Merge branch 'master' of github.com:RWTH-ACS/S2SS

contrib/liveusb/etc/image-release

@@ -0,0 +1 @@
+0.5-turin

contrib/liveusb/etc/image/setup.sh

@@ -0,0 +1 @@
+setup.sh

contrib/liveusb/etc/modprobe.d/blacklist.conf

@@ -0,0 +1,3 @@
+blacklist snd_hda_intel
+blacklist nouveau
+blacklist mei_me

contrib/liveusb/etc/modprobe.d/e1000e.conf

@@ -0,0 +1,3 @@
+# More conservative interrupt throttling for better latency
+# https://www.kernel.org/doc/Documentation/networking/e1000e.txt
+option e1000e InterruptThrottleRate=1

contrib/liveusb/etc/sysconfig/ip6tables

@@ -0,0 +1,31 @@
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+
+# Allow loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# Allow established connections, and those not coming from the outside
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Allow HTTP
+-A INPUT -p tcp --dport http -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow SSH
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow Tinc
+-A INPUT -p udp --dport tinc -j ACCEPT
+-A INPUT -p tcp --dport tinc -j ACCEPT
+
+# Accept Pings
+-A INPUT -p icmpv6 -j ACCEPT
+
+# Reject everything else
+-A INPUT -j REJECT
+
+# We wont act as a router
+-A FORWARD -j REJECT
+
+COMMIT

contrib/liveusb/etc/sysconfig/iptables

@@ -0,0 +1,34 @@
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+
+# Allow loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# Allow established connections, and those not coming from the outside
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Allow HTTP
+-A INPUT -p tcp --dport http -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow VPN
+-A INPUT -s 10.0.0.0/8 -j ACCEPT
+
+# Allow SSH
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow Tinc
+-A INPUT -p udp --dport tinc -j ACCEPT
+-A INPUT -p tcp --dport tinc -j ACCEPT
+
+# Accept Pings
+-A INPUT -p icmp -j ACCEPT
+
+# Reject everything else
+-A INPUT -j REJECT
+
+# We wont act as a router
+-A FORWARD -j REJECT
+
+COMMIT

contrib/liveusb/etc/sysconfig/network

@@ -0,0 +1 @@
+NETWORKING=yes

contrib/liveusb/etc/systemd/system/dhclient.service

@@ -1,11 +1,15 @@
 [Unit]
 Description=dhclient on all interfaces
 Wants=network.target
-Before=network.target
  
 [Service]
 Type=forking
-ExecStart=/sbin/dhclient -4
+ExecStart=/sbin/dhclient -4 -w
+
+Restart=on-failure
+RestartSec=10
+
+TimeoutSec=60
  
 [Install]
 WantedBy=network.target

contrib/liveusb/etc/systemd/system/setup.service

@@ -1,17 +1,16 @@
 [Unit]
 Description=S2SS LiveUSB Image setup
-Requires=dhclient.service network.service
-After=dhclient.service
+Requires=network-online.target
 
 [Service]
 Type=simple
-ExecStart=/s2ss/contrib/liveusb/setup.sh
+ExecStart=/etc/image/setup.sh
 RemainAfterExit=yes
 
-TimeoutSec=120
-
 Restart=on-failure
 RestartSec=10
 
+TimeoutSec=60
+
 [Install]
 WantedBy=multi-user.target

contrib/liveusb/setup.sh

@@ -4,12 +4,21 @@ set -e
 
 RECIPIENTS="stvogel@eonerc.rwth-aachen.de,mstevic@eonerc.rwth-aachen.de"
 
-SERVER=tux.0l.de
+SERVER=s2ss.0l.de
 USER=acs
 
 PORT=$(shuf -i 60000-65535 -n 1)
 
+# wait for working network connection
+while ! curl http://canihazip.com/s &> /dev/null; do
+	sleep 1
+done
+
 IP=$(curl -s http://canihazip.com/s)
+HOSTNAME=$(dig +short -x $IP)
+if [ -z "$HOSTNAME" ]; then
+	HOSTNAME=$(hostname)
+fi
 
 # check if system has net connectivity. otherwise die...
 ssh -q -o ConnectTimeout=2 $USER@$SERVER
@@ -27,6 +36,7 @@ To: $RECIPIENTS
 
 There's a new host with the S2SS LiveUSB Image running:
 
