/*- * SPDX-License-Identifier: BSD-2-Clause * * Copyright (c) 2002 Dag-Erling Smørgrav * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define TCPSTATES /* load state names */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define sstosin(ss) ((struct sockaddr_in *)(ss)) #define sstosin6(ss) ((struct sockaddr_in6 *)(ss)) #define sstosun(ss) ((struct sockaddr_un *)(ss)) #define sstosa(ss) ((struct sockaddr *)(ss)) static bool opt_4; /* Show IPv4 sockets */ static bool opt_6; /* Show IPv6 sockets */ static bool opt_A; /* Show kernel address of pcb */ static bool opt_C; /* Show congestion control */ static bool opt_c; /* Show connected sockets */ static bool opt_f; /* Show FIB numbers */ static bool opt_I; /* Show spliced socket addresses */ static bool opt_i; /* Show inp_gencnt */ static int opt_j; /* Show specified jail */ static bool opt_L; /* Don't show IPv4 or IPv6 loopback sockets */ static bool opt_l; /* Show listening sockets */ static bool opt_n; /* Don't resolve UIDs to user names */ static bool opt_q; /* Don't show header */ static bool opt_S; /* Show protocol stack if applicable */ static bool opt_s; /* Show protocol state if applicable */ static bool opt_U; /* Show remote UDP encapsulation port number */ static bool opt_u; /* Show Unix domain sockets */ static u_int opt_v; /* Verbose mode */ static bool opt_w; /* Automatically size the columns */ /* * Default protocols to use if no -P was defined. */ static const char *default_protos[] = {"sctp", "tcp", "udp", "divert" }; static size_t default_numprotos = nitems(default_protos); static int *protos; /* protocols to use */ static size_t numprotos; /* allocated size of protos[] */ static int *ports; #define INT_BIT (sizeof(int)*CHAR_BIT) #define SET_PORT(p) do { ports[p / INT_BIT] |= 1 << (p % INT_BIT); } while (0) #define CHK_PORT(p) (ports[p / INT_BIT] & (1 << (p % INT_BIT))) struct addr { union { struct sockaddr_storage address; struct { /* unix(4) faddr */ kvaddr_t conn; kvaddr_t firstref; kvaddr_t nextref; }; }; unsigned int encaps_port; int state; struct addr *next; }; struct sock { union { RB_ENTRY(sock) socket_tree; /* tree of pcbs with socket */ SLIST_ENTRY(sock) socket_list; /* list of pcbs w/o socket */ }; RB_ENTRY(sock) pcb_tree; kvaddr_t socket; kvaddr_t pcb; kvaddr_t splice_socket; uint64_t inp_gencnt; int shown; int vflag; int family; int proto; int state; int fibnum; const char *protoname; char stack[TCP_FUNCTION_NAME_LEN_MAX]; char cc[TCP_CA_NAME_MAX]; struct addr *laddr; struct addr *faddr; }; static RB_HEAD(socks_t, sock) socks = RB_INITIALIZER(&socks); static int64_t socket_compare(const struct sock *a, const struct sock *b) { return ((int64_t)(a->socket/2 - b->socket/2)); } RB_GENERATE_STATIC(socks_t, sock, socket_tree, socket_compare); static RB_HEAD(pcbs_t, sock) pcbs = RB_INITIALIZER(&pcbs); static int64_t pcb_compare(const struct sock *a, const struct sock *b) { return ((int64_t)(a->pcb/2 - b->pcb/2)); } RB_GENERATE_STATIC(pcbs_t, sock, pcb_tree, pcb_compare); static SLIST_HEAD(, sock) nosocks = SLIST_HEAD_INITIALIZER(&nosocks); struct file { RB_ENTRY(file) file_tree; kvaddr_t xf_data; pid_t xf_pid; uid_t xf_uid; int xf_fd; }; static RB_HEAD(files_t, file) ftree = RB_INITIALIZER(&ftree); static int64_t file_compare(const struct file *a, const struct file *b) { return ((int64_t)(a->xf_data/2 - b->xf_data/2)); } RB_GENERATE_STATIC(files_t, file, file_tree, file_compare); static struct file *files; static int nfiles; static cap_channel_t *capnet; static cap_channel_t *capnetdb; static cap_channel_t *capsysctl; static cap_channel_t *cappwd; static bool _check_ksize(size_t received_size, size_t expected_size, const char *struct_name) { if (received_size != expected_size) { warnx("%s size mismatch: expected %zd, received %zd", struct_name, expected_size, received_size); return false; } return true; } #define check_ksize(_sz, _struct) (_check_ksize(_sz, sizeof(_struct), #_struct)) static void _enforce_ksize(size_t received_size, size_t expected_size, const char *struct_name) { if (received_size != expected_size) { errx(1, "fatal: struct %s size mismatch: expected %zd, received %zd", struct_name, expected_size, received_size); } } #define enforce_ksize(_sz, _struct) (_enforce_ksize(_sz, sizeof(_struct), #_struct)) static int get_proto_type(const char *proto) { struct protoent *pent; if (strlen(proto) == 0) return (0); if (capnetdb != NULL) pent = cap_getprotobyname(capnetdb, proto); else pent = getprotobyname(proto); if (pent == NULL) { warn("cap_getprotobyname"); return (-1); } return (pent->p_proto); } static void init_protos(int num) { int proto_count = 0; if (num > 0) { proto_count = num; } else { /* Find the maximum number of possible protocols. */ while (getprotoent() != NULL) proto_count++; endprotoent(); } if ((protos = malloc(sizeof(int) * proto_count)) == NULL) err(1, "malloc"); numprotos = proto_count; } static int parse_protos(char *protospec) { char *prot; int proto_type, proto_index; if (protospec == NULL) return (-1); init_protos(0); proto_index = 0; while ((prot = strsep(&protospec, ",")) != NULL) { if (strlen(prot) == 0) continue; proto_type = get_proto_type(prot); if (proto_type != -1) protos[proto_index++] = proto_type; } numprotos = proto_index; return (proto_index); } static void parse_ports(const char *portspec) { const char *p, *q; int port, end; if (ports == NULL) if ((ports = calloc(65536 / INT_BIT, sizeof(int))) == NULL) err(1, "calloc()"); p = portspec; while (*p != '\0') { if (!isdigit(*p)) errx(1, "syntax error in port range"); for (q = p; *q != '\0' && isdigit(*q); ++q) /* nothing */ ; for (port = 0; p < q; ++p) port = port * 10 + digittoint(*p); if (port < 0 || port > 65535) errx(1, "invalid port number"); SET_PORT(port); switch (*p) { case '-': ++p; break; case ',': ++p; /* fall through */ case '\0': default: continue; } for (q = p; *q != '\0' && isdigit(*q); ++q) /* nothing */ ; for (end = 0; p < q; ++p) end = end * 10 + digittoint(*p); if (end < port || end > 65535) errx(1, "invalid port number"); while (port++ < end) SET_PORT(port); if (*p == ',') ++p; } } static void sockaddr(struct sockaddr_storage *ss, int af, void *addr, int port) { struct sockaddr_in *sin4; struct sockaddr_in6 *sin6; bzero(ss, sizeof(*ss)); switch (af) { case AF_INET: sin4 = sstosin(ss); sin4->sin_len = sizeof(*sin4); sin4->sin_family = af; sin4->sin_port = port; sin4->sin_addr = *(struct in_addr *)addr; break; case AF_INET6: sin6 = sstosin6(ss); sin6->sin6_len = sizeof(*sin6); sin6->sin6_family = af; sin6->sin6_port = port; sin6->sin6_addr = *(struct in6_addr *)addr; #define s6_addr16 __u6_addr.__u6_addr16 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { sin6->sin6_scope_id = ntohs(sin6->sin6_addr.s6_addr16[1]); sin6->sin6_addr.s6_addr16[1] = 0; } break; default: abort(); } } static void free_socket(struct sock *sock) { struct addr *cur, *next; cur = sock->laddr; while (cur != NULL) { next = cur->next; free(cur); cur = next; } cur = sock->faddr; while (cur != NULL) { next = cur->next; free(cur); cur = next; } free(sock); } static void gather_sctp(void) { struct sock *sock; struct addr *laddr, *prev_laddr, *faddr, *prev_faddr; struct xsctp_inpcb *xinpcb; struct xsctp_tcb *xstcb; struct xsctp_raddr *xraddr; struct xsctp_laddr *xladdr; const char *varname; size_t len, offset; char *buf; int vflag; int no_stcb, local_all_loopback, foreign_all_loopback; vflag = 0; if (opt_4) vflag |= INP_IPV4; if (opt_6) vflag |= INP_IPV6; varname = "net.inet.sctp.assoclist"; if (cap_sysctlbyname(capsysctl, varname, 0, &len, 0, 