/*- * SPDX-License-Identifier: BSD-2-Clause * * Copyright (c) 2002 Dag-Erling Smørgrav * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include <sys/cdefs.h> #include <sys/param.h> #include <sys/file.h> #include <sys/socket.h> #include <sys/socketvar.h> #include <sys/sysctl.h> #include <sys/jail.h> #include <sys/user.h> #include <sys/queue.h> #include <sys/tree.h> #include <sys/un.h> #include <sys/unpcb.h> #include <net/route.h> #include <netinet/in.h> #include <netinet/in_pcb.h> #include <netinet/sctp.h> #include <netinet/tcp.h> #define TCPSTATES /* load state names */ #include <netinet/tcp_fsm.h> #include <netinet/tcp_seq.h> #include <netinet/tcp_var.h> #include <arpa/inet.h> #include <capsicum_helpers.h> #include <ctype.h> #include <err.h> #include <errno.h> #include <inttypes.h> #include <jail.h> #include <netdb.h> #include <pwd.h> #include <stdarg.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <libcasper.h> #include <casper/cap_net.h> #include <casper/cap_netdb.h> #include <casper/cap_pwd.h> #include <casper/cap_sysctl.h> #define sstosin(ss) ((struct sockaddr_in *)(ss)) #define sstosin6(ss) ((struct sockaddr_in6 *)(ss)) #define sstosun(ss) ((struct sockaddr_un *)(ss)) #define sstosa(ss) ((struct sockaddr *)(ss)) static int opt_4; /* Show IPv4 sockets */ static int opt_6; /* Show IPv6 sockets */ static int opt_C; /* Show congestion control */ static int opt_c; /* Show connected sockets */ static int opt_i; /* Show inp_gencnt */ static int opt_j; /* Show specified jail */ static int opt_L; /* Don't show IPv4 or IPv6 loopback sockets */ static int opt_l; /* Show listening sockets */ static int opt_n; /* Don't resolve UIDs to user names */ static int opt_q; /* Don't show header */ static int opt_S; /* Show protocol stack if applicable */ static int opt_s; /* Show protocol state if applicable */ static int opt_U; /* Show remote UDP encapsulation port number */ static int opt_u; /* Show Unix domain sockets */ static int opt_v; /* Verbose mode */ static int opt_w; /* Wide print area for addresses */ /* * Default protocols to use if no -P was defined. */ static const char *default_protos[] = {"sctp", "tcp", "udp", "divert" }; static size_t default_numprotos = nitems(default_protos); static int *protos; /* protocols to use */ static size_t numprotos; /* allocated size of protos[] */ static int *ports; #define INT_BIT (sizeof(int)*CHAR_BIT) #define SET_PORT(p) do { ports[p / INT_BIT] |= 1 << (p % INT_BIT); } while (0) #define CHK_PORT(p) (ports[p / INT_BIT] & (1 << (p % INT_BIT))) struct addr { union { struct sockaddr_storage address; struct { /* unix(4) faddr */ kvaddr_t conn; kvaddr_t firstref; kvaddr_t nextref; }; }; unsigned int encaps_port; int state; struct addr *next; }; struct sock { union { RB_ENTRY(sock) socket_tree; /* tree of pcbs with socket */ SLIST_ENTRY(sock) socket_list; /* list of pcbs w/o socket */ }; RB_ENTRY(sock) pcb_tree; kvaddr_t socket; kvaddr_t pcb; uint64_t inp_gencnt; int shown; int vflag; int family; int proto; int state; const char *protoname; char stack[TCP_FUNCTION_NAME_LEN_MAX]; char cc[TCP_CA_NAME_MAX]; struct addr *laddr; struct addr *faddr; }; static RB_HEAD(socks_t, sock) socks = RB_INITIALIZER(&socks); static int64_t socket_compare(const struct sock *a, const struct sock *b) { return ((int64_t)(a->socket/2 - b->socket/2)); } RB_GENERATE_STATIC(socks_t, sock, socket_tree, socket_compare); static RB_HEAD(pcbs_t, sock) pcbs = RB_INITIALIZER(&pcbs); static int64_t pcb_compare(const struct sock *a, const struct sock *b) { return ((int64_t)(a->pcb/2 - b->pcb/2)); } RB_GENERATE_STATIC(pcbs_t, sock, pcb_tree, pcb_compare); static SLIST_HEAD(, sock) nosocks = SLIST_HEAD_INITIALIZER(&nosocks); struct file { RB_ENTRY(file) file_tree; kvaddr_t xf_data; pid_t xf_pid; uid_t xf_uid; int xf_fd; }; static RB_HEAD(files_t, file) ftree = RB_INITIALIZER(&ftree); static int64_t file_compare(const struct file *a, const struct file *b) { return ((int64_t)(a->xf_data/2 - b->xf_data/2)); } RB_GENERATE_STATIC(files_t, file, file_tree, file_compare); static struct file *files; static int nfiles; static cap_channel_t *capnet; static cap_channel_t *capnetdb; static cap_channel_t *capsysctl; static cap_channel_t *cappwd; static int