0
0
mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-12-22 17:51:53 +00:00

Additional CLI sockets may now be restricted

This allows to have one main socket for the heavy operations
very restricted just for the appropriate users, whereas the
looking glass socket may be more open.

Implemented an idea originally submitted and requested by Akamai.
This commit is contained in:
Maria Matejka 2024-06-24 13:46:12 +02:00
parent 5b53fe36e7
commit 064ac4dbb4
6 changed files with 32 additions and 11 deletions

View File

@ -100,7 +100,6 @@ CF_DECLS
mpls_label_stack *mls; mpls_label_stack *mls;
const struct adata *bs; const struct adata *bs;
struct aggr_item_node *ai; struct aggr_item_node *ai;
struct cli_config *cli;
} }
%token END CLI_MARKER INVALID_TOKEN ELSECOL DDOT %token END CLI_MARKER INVALID_TOKEN ELSECOL DDOT

View File

@ -1253,6 +1253,11 @@ socket multiple times and BIRD may behave weirdly if this happens. On shutdown,
the additional sockets get removed immediately and only the main socket stays the additional sockets get removed immediately and only the main socket stays
until the very end. until the very end.
<p>The remote control socket can be also set as restricted by
<cf/cli "name" { restrict; };/ instead of sending the <cf/restrict/ command
after connecting. The user may still overload the daemon by requesting insanely
complex filters so you shouldn't expose this socket to public anyway.
<sect>Usage <sect>Usage
<label id="remote-control-usage"> <label id="remote-control-usage">

View File

@ -306,7 +306,7 @@ cli_event(void *data)
} }
cli * cli *
cli_new(void *priv) cli_new(void *priv, struct cli_config *cf)
{ {
pool *p = rp_new(cli_pool, "CLI"); pool *p = rp_new(cli_pool, "CLI");
cli *c = mb_alloc(p, sizeof(cli)); cli *c = mb_alloc(p, sizeof(cli));
@ -321,6 +321,12 @@ cli_new(void *priv)
c->parser_pool = lp_new_default(c->pool); c->parser_pool = lp_new_default(c->pool);
c->show_pool = lp_new_default(c->pool); c->show_pool = lp_new_default(c->pool);
c->rx_buf = mb_alloc(c->pool, CLI_RX_BUF_SIZE); c->rx_buf = mb_alloc(c->pool, CLI_RX_BUF_SIZE);
c->config = cf;
config_add_obstacle(cf->config);
if (cf->restricted)
c->restricted = 1;
ev_schedule(c->event); ev_schedule(c->event);
return c; return c;
} }
@ -413,6 +419,7 @@ cli_free(cli *c)
c->cleanup(c); c->cleanup(c);
if (c == cmd_reconfig_stored_cli) if (c == cmd_reconfig_stored_cli)
cmd_reconfig_stored_cli = NULL; cmd_reconfig_stored_cli = NULL;
config_del_obstacle(c->config->config);
rfree(c->pool); rfree(c->pool);
} }

View File

@ -29,6 +29,7 @@ struct cli_out {
typedef struct cli { typedef struct cli {
node n; /* Node in list of all log hooks */ node n; /* Node in list of all log hooks */
struct cli_config *config; /* Configuration of the appropriate cli */
pool *pool; pool *pool;
void *priv; /* Private to sysdep layer */ void *priv; /* Private to sysdep layer */
byte *rx_buf, *rx_pos; /* sysdep */ byte *rx_buf, *rx_pos; /* sysdep */
@ -60,6 +61,7 @@ struct cli_config {
const char *name; const char *name;
struct config *config; struct config *config;
uint uid, gid, mode; uint uid, gid, mode;
_Bool restricted;
}; };
#include "lib/tlists.h" #include "lib/tlists.h"
@ -81,7 +83,7 @@ static inline void cli_separator(cli *c)
/* Functions provided to sysdep layer */ /* Functions provided to sysdep layer */
cli *cli_new(void *); cli *cli_new(void *, struct cli_config *);
void cli_init(void); void cli_init(void);
void cli_free(cli *); void cli_free(cli *);
void cli_kick(cli *); void cli_kick(cli *);

View File

@ -14,6 +14,7 @@ CF_HDR
CF_DEFINES CF_DEFINES
static struct log_config *this_log; static struct log_config *this_log;
static struct cli_config *this_cli_config;
CF_DECLS CF_DECLS
@ -21,7 +22,6 @@ CF_KEYWORDS(LOG, SYSLOG, NAME, STDERR, UDP, PORT, CLI)
CF_KEYWORDS(ALL, DEBUG, TRACE, INFO, REMOTE, WARNING, ERROR, AUTH, FATAL, BUG) CF_KEYWORDS(ALL, DEBUG, TRACE, INFO, REMOTE, WARNING, ERROR, AUTH, FATAL, BUG)
CF_KEYWORDS(DEBUG, LATENCY, LIMIT, WATCHDOG, WARNING, TIMEOUT, THREADS) CF_KEYWORDS(DEBUG, LATENCY, LIMIT, WATCHDOG, WARNING, TIMEOUT, THREADS)
%type <cli> cli_opts
%type <i> log_mask log_mask_list log_cat cfg_timeout %type <i> log_mask log_mask_list log_cat cfg_timeout
%type <t> cfg_name %type <t> cfg_name
%type <tf> timeformat_which %type <tf> timeformat_which
@ -127,18 +127,26 @@ mrtdump_base:
conf: cli ; conf: cli ;
cli: CLI text cli_opts { cli: CLI text cli_opts {
$3->name = $2; this_cli_config->name = $2;
cli_config_add_tail(&new_config->cli, $3); cli_config_add_tail(&new_config->cli, this_cli_config);
this_cli_config = NULL;
} ; } ;
cli_opts: ';' { cli_opts: cli_opts_begin '{' cli_opts_block '}' ';' | cli_opts_begin ';' ;
$$ = cfg_alloc(sizeof *$$);
*$$ = (typeof (*$$)) { cli_opts_begin: {
this_cli_config = cfg_alloc(sizeof *this_cli_config);
*this_cli_config = (typeof (*this_cli_config)) {
.config = new_config, .config = new_config,
.mode = 0660, .mode = 0660,
}; };
}; };
cli_opts_block:
/* EMPTY */ |
cli_opts_block RESTRICT { this_cli_config->restricted = 1; }
;
conf: debug_unix ; conf: debug_unix ;
debug_unix: debug_unix:

View File

@ -538,7 +538,7 @@ cli_connect(sock *s, uint size UNUSED)
s->rx_hook = cli_rx; s->rx_hook = cli_rx;
s->tx_hook = cli_tx; s->tx_hook = cli_tx;
s->err_hook = cli_err; s->err_hook = cli_err;
s->data = c = cli_new(s); s->data = c = cli_new(s, ((struct cli_listener *) s->data)->config);
s->pool = c->pool; /* We need to have all the socket buffers allocated in the cli pool */ s->pool = c->pool; /* We need to have all the socket buffers allocated in the cli pool */
s->fast_rx = 1; s->fast_rx = 1;
c->rx_pos = c->rx_buf; c->rx_pos = c->rx_buf;
@ -555,7 +555,7 @@ cli_listen(struct cli_config *cf)
s->type = SK_UNIX_PASSIVE; s->type = SK_UNIX_PASSIVE;
s->rx_hook = cli_connect; s->rx_hook = cli_connect;
s->err_hook = cli_connect_err; s->err_hook = cli_connect_err;
s->data = cf; s->data = l;
s->rbsize = 1024; s->rbsize = 1024;
s->fast_rx = 1; s->fast_rx = 1;