diff options
-rw-r--r-- | arch.c | 10 | ||||
-rw-r--r-- | conf.c | 6 | ||||
-rw-r--r-- | isolation.c | 18 | ||||
-rw-r--r-- | log.c | 12 | ||||
-rw-r--r-- | passt.c | 41 | ||||
-rw-r--r-- | pasta.c | 9 |
6 files changed, 38 insertions, 58 deletions
@@ -18,6 +18,8 @@ #include <string.h> #include <unistd.h> +#include "log.h" + /** * arch_avx2_exec() - Switch to AVX2 build if supported * @argv: Arguments from command line @@ -28,10 +30,8 @@ void arch_avx2_exec(char **argv) char exe[PATH_MAX] = { 0 }; const char *p; - if (readlink("/proc/self/exe", exe, PATH_MAX - 1) < 0) { - perror("readlink /proc/self/exe"); - exit(EXIT_FAILURE); - } + if (readlink("/proc/self/exe", exe, PATH_MAX - 1) < 0) + die_perror("Failed to read own /proc/self/exe link"); p = strstr(exe, ".avx2"); if (p && strlen(p) == strlen(".avx2")) @@ -42,7 +42,7 @@ void arch_avx2_exec(char **argv) snprintf(new_path, PATH_MAX + sizeof(".avx2"), "%s.avx2", exe); execve(new_path, argv, environ); - perror("Can't run AVX2 build, using non-AVX2 version"); + warn_perror("Can't run AVX2 build, using non-AVX2 version"); } } #else @@ -1093,10 +1093,8 @@ static void conf_ugid(char *runas, uid_t *uid, gid_t *gid) const struct passwd *pw; /* cppcheck-suppress getpwnamCalled */ pw = getpwnam("nobody"); - if (!pw) { - perror("getpwnam"); - exit(EXIT_FAILURE); - } + if (!pw) + die_perror("Can't get password file entry for nobody"); *uid = pw->pw_uid; *gid = pw->pw_gid; diff --git a/isolation.c b/isolation.c index ca2c68b..c936674 100644 --- a/isolation.c +++ b/isolation.c @@ -316,34 +316,34 @@ int isolate_prefork(const struct ctx *c) flags |= CLONE_NEWPID; if (unshare(flags)) { - perror("unshare"); + err_perror("Failed to detach isolating namespaces"); return -errno; } if (mount("", "/", "", MS_UNBINDABLE | MS_REC, NULL)) { - perror("mount /"); + err_perror("Failed to remount /"); return -errno; } if (mount("", TMPDIR, "tmpfs", MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, "nr_inodes=2,nr_blocks=0")) { - perror("mount tmpfs"); + err_perror("Failed to mount empty tmpfs for pivot_root()"); return -errno; } if (chdir(TMPDIR)) { - perror("chdir"); + err_perror("Failed to change directory into empty tmpfs"); return -errno; } if (syscall(SYS_pivot_root, ".", ".")) { - perror("pivot_root"); + err_perror("Failed to pivot_root() into empty tmpfs"); return -errno; } if (umount2(".", MNT_DETACH | UMOUNT_NOFOLLOW)) { - perror("umount2"); + err_perror("Failed to unmount original root filesystem"); return -errno; } @@ -388,8 +388,6 @@ void isolate_postfork(const struct ctx *c) } if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || - prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { - perror("prctl"); - exit(EXIT_FAILURE); - } + prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) + die_perror("Failed to apply seccomp filter"); } @@ -206,10 +206,8 @@ void logfile_init(const char *name, const char *path, size_t size) char nl = '\n', exe[PATH_MAX] = { 0 }; int n; - if (readlink("/proc/self/exe", exe, PATH_MAX - 1) < 0) { - perror("readlink /proc/self/exe"); - exit(EXIT_FAILURE); - } + if (readlink("/proc/self/exe", exe, PATH_MAX - 1) < 0) + die_perror("Failed to read own /proc/self/exe