xprintf(const char *fmt, ...) { va_list ap; int len; va_start(ap, fmt); len = vprintf(fmt, ap); va_end(ap); if (len < 0) err(1, "printf()"); return (len); } static bool _check_ksize(size_t received_size, size_t expected_size, const char *struct_name) { if (received_size != expected_size) { warnx("%s size mismatch: expected %zd, received %zd", struct_name, expected_size, received_size); return false; } return true; } #define check_ksize(_sz, _struct) (_check_ksize(_sz, sizeof(_struct), #_struct)) static void _enforce_ksize(size_t received_size, size_t expected_size, const char *struct_name) { if (received_size != expected_size) { errx(1, "fatal: struct %s size mismatch: expected %zd, received %zd", struct_name, expected_size, received_size); } } #define enforce_ksize(_sz, _struct) (_enforce_ksize(_sz, sizeof(_struct), #_struct)) static int get_proto_type(const char *proto) { struct protoent *pent; if (strlen(proto) == 0) return (0); if (capnetdb != NULL) pent = cap_getprotobyname(capnetdb, proto); else pent = getprotobyname(proto); if (pent == NULL) { warn("cap_getprotobyname"); return (-1); } return (pent->p_proto); } static void init_protos(int num) { int proto_count = 0; if (num > 0) { proto_count = num; } else { /* Find the maximum number of possible protocols. */ while (getprotoent() != NULL) proto_count++; endprotoent(); } if ((protos = malloc(sizeof(int) * proto_count)) == NULL) err(1, "malloc"); numprotos = proto_count; } static int parse_protos(char *protospec) { char *prot; int proto_type, proto_index; if (protospec == NULL) return (-1); init_protos(0); proto_index = 0; while ((prot = strsep(&protospec, ",")) != NULL) { if (strlen(prot) == 0) continue; proto_type = get_proto_type(prot); if (proto_type != -1) protos[proto_index++] = proto_type; } numprotos = proto_index; return (proto_index); } static void parse_ports(const char *portspec) { const char *p, *q; int port, end; if (ports == NULL) if ((ports = calloc(65536 / INT_BIT, sizeof(int))) == NULL) err(1, "calloc()"); p = portspec; while (*p != '\0') { if (!isdigit(*p)) errx(1, "syntax error in port range"); for (q = p; *q != '\0' && isdigit(*q); ++q) /* nothing */ ; for (port = 0; p < q; ++p) port = port * 10 + digittoint(*p); if (port < 0 || port > 65535) errx(1, "invalid port number"); SET_PORT(port); switch (*p) { case '-': ++p; break; case ',': ++p; /* fall through */ case '\0': default: continue; } for (q = p; *q != '\0' && isdigit(*q); ++q) /* nothing */ ; for (end = 0; p < q; ++p) end = end * 10 + digittoint(*p); if (end < port || end > 65535) errx(1, "invalid port number"); while (port++ < end) SET_PORT(port); if (*p == ',') ++p; } } static void sockaddr(struct sockaddr_storage *ss, int af, void *addr, int port) { struct sockaddr_in *sin4; struct sockaddr_in6 *sin6; bzero(ss, sizeof(*ss)); switch (af) { case AF_INET: sin4 = sstosin(ss); sin4->sin_len = sizeof(*sin4); sin4->sin_family = af; sin4->sin_port = port; sin4->sin_addr = *(struct in_addr *)addr; break; case AF_INET6: sin6 = sstosin6(ss); sin6->sin6_len = sizeof(*sin6); sin6->sin6_family = af; sin6->sin6_port = port; sin6->sin6_addr = *(struct in6_addr *)addr; #define s6_addr16 __u6_addr.__u6_addr16 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { sin6->sin6_scope_id = ntohs(sin6->sin6_addr.s6_addr16[1]); sin6->sin6_addr.s6_addr16[1] = 0; } break; default: abort(); } } static void free_socket(struct sock *sock) { struct addr *cur, *next; cur = sock->laddr; while (cur != NULL) { next = cur->next; free(cur); cur = next; } cur = sock->faddr; while (cur != NULL) { next = cur->next; free(cur); cur = next; } free(sock); } static void gather_sctp(void) { struct sock *sock; struct addr *laddr, *prev_laddr, *faddr, *prev_faddr; struct xsctp_inpcb *xinpcb; struct xsctp_tcb *xstcb; struct xsctp_raddr *xraddr; struct xsctp_laddr *xladdr; const char *varname; size_t len, offset; char *buf; int vflag; int no_stcb, local_all_loopback, foreign_all_loopback; vflag = 0; if (opt_4) vflag |= INP_IPV4; if (opt_6) vflag |= INP_IPV6; varname = "net.inet.sctp.assoclist"; if (cap_sysctlbyname(capsysctl, varname, 0, &len, 0, 0) < 0) { if (errno != ENOENT) err(1, "cap_sysctlbyname()"); return; } if ((buf = (char *)malloc(len)) == NULL) { err(1, "malloc()"); return; } if (cap_sysctlbyname(capsysctl, varname, buf, &len, 0, 0) < 0) { err(1, "cap_sysctlbyname()"); free(buf); return; } xinpcb = (struct xsctp_inpcb *)(void *)buf; offset = sizeof(struct xsctp_inpcb); while ((offset < len) && (xinpcb->last == 0)) { if ((sock = calloc(1, sizeof *sock)) == NULL) err(1, "malloc()"); sock->socket = xinpcb->socket; sock->proto = IPPROTO_SCTP; sock->protoname = "sctp"; if (xinpcb->maxqlen == 0) sock->state = SCTP_CLOSED; else sock->state = SCTP_LISTEN; if (xinpcb->flags & SCTP_PCB_FLAGS_BOUND_V6) { sock->family = AF_INET6; /* * Currently there is no way to distinguish between * IPv6 only sockets or dual family sockets. * So mark it as dual socket. */ sock->vflag = INP_IPV6 | INP_IPV4; } else { sock->family = AF_INET; sock->vflag = INP_IPV4; } prev_laddr = NULL; local_all_loopback = 1; while (offset < len) { xladdr = (struct xsctp_laddr *)(void *)(buf + offset); offset += sizeof(struct xsctp_laddr); if (xladdr->last == 1) break; if ((laddr = calloc(1, sizeof(struct addr))) == NULL) err(1, "malloc()"); switch (xladdr->address.sa.sa_family) { case AF_INET: #define __IN_IS_ADDR_LOOPBACK(pina) \ ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) if (!__IN_IS_ADDR_LOOPBACK( &xladdr->address.sin.sin_addr)) local_all_loopback = 0; #undef __IN_IS_ADDR_LOOPBACK sockaddr(&laddr->address, AF_INET, &xladdr->address.sin.sin_addr, htons(xinpcb->local_port)); break; case AF_INET6: if (!IN6_IS_ADDR_LOOPBACK( &xladdr->address.sin6.sin6_addr)) local_all_loopback = 0; sockaddr(&laddr->address, AF_INET6, &xladdr->address.sin6.sin6_addr, htons(xinpcb->local_port)); break; default: errx(1, "address family %d not supported", xladdr->address.sa.sa_family); } laddr->next = NULL; if (prev_laddr == NULL) sock->laddr = laddr; else prev_laddr->next = laddr; prev_laddr = laddr; } if (sock->laddr == NULL) { if ((sock->laddr = calloc(1, sizeof(struct addr))) == NULL) err(1, "malloc()"); sock->laddr->address.ss_family = sock->family; if (sock->family == AF_INET) sock->laddr->address.ss_len = sizeof(struct sockaddr_in); else sock->laddr->address.ss_len = sizeof(struct sockaddr_in6); local_all_loopback = 0; } if ((sock->faddr = calloc(1, sizeof(struct addr))) == NULL) err(1, "malloc()"); sock->faddr->address.ss_family = sock->family; if (sock->family == AF_INET) sock->faddr->address.ss_len = sizeof(struct sockaddr_in); else sock->faddr->address.ss_len = sizeof(struct sockaddr_in6); no_stcb = 1; while (offset < len) { xstcb = (struct xsctp_tcb *)(void *)(buf + offset); offset += sizeof(struct xsctp_tcb); if (no_stcb) { if (opt_l && (sock->vflag & vflag) && (!opt_L || !local_all_loopback) && ((xinpcb->flags & SCTP_PCB_FLAGS_UDPTYPE) || (xstcb->last == 1))) { RB_INSERT(socks_t, &socks, sock); } else { free_socket(sock); } } if (xstcb->last == 1) break; no_stcb = 0; if (opt_c) { if ((sock = calloc(1, sizeof *sock)) == NULL) err(1, "malloc()"); sock->socket = xinpcb->socket; sock->proto = IPPROTO_SCTP; sock->protoname = "sctp"; sock->state = (int)xstcb->state; if (xinpcb->flags & SCTP_PCB_FLAGS_BOUND_V6) { sock->family = AF_INET6; /* * Currently there is no way to distinguish * between IPv6 only sockets or dual family * sockets. So mark it as dual socket. */ sock->vflag = INP_IPV6 | INP_IPV4; } else { sock->family = AF_INET; sock->vflag = INP_IPV4; } } prev_laddr = NULL; local_all_loopback = 1; while (offset < len) { xladdr = (struct xsctp_laddr *)(void *)(buf + offset); offset += sizeof(struct xsctp_laddr); if (xladdr->last == 1) break; if (!opt_c) continue; laddr = calloc(1, sizeof(struct addr)); if (laddr == NULL) err(1, "malloc()"); switch (xladdr->address.sa.sa_family) { case AF_INET: #define __IN_IS_ADDR_LOOPBACK(pina) \ ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) if (!