summaryrefslogtreecommitdiff
path: root/src/openvpn/init.c
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-01-20 12:01:07 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-01-20 12:01:07 +0100
commit9653b1bffea4e96c1eb7c1814e8bed21fea62321 (patch)
tree485f02f91b424955a45c1cc12876c31d3d957f9b /src/openvpn/init.c
parent41ffafc126abd9af67061f4931b7614f3cb898b0 (diff)
Imported Upstream version 2.3.10upstream/2.3.10
Diffstat (limited to 'src/openvpn/init.c')
-rw-r--r--src/openvpn/init.c68
1 files changed, 54 insertions, 14 deletions
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 71c91a2..2148777 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -840,7 +840,7 @@ void
init_options_dev (struct options *options)
{
if (!options->dev && options->dev_node) {
- char *dev_node = strdup(options->dev_node); /* POSIX basename() implementaions may modify its arguments */
+ char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */
options->dev = basename (dev_node);
}
}
@@ -973,31 +973,30 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
struct context_0 *c0 = c->c0;
- if (c->first_time && c0 && !c0->uid_gid_set)
+ if (c0 && !c0->uid_gid_chroot_set)
{
/* chroot if requested */
if (c->options.chroot_dir)
{
if (no_delay)
platform_chroot (c->options.chroot_dir);
- else
+ else if (c->first_time)
msg (M_INFO, "NOTE: chroot %s", why_not);
}
- /* set user and/or group that we want to setuid/setgid to */
- if (no_delay)
- {
- platform_group_set (&c0->platform_state_group);
- platform_user_set (&c0->platform_state_user);
- c0->uid_gid_set = true;
- }
- else if (c0->uid_gid_specified)
+ /* set user and/or group if we want to setuid/setgid */
+ if (c0->uid_gid_specified)
{
- msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not);
+ if (no_delay) {
+ platform_group_set (&c0->platform_state_group);
+ platform_user_set (&c0->platform_state_user);
+ }
+ else if (c->first_time)
+ msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not);
}
#ifdef ENABLE_MEMSTATS
- if (c->options.memstats_fn)
+ if (c->first_time && c->options.memstats_fn)
mstats_open(c->options.memstats_fn);
#endif
@@ -1016,10 +1015,16 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
else
msg (M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
}
- else
+ else if (c->first_time)
msg (M_INFO, "NOTE: setcon %s", why_not);
}
#endif
+
+ /* Privileges are going to be dropped by now (if requested), be sure
+ * to prevent any future privilege dropping attempts from now on.
+ */
+ if (no_delay)
+ c0->uid_gid_chroot_set = true;
}
}
@@ -1453,6 +1458,9 @@ do_open_tun (struct context *c)
c->plugins,
OPENVPN_PLUGIN_UP,
c->c1.tuntap->actual_name,
+#ifdef WIN32
+ c->c1.tuntap->adapter_index,
+#endif
dev_type_string (c->options.dev, c->options.dev_type),
TUN_MTU_SIZE (&c->c2.frame),
EXPANDED_SIZE (&c->c2.frame),
@@ -1463,6 +1471,15 @@ do_open_tun (struct context *c)
"up",
c->c2.es);
+#ifdef WIN32
+ if (c->options.block_outside_dns)
+ {
+ dmsg (D_LOW, "Blocking outside DNS");
+ if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
+ msg (M_FATAL, "Blocking DNS failed!");
+ }
+#endif
+
/* possibly add routes */
if (!c->options.route_delay_defined)
do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list,
@@ -1493,6 +1510,9 @@ do_open_tun (struct context *c)
c->plugins,
OPENVPN_PLUGIN_UP,
c->c1.tuntap->actual_name,
+#ifdef WIN32
+ c->c1.tuntap->adapter_index,
+#endif
dev_type_string (c->options.dev, c->options.dev_type),
TUN_MTU_SIZE (&c->c2.frame),
EXPANDED_SIZE (&c->c2.frame),
@@ -1530,6 +1550,9 @@ do_close_tun (struct context *c, bool force)
if (c->c1.tuntap && c->c1.tuntap_owned)
{
const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc);
+#ifdef WIN32
+ DWORD adapter_index = c->c1.tuntap->adapter_index;
+#endif
const in_addr_t local = c->c1.tuntap->local;
const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
@@ -1553,6 +1576,9 @@ do_close_tun (struct context *c, bool force)
c->plugins,
OPENVPN_PLUGIN_ROUTE_PREDOWN,
tuntap_actual,
+#ifdef WIN32
+ adapter_index,
+#endif
NULL,
TUN_MTU_SIZE (&c->c2.frame),
EXPANDED_SIZE (&c->c2.frame),
@@ -1578,6 +1604,9 @@ do_close_tun (struct context *c, bool force)
c->plugins,
OPENVPN_PLUGIN_DOWN,
tuntap_actual,
+#ifdef WIN32
+ adapter_index,
+#endif
NULL,
TUN_MTU_SIZE (&c->c2.frame),
EXPANDED_SIZE (&c->c2.frame),
@@ -1589,6 +1618,14 @@ do_close_tun (struct context *c, bool force)
"down",
c->c2.es);
+#ifdef WIN32
+ if (c->options.block_outside_dns)
+ {
+ if (!win_wfp_uninit())
+ msg (M_FATAL, "Uninitialising WFP failed!");
+ }
+#endif
+
/* actually close tun/tap device based on --down-pre flag */
if (c->options.down_pre)
do_close_tun_simple (c);
@@ -1601,6 +1638,9 @@ do_close_tun (struct context *c, bool force)
c->plugins,
OPENVPN_PLUGIN_DOWN,
tuntap_actual,
+#ifdef WIN32
+ adapter_index,
+#endif
NULL,
TUN_MTU_SIZE (&c->c2.frame),
EXPANDED_SIZE (&c->c2.frame),