2020-02-05 22:16:58 +00:00
|
|
|
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
2021-11-07 20:11:50 +00:00
|
|
|
//go:build !windows && !js
|
2020-02-05 22:16:58 +00:00
|
|
|
|
|
|
|
package safesocket
|
|
|
|
|
|
|
|
import (
|
2021-10-27 22:53:28 +01:00
|
|
|
"errors"
|
2020-02-05 22:16:58 +00:00
|
|
|
"fmt"
|
2020-03-30 06:04:20 +01:00
|
|
|
"log"
|
2020-02-05 22:16:58 +00:00
|
|
|
"net"
|
|
|
|
"os"
|
2021-02-15 16:40:52 +00:00
|
|
|
"os/exec"
|
2020-03-03 19:47:21 +00:00
|
|
|
"path/filepath"
|
2020-03-30 06:04:20 +01:00
|
|
|
"runtime"
|
2020-02-05 22:16:58 +00:00
|
|
|
)
|
|
|
|
|
safesocket: add ConnectionStrategy, provide control over fallbacks
fee2d9fad added support for cmd/tailscale to connect to IPNExtension.
It came in two parts: If no socket was provided, dial IPNExtension first,
and also, if dialing the socket failed, fall back to IPNExtension.
The second half of that support caused the integration tests to fail
when run on a machine that was also running IPNExtension.
The integration tests want to wait until the tailscaled instances
that they spun up are listening. They do that by dialing the new
instance. But when that dial failed, it was falling back to IPNExtension,
so it appeared (incorrectly) that tailscaled was running.
Hilarity predictably ensued.
If a user (or a test) explicitly provides a socket to dial,
it is a reasonable assumption that they have a specific tailscaled
in mind and don't want to fall back to IPNExtension.
It is certainly true of the integration tests.
Instead of adding a bool to Connect, split out the notion of a
connection strategy. For now, the implementation remains the same,
but with the details hidden a bit. Later, we can improve that.
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-12-08 21:55:55 +00:00
|
|
|
func connect(s *ConnectionStrategy) (net.Conn, error) {
|
2021-10-27 22:53:28 +01:00
|
|
|
if runtime.GOOS == "js" {
|
|
|
|
return nil, errors.New("safesocket.Connect not yet implemented on js/wasm")
|
|
|
|
}
|
2022-11-29 04:08:35 +00:00
|
|
|
return net.Dial("unix", s.path)
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
|
|
|
|
2020-02-25 16:46:26 +00:00
|
|
|
func listen(path string, port uint16) (ln net.Listener, _ uint16, err error) {
|
2020-02-05 22:16:58 +00:00
|
|
|
// Unix sockets hang around in the filesystem even after nobody
|
|
|
|
// is listening on them. (Which is really unfortunate but long-
|
|
|
|
// entrenched semantics.) Try connecting first; if it works, then
|
|
|
|
// the socket is still live, so let's not replace it. If it doesn't
|
|
|
|
// work, then replace it.
|
|
|
|
//
|
|
|
|
// Note that there's a race condition between these two steps. A
|
|
|
|
// "proper" daemon usually uses a dance involving pidfiles to first
|
|
|
|
// ensure that no other instances of itself are running, but that's
|
|
|
|
// beyond the scope of our simple socket library.
|
2020-02-18 20:33:28 +00:00
|
|
|
c, err := net.Dial("unix", path)
|
2020-02-05 22:16:58 +00:00
|
|
|
if err == nil {
|
|
|
|
c.Close()
|
2021-02-15 16:40:52 +00:00
|
|
|
if tailscaledRunningUnderLaunchd() {
|
|
|
|
return nil, 0, fmt.Errorf("%v: address already in use; tailscaled already running under launchd (to stop, run: $ sudo launchctl stop com.tailscale.tailscaled)", path)
|
|
|
|
}
|
2020-02-18 20:33:28 +00:00
|
|
|
return nil, 0, fmt.Errorf("%v: address already in use", path)
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
2020-02-18 20:33:28 +00:00
|
|
|
_ = os.Remove(path)
|
2021-01-21 19:29:38 +00:00
|
|
|
|
|
|
|
perm := socketPermissionsForOS()
|
|
|
|
|
|
|
|
sockDir := filepath.Dir(path)
|
|
|
|
if _, err := os.Stat(sockDir); os.IsNotExist(err) {
|
|
|
|
os.MkdirAll(sockDir, 0755) // best effort
|
|
|
|
|
|
|
|
// If we're on a platform where we want the socket
|
|
|
|
// world-readable, open up the permissions on the
|
|
|
|
// just-created directory too, in case a umask ate
|
|
|
|
// it. This primarily affects running tailscaled by
|
|
|
|
// hand as root in a shell, as there is no umask when
|
|
|
|
// running under systemd.
|
|
|
|
if perm == 0666 {
|
|
|
|
if fi, err := os.Stat(sockDir); err == nil && fi.Mode()&0077 == 0 {
|
|
|
|
if err := os.Chmod(sockDir, 0755); err != nil {
|
|
|
|
log.Print(err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2020-02-18 20:33:28 +00:00
|
|
|
pipe, err := net.Listen("unix", path)
|
2020-02-05 22:16:58 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, 0, err
|
|
|
|
}
|
2021-01-21 19:29:38 +00:00
|
|
|
os.Chmod(path, perm)
|
2020-02-05 22:16:58 +00:00
|
|
|
return pipe, 0, err
|
|
|
|
}
|
2020-03-30 06:04:20 +01:00
|
|
|
|
2021-02-15 16:40:52 +00:00
|
|
|
func tailscaledRunningUnderLaunchd() bool {
|
|
|
|
if runtime.GOOS != "darwin" {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
plist, err := exec.Command("launchctl", "list", "com.tailscale.tailscaled").Output()
|
|
|
|
_ = plist // parse it? https://github.com/DHowett/go-plist if we need something.
|
|
|
|
running := err == nil
|
|
|
|
return running
|
|
|
|
}
|
|
|
|
|
2021-01-15 16:43:23 +00:00
|
|
|
// socketPermissionsForOS returns the permissions to use for the
|
|
|
|
// tailscaled.sock.
|
|
|
|
func socketPermissionsForOS() os.FileMode {
|
2021-03-02 19:12:14 +00:00
|
|
|
if PlatformUsesPeerCreds() {
|
2021-01-15 16:43:23 +00:00
|
|
|
return 0666
|
|
|
|
}
|
|
|
|
// Otherwise, root only.
|
|
|
|
return 0600
|
|
|
|
}
|