__IN_IS_ADDR_LOOPBACK( &xladdr->address.sin.sin_addr)) local_all_loopback = 0; #undef __IN_IS_ADDR_LOOPBACK sockaddr(&laddr->address, AF_INET, &xladdr->address.sin.sin_addr, htons(xstcb->local_port)); break; case AF_INET6: if (!IN6_IS_ADDR_LOOPBACK( &xladdr->address.sin6.sin6_addr)) local_all_loopback = 0; sockaddr(&laddr->address, AF_INET6, &xladdr->address.sin6.sin6_addr, htons(xstcb->local_port)); break; default: errx(1, "address family %d not supported", xladdr->address.sa.sa_family); } laddr->next = NULL; if (prev_laddr == NULL) sock->laddr = laddr; else prev_laddr->next = laddr; prev_laddr = laddr; } prev_faddr = NULL; foreign_all_loopback = 1; while (offset < len) { xraddr = (struct xsctp_raddr *)(void *)(buf + offset); offset += sizeof(struct xsctp_raddr); if (xraddr->last == 1) break; if (!opt_c) continue; faddr = calloc(1, sizeof(struct addr)); if (faddr == NULL) err(1, "malloc()"); switch (xraddr->address.sa.sa_family) { case AF_INET: #define __IN_IS_ADDR_LOOPBACK(pina) \ ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) if (!__IN_IS_ADDR_LOOPBACK( &xraddr->address.sin.sin_addr)) foreign_all_loopback = 0; #undef __IN_IS_ADDR_LOOPBACK sockaddr(&faddr->address, AF_INET, &xraddr->address.sin.sin_addr, htons(xstcb->remote_port)); break; case AF_INET6: if (!IN6_IS_ADDR_LOOPBACK( &xraddr->address.sin6.sin6_addr)) foreign_all_loopback = 0; sockaddr(&faddr->address, AF_INET6, &xraddr->address.sin6.sin6_addr, htons(xstcb->remote_port)); break; default: errx(1, "address family %d not supported", xraddr->address.sa.sa_family); } faddr->encaps_port = xraddr->encaps_port; faddr->state = xraddr->state; faddr->next = NULL; if (prev_faddr == NULL) sock->faddr = faddr; else prev_faddr->next = faddr; prev_faddr = faddr; } if (opt_c) { if ((sock->vflag & vflag) && (!opt_L || !(local_all_loopback || foreign_all_loopback))) { RB_INSERT(socks_t, &socks, sock); } else { free_socket(sock); } } } xinpcb = (struct xsctp_inpcb *)(void *)(buf + offset); offset += sizeof(struct xsctp_inpcb); } free(buf); } static void gather_inet(int proto) { struct xinpgen *xig, *exig; struct xinpcb *xip; struct xtcpcb *xtp = NULL; struct xsocket *so; struct sock *sock; struct addr *laddr, *faddr; const char *varname, *protoname; size_t len, bufsize; void *buf; int retry, vflag; vflag = 0; if (opt_4) vflag |= INP_IPV4; if (opt_6) vflag |= INP_IPV6; switch (proto) { case IPPROTO_TCP: varname = "net.inet.tcp.pcblist"; protoname = "tcp"; break; case IPPROTO_UDP: varname = "net.inet.udp.pcblist"; protoname = "udp"; break; case IPPROTO_DIVERT: varname = "net.inet.divert.pcblist"; protoname = "div"; break; default: errx(1, "protocol %d not supported", proto); } buf = NULL; bufsize = 8192; retry = 5; do { for (;;) { if ((buf = realloc(buf, bufsize)) == NULL) err(1, "realloc()"); len = bufsize; if (cap_sysctlbyname(capsysctl, varname, buf, &len, NULL, 0) == 0) break; if (errno == ENOENT) goto out; if (errno != ENOMEM || len != bufsize) err(1, "cap_sysctlbyname()"); bufsize *= 2; } xig = (struct xinpgen *)buf; exig = (struct xinpgen *)(void *) ((char *)buf + len - sizeof *exig); enforce_ksize(xig->xig_len, struct xinpgen); enforce_ksize(exig->xig_len, struct xinpgen); } while (xig->xig_gen != exig->xig_gen && retry--); if (xig->xig_gen != exig->xig_gen && opt_v) warnx("warning: data may be inconsistent"); for (;;) { xig = (struct xinpgen *)(void *)((char *)xig + xig->xig_len); if (xig >= exig) break; switch (proto) { case IPPROTO_TCP: xtp = (struct xtcpcb *)xig; xip = &xtp->xt_inp; if (!check_ksize(xtp->xt_len, struct xtcpcb)) goto out; protoname = xtp->t_flags & TF_TOE ? "toe" : "tcp"; break; case IPPROTO_UDP: case IPPROTO_DIVERT: xip = (struct xinpcb *)xig; if (!check_ksize(xip->xi_len, struct xinpcb)) goto out; break; default: errx(1, "protocol %d not supported", proto); } so = &xip->xi_socket; if ((xip->inp_vflag & vflag) == 0) continue; if (xip->inp_vflag & INP_IPV4) { if ((xip->inp_fport == 0 && !opt_l) || (xip->inp_fport != 0 && !opt_c)) continue; #define __IN_IS_ADDR_LOOPBACK(pina) \ ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) if (opt_L && (__IN_IS_ADDR_LOOPBACK(&xip->inp_faddr) || __IN_IS_ADDR_LOOPBACK(&xip->inp_laddr))) continue; #undef __IN_IS_ADDR_LOOPBACK } else if (xip->inp_vflag & INP_IPV6) { if ((xip->inp_fport == 0 && !opt_l) || (xip->inp_fport != 0 && !opt_c)) continue; if (opt_L && (IN6_IS_ADDR_LOOPBACK(&xip->in6p_faddr) || IN6_IS_ADDR_LOOPBACK(&xip->in6p_laddr))) continue; } else { if (opt_v) warnx("invalid vflag 0x%x", xip->inp_vflag); continue; } if ((sock = calloc(1, sizeof(*sock))) == NULL) err(1, "malloc()"); if ((laddr = calloc(1, sizeof *laddr)) == NULL) err(1, "malloc()"); if ((faddr = calloc(1, sizeof *faddr)) == NULL) err(1, "malloc()"); sock->socket = so->xso_so; sock->proto = proto; sock->inp_gencnt = xip->inp_gencnt; if (xip->inp_vflag & INP_IPV4) { sock->family = AF_INET; sockaddr(&laddr->address, sock->family, &xip->inp_laddr, xip->inp_lport); sockaddr(&faddr->address, sock->family, &xip->inp_faddr, xip->inp_fport); } else if (xip->inp_vflag & INP_IPV6) { sock->family = AF_INET6; sockaddr(&laddr->address, sock->family, &xip->in6p_laddr, xip->inp_lport); sockaddr(&faddr->address, sock->family, &xip->in6p_faddr, xip->inp_fport); } if (proto == IPPROTO_TCP) faddr->encaps_port = xtp->xt_encaps_port; laddr->next = NULL; faddr->next = NULL; sock->laddr = laddr; sock->faddr = faddr; sock->vflag = xip->inp_vflag; if (proto == IPPROTO_TCP) { sock->state = xtp->t_state; memcpy(sock->stack, xtp->xt_stack, TCP_FUNCTION_NAME_LEN_MAX); memcpy(sock->cc, xtp->xt_cc, TCP_CA_NAME_MAX); } sock->protoname = protoname; if (sock->socket != 0) RB_INSERT(socks_t, &socks, sock); else SLIST_INSERT_HEAD(&nosocks, sock, socket_list); } out: free(buf); } static void gather_unix(int proto) { struct xunpgen *xug, *exug; struct xunpcb *xup; struct sock *sock; struct addr *laddr, *faddr; const char *varname, *protoname; size_t len, bufsize; void *buf; int retry; switch (proto) { case SOCK_STREAM: varname = "net.local.stream.pcblist"; protoname = "stream"; break; case SOCK_DGRAM: varname = "net.local.dgram.pcblist"; protoname = "dgram"; break; case SOCK_SEQPACKET: varname = "net.local.seqpacket.pcblist"; protoname = "seqpac"; break; default: abort(); } buf = NULL; bufsize = 8192; retry = 5; do { for (;;) { if ((buf = realloc(buf, bufsize)) == NULL) err(1, "realloc()"); len = bufsize; if (cap_sysctlbyname(capsysctl, varname, buf, &len, NULL, 0) == 0) break; if (errno != ENOMEM || len != bufsize) err(1, "cap_sysctlbyname()"); bufsize *= 2; } xug = (struct xunpgen *)buf; exug = (struct xunpgen *)(void *) ((char *)buf + len - sizeof(*exug)); if (!check_ksize(xug->xug_len, struct xunpgen) || !check_ksize(exug->xug_len, struct xunpgen)) goto out; } while (xug->xug_gen != exug->xug_gen && retry--); if (xug->xug_gen != exug->xug_gen && opt_v) warnx("warning: data may be inconsistent"); for (;;) { xug = (struct xunpgen *)(void *)((char *)xug + xug->xug_len); if (xug >= exug) break; xup = (struct xunpcb *)xug; if (!check_ksize(xup->xu_len, struct xunpcb)) goto out; if ((xup->unp_conn == 0 && !opt_l) || (xup->unp_conn != 0 && !opt_c)) continue; if ((sock = calloc(1, sizeof(*sock))) == NULL) err(1, "malloc()"); if ((laddr = calloc(1, sizeof *laddr)) == NULL) err(1, "malloc()"); if ((faddr = calloc(1, sizeof *faddr)) == NULL) err(1, "malloc()"); sock->socket = xup->xu_socket.xso_so; sock->pcb = xup->xu_unpp; sock->proto = proto; sock->family = AF_UNIX; sock->protoname = protoname; if (xup->xu_addr.sun_family == AF_UNIX) laddr->address = *(struct sockaddr_storage *)(void *)&xup->xu_addr; faddr->conn = xup->unp_conn; faddr->firstref = xup->xu_firstref; faddr->nextref = xup->xu_nextref; laddr->next = NULL; faddr->next = NULL; sock->laddr = laddr; sock->faddr = faddr; RB_INSERT(socks_t, &socks, sock); RB_INSERT(pcbs_t, &pcbs, sock); } out: free(buf); } static void getfiles(void) { struct xfile *xfiles; size_t len, olen; olen = len = sizeof(*xfiles); if ((xfiles = malloc(len)) == NULL) err(1, "malloc()"); while (cap_sysctlbyname(capsysctl, "kern.file", xfiles, &len, 0, 0) == -1) { if (errno != ENOMEM || len != olen) err(1, "cap_sysctlbyname()"); olen = len *= 2; if ((xfiles = realloc(xfiles, len)) == NULL) err(1, "realloc()"); } if (len > 0) enforce_ksize(xfiles->xf_size, struct xfile); nfiles = len / sizeof(*xfiles); if ((files = malloc(nfiles * sizeof(struct file))) == NULL) err(1, "malloc()"); for (int i = 0; i < nfiles; i++) { files[i].xf_data = xfiles[i].xf_data; files[i].xf_pid = xfiles[i].xf_pid; files[i].xf_uid = xfiles[i].xf_uid; files[i].xf_fd = xfiles[i].xf_fd; RB_INSERT(files_t, &ftree, &files[i]); } free(xfiles); } static int printaddr(struct sockaddr_storage *ss) { struct sockaddr_un *sun; char addrstr[NI_MAXHOST] = { '\0', '\0' }; int error, off, port = 0; switch (ss->ss_family) { case AF_INET: if (sstosin(ss)->sin_addr.s_addr == INADDR_ANY) addrstr[0] = '*'; port = ntohs(sstosin(ss)->sin_port); break; case AF_INET6: if (IN6_IS_ADDR_UNSPECIFIED(&sstosin6(ss)->sin6_addr)) addrstr[0] = '*'; port = ntohs(sstosin6(ss)->sin6_port); break; case AF_UNIX: sun = sstosun(ss); off = (int)((char *)&sun->sun_path - (char *)sun); return (xprintf("%.