From patchwork Thu Dec 12 07:47:48 2024
X-Patchwork-Submitter: "ralf_lici (Code Review)"
X-Patchwork-Id: 3992
From: "d12fk (Code Review)"
Date: Thu, 12 Dec 2024 07:47:48 +0000
To: plaisthos, flichtenheld
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: I6b67e3a00dd84bf348b6af28115ee11138c3a111
X-Gerrit-Change-Number: 839
X-Gerrit-Project: openvpn
X-Gerrit-Commit: bd13f84e0b4e8a4629abb16cd11689d39d64c233
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [M] Change in openvpn[master]: dns: support running up/down script with privsep
Reply-To: heiko@openvpn.net, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/839?usp=email

to review the following change.

Change subject: dns: support running up/down script with privsep
......................................................................

dns: support running up/down script with privsep

With --user / --group privileges are dropped after init. Unfortunately
this affects --dns-script when tearing down previous modifications.
To keep the privileges for just that, the concept of a dns script
runner is introduced. It's basically a fork of openvpn at the time the
modifications to DNS are made. Its only capability is running the
--dns-script up/down when asked to. The parent openvpn process signals
this by writing to a pipe the runner is waiting on.

Scripts need to be ready to receive variables from a file instead of
the process environment. A shameless and effective workaround to keep
the protocol between the two processes simple.

Change-Id: I6b67e3a00dd84bf348b6af28115ee11138c3a111
Signed-off-by: Heiko Hund
---
M src/openvpn/dns.c
M src/openvpn/dns.h
M src/openvpn/env_set.c
M src/openvpn/env_set.h
M src/openvpn/init.c
M src/openvpn/openvpn.h
6 files changed, 222 insertions(+), 10 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/39/839/1

diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 2f21ed5..14c1270 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -532,13 +532,20 @@ } static int -do_run_up_down_script(bool up, const struct dns_options *o, const struct tuntap *tt) +do_run_up_down_script(bool up, const char *vars_file, const struct dns_options *o, const struct tuntap *tt) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); struct env_set *es = env_set_create(&gc); - script_env_set(up, o, tt, es); + if (vars_file) + { + setenv_str(es, "dns_vars_file", vars_file); + } + else + { + script_env_set(up, o, tt, es); + } argv_printf(&argv, "%s", o->script); argv_msg(M_INFO, &argv); 
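Review bot: when `vars_file` is non-NULL the script's environment shrinks to the single variable `dns_vars_file`, which changes the --dns-script contract whenever --user/--group is in use, but nothing in this change updates the dns-script documentation; a script that still reads its `dns_*` variables from the environment will silently see none of them. Please document the file (one env item per line, as `env_set_write_file` writes it), that it is only used once privileges have been dropped, and that the script is responsible for not leaving it behind if it copies it; otherwise consider exporting the `up`/`down` direction in the environment as well so scripts have at least that without parsing the file.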
@@ -549,11 +556,171 @@ return res; } +static bool +run_script_runner(bool up, struct options *o, const struct tuntap *tt, struct dns_script_runner_info *script_runner) +{ + int dns_pipe_fd[2]; + int ack_pipe_fd[2]; + if (pipe(dns_pipe_fd) != 0 + || pipe(ack_pipe_fd) != 0) + { + msg(M_ERR, "run_dns_up_down: unable to create pipes"); + return false; + } + script_runner->pid = fork(); + if (script_runner->pid == -1) + { + msg(M_ERR, "run_dns_up_down: unable to fork"); + close(dns_pipe_fd[0]); + close(dns_pipe_fd[1]); + close(ack_pipe_fd[0]); + close(ack_pipe_fd[1]); + return false; + } + else if (script_runner->pid > 0) + { + /* Parent process */ + close(dns_pipe_fd[0]); + close(ack_pipe_fd[1]); + script_runner->fds[0] = ack_pipe_fd[0]; + script_runner->fds[1] = dns_pipe_fd[1]; + } + else + { + /* Script runner process, close unused FDs */ + for (int fd = 3; fd < 100; ++fd) + { + if (fd != dns_pipe_fd[0] + && fd != ack_pipe_fd[1]) + { + close(fd); + } + } + + /* Ignore signals */ + signal(SIGINT, SIG_IGN); + signal(SIGHUP, SIG_IGN); + signal(SIGTERM, SIG_IGN); + signal(SIGUSR1, SIG_IGN); + signal(SIGUSR2, SIG_IGN); + signal(SIGPIPE, SIG_IGN); + + while (1) + { + ssize_t rlen, wlen; + char path[PATH_MAX]; + + /* Block here until parent sends a path */ + rlen = read(dns_pipe_fd[0], &path, sizeof(path)); + if (rlen < 1) + { + if (rlen == -1 && errno != EINTR) + { + continue; + } + close(dns_pipe_fd[0]); + close(ack_pipe_fd[1]); + exit(0); + } + + path[sizeof(path) - 1] = '\0'; + int res = do_run_up_down_script(up, path, &o->dns_options, tt); + platform_unlink(path); + + /* Unblock parent process */ + while (1) + { + wlen = write(ack_pipe_fd[1], &res, sizeof(res)); + if ((wlen == -1 && errno != EINTR) || wlen < sizeof(res)) + { + /* Not much we can do about errors but exit */ + close(dns_pipe_fd[0]); + close(ack_pipe_fd[1]); + exit(0); + } + else if (wlen == sizeof(res)) + { + break; + } + } + + up = !up; /* do the opposite next time */ + } + } + + return true; +} + 
+static const char * +write_dns_vars_file(bool up, const struct options *o, const struct tuntap *tt, struct gc_arena *gc) +{ + struct env_set *es = env_set_create(gc); + const char *dvf = platform_create_temp_file(o->tmp_dir, "dvf", gc); + + script_env_set(up, &o->dns_options, tt, es); + env_set_write_file(dvf, es); + + return dvf; +} + static void -run_up_down_script(bool up, struct options *o, const struct tuntap *tt) +run_up_down_script(bool up, struct options *o, const struct tuntap *tt, struct dns_script_runner_info *script_runner) { int status; - status = do_run_up_down_script(up, &o->dns_options, tt); + + if (!script_runner->required) + { + /* Run dns script directly */ + status = do_run_up_down_script(up, NULL, &o->dns_options, tt); + } + else + { + if (script_runner->pid < 1) + { + /* Need to set up privilege preserving child first */ + if (!run_script_runner(up, o, tt, script_runner)) + { + return; + } + } + + struct gc_arena gc = gc_new(); + int rfd = script_runner->fds[0]; + int wfd = script_runner->fds[1]; + const char *dvf = write_dns_vars_file(up, o, tt, &gc); + size_t dvf_size = strlen(dvf) + 1; + + while (1) + { + ssize_t len = write(wfd, dvf, dvf_size); + if (len < dvf_size) + { + if (len == -1 && errno == EINTR) + { + continue; + } + msg(M_ERR, "could not send dns vars filename"); + } + break; + } + + while (1) + { + ssize_t len = read(rfd, &status, sizeof(status)); + if (len < sizeof(status)) + { + if (len == -1 && errno == EINTR) + { + continue; + } + msg(M_ERR, "could not receive dns script status"); + } + break; + } + + gc_free(&gc); + } + msg(M_INFO, "dns script exited with status %d", status); } @@ -639,7 +806,7 @@ } void -run_dns_up_down(bool up, struct options *o, const struct tuntap *tt) +run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, struct dns_script_runner_info *dsri) { if (!o->dns_options.servers) { 
@@ -676,6 +843,6 @@ #ifdef _WIN32 run_up_down_service(up, o, tt); #else - run_up_down_script(up, o, tt); + run_up_down_script(up, o, tt, dsri); #endif /* ifdef _WIN32 */ } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 39a3393..47f7e5d 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -68,6 +68,14 @@ const char *sni; }; +struct dns_script_runner_info { + bool required; + int fds[2]; +#if !defined(_WIN32) + pid_t pid; +#endif +}; + struct dns_options { struct dns_domain *search_domains; struct dns_server *servers_prepull; @@ -153,8 +161,10 @@ * @param up Boolean to set this call to "up" when true * @param o Pointer to the program options * @param tt Pointer to the connection's tuntap struct + * @param dsri Pointer to the script runner info struct */ -void run_dns_up_down(bool up, struct options *o, const struct tuntap *tt); +void run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, + struct dns_script_runner_info *dsri); /** * Puts the DNS options into an environment set. diff --git a/src/openvpn/env_set.c b/src/openvpn/env_set.c index 81ab59e..3fe23fd 100644 --- a/src/openvpn/env_set.c +++ b/src/openvpn/env_set.c @@ -33,6 +33,7 @@ #include "env_set.h" #include "run_command.h" +#include "platform.h" /* * Set environmental variable (int or string). @@ -235,6 +236,30 @@ } void +env_set_write_file(const char *path, const struct env_set *es) +{ + FILE *fp = platform_fopen(path, "w"); + if (!fp) + { + msg(M_ERR, "could not write env set to '%s'", path); + return; + } + + if (es) + { + const struct env_item *item = es->list; + while (item) + { + fputs(item->string, fp); + fputc('\n', fp); + item = item->next; + } + } + + fclose(fp); +} + +void env_set_inherit(struct env_set *es, const struct env_set *src) { const struct env_item *e; diff --git a/src/openvpn/env_set.h b/src/openvpn/env_set.h index 4294d6e..70d01e2 100644 --- a/src/openvpn/env_set.h +++ b/src/openvpn/env_set.h 
@@ -91,6 +91,14 @@ void env_set_print(int msglevel, const struct env_set *es); +/** + * Write a struct env_set to a file. Each item on one line. + * + * @param path The filepath to write to. + * @param es Pointer to the env_set to write. + */ +void env_set_write_file(const char *path, const struct env_set *es); + void env_set_inherit(struct env_set *es, const struct env_set *src); /* returns true if environmental variable name starts with 'password' */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 36a9bca..541915f 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2008,7 +2008,7 @@ c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); } - run_dns_up_down(true, &c->options, c->c1.tuntap); + run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.dsri); /* run the up script */ run_up_down(c->options.up_script, @@ -2048,7 +2048,7 @@ /* explicitly set the ifconfig_* env vars */ do_ifconfig_setenv(c->c1.tuntap, c->c2.es); - run_dns_up_down(true, &c->options, c->c1.tuntap); + run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.dsri); /* run the up script if user specified --up-restart */ if (c->options.up_restart) @@ -2138,7 +2138,7 @@ adapter_index = c->c1.tuntap->adapter_index; #endif - run_dns_up_down(false, &c->options, c->c1.tuntap); + run_dns_up_down(false, &c->options, c->c1.tuntap, &c->persist.dsri); if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun)) { diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 8dfcab4..391bf04 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -45,6 +45,7 @@ #include "pool.h" #include "plugin.h" #include "manage.h" +#include "dns.h" /* * Our global key schedules, packaged thusly @@ -120,6 +121,7 @@ struct context_persist { int restart_sleep_seconds; + struct dns_script_runner_info dsri; };
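Review bot: in the dns.c hunk `@@ -549,11 +556,171 @@` the runner's EINTR handling is inverted: `if (rlen == -1 && errno != EINTR) { continue; }` retries on every error except EINTR, so a persistent error (a closed or bad descriptor) turns the privileged child into a busy loop, while an interrupted read falls through, closes the pipes and exits; this should be `errno == EINTR`. The parent side in `run_up_down_script` has the mirror problem via signed/unsigned comparison: `len` is `ssize_t` while `dvf_size` and `sizeof(status)` are `size_t`, so in `if (len < dvf_size)` a -1 converts to SIZE_MAX, the branch is never entered on error, EINTR is never retried and a failed write or read is silently ignored with `status` left uninitialized; test `len < 0` first and only then compare sizes, and please check whether `msg(M_ERR, ...)` returns here at all, because if it is fatal the `break` after it and the `return false` after "unable to create pipes" / "unable to fork" are unreachable. Two further points in the same hunk: `for (int fd = 3; fd < 100; ++fd)` leaves any descriptor numbered 100 or higher (sockets, tun, management) open in the privileged child, so use the real descriptor limit or `close_range()`/`closefrom()` where available; and the runner both passes the path it receives from the now unprivileged parent to the script as `dns_vars_file` and unlinks it with its own privileges, so it should at least verify the path lies under `o->tmp_dir`, or better receive the file contents (or a descriptor) over the pipe instead of a path. Finally, `up = !up; /* do the opposite next time */` assumes strict up/down alternation between parent calls; sending the direction along with the path would remove that assumption.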
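Review bot: in the env_set.c hunk `@@ -235,6 +236,30 @@`, `env_set_write_file` writes every item with `fputs` plus `fputc('\n')` and no escaping, so an item whose value contains a newline is split into two records on the reader side, and neither the `fputs`/`fputc` results nor `fclose` are checked, so a full tmp filesystem yields a truncated file that the runner then uses as if complete; check `fclose` and report failure, and reject or escape embedded newlines. Please also confirm that `platform_create_temp_file` creates the file with owner-only permissions, since it now carries script environment values in a shared tmp directory, and that `msg(M_ERR, ...)` followed by `return` is the intended behaviour (if M_ERR is fatal the `return` is dead).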
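Review bot: in the dns.h hunk `@@ -68,6 +68,14 @@`, `struct dns_script_runner_info` gains `required`, `fds` and `pid`, but nothing in this change ever sets `required` to true (the init.c hunks only pass `&c->persist.dsri` through), so as posted `run_up_down_script` always takes the direct path and the runner is never started; the code that applies --user/--group should set `dsri.required`, and the new `context_persist` member in openvpn.h should be explicitly zeroed so `pid < 1` is a reliable "not started" test. Also `pid_t pid` is wrapped in `#if !defined(_WIN32)` while `fds[2]` is not, although both are only used on the non-Windows path; guard both or neither.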
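As an added example (not code from this patch or from openvpn), a hardened form of the parent-to-runner pipe exchange the commit message describes: the up/down direction travels with the vars-file path instead of being inferred by alternation, the path is length-prefixed, and every transfer is resumed on short reads/writes and retried on EINTR. The function names and the 3-byte header layout are my own assumptions.

```c
/* Added example, not from the patch: request framing for the parent ->
 * script-runner pipe.  Header = 1 direction byte + 16-bit big-endian path
 * length, followed by the vars-file path.  Names/framing are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Write exactly n bytes: resume short writes, retry on EINTR, fail otherwise.
 * The sign of the ssize_t result is checked before it is cast to size_t. */
static bool
write_full(int fd, const void *buf, size_t n)
{
    const char *p = buf;
    while (n > 0)
    {
        ssize_t w = write(fd, p, n);
        if (w < 0 && errno == EINTR) { continue; }
        if (w < 0) { return false; }
        p += w;
        n -= (size_t)w;
    }
    return true;
}

/* Read exactly n bytes; EOF before n bytes means the peer has gone away. */
static bool
read_full(int fd, void *buf, size_t n)
{
    char *p = buf;
    while (n > 0)
    {
        ssize_t r = read(fd, p, n);
        if (r < 0 && errno == EINTR) { continue; }
        if (r <= 0) { return false; }
        p += r;
        n -= (size_t)r;
    }
    return true;
}

/* Parent side: send the direction explicitly together with the path. */
bool
send_dns_request(int fd, bool up, const char *path)
{
    size_t len = strlen(path);
    if (len == 0 || len > UINT16_MAX) { return false; }
    uint8_t hdr[3] = { up ? 1 : 0, (uint8_t)(len >> 8), (uint8_t)(len & 0xff) };
    return write_full(fd, hdr, sizeof(hdr)) && write_full(fd, path, len);
}

/* Runner side: reject a malformed header or a path that would not fit. */
bool
recv_dns_request(int fd, bool *up, char *path, size_t cap)
{
    uint8_t hdr[3];
    if (!read_full(fd, hdr, sizeof(hdr)) || hdr[0] > 1) { return false; }
    size_t len = ((size_t)hdr[1] << 8) | hdr[2];
    if (len == 0 || len >= cap || !read_full(fd, path, len)) { return false; }
    path[len] = '\0';
    *up = (hdr[0] == 1);
    return true;
}
```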