From 08ff0af8986099e6fb1d8a94c7ce62c83e4df7f1 Mon Sep 17 00:00:00 2001
From: Maria Matejka <mq@ucw.cz>
Date: Mon, 24 Jun 2024 13:46:12 +0200
Subject: [PATCH] Additional CLI sockets may now be restricted

This allows to have one main socket for the heavy operations
very restricted just for the appropriate users, whereas the
looking glass socket may be more open.

Implemented an idea originally submitted and requested by Akamai.
---
 conf/confbase.Y      |  1 -
 doc/bird.sgml        |  5 +++++
 nest/cli.c           |  6 +++++-
 nest/cli.h           |  3 ++-
 sysdep/unix/config.Y | 20 ++++++++++++++------
 sysdep/unix/main.c   |  4 ++--
 6 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/conf/confbase.Y b/conf/confbase.Y
index 4bf70ccf..cdbdf1ce 100644
--- a/conf/confbase.Y
+++ b/conf/confbase.Y
@@ -100,7 +100,6 @@ CF_DECLS
   mpls_label_stack *mls;
   const struct adata *bs;
   struct aggr_item_node *ai;
-  struct cli_config *cli;
 }
 
 %token END CLI_MARKER INVALID_TOKEN ELSECOL DDOT
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 5acdf7c1..e2050c13 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -1253,6 +1253,11 @@ socket multiple times and BIRD may behave weirdly if this happens. On shutdown,
 the additional sockets get removed immediately and only the main socket stays
 until the very end.
 
+<p>The remote control socket can be also set as restricted by
+<cf/cli "name" { restrict; };/ instead of sending the <cf/restrict/ command
+after connecting. The user may still overload the daemon by requesting insanely
+complex filters so you shouldn't expose this socket to public anyway.
+
 <sect>Usage
 <label id="remote-control-usage">
 
diff --git a/nest/cli.c b/nest/cli.c
index b54a0d76..4601f863 100644
--- a/nest/cli.c
+++ b/nest/cli.c
@@ -306,7 +306,7 @@ cli_event(void *data)
 }
 
 cli *
-cli_new(void *priv)
+cli_new(void *priv, struct cli_config *cf)
 {
   pool *p = rp_new(cli_pool, "CLI");
   cli *c = mb_alloc(p, sizeof(cli));
@@ -321,6 +321,10 @@ cli_new(void *priv)
   c->parser_pool = lp_new_default(c->pool);
   c->show_pool = lp_new_default(c->pool);
   c->rx_buf = mb_alloc(c->pool, CLI_RX_BUF_SIZE);
+
+  if (cf->restricted)
+    c->restricted = 1;
+
   ev_schedule(c->event);
   return c;
 }
diff --git a/nest/cli.h b/nest/cli.h
index c20f9c47..afcb6d55 100644
--- a/nest/cli.h
+++ b/nest/cli.h
@@ -60,6 +60,7 @@ struct cli_config {
   const char *name;
   struct config *config;
   uint uid, gid, mode;
+  _Bool restricted;
 };
 #include "lib/tlists.h"
 
@@ -81,7 +82,7 @@ static inline void cli_separator(cli *c)
 
 /* Functions provided to sysdep layer */
 
-cli *cli_new(void *);
+cli *cli_new(void *, struct cli_config *);
 void cli_init(void);
 void cli_free(cli *);
 void cli_kick(cli *);
diff --git a/sysdep/unix/config.Y b/sysdep/unix/config.Y
index 665b0b09..7607f34a 100644
--- a/sysdep/unix/config.Y
+++ b/sysdep/unix/config.Y
@@ -14,6 +14,7 @@ CF_HDR
 CF_DEFINES
 
 static struct log_config *this_log;
+static struct cli_config *this_cli_config;
 
 CF_DECLS
 
@@ -21,7 +22,6 @@ CF_KEYWORDS(LOG, SYSLOG, NAME, STDERR, UDP, PORT, CLI)
 CF_KEYWORDS(ALL, DEBUG, TRACE, INFO, REMOTE, WARNING, ERROR, AUTH, FATAL, BUG)
 CF_KEYWORDS(DEBUG, LATENCY, LIMIT, WATCHDOG, WARNING, TIMEOUT, THREADS)
 
-%type <cli> cli_opts
 %type <i> log_mask log_mask_list log_cat cfg_timeout
 %type <t> cfg_name
 %type <tf> timeformat_which
@@ -127,18 +127,26 @@ mrtdump_base:
 conf: cli ;
 
 cli: CLI text cli_opts {
-  $3->name = $2;
-  cli_config_add_tail(&new_config->cli, $3);
+  this_cli_config->name = $2;
+  cli_config_add_tail(&new_config->cli, this_cli_config);
+  this_cli_config = NULL;
 } ;
 
-cli_opts: ';' {
-  $$ = cfg_alloc(sizeof *$$);
-  *$$ = (typeof (*$$)) {
+cli_opts: cli_opts_begin '{' cli_opts_block '}' ';' | cli_opts_begin ';' ;
+
+cli_opts_begin: {
+  this_cli_config = cfg_alloc(sizeof *this_cli_config);
+  *this_cli_config = (typeof (*this_cli_config)) {
     .config = new_config,
     .mode = 0660,
   };
 };
 
+cli_opts_block:
+  /* EMPTY */ |
+  cli_opts_block RESTRICT { this_cli_config->restricted = 1; }
+;
+
 conf: debug_unix ;
 
 debug_unix:
diff --git a/sysdep/unix/main.c b/sysdep/unix/main.c
index 17f7edb5..880cc3c4 100644
--- a/sysdep/unix/main.c
+++ b/sysdep/unix/main.c
@@ -538,7 +538,7 @@ cli_connect(sock *s, uint size UNUSED)
   s->rx_hook = cli_rx;
   s->tx_hook = cli_tx;
   s->err_hook = cli_err;
-  s->data = c = cli_new(s);
+  s->data = c = cli_new(s, ((struct cli_listener *) s->data)->config);
   s->pool = c->pool;		/* We need to have all the socket buffers allocated in the cli pool */
   s->fast_rx = 1;
   c->rx_pos = c->rx_buf;
@@ -555,7 +555,7 @@ cli_listen(struct cli_config *cf)
   s->type = SK_UNIX_PASSIVE;
   s->rx_hook = cli_connect;
   s->err_hook = cli_connect_err;
-  s->data = cf;
+  s->data = l;
   s->rbsize = 1024;
   s->fast_rx = 1;