*s", sun->sun_len - off, sun->sun_path)); } if (addrstr[0] == '\0') { error = cap_getnameinfo(capnet, sstosa(ss), ss->ss_len, addrstr, sizeof(addrstr), NULL, 0, NI_NUMERICHOST); if (error) errx(1, "cap_getnameinfo()"); } if (port == 0) return xprintf("%s:*", addrstr); else return xprintf("%s:%d", addrstr, port); } static const char * getprocname(pid_t pid) { static struct kinfo_proc proc; size_t len; int mib[4]; mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; mib[3] = (int)pid; len = sizeof(proc); if (cap_sysctl(capsysctl, mib, nitems(mib), &proc, &len, NULL, 0) == -1) { /* Do not warn if the process exits before we get its name. */ if (errno != ESRCH) warn("cap_sysctl()"); return ("??"); } return (proc.ki_comm); } static int getprocjid(pid_t pid) { static struct kinfo_proc proc; size_t len; int mib[4]; mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; mib[3] = (int)pid; len = sizeof(proc); if (cap_sysctl(capsysctl, mib, nitems(mib), &proc, &len, NULL, 0) == -1) { /* Do not warn if the process exits before we get its jid. */ if (errno != ESRCH) warn("cap_sysctl()"); return (-1); } return (proc.ki_jid); } static int check_ports(struct sock *s) { int port; struct addr *addr; if (ports == NULL) return (1); if ((s->family != AF_INET) && (s->family != AF_INET6)) return (1); for (addr = s->laddr; addr != NULL; addr = addr->next) { if (s->family == AF_INET) port = ntohs(sstosin(&addr->address)->sin_port); else port = ntohs(sstosin6(&addr->address)->sin6_port); if (CHK_PORT(port)) return (1); } for (addr = s->faddr; addr != NULL; addr = addr->next) { if (s->family == AF_INET) port = ntohs(sstosin(&addr->address)->sin_port); else port = ntohs(sstosin6(&addr->address)->sin6_port); if (CHK_PORT(port)) return (1); } return (0); } static const char * sctp_conn_state(int state) { switch (state) { case SCTP_CLOSED: return "CLOSED"; break; case SCTP_BOUND: return "BOUND"; break; case SCTP_LISTEN: return "LISTEN"; break; case SCTP_COOKIE_WAIT: return "COOKIE_WAIT"; break; case SCTP_COOKIE_ECHOED: return "COOKIE_ECHOED"; break; case SCTP_ESTABLISHED: return "ESTABLISHED"; break; case SCTP_SHUTDOWN_SENT: return "SHUTDOWN_SENT"; break; case SCTP_SHUTDOWN_RECEIVED: return "SHUTDOWN_RECEIVED"; break; case SCTP_SHUTDOWN_ACK_SENT: return "SHUTDOWN_ACK_SENT"; break; case SCTP_SHUTDOWN_PENDING: return "SHUTDOWN_PENDING"; break; default: return "UNKNOWN"; break; } } static const char * sctp_path_state(int state) { switch (state) { case SCTP_UNCONFIRMED: return "UNCONFIRMED"; break; case SCTP_ACTIVE: return "ACTIVE"; break; case SCTP_INACTIVE: return "INACTIVE"; break; default: return "UNKNOWN"; break; } } static void displaysock(struct sock *s, int pos) { int first, offset; struct addr *laddr, *faddr; while (pos < 30) pos += xprintf(" "); pos += xprintf("%s", s->protoname); if (s->vflag & INP_IPV4) pos += xprintf("4"); if (s->vflag & INP_IPV6) pos += xprintf("6"); if (s->vflag & (INP_IPV4 | INP_IPV6)) pos += xprintf(" "); laddr = s->laddr; faddr = s->faddr; first = 1; while (laddr != NULL || faddr != NULL) { offset = 37; while (pos < offset) pos += xprintf(" "); switch (s->family) { case AF_INET: case AF_INET6: if (laddr != NULL) { pos += printaddr(&laddr->address); if (s->family == AF_INET6 && pos >= 58) pos += xprintf(" "); } offset += opt_w ? 46 : 22; while (pos < offset) pos += xprintf(" "); if (faddr != NULL) pos += printaddr(&faddr->address); offset += opt_w ? 46 : 22; break; case AF_UNIX: if ((laddr == NULL) || (faddr == NULL)) errx(1, "laddr = %p or faddr = %p is NULL", (void *)laddr, (void *)faddr); if (laddr->address.ss_len == 0 && faddr->conn == 0) { pos += xprintf("(not connected)"); offset += opt_w ? 