case for unknown user and host in splitMessage
The default USERLEN of 9 doesn't have a great source, the RFC only says
that nicks are length 9, so my assumption is that usernames are not
longer.
2020-03-23 13:25:10 -04:00
C. McEnroe 1d5c4a5e34 Send blank line after 10 minutes idle
Without this, I was having catgirl "time out" from pounce's POV, but
without catgirl noticing anything... I still don't understand this. Been
using this fix for a couple weeks though and it stopped happening, and
it's otherwise harmless, but yikes.
2020-03-17 11:58:50 -04:00
C. McEnroe b20be7cbad Various small cleanups
Haven't really gone through ui.c yet.
2020-02-16 23:05:43 -05:00
C. McEnroe fa4e81d480 Set defaults for various types of modes
These are actually from RFC 1459, since that seems to be the more likely
lowest common denominator, so I should maybe add it to STANDARDS (along
with ircdocs' section on ISUPPORT). RFC 2812 has a lot of stuff that
isn't currently used.
2020-02-15 22:59:04 -05:00
C. McEnroe 700b5d5870 Replace small integers in size_t with uint 2020-02-15 22:19:55 -05:00
C. McEnroe 42d106260b Separate network info from self 2020-02-15 04:54:53 -05:00