diff --git a/contrib/liveusb/etc/image-release b/contrib/liveusb/etc/image-release
new file mode 100644
index 000000000..bd8b58947
--- /dev/null
+++ b/contrib/liveusb/etc/image-release
@@ -0,0 +1 @@
+0.5-turin
diff --git a/contrib/liveusb/etc/image/setup.sh b/contrib/liveusb/etc/image/setup.sh
new file mode 120000
index 000000000..a645eb309
--- /dev/null
+++ b/contrib/liveusb/etc/image/setup.sh
@@ -0,0 +1 @@
+setup.sh
\ No newline at end of file
diff --git a/contrib/liveusb/etc/modprobe.d/blacklist.conf b/contrib/liveusb/etc/modprobe.d/blacklist.conf
new file mode 100644
index 000000000..6874104fc
--- /dev/null
+++ b/contrib/liveusb/etc/modprobe.d/blacklist.conf
@@ -0,0 +1,3 @@
+blacklist snd_hda_intel
+blacklist nouveau
+blacklist mei_me
diff --git a/contrib/liveusb/etc/modprobe.d/e1000e.conf b/contrib/liveusb/etc/modprobe.d/e1000e.conf
new file mode 100644
index 000000000..74dea577d
--- /dev/null
+++ b/contrib/liveusb/etc/modprobe.d/e1000e.conf
@@ -0,0 +1,3 @@
+# More conservative interrupt throttling for better latency
+# https://www.kernel.org/doc/Documentation/networking/e1000e.txt
+option e1000e InterruptThrottleRate=1
diff --git a/contrib/liveusb/etc/sysconfig/ip6tables b/contrib/liveusb/etc/sysconfig/ip6tables
new file mode 100644
index 000000000..13f6e5ed7
--- /dev/null
+++ b/contrib/liveusb/etc/sysconfig/ip6tables
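Review bot: The link text `setup.sh` is a relative target resolved inside `contrib/liveusb/etc/image/`, so once installed `/etc/image/setup.sh` points at itself and executing it fails with ELOOP; setup.service's new `ExecStart=/etc/image/setup.sh` would then never start the script. If the intent is to reach `contrib/liveusb/setup.sh`, the link needs a target that leaves the directory (e.g. `../../setup.sh`) or an absolute path under the image root — unless the image build replaces the link with a copy of the real script, which is not visible in this commit.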
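Review bot: `blacklist` only suppresses alias-based autoloading; `snd_hda_intel`, `nouveau` and `mei_me` can still be loaded by name or pulled in as a dependency of another module. If the image must guarantee these drivers never load, pair each entry with an `install <module> /bin/false` line. No reason is recorded for any of the three entries, so a one-line comment per module stating why it is blocked would make the list auditable later.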
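Review bot: `option e1000e InterruptThrottleRate=1` uses `option`, which is not a modprobe.d command — the keyword is `options` — so the line is rejected and the throttling setting described in the comment above it is never applied. Change it to `options e1000e InterruptThrottleRate=1`.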
@@ -0,0 +1,31 @@
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+
+# Allow loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# Allow established connections, and those not coming from the outside
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Allow HTTP
+-A INPUT -p tcp --dport http -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow SSH
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow Tinc
+-A INPUT -p udp --dport tinc -j ACCEPT
+-A INPUT -p tcp --dport tinc -j ACCEPT
+
+# Accept Pings
+-A INPUT -p icmpv6 -j ACCEPT
+
+# Reject everything else
+-A INPUT -j REJECT
+
+# We wont act as a router
+-A FORWARD -j REJECT
+
+COMMIT
diff --git a/contrib/liveusb/etc/sysconfig/iptables b/contrib/liveusb/etc/sysconfig/iptables
new file mode 100644
index 000000000..cfdd9d2f3
--- /dev/null
+++ b/contrib/liveusb/etc/sysconfig/iptables
@@ -0,0 +1,34 @@
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+
+# Allow loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# Allow established connections, and those not coming from the outside
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Allow HTTP
+-A INPUT -p tcp --dport http -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow VPN
+-A INPUT -s 10.0.0.0/8 -j ACCEPT
+
+# Allow SSH
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow Tinc
+-A INPUT -p udp --dport tinc -j ACCEPT
+-A INPUT -p tcp --dport tinc -j ACCEPT
+
+# Accept Pings
+-A INPUT -p icmp -j ACCEPT
+
+# Reject everything else
+-A INPUT -j REJECT
+
+# We wont act as a router
+-A FORWARD -j REJECT
+
+COMMIT
diff --git a/contrib/liveusb/etc/sysconfig/network b/contrib/liveusb/etc/sysconfig/network
new file mode 100644
index 000000000..61c4a5ad8
--- /dev/null
+++ b/contrib/liveusb/etc/sysconfig/network
@@ -0,0 +1 @@
+NETWORKING=yes
diff --git a/contrib/liveusb/etc/systemd/system/dhclient.service b/contrib/liveusb/etc/systemd/system/dhclient.service
index 002f7ad7d..71f78f25f 100644
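Review bot: The comment `# Accept Pings` above `-A INPUT -p icmpv6 -j ACCEPT` understates the rule: it admits every ICMPv6 type, which on IPv6 is necessary (neighbour discovery, router advertisements, path-MTU) but is much broader than echo, so say so: `# Allow all ICMPv6 (NDP, RA, PMTU as well as ping)`. Likewise `# Allow established connections, and those not coming from the outside` describes only the `RELATED,ESTABLISHED` match — nothing in the rule distinguishes inside from outside — so the second clause should go; the same comment appears in the iptables file added by this commit.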
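Review bot: `-A INPUT -s 10.0.0.0/8 -j ACCEPT` under `# Allow VPN` accepts every protocol and port from any 10/8 source on any interface, not only traffic arriving through the VPN. A LiveUSB booted on a LAN that happens to use 10.0.0.0/8 (a very common RFC 1918 choice) exposes every listening service on the host to all of its neighbours, bypassing the HTTP/SSH/Tinc whitelist that follows. Bind the rule to the tunnel interface, `-A INPUT -i <tinc-interface> -s 10.0.0.0/8 -j ACCEPT` (the tinc interface name is not visible in this commit), or restrict it to the ports the VPN peers actually need.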
--- a/contrib/liveusb/etc/systemd/system/dhclient.service +++ b/contrib/liveusb/etc/systemd/system/dhclient.service @@ -1,11 +1,15 @@ [Unit] Description=dhclient on all interfaces Wants=network.target -Before=network.target [Service] Type=forking -ExecStart=/sbin/dhclient -4 +ExecStart=/sbin/dhclient -4 -w + +Restart=on-failure +RestartSec=10 + +TimeoutSec=60 [Install] WantedBy=network.target diff --git a/contrib/liveusb/etc/systemd/system/setup.service b/contrib/liveusb/etc/systemd/system/setup.service index 50206d3cc..b5ea9a011 100644 --- a/contrib/liveusb/etc/systemd/system/setup.service +++ b/contrib/liveusb/etc/systemd/system/setup.service @@ -1,17 +1,16 @@ [Unit] Description=S2SS LiveUSB Image setup -Requires=dhclient.service network.service -After=dhclient.service +Requires=network-online.target [Service] Type=simple -ExecStart=/s2ss/contrib/liveusb/setup.sh +ExecStart=/etc/image/setup.sh RemainAfterExit=yes -TimeoutSec=120 - Restart=on-failure RestartSec=10 +TimeoutSec=60 + [Install] WantedBy=multi-user.target diff --git a/contrib/liveusb/setup.sh b/contrib/liveusb/setup.sh index cb42fa00a..e2918ff18 100755 --- a/contrib/liveusb/setup.sh +++ b/contrib/liveusb/setup.sh @@ -4,12 +4,21 @@ set -e RECIPIENTS="stvogel@eonerc.rwth-aachen.de,mstevic@eonerc.rwth-aachen.de" -SERVER=tux.0l.de +SERVER=s2ss.0l.de USER=acs PORT=$(shuf -i 60000-65535 -n 1) +# wait for working network connection +while ! curl http://canihazip.com/s &> /dev/null; do + sleep 1 +done + IP=$(curl -s http://canihazip.com/s) +HOSTNAME=$(dig +short -x $IP) +if [ -z "$HOSTNAME" ]; then + HOSTNAME=$(hostname) +fi # check if system has net connectivity. otherwise die... ssh -q -o ConnectTimeout=2 $USER@$SERVER @@ -27,6 +36,7 @@ To: $RECIPIENTS There's a new host with the S2SS LiveUSB Image running: +Version: $(cat /etc/image-release) Reverse SSH tunnel port: $PORT Internet IP: $IP Hostname: $HOSTNAME diff --git a/server/Makefile b/server/Makefile index 2057109e4..a99b24aa7 100644 
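Review bot: `Type=forking` is kept but no `PIDFile=` is given, so after `/sbin/dhclient -4 -w` daemonises systemd has to guess the main PID, and `Restart=on-failure` only works if that guess is right; dhclient writes a pid file, so add `PIDFile=<path this build of dhclient writes under /run>`. Note that `-w` keeps dhclient running even when no lease is obtained, so a missing lease is no longer a failure this unit can restart on — presumably why the network wait moved into setup.sh; a comment in the unit stating that would help the next reader. `Before=network.target` was removed while `Wants=network.target` is kept, so nothing orders this unit ahead of network.target any more; say whether that is intended.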
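Review bot: `Requires=network-online.target` creates a dependency but no ordering — systemd applies `Requires=` independently of `After=` — so setup.sh can still be started before the target is reached; add `After=network-online.target` beside it. Moreover network-online.target is only held back by a wait-online unit, and with the custom dhclient.service nothing in this commit delays it, so the target is reached almost immediately and the only effective guard is the curl polling loop added to setup.sh. The removed `After=dhclient.service` was the one ordering that did exist; consider `After=dhclient.service network-online.target`.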
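Review bot: `HOSTNAME=$(dig +short -x $IP)` runs under the file's `set -e`, so when dig itself fails (no resolver reachable, which is plausible on a freshly booted LiveUSB) the script exits before the `if [ -z "$HOSTNAME" ]` fallback is reached; write `HOSTNAME=$(dig +short -x "$IP" || true)`. `$IP` is also the body of an unauthenticated plain-HTTP response that is then interpolated unquoted into the dig command and the notification mail; check it looks like an address before using it, e.g. `[[ $IP =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || IP=unknown`. The `while ! curl …` loop has no upper bound and setup.service's `TimeoutSec=60` does not bound a `Type=simple` service once it is running, so a host with no connectivity sits here forever; if that is intended, a comment saying so would help. The enclosing script continues outside the hunk.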
--- a/server/Makefile
+++ b/server/Makefile
@@ -15,15 +15,13 @@ LDLIBS = -pthread -lrt -lm -lconfig
 CFLAGS = -std=gnu99 -Iinclude/ -MMD -Wall -O3
 CFLAGS += -D_XOPEN_SOURCE=500 -D_GNU_SOURCE -DV=$(V)
-# Add git commit hash
-ifneq (,$(shell which git))
- CFLAGS += -D_GIT_REV='"$(shell git rev-parse --short HEAD)"'
-endif
-
-# Conditional debug flags
+# Add more compiler flags
 ifdef DEBUG
 CFLAGS += -O0 -g
 endif
+ifneq (,$(shell which git))
+ CFLAGS += -D_GIT_REV='"$(shell git rev-parse --short HEAD)"'
+endif
 # Enabled GTFPGA support when libpci is available
 ifneq (,$(wildcard /usr/include/pci/pci.h))
@@ -42,7 +40,7 @@ ifneq (,$(wildcard $(OPALDIR)/include_target/AsyncApi.h))
 override OBJS += opal.o
 endif
-.PHONY: all clean
+.PHONY: all clean strip protected
 # Default target: build everything
 all: $(TARGETS)
@@ -54,10 +52,14 @@ receive: receive.o $(OBJS)
 random: random.o $(OBJS)
 test: test.o $(OBJS)
+protected: CFLAGS += -DPROTECT -DVALID_UNTIL=$(shell date -d "now +5months" +%s) -s -O3 -fvisibility=hidden
+protected: clean strip
+
 strip: $(TARGETS)
 strip --remove-section=.comment \
 --remove-section=.note \
- --strip-unneeded \
+ --strip-debug \
+ --strip-all \
 $(TARGETS)
diff --git a/server/include/license.h b/server/include/license.h
new file mode 100644
index 000000000..187bb1f94
--- /dev/null
+++ b/server/include/license.h
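Review bot: `protected: clean strip` lists two prerequisites with no ordering between them, so under `make -jN` the `strip` target (and the `$(TARGETS)` rebuild it triggers) can run concurrently with or before `clean`, yielding objects that are deleted mid-build or linked without `-DPROTECT`; give `protected` a recipe that runs `$(MAKE) clean` and then `$(MAKE) strip` with the extra flags, instead of relying on prerequisite order. `-DVALID_UNTIL=$(shell date -d "now +5months" +%s)` is evaluated on the builder's clock at build time and `date -d` is GNU-specific; record both in a comment above the rule. `--strip-debug` is redundant next to `--strip-all`, which already removes debug sections, and `-s` in CFLAGS strips at link time as well, so one of the three suffices.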
@@ -0,0 +1,47 @@
+#ifdef PROTECT
+
+#include
+#include
+#include
+#include
+
+/** Check for correct license */
+static inline __attribute__((always_inline)) int check_license()
+{
+ const struct {
+ char *file, *content;
+ off_t offset;
+ } checks[] = {
+ { "/sys/class/dmi/id/product_uuid", "5002E503-4904-EB05-7406-0C0700080009" },
+ { "/sys/class/net/eth0/address" , "50:e5:49:eb:74:0c" },
+ { "/etc/machine-id", "0d8399d0216314f083b9ed2053a354a8" },
+ { "/dev/sda2", "\x53\xf6\xb5\xeb\x8b\x16\x46\xdc\x8d\x8f\x5b\x70\xb8\xc9\x1a\x2a", 0x468 }, /* EXT4 UUID */
+ };
+
+ if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0)
+ return -1;
+
+ if (time(NULL) > VALID_UNTIL)
+ return -1;
+
+ FILE *f;
+ char buf[128];
+
+ for (int i = 0; i < ARRAY_LEN(checks); i++) {
+ f = fopen(checks[i].file, "r");
+ if (!f)
+ return -1;
+
+ fseek(f, checks[i].offset, SEEK_SET);
+ fgets(buf, sizeof(buf), f);
+ fclose(f);
+
+ if (strncmp(buf, checks[i].content, strlen(checks[i].content)))
+ return -1;
+ }
+
+ return 0;
+}
+#else
+ #define check_license() (0)
+#endif
diff --git a/server/include/utils.h b/server/include/utils.h
index 9148443a9..9e43fb125 100644
--- a/server/include/utils.h
+++ b/server/include/utils.h
@@ -14,6 +14,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "log.h"
diff --git a/server/src/server.c b/server/src/server.c
index 602f3b184..2060a3260 100644
--- a/server/src/server.c
+++ b/server/src/server.c
@@ -18,6 +18,7 @@
 #include "cfg.h"
 #include "path.h"
 #include "node.h"
+#include "license.h"
 #ifdef ENABLE_OPAL_ASYNC
 #include "opal.h"
@@ -128,6 +129,9 @@ int main(int argc, char *argv[])
 if (getuid() != 0)
 error("The server requires superuser privileges!");
+ if (check_license())
+ error("You're not allowed to use this software!");
+
 /* Initialize lists */
 list_init(&nodes, (dtor_cb_t) node_destroy);
 list_init(&paths, (dtor_cb_t) path_destroy);
diff --git a/server/src/utils.c b/server/src/utils.c
index 3b1b0a950..33214e92d 100644
--- a/server/src/utils.c
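Review bot: The return values of `fseek` and `fgets` are ignored, so when a read fails (an offset past end of file, or a device that returns nothing) `buf` is never written and `strncmp` compares `checks[i].content` against indeterminate stack bytes — undefined behaviour that can make the check pass or fail at random; replace the two calls with `if (fseek(f, checks[i].offset, SEEK_SET) != 0 || !fgets(buf, sizeof(buf), f)) { fclose(f); return -1; }`. The header has no include guard, so a second inclusion in a `PROTECT` build redefines `check_license` (the `#else` macro form is harmless); add `#pragma once` or a `LICENSE_H` guard at the top. `ptrace(PTRACE_TRACEME, ...)` is a side effect that outlives the call — the process can no longer be attached by a debugger or strace for its lifetime — and `/dev/sda2` and `eth0` assume fixed device and interface names; both deserve a sentence in the doc comment on the function. The loop index `int i` is compared against `ARRAY_LEN(checks)`, presumably a `sizeof`-based unsigned value, so use `size_t i`.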
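Review bot: `check_license()` returns -1 both when the host does not match and when one of its inputs cannot be read at all (a missing `/sys/class/net/eth0/address` on a box whose interface is named differently, or an unreadable block device), so the single message `You're not allowed to use this software!` gives the operator no way to tell a license failure from a broken environment; either return a distinct code for I/O failures or add a comment here stating that environment errors are deliberately folded into the same message. In a `PROTECT` build the call also invokes `PTRACE_TRACEME`, which leaves the running server unattachable by debuggers and strace for the rest of its life — worth a comment at the call site, since nothing in `main()` hints at it. `main` starts and ends outside the hunk.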
+++ b/server/src/utils.c
@@ -8,13 +8,13 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
 #include
 #include
 #include
+#include
 #ifdef ENABLE_OPAL_ASYNC
 #define RTLAB