92 : 44; break; } /* Local bind(2) address, if any. */ if (laddr->address.ss_len > 0) pos += printaddr(&laddr->address); /* Remote peer we connect(2) to, if any. */ if (faddr->conn != 0) { struct sock *p; pos += xprintf("%s-> ", laddr->address.ss_len > 0 ? " " : ""); p = RB_FIND(pcbs_t, &pcbs, &(struct sock){ .pcb = faddr->conn }); if (__predict_false(p == NULL)) { /* XXGL: can this happen at all? */ pos += xprintf("??"); } else if (p->laddr->address.ss_len == 0) { struct file *f; f = RB_FIND(files_t, &ftree, &(struct file){ .xf_data = p->socket }); pos += xprintf("[%lu %d]", (u_long)f->xf_pid, f->xf_fd); } else pos += printaddr(&p->laddr->address); } /* Remote peer(s) connect(2)ed to us, if any. */ if (faddr->firstref != 0) { struct sock *p; struct file *f; kvaddr_t ref = faddr->firstref; bool fref = true; pos += xprintf(" <- "); while ((p = RB_FIND(pcbs_t, &pcbs, &(struct sock){ .pcb = ref })) != 0) { f = RB_FIND(files_t, &ftree, &(struct file){ .xf_data = p->socket }); pos += xprintf("%s[%lu %d]", fref ? "" : ",", (u_long)f->xf_pid, f->xf_fd); ref = p->faddr->nextref; fref = false; } } offset += opt_w ? 92 : 44; break; default: abort(); } if (opt_i) { if (s->proto == IPPROTO_TCP || s->proto == IPPROTO_UDP) { while (pos < offset) pos += xprintf(" "); pos += xprintf("%" PRIu64, s->inp_gencnt); } offset += 9; } if (opt_U) { if (faddr != NULL && ((s->proto == IPPROTO_SCTP && s->state != SCTP_CLOSED && s->state != SCTP_BOUND && s->state != SCTP_LISTEN) || (s->proto == IPPROTO_TCP && s->state != TCPS_CLOSED && s->state != TCPS_LISTEN))) { while (pos < offset) pos += xprintf(" "); pos += xprintf("%u", ntohs(faddr->encaps_port)); } offset += 7; } if (opt_s) { if (faddr != NULL && s->proto == IPPROTO_SCTP && s->state != SCTP_CLOSED && s->state != SCTP_BOUND && s->state != SCTP_LISTEN) { while (pos < offset) pos += xprintf(" "); pos += xprintf("%s", sctp_path_state(faddr->state)); } offset += 13; } if (first) { if (opt_s) { if (s->proto == IPPROTO_SCTP || s->proto == IPPROTO_TCP) { while (pos < offset) pos += xprintf(" "); switch (s->proto) { case IPPROTO_SCTP: pos += xprintf("%s", sctp_conn_state(s->state)); break; case IPPROTO_TCP: if (s->state >= 0 && s->state < TCP_NSTATES) pos += xprintf("%s", tcpstates[s->state]); else pos += xprintf("?"); break; } } offset += 13; } if (opt_S) { if (s->proto == IPPROTO_TCP) { while (pos < offset) pos += xprintf(" "); pos += xprintf("%.*s", TCP_FUNCTION_NAME_LEN_MAX, s->stack); } offset += TCP_FUNCTION_NAME_LEN_MAX + 1; } if (opt_C) { if (s->proto == IPPROTO_TCP) { while (pos < offset) pos += xprintf(" "); xprintf("%.*s", TCP_CA_NAME_MAX, s->cc); } offset += TCP_CA_NAME_MAX + 1; } } if (laddr != NULL) laddr = laddr->next; if (faddr != NULL) faddr = faddr->next; if ((laddr != NULL) || (faddr != NULL)) { xprintf("\n"); pos = 0; } first = 0; } xprintf("\n"); } static void display(void) { struct passwd *pwd; struct file *xf; struct sock *s; int n, pos; if (opt_q != 1) { printf("%-8s %-10s %-5s %-3s %-6s %-*s %-*s", "USER", "COMMAND", "PID", "FD", "PROTO", opt_w ? 45 : 21, "LOCAL ADDRESS", opt_w ? 45 : 21, "FOREIGN ADDRESS"); if (opt_i) printf(" %-8s", "ID"); if (opt_U) printf(" %-6s", "ENCAPS"); if (opt_s) { printf(" %-12s", "PATH STATE"); printf(" %-12s", "CONN STATE"); } if (opt_S) printf(" %-*.*s", TCP_FUNCTION_NAME_LEN_MAX, TCP_FUNCTION_NAME_LEN_MAX, "STACK"); if (opt_C) printf(" %-.*s", TCP_CA_NAME_MAX, "CC"); printf("\n"); } cap_setpassent(cappwd, 1); for (xf = files, n = 0; n < nfiles; ++n, ++xf) { if (xf->xf_data == 0) continue; if (opt_j >= 0 && opt_j != getprocjid(xf->xf_pid)) continue; s = RB_FIND(socks_t, &socks, &(struct sock){ .socket = xf->xf_data}); if (s != NULL && check_ports(s)) { s->shown = 1; pos = 0; if (opt_n || (pwd = cap_getpwuid(cappwd, xf->xf_uid)) == NULL) pos += xprintf("%lu ", (u_long)xf->xf_uid); else pos += xprintf("%s ", pwd->pw_name); while (pos < 9) pos += xprintf(" "); pos += xprintf("%.10s", getprocname(xf->xf_pid)); while (pos < 20) pos += xprintf(" "); pos += xprintf("%5lu ", (u_long)xf->xf_pid); while (pos < 26) pos += xprintf(" "); pos += xprintf("%-3d ", xf->xf_fd); displaysock(s, pos); } } if (opt_j >= 0) return; SLIST_FOREACH(s, &nosocks, socket_list) { if (!check_ports(s)) continue; pos = xprintf("%-8s %-10s %-5s %-2s ", "?", "?", "?", "?"); displaysock(s, pos); } RB_FOREACH(s, socks_t, &socks) { if (s->shown) continue; if (!check_ports(s)) continue; pos = xprintf("%-8s %-10s %-5s %-2s ", "?", "?", "?", "?"); displaysock(s, pos); } } static int