+Version: $(cat /etc/image-release)
 Reverse SSH tunnel port: $PORT
 Internet IP: $IP
 Hostname: $HOSTNAME

server/Makefile

@@ -15,15 +15,13 @@ LDLIBS = -pthread -lrt -lm -lconfig
 CFLAGS  = -std=gnu99 -Iinclude/ -MMD -Wall -O3
 CFLAGS += -D_XOPEN_SOURCE=500 -D_GNU_SOURCE -DV=$(V)
 
-# Add git commit hash
-ifneq (,$(shell which git))
-	CFLAGS += -D_GIT_REV='"$(shell git rev-parse --short HEAD)"'
-endif
-
-# Conditional debug flags
+# Add more compiler flags
 ifdef DEBUG
 	CFLAGS += -O0 -g
 endif
+ifneq (,$(shell which git))
+	CFLAGS += -D_GIT_REV='"$(shell git rev-parse --short HEAD)"'
+endif
 
 # Enabled GTFPGA support when libpci is available
 ifneq (,$(wildcard /usr/include/pci/pci.h))
@@ -42,7 +40,7 @@ ifneq (,$(wildcard $(OPALDIR)/include_target/AsyncApi.h))
 	override OBJS    += opal.o
 endif
 
-.PHONY: all clean
+.PHONY: all clean strip protected
 
 # Default target: build everything
 all: $(TARGETS)
@@ -54,10 +52,14 @@ receive: receive.o $(OBJS)
 random: random.o $(OBJS)
 test: test.o $(OBJS)
 
+protected: CFLAGS += -DPROTECT -DVALID_UNTIL=$(shell date -d "now +5months" +%s) -s -O3 -fvisibility=hidden
+protected: clean strip
+
 strip: $(TARGETS)
 	strip	--remove-section=.comment \
 		--remove-section=.note \
-		--strip-unneeded \
+		--strip-debug \
+		--strip-all \
 		$(TARGETS) 
 	
 

server/include/license.h

@@ -0,0 +1,47 @@
+#ifdef PROTECT
+
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <sys/ptrace.h>
+
+/** Check for correct license */
+static inline __attribute__((always_inline)) int check_license()
+{
+	const struct {
+		char *file, *content;
+		off_t offset;
+	} checks[] = {
+		{ "/sys/class/dmi/id/product_uuid", "5002E503-4904-EB05-7406-0C0700080009" },
+		{ "/sys/class/net/eth0/address" , "50:e5:49:eb:74:0c" },
+		{ "/etc/machine-id", "0d8399d0216314f083b9ed2053a354a8" },
+		{ "/dev/sda2", "\x53\xf6\xb5\xeb\x8b\x16\x46\xdc\x8d\x8f\x5b\x70\xb8\xc9\x1a\x2a", 0x468 }, /* EXT4 UUID */
+	};
+
+	if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0)
+		return -1;
+
+	if (time(NULL) > VALID_UNTIL)
+		return -1;
+
+	FILE *f;
+	char buf[128];
+	
+	for (int i = 0; i < ARRAY_LEN(checks); i++) {
+		f = fopen(checks[i].file, "r");
+		if (!f)
+			return -1;
+
+		fseek(f, checks[i].offset, SEEK_SET);
+		fgets(buf, sizeof(buf), f);
+		fclose(f);
+
+		if (strncmp(buf, checks[i].content, strlen(checks[i].content)))
+			return -1;
+	}
+
+	return 0;
+}
+#else
+ #define check_license() (0)
+#endif

server/include/utils.h

@@ -14,6 +14,7 @@
 #include <errno.h>
 #include <sched.h>
 #include <string.h>
+#include <time.h>
 #include <sys/types.h>
 
 #include "log.h"

server/src/server.c

@@ -18,6 +18,7 @@
 #include "cfg.h"
 #include "path.h"
 #include "node.h"
+#include "license.h"
 
 #ifdef ENABLE_OPAL_ASYNC
 #include "opal.h"
@@ -128,6 +129,9 @@ int main(int argc, char *argv[])
 	if (getuid() != 0)
 		error("The server requires superuser privileges!");
 
+	if (check_license())
+		error("You're not allowed to use this software!");
+
 	/* Initialize lists */
 	list_init(&nodes, (dtor_cb_t) node_destroy);
 	list_init(&paths, (dtor_cb_t) path_destroy);

server/src/utils.c

@@ -8,13 +8,13 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <time.h>
 #include <errno.h>
 #include <unistd.h>
 #include <netdb.h>
 #include <math.h>
 #include <signal.h>
 #include <pthread.h>
+#include <fstab.h>
 
 #ifdef ENABLE_OPAL_ASYNC
 #define RTLAB