link"); log_file = open(path, O_CREAT | O_TRUNC | O_APPEND | O_RDWR | O_CLOEXEC, S_IRUSR | S_IWUSR); @@ -222,10 +220,8 @@ void logfile_init(const char *name, const char *path, size_t size) name, exe, getpid()); if (write(log_file, log_header, n) <= 0 || - write(log_file, &nl, 1) <= 0) { - perror("Couldn't write to log file\n"); - exit(EXIT_FAILURE); - } + write(log_file, &nl, 1) <= 0) + die_perror("Couldn't write to log file"); /* For FALLOC_FL_COLLAPSE_RANGE: VFS block size can be up to one page */ log_cut_size = ROUND_UP(log_size * LOGFILE_CUT_RATIO / 100, PAGE_SIZE); @@ -136,14 +136,13 @@ static void secret_init(struct ctx *c) } if (dev_random >= 0) close(dev_random); - if (random_read < sizeof(c->hash_secret)) { + + if (random_read < sizeof(c->hash_secret)) #else if (getrandom(&c->hash_secret, sizeof(c->hash_secret), - GRND_RANDOM) < 0) { + GRND_RANDOM) < 0) #endif /* !HAS_GETRANDOM */ - perror("TCP initial sequence getrandom"); - exit(EXIT_FAILURE); - } + die_perror("Failed to get random bytes for hash table and TCP"); } /** @@ -250,20 +249,16 @@ int main(int argc, char **argv) madvise(pkt_buf, TAP_BUF_BYTES, MADV_HUGEPAGE); c.epollfd = epoll_create1(EPOLL_CLOEXEC); - if (c.epollfd == -1) { - perror("epoll_create1"); - exit(EXIT_FAILURE); - } + if (c.epollfd == -1) + die_perror("Failed to create epoll file descriptor"); + + if (getrlimit(RLIMIT_NOFILE, &limit)) + die_perror("Failed to get maximum value of open files limit"); - if (getrlimit(RLIMIT_NOFILE, &limit)) { - perror("getrlimit"); - exit(EXIT_FAILURE); - } c.nofile = limit.rlim_cur = limit.rlim_max; - if (setrlimit(RLIMIT_NOFILE, &limit)) { - perror("setrlimit"); - exit(EXIT_FAILURE); - } + if (setrlimit(RLIMIT_NOFILE, &limit)) + die_perror("Failed to set current limit for open files"); + sock_probe_mem(&c); conf(&c, argc, argv); @@ -293,10 +288,8 @@ int main(int argc, char **argv) pcap_init(&c); if (!c.foreground) { - if ((devnull_fd = open("/dev/null", O_RDWR | O_CLOEXEC)) < 0) { - perror("/dev/null open"); - exit(EXIT_FAILURE); - } + if ((devnull_fd = open("/dev/null", O_RDWR | O_CLOEXEC)) < 0) + die_perror("Failed to open /dev/null"); } if (isolate_prefork(&c)) @@ -320,10 +313,8 @@ loop: /* NOLINTNEXTLINE(bugprone-branch-clone): intervals can be the same */ /* cppcheck-suppress [duplicateValueTernary, unmatchedSuppression] */ nfds = epoll_wait(c.epollfd, events, EPOLL_EVENTS, TIMER_INTERVAL); - if (nfds == -1 && errno != EINTR) { - perror("epoll_wait"); - exit(EXIT_FAILURE); - } + if (nfds == -1 && errno != EINTR) + die_perror("epoll_wait() failed in main loop"); clock_gettime(CLOCK_MONOTONIC, &now); @@ -197,8 +197,7 @@ static int pasta_spawn_cmd(void *arg) a = (const struct pasta_spawn_cmd_arg *)arg; execvp(a->exe, a->argv); - perror("execvp"); - exit(EXIT_FAILURE); + die_perror("Failed to start command or shell"); } /** @@ -261,10 +260,8 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid, CLONE_NEWUTS | CLONE_NEWNS | SIGCHLD, (void *)&arg); - if (pasta_child_pid == -1) { - perror("clone"); - exit(EXIT_FAILURE); - } + if (pasta_child_pid == -1) + die_perror("Failed to clone process with detached namespaces"); NS_CALL(pasta_wait_for_ns, c); if (c->pasta_netns_fd < 0) |