set_default_protos(void) { struct protoent *prot; const char *pname; size_t pindex; init_protos(default_numprotos); for (pindex = 0; pindex < default_numprotos; pindex++) { pname = default_protos[pindex]; prot = cap_getprotobyname(capnetdb, pname); if (prot == NULL) err(1, "cap_getprotobyname: %s", pname); protos[pindex] = prot->p_proto; } numprotos = pindex; return (pindex); } /* * Return the vnet property of the jail, or -1 on error. */ static int jail_getvnet(int jid) { struct iovec jiov[6]; int vnet; size_t len = sizeof(vnet); if (sysctlbyname("kern.features.vimage", &vnet, &len, NULL, 0) != 0) return (0); vnet = -1; jiov[0].iov_base = __DECONST(char *, "jid"); jiov[0].iov_len = sizeof("jid"); jiov[1].iov_base = &jid; jiov[1].iov_len = sizeof(jid); jiov[2].iov_base = __DECONST(char *, "vnet"); jiov[2].iov_len = sizeof("vnet"); jiov[3].iov_base = &vnet; jiov[3].iov_len = sizeof(vnet); jiov[4].iov_base = __DECONST(char *, "errmsg"); jiov[4].iov_len = sizeof("errmsg"); jiov[5].iov_base = jail_errmsg; jiov[5].iov_len = JAIL_ERRMSGLEN; jail_errmsg[0] = '\0'; if (jail_get(jiov, nitems(jiov), 0) < 0) { if (!jail_errmsg[0]) snprintf(jail_errmsg, JAIL_ERRMSGLEN, "jail_get: %s", strerror(errno)); return (-1); } return (vnet); } static void usage(void) { fprintf(stderr, "usage: sockstat [-46CciLlnqSsUuvw] [-j jid] [-p ports] [-P protocols]\n"); exit(1); } int main(int argc, char *argv[]) { cap_channel_t *capcas; cap_net_limit_t *limit; const char *pwdcmds[] = { "setpassent", "getpwuid" }; const char *pwdfields[] = { "pw_name" }; int protos_defined = -1; int o, i; opt_j = -1; while ((o = getopt(argc, argv, "46Ccij:Llnp:P:qSsUuvw")) != -1) switch (o) { case '4': opt_4 = 1; break; case '6': opt_6 = 1; break; case 'C': opt_C = 1; break; case 'c': opt_c = 1; break; case 'i': opt_i = 1; break; case 'j': opt_j = jail_getid(optarg); if (opt_j < 0) errx(1, "jail_getid: %s", jail_errmsg); break; case 'L': opt_L = 1; break; case 'l': opt_l = 1; break; case 'n': opt_n = 1; break; case 'p': parse_ports(optarg); break; case 'P': protos_defined = parse_protos(optarg); break; case 'q': opt_q = 1; break; case 'S': opt_S = 1; break; case 's': opt_s = 1; break; case 'U': opt_U = 1; break; case 'u': opt_u = 1; break; case 'v': ++opt_v; break; case 'w': opt_w = 1; break; default: usage(); } argc -= optind; argv += optind; if (argc > 0) usage(); if (opt_j > 0) { switch (jail_getvnet(opt_j)) { case -1: errx(2, "jail_getvnet: %s", jail_errmsg); case JAIL_SYS_NEW: if (jail_attach(opt_j) < 0) err(3, "jail_attach()"); /* Set back to -1 for normal output in vnet jail. */ opt_j = -1; break; default: break; } } capcas = cap_init(); if (capcas == NULL) err(1, "Unable to contact Casper"); if (caph_enter_casper() < 0) err(1, "Unable to enter capability mode"); capnet = cap_service_open(capcas, "system.net"); if (capnet == NULL) err(1, "Unable to open system.net service"); capnetdb = cap_service_open(capcas, "system.netdb"); if (capnetdb == NULL) err(1, "Unable to open system.netdb service"); capsysctl = cap_service_open(capcas, "system.sysctl"); if (capsysctl == NULL) err(1, "Unable to open system.sysctl service"); cappwd = cap_service_open(capcas, "system.pwd"); if (cappwd == NULL) err(1, "Unable to open system.pwd service"); cap_close(capcas); limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME); if (limit == NULL) err(1, "Unable to init cap_net limits"); if (cap_net_limit(limit) < 0) err(1, "Unable to apply limits"); if (cap_pwd_limit_cmds(cappwd, pwdcmds, nitems(pwdcmds)) < 0) err(1, "Unable to apply pwd commands limits"); if (cap_pwd_limit_fields(cappwd, pwdfields, nitems(pwdfields)) < 0) err(1, "Unable to apply pwd commands limits"); if ((!opt_4 && !opt_6) && protos_defined != -1) opt_4 = opt_6 = 1; if (!opt_4 && !opt_6 && !opt_u) opt_4 = opt_6 = opt_u = 1; if ((opt_4 || opt_6) && protos_defined == -1) protos_defined = set_default_protos(); if (!opt_c && !opt_l) opt_c = opt_l = 1; if (opt_4 || opt_6) { for (i = 0; i < protos_defined; i++) if (protos[i] == IPPROTO_SCTP) gather_sctp(); else gather_inet(protos[i]); } if (opt_u || (protos_defined == -1 && !opt_4 && !opt_6)) { gather_unix(SOCK_STREAM); gather_unix(SOCK_DGRAM); gather_unix(SOCK_SEQPACKET); } getfiles(); display(); exit(0); }