It's a short summary trying to cover different systems...

This reads somewhat clearer as code is grouped by features instead of
security mechanisms by simply merging identical tests/conditions.
No functional change.

Simplify logic and decouple the two features such that the code gets
even more self-documenting.
Previously `catgirl -R -l' would never unveil and therefore "proc exec"
could execute arbitrary paths without "rpath" as is usual unveil/pledge
semantic.
Now that `catgirl -l' alone triggers unveil(2), previous "proc exec"
alone is not enough since the first unveil() hides everything else from
the filesystem; unveil all of root executable-only in order to restore
non-restrict mode's visibility.
This yields distinct cases wrt. filesystem visibility
(hoisted save file functionality excluded):
1. restrict on, log off: no access
2. restrict on, log on : logdir write/create
3. restrict off, log off: all exec-only
4. restrict off, log on : logdir write/create, all else exec-only
In the first case `unveil("/", "")' could be used but with no benefit as
the later lack of "rpath wpath cpath", i.e. filesystem access is revoked
entirely by pledge alone already.
Practically, this does not change functionality but improves correctness
and readability.

Otherwise we won't have any certificate to print yet.
Fixes 981ebc4f12b88fbf52ed0352428a0612dd2c2568.

The restrict option now enables real sandboxing on the two main
target systems.

The call to logOpen() will have already created the directory. Still
use dataMkdir() as a convenient way to get the created path.

The first call to ircFormat, which calls tls_write(3) in turn, will
perform the handshake anyway. This way the handshake happens after
the final pledge(2) call.

Maybe no one will ever do it but I think it's a fun idea.

There was no reason to ever require whitespace before the macro
name.

Otherwise resizing the terminal will end catgirl until a handler is
registered, e.g. while in ircConnect():
  catgirl: tls_handshake: (null)
Hoist registration right after uiInitEarly() as the earliest possible
point in main() since initscr(3) sets up various signals incl. SIGWINCH,
i.e. initialise `cursesWinch' afterwards to pick up curses(3)'s handler.

Resizing the window early on may return early due to SIGWINCH.
Continue asynchronously in that case instead of exiting.

I think I didn't use these originally because they were misconfigured
on tilde.chat, but they work now, and supposedly server aliases
should be more secure/reliable.

Otherwise a lingering process from /copy for example could hold the
lock.

d3e90b6 'Use libtls "compat" ciphers' from 2018 fell back to "compat"
ciphers to support irc.mozilla.org which now yields NXDOMAIN.
All modern networks (should) support secure ciphers, so drop the
hopefully unneeded list of less secure ciphers by avoiding
tls_config_set_ciphers(3) and therefore sticking to the "secure" aka.
"default" set of ciphers in libtls.
A quick check shows that almost all of the big/known IRC networks
support TLS1.3 already; those who do not at least comply with
SSL_CTX_set_cipher_list(3)'s "HIGH" set as can be tested like this:
  echo \
    irc.hackint.org \
    irc.tilde.chat \
    irc.libera.chat \
    irc.efnet.nl \
    irc.oftc.net |
  xargs -tn1 \
    openssl s_client -quiet -cipher HIGH -no_ign_eof -port 6697 -host

dataMkdir() already picked the appropriate directory so make it
return that such that unveilData() can go as only that one directory
needs unveiling.

For blocking sockets it should be retried immediately.

Used by Solanum for "actually using host".

Case-insensitivity was copied from regular complete(), but other
commands which take substrings (/open and /copy) match case-sensitively.

This could just iterate over idNames instead, but using complete
means more recently used windows will match first.

The 'pick chat network' binding on F1 lists tmux windows as follows
and tmux's `choose-tree -Z' lets you jump to the window by pressing the
key denoted inside parentheses.
Set `base-index 1' so as to make window indices match up with the hotkey
number instead of being off-by-one due to the session itself being the
first entry in the list.
  (0) - chat-5: 8 windows (group chat: chat-0,chat-1,chat-2,chat-3,chat-4,chat-5,chat-6) (attached)
  (1) ├─> 1: hackint: "example.com"
  (2) ├─> 2: efnet: "example.com"
  ...
PS: Update existing sessions by updating chat.tmux.conf, pressing F5
then running `prefix-: move-window -r' to renumber all windows.

Every time we receive from the server, reset a timer. The first
time the timer triggers, send a PING. The second time the timer
triggers, die from ping timeout.
I'm not sure about these two intervals: 2 minutes of idle before a
PING, 30s for the server to respond to the PING.
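The timer described in the commit above, as an added example in C that is not catgirl's own code: it keeps the two intervals from the message (2 minutes idle before a PING, 30 seconds for a reply) and takes the clock as a parameter so the state machine can be driven without a socket; the names `PingTimer`, `pingReceived()` and `pingTick()` are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

enum PingAction { PingNone, PingSend, PingTimeout };

/* One timer per connection; 'pending' is true once a PING has been sent
 * and nothing has arrived from the server since. (Example code.) */
struct PingTimer {
	time_t deadline;
	bool pending;
};

static const time_t IdleInterval = 2 * 60; /* idle before we PING */
static const time_t ReplyInterval = 30;    /* grace period for any reply */

/* Call whenever a line arrives from the server: any traffic, not only a
 * PONG, proves the connection is alive and restarts the idle timer. */
static void pingReceived(struct PingTimer *t, time_t now) {
	t->pending = false;
	t->deadline = now + IdleInterval;
}

/* Call from the event loop; returns what the caller should do now. */
static enum PingAction pingTick(struct PingTimer *t, time_t now) {
	if (now < t->deadline) return PingNone;
	if (!t->pending) {
		/* first expiry: send PING and wait the shorter reply interval */
		t->pending = true;
		t->deadline = now + ReplyInterval;
		return PingSend;
	}
	/* second expiry with no traffic in between: connection is dead */
	return PingTimeout;
}

int main(void) {
	struct PingTimer t;
	time_t now = 0;
	pingReceived(&t, now);
	/* simulated clock, one tick per second, server stays silent */
	for (now = 1; now <= IdleInterval + ReplyInterval; ++now) {
		switch (pingTick(&t, now)) {
			case PingSend: printf("%lds: PING sent\n", (long)now); break;
			case PingTimeout: printf("%lds: ping timeout\n", (long)now); return 1;
			default: break;
		}
	}
	return 0;
}
```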

Just truncate the initial promises back to the final ones after pledging
for the first time, saving code and memory.
Assign `ptr' in all initial `seprintf()' calls for consistency while
here.

No need to wait for so long.
This also brings all the pledge code on one screen and helps show how
ircConnect() is the only relevant part in between initial and final
promises.

`-T[format]' is not possible with getopt(3) but getopt_long(3) supports
"T::" exactly for that, so make the command line option go in line with
configuration files and documentation.
While here, check `has_arg' explicitly as getopt_long(3) only documents
mnemonic values not numerical ones.

Otherwise "/exec sh </dev/tty" takes over and catgirl must effectively
be killed to stop the madness; with this diff:
  catgirl input| /exec sh </dev/tty
  catgirl output| /bin/sh: cannot open /dev/tty: Device not configured
  catgirl output| Process exits with status 1
Do the same for `-C/Copy', `-N/notify' and `-O/open' alike.

No point in creating (sub)directories when the given root failed already
as is the case when e.g. XDG_DATA_HOME/catgirl/ itself is bogus
(cleaned stderr intermangled with ncurses setup/catgirl output):
  $ env -i TERM=xterm XDG_DATA_HOME=/ ./catgirl -h irc.hackint.eu -n nobody -l
  catgirl: //catgirl/: Permission denied
  catgirl: //catgirl/log: No such file or directory
  catgirl: //catgirl/log/hackint: No such file or directory
  catgirl: //catgirl/log/hackint/NickServ: No such file or directory
  catgirl: //catgirl/: Permission denied
  catgirl: //catgirl/log/hackint/NickServ/2021-06-13.log: No such file or directory

One of the last changes missed this, but it is a NOOP anyway since
"rpath" is not pledged any longer.

Missed this one.

Prevents two instances of catgirl from using the same save file and
clobbering each other's data.

Avoids another small TOCTOU. Rewind before loading since "a+" sets
the file position at the end. Remove unnecessary fseek after
truncation, since "a+" always writes at the end of the file.

All opening happens before unveil/pledge and the file handle is kept
open read/write so it can be used without any pledge.
Simpler/less code and less chances to write other files (accidentally).

Opening the same file *path* twice is a TOCTOU, although not a critical
one: worst case we load from one file and save to another - the impact
depends on how and when catgirl is started the next time anyway.
More importantly, keeping the file handle open at runtime allows us to
drop all filesystem related promises for `-s/save' on OpenBSD.
uiLoad() now opens "r+", meaning "Open for reading and writing." up
front so uiSave() can write to it. In the case of a nonexistent save
file, it now opens with "w" meaning "Open for writing. The file is
created if it does not exist.", i.e. the same write/create semantics as
"w" except uiLoad() no longer truncates existing files.
uiSave() now truncates the save file to avoid appending in general.