Commit Graph

116 Commits (78a020df8242ae5e4e2ac210bc8d85dc27b43bb6)

Author SHA1 Message Date
C. McEnroe d9388fa2a8 FreeBSD: Revert caph_enter(3) call to cap_enter(2)
caph_enter(3) is the same as cap_enter(2) except that it returns
success even if the kernel does not support capability mode. Since
we only enter capability mode when explicitly requested by the
restrict option, it should fail loudly if it is not supported. On
the other hand, we make calls to caph_rights_limit(3) and friends
in some places regardless of whether we actually enter capability
mode (to keep the code simple), so those should continue to succeed
even if capability mode is not supported.
2021-07-20 13:25:04 -04:00
Klemens Nanni f8e3414af0 Add -q/quiet option to raise default message visibility threshold
Silencing all windows with `M-+' (across multiple catgirl instances)
can be cumbersome, so provide an option to hide events, JOIN/PART noise,
etc. by default (each window's threshold will persist across load/save
cycles, i.e. when using the `-s/save' option).

Started out as `-v | visibility = threshold' to set a specific level,
the idea of a simpler toggle comes from june, who also squashed other
bugs (as usual).
2021-07-20 12:03:46 -04:00
C. McEnroe 2f8ec18e65 Move platform-dependent sandboxing code out of main
To keep the "main" sequence of events on one screen, while emphasizing
that sandboxing happens either side of ircConnect().
2021-07-13 16:28:33 -04:00
C. McEnroe ce53e309e6 Move all UI initialization together 2021-07-13 15:39:16 -04:00
Klemens Nanni ae332f6e8d Perform TLS handshake after final pledge
ircConnect() yields a connected TCP socket after which "inet dns" is
no longer needed.

Possibly having loaded private key material, it seems a tad more
comforting to speak TLS *after* dropping any network capabilities
(except for socket read/write to the IRC host, of course).

Instead of moving the final pledge into irc.c:ircConnect() and thus
complicating the code around pledge across two C modules, simply
stub out a mnemonic ircHandshake() and call that explicitly.

This restores behaviour gained with
981ebc4 "Remove explicit tls_handshake(3) from ircConnect" which
was reverted for other reasons.
2021-07-13 15:21:57 -04:00
C. McEnroe 54d899196c FreeBSD: Avoid caph_stream_rights(3)
caph_stream_rights(3) doesn't exist before FreeBSD 13.0 and there's
no good reason to create that dependency. I still run servers on
FreeBSD 12.

This is a partial revert of cbc9545cb3.
2021-07-13 15:16:22 -04:00
C. McEnroe c76d76205f Zero out server password after sending
Also send it directly using ircSend to avoid copying it and logging
it to <debug>.
2021-07-13 15:16:22 -04:00
Klemens Nanni 9559fe9d23 Make -o/printCert not load any files, pledge even earlier
No point in trying to load a self-signed server certificate which we
are about to get from the server in the first place.

No need to read client certificate/key files when all we want is the
server certificate:  in TLS the server always sends its certificate
before the client replies with any key material, i.e. catgirl sending
client data is useless.

catgirl(1) synopsis also notes how these options are irrelevant in the
-o/printCert case.

As a result, ircConfig() no longer requires any filesystem I/O in this
case, so hoist the purely network I/O related pledge() call to enforce
this -- more secure, self-documenting code!
2021-07-13 15:16:22 -04:00
Klemens Nanni 5bfba6df52 OpenBSD: merge unveil and pledge logic a bit
This reads somewhat clearer as code is grouped by features instead of
security mechanisms by simply merging identical tests/conditions.

No functional change.
2021-07-13 15:16:22 -04:00
Klemens Nanni 7793ca36bb OpenBSD: unveil logs regardless of restrict mode
Simplify logic and decouple the two features such that the code gets
even more self-documenting.

Previously `catgirl -R -l' would never unveil and therefore "proc exec"
could execute arbitrary paths without "rpath" as is usual unveil/pledge
semantic.

Now that `catgirl -l' alone triggers unveil(2), previous "proc exec"
alone is not enough since the first unveil() hides everything else from
filesystem;  unveil all of root executable-only in order to restore
non-restrict mode's visibility.

This yields distinct cases wrt. filesystem visibility
(hoisted save file functionality excluded):

1. restrict on,  log off:  no access
2. restrict on,  log on :  logdir write/create
3. restrict off, log off:  all exec-only
4. restrict off, log on :  logdir write/create, all else exec-only

In the first case `unveil("/", "")' could be used but with no benefit as
the later lack of "rpath wpath cpath", i.e. filesystem access is revoked
entirely by pledge alone already.

Practically, this does not change functionality but improves correctness
and readability.
2021-07-13 15:16:22 -04:00
C. McEnroe ca50352169 OpenBSD: unveil the log directory specifically
The call to logOpen() will have already created the directory. Still
use dataMkdir() as a convenient way to get the created path.
2021-06-28 09:57:10 -04:00
C. McEnroe cbc9545cb3 FreeBSD: Use capsicum_helpers.h 2021-06-28 09:11:02 -04:00
C. McEnroe 1239ffa689 FreeBSD: Limit rights on stdio and socket 2021-06-25 11:50:14 -04:00
C. McEnroe a0cc519829 Move setting CLOEXEC on socket to ircConnect 2021-06-25 11:50:14 -04:00
C. McEnroe 16b34e5cd2 FreeBSD: Enter capabilities mode if restricted 2021-06-25 11:50:14 -04:00
C. McEnroe fece6e6eb6 Keep log directory open, use mkdirat(2) and openat(2) 2021-06-25 11:50:14 -04:00
C. McEnroe 65280c0b60 Replace SIGWINCH XXX comment with better explanation 2021-06-21 18:27:35 -04:00
Klemens Nanni b6cedf7dba Register SIGWINCH handler before TLS connect
Otherwise resizing the terminal will end catgirl until a handler is
registered, e.g. while in ircConnect():

	catgirl: tls_handshake: (null)

Hoist registration right after uiInitEarly() as earliest possible point
in main() since initscr(3) sets up various signals incl. SIGWINCH, i.e.
initialise `cursesWinch' afterwards to pick up curses(3)'s handler.
2021-06-21 18:11:09 -04:00
Klemens Nanni 3a38e36717 OpenBSD: Only unveil used directories
dataMkdir() already picked the appropriate directory so make it
return that such that unveilData() can go as only that one directory
needs unveiling.
2021-06-20 20:21:00 -04:00
C. McEnroe a5a225c52c Add -m mode option to set user modes 2021-06-18 12:28:09 -04:00
C. McEnroe a8c1f02976 Clean up if restricted && logEnable, pipe creation 2021-06-17 18:26:09 -04:00
C. McEnroe d2bec49931 Send PINGs when server is quiet and die if no response
Every time we receive from the server, reset a timer. The first
time the timer triggers, send a PING. The second time the timer
triggers, die from ping timeout.

I'm not sure about these two intervals: 2 minutes of idle before a
PING, 30s for the server to respond to the PING.
2021-06-15 16:59:24 -04:00
Klemens Nanni b690bd0b83 OpenBSD: Simplify promise creation after seprintf() introduction
Just truncate the initial promises back to the final ones after pledging
for the first time, saving code and memory.

Assign `ptr' in all initial `seprintf()' calls for consistency while
here.
2021-06-15 13:20:09 -04:00
Klemens Nanni 3e0b38e48e OpenBSD: pledge final promises earlier
No need to wait for so long.

This also brings all the pledge code on one screen and helps show how
ircConnect() is the only relevant part in between initial and final
promises.
2021-06-14 17:15:11 -04:00
Klemens Nanni 1ccadd7c72 Treat `-T's optional argument as optional
`-T[format]' is not possible with getopt(3) but getopt_long(3) supports
"T::" exactly for that, so make the command line option go in line with
configuration files and documentation.

While here, check `has_arg' explicitly as getopt_long(3) only documents
mnemonic values not numerical ones.
2021-06-14 17:00:15 -04:00
Klemens Nanni 788eb772c8 OpenBSD: no need to read data files (logs)
One of the last changes missed this, but it is a NOOP anyway since
"rpath" is not pledged any longer.
2021-06-13 14:02:59 -04:00
Klemens Nanni 772c9789b7 OpenBSD: Drop now unneeded file system access for save file
All opening happens before unveil/pledge and the file handle is kept
open read/write so it can be used without any pledge.

Simpler/less code and less chances to write other files (accidentally).
2021-06-11 20:57:40 -04:00
Klemens Nanni cdd4ccf16f Open save file once in uiLoad() and keep it open until uiSave()
Opening the same file *path* twice is a TOCTOU, although not a critical
one: worst case we load from one file and save to another - the impact
depends on how and when catgirl is started the next time anyway.

More importantly, keeping the file handle open at runtime allows us to
drop all filesystem related promises for `-s/save' on OpenBSD.

uiLoad() now opens "r+", meaning "Open for reading and writing." up
front so uiSave() can write to it.  In the case of a nonexistent save
file, it now opens with "w" meaning "Open for writing.  The file is
created if it does not exist.", i.e. the same write/create semantics as
"w" except uiLoad() no longer truncates existing files.

uiSave() now truncates the save file to avoid appending in general.
2021-06-11 20:57:40 -04:00
Klemens Nanni 4aa3da5786 OpenBSD: Hoist loading save file to drop filesystem read-access
After TLS cert/key files, the save file is the only file being read from;
do so before pledging and drop the "rpath" promise altogether:  log files
will only be created and written to.
2021-06-11 12:51:00 -04:00
C. McEnroe 275d657b8b Move unveilAll back into main
It doesn't do as much anymore, so move it back inline.
2021-06-10 15:40:45 -04:00
Klemens Nanni 552cd49833 OpenBSD: Drop now unneeded promise from initial pledge
Both ssl(8) as well as ncurses(3) related files are now read completely
by the time of ircConfig() and uiInitEarly() respectively, so read
access to the filesystem is no longer needed at all unless the "log" or
"save" options are used.
2021-06-10 14:44:35 -04:00
Klemens Nanni 71a84aa502 OpenBSD: Remove now obsolete unveil code
Previous tls_default_ca_cert_file(3) hoisting makes this possible: all
TLS related files are fully loaded into memory by ircConfig() such that
ircConnect() will not do any file I/O.

Call ircConfig() before pledge(2) in the `-o' "print cert" case so this
works out -- that order should have been preserved in the previous
a989e15 "OpenBSD: hoist -o/printCert code to simplify" but fixing it now
nicely demonstrates the achievement even more so.
2021-06-10 14:44:35 -04:00
C. McEnroe e066a954f5 Replace catf with seprintf 2021-06-09 11:56:35 -04:00
Klemens Nanni 3d931d0f5a OpenBSD: pledge minimum promises from the start
catgirl needs:
- "stdio tty" at all times
- "rpath inet dns" once at startup for terminfo(5) and ssl(8)
- "proc exec" iff -R/restrict option is disabled
- "rpath wpath cpath" iff -s/save or -l/log option is enabled

Status quo:  catgirl starts with the superset of all possible promises
"stdio rpath wpath cpath inet dns tty proc exec", drops offline with
"stdio rpath wpath cpath tty proc exec" and possibly drops to either of
"stdio rpath wpath cpath tty", "stdio tty proc exec" or "stdio tty"
depending on the options used.

Such step-by-step reduction is straightforward and easy to model along
the process runtime, but it comes with the drawback of starting with
too broad promises right from the beginning, i.e. `catgirl -R -h host'
is able to execute code and write to filesystems even though it must
never do so according to the (un)used options.

Lay out required promises up front and pledge in two stages:
1. initial setup, i.e. fixed "stdio tty" plus temporary "rpath inet dns"
   plus potential "rpath wpath cpath" plus potential "proc exec"
2. final runtime, i.e. fixed "stdio tty"
   plus potential "rpath wpath cpath" plus potential "proc exec"

This way the above mentioned usage example can never execute or write
files, hence less potential for bugs and more accurate modelling of
catgirl's runtime -- dropping "inet dns" alone in between also becomes
obsolete with this approach.
2021-06-09 09:41:22 -04:00
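
The two-stage pledge laid out in the commit message above, combined with the "truncate the initial promises back to the final ones" idea from b690bd0b83, as an added example that is not catgirl's own code. The names `Opts`, `buildPromises`, `applyPledge` and `sandbox` are hypothetical, plain snprintf(3) stands in for seprintf(), and pledge(2) is only called when built on OpenBSD.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>
#endif

// Hypothetical flags standing in for the -R/restrict, -l/log and -s/save options.
struct Opts { bool restricted, log, save; };

// Write the initial promises into buf and return the length of the final
// promises, which are a prefix of the initial ones. Returns -1 if buf is too small.
int buildPromises(char *buf, size_t cap, struct Opts o) {
	bool files = o.log || o.save;
	int fin = snprintf(buf, cap, "stdio tty%s%s",
		files ? " rpath wpath cpath" : "", o.restricted ? "" : " proc exec");
	if (fin < 0 || (size_t)fin >= cap) return -1;
	// Temporary promises, needed only until the socket is connected.
	int tmp = snprintf(buf + fin, cap - fin, "%s inet dns", files ? "" : " rpath");
	if (tmp < 0 || (size_t)tmp >= cap - fin) return -1;
	return fin;
}

// pledge(2) exists only on OpenBSD; elsewhere this is a no-op so the example runs.
int applyPledge(const char *promises) {
#ifdef __OpenBSD__
	return pledge(promises, NULL);
#else
	(void)promises;
	return 0;
#endif
}

// Stage 1 pledge, run the connect step, then truncate to the final promises
// and pledge again. Returns the final promise string, or NULL on failure.
const char *sandbox(struct Opts o, int (*connectStep)(void)) {
	static char promises[64];
	int fin = buildPromises(promises, sizeof(promises), o);
	if (fin < 0 || applyPledge(promises) != 0) return NULL;
	if (connectStep && connectStep() < 0) return NULL;
	promises[fin] = '\0';
	return applyPledge(promises) == 0 ? promises : NULL;
}

int main(void) {
	struct Opts o = { .restricted = true };
	const char *final = sandbox(o, NULL);
	printf("final promises: %s\n", final ? final : "(failed)");
	return final ? 0 : 1;
}
```

Because the final promises are a prefix of the initial ones, the second stage can only ever drop promises, which is the direction pledge(2) permits.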
Klemens Nanni c97a9eb870 OpenBSD: unveil after ncurses(3) init to support TERMINFO
initscr(3) in uiInitEarly() attempts more than /usr/share/terminfo/, see
`mandoc -O tag=TERMINFO ncurses`.

Even though non-default terminfo handling seems rare and it is unlikely
to have ever caused a problem for catgirl users on OpenBSD, the current
is still wrong by oversimplifying it.

Avoid the entire curses/unveil clash by setting up the screen before
unveiling.
2021-06-09 09:21:51 -04:00
Klemens Nanni a989e156a1 OpenBSD: hoist -o/printCert code to simplify
Nothing but the TLS handshake is required, so skip all other setup.

On OpenBSD, unveil() handling needs fixing which will involve code
reshuffling -- this is the first related but standalone step.

Also pledge this one-off code path individually with simpler and
tighter promises while here.
2021-06-09 09:21:17 -04:00
C. McEnroe 7ea14eec84 Pad kiosk username with zero, not space
Oops!
2021-06-06 10:24:22 -04:00
Klemens Nanni 0fe004c5c4 OpenBSD: unveil XDG directories only when needed
The (not perfectly obvious) way catgirl crafts directories gets triggered
by unveilAll() even if no passed option requires filesystem access:

	$ env -i TERM=xterm ./catgirl -h irc.hackint.eu -R -n nobody
	catgirl: HOME unset

Here unveil(2) is used due to the "restrict" option, but besides terminfo(5)
and certificates catgirl does not need any other files, yet it tries to init
the data path -- passing XDG_DATA_HOME=/var/empty makes above invocation work
showing how the then successful path setup is not required.

Fix this by not unveiling the unneeded data path in the first place.
2021-06-06 10:18:52 -04:00
C. McEnroe 6d5bcf72c1 Hash the username in kiosk mode
So that the first part of $SSH_CLIENT can be passed as username.
2021-05-27 11:45:47 -04:00
C. McEnroe 6435dfdda5 Disable nick and channel colors with hash bound 0 2021-03-08 10:47:18 -05:00
C. McEnroe 06fb025496 Error if hash bound is less than 2
Bad things happen otherwise.
2021-02-25 22:36:06 -05:00
C. McEnroe d6ff9e53cf Change default timestamp format to %X
This respects the user's locale settings.
2021-01-27 14:18:20 -05:00
C. McEnroe c118c594e3 Add toggleable display of timestamps 2021-01-27 00:15:46 -05:00
Klemens Nanni bc3bd95648 Drop filesystem access iff possible
Log files and state save/restore both require read/write access to
the filesystem, both during start and exit.

If neither feature is used, catgirl may run with "stdio tty".
2021-01-23 00:48:19 -05:00
Klemens Nanni 837c9efce4 Drop exec capability iff restricted
Nothing must be executed when running /copy, et al.
2021-01-23 00:48:19 -05:00
Klemens Nanni c93c56e4e5 Drop network capability after ircConnect()
catgirl has no reconnect feature and generally must not do
anything but read/write from/to the connected socket which
does not require "inet" or "dns" promises.
2021-01-23 00:48:19 -05:00
Klemens Nanni a19f48d840 Call pledge(2) after unveil(2)
Simplify logic, be more idiomatic and finalize by pledging after
all unveiling is done by omitting the "unveil" promise and thereby
not allowing further calls to it.
2021-01-23 00:48:19 -05:00
C. McEnroe 95bb627ffb Separate kiosk mode from restrict mode
Restrict mode will focus on sandboxing, while kiosk will continue
to restrict IRC access through a public kiosk. Kiosk mode without
restrict mode allows execution of man 1 catgirl with /help, assuming
external sandboxing.

The /list and /part commands are also added to the list of disabled
commands in kiosk mode, since they are pointless without access to
/join.
2021-01-23 00:48:15 -05:00
C. McEnroe 063f2aaa0c Add -I highlight option and /highlight 2021-01-16 14:15:00 -05:00
C. McEnroe 5a490945ea Rename ignore code to filter 2021-01-16 13:36:39 -05:00