0) < 0) { if (errno != ENOENT) err(1, "cap_sysctlbyname()"); return; } if ((buf = (char *)malloc(len)) == NULL) { err(1, "malloc()"); return; } if (cap_sysctlbyname(capsysctl, varname, buf, &len, 0, 0) < 0) { err(1, "cap_sysctlbyname()"); free(buf); return; } xinpcb = (struct xsctp_inpcb *)(void *)buf; offset = sizeof(struct xsctp_inpcb); while ((offset < len) && (xinpcb->last == 0)) { if ((sock = calloc(1, sizeof *sock)) == NULL) err(1, "malloc()"); sock->socket = xinpcb->socket; sock->proto = IPPROTO_SCTP; sock->protoname = "sctp"; if (xinpcb->maxqlen == 0) sock->state = SCTP_CLOSED; else sock->state = SCTP_LISTEN; if (xinpcb->flags & SCTP_PCB_FLAGS_BOUND_V6) { sock->family = AF_INET6; /* * Currently there is no way to distinguish between * IPv6 only sockets or dual family sockets. * So mark it as dual socket. */ sock->vflag = INP_IPV6 | INP_IPV4; } else { sock->family = AF_INET; sock->vflag = INP_IPV4; } prev_laddr = NULL; local_all_loopback = 1; while (offset < len) { xladdr = (struct xsctp_laddr *)(void *)(buf + offset); offset += sizeof(struct xsctp_laddr); if (xladdr->last == 1) break; if ((laddr = calloc(1, sizeof(struct addr))) == NULL) err(1, "malloc()"); switch (xladdr->address.sa.sa_family) { case AF_INET: #define __IN_IS_ADDR_LOOPBACK(pina) \ ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) if (!__IN_IS_ADDR_LOOPBACK( &xladdr->address.sin.sin_addr)) local_all_loopback = 0; #undef __IN_IS_ADDR_LOOPBACK sockaddr(&laddr->address, AF_INET, &xladdr->address.sin.sin_addr, htons(xinpcb->local_port)); break; case AF_INET6: if (!IN6_IS_ADDR_LOOPBACK( &xladdr->address.sin6.sin6_addr)) local_all_loopback = 0; sockaddr(&laddr->address, AF_INET6, &xladdr->address.sin6.sin6_addr, htons(xinpcb->local_port)); break; default: errx(1, "address family %d not supported", xladdr->address.sa.sa_family); } laddr->next = NULL; if (prev_laddr == NULL) sock->laddr = laddr; else prev_laddr->next = laddr; prev_laddr = laddr; } if (sock->laddr == NULL) { if ((sock->laddr = calloc(1, sizeof(struct addr))) == NULL) err(1, "malloc()"); sock->laddr->address.ss_family = sock->family; if (sock->family == AF_INET) sock->laddr->address.ss_len = sizeof(struct sockaddr_in); else sock->laddr->address.ss_len = sizeof(struct sockaddr_in6); local_all_loopback = 0; } if ((sock->faddr = calloc(1, sizeof(struct addr))) == NULL) err(1, "malloc()"); sock->faddr->address.ss_family = sock->family; if (sock->family == AF_INET) sock->faddr->address.ss_len = sizeof(struct sockaddr_in); else sock->faddr->address.ss_len = sizeof(struct sockaddr_in6); no_stcb = 1; while (offset < len) { xstcb = (struct xsctp_tcb *)(void *)(buf + offset); offset += sizeof(struct xsctp_tcb); if (no_stcb) { if (opt_l && (sock->vflag & vflag) && (!opt_L || !local_all_loopback) && ((xinpcb->flags & SCTP_PCB_FLAGS_UDPTYPE) || (xstcb->last == 1))) { RB_INSERT(socks_t, &socks, sock); } else { free_socket(sock); } } if (xstcb->last == 1) break; no_stcb = 0; if (opt_c) { if ((sock = calloc(1, sizeof *sock)) == NULL) err(1, "malloc()"); sock->socket = xinpcb->socket; sock->proto = IPPROTO_SCTP; sock->protoname = "sctp"; sock->state = (int)xstcb->state; if (xinpcb->flags & SCTP_PCB_FLAGS_BOUND_V6) { sock->family = AF_INET6; /* * Currently there is no way to distinguish * between IPv6 only sockets or dual family * sockets. So mark it as dual socket. */ sock->vflag = INP_IPV6 | INP_IPV4; } else { sock->family = AF_INET; sock->vflag = INP_IPV4; } } prev_laddr = NULL; local_all_loopback = 1; while (offset < len) { xladdr = (struct xsctp_laddr *)(void *)(buf + offset); offset += sizeof(struct xsctp_laddr); if (xladdr->last == 1) break; if (!opt_c) continue; laddr = calloc(1, sizeof(struct addr)); if (laddr == NULL) err(1, "malloc()"); switch (xladdr->address.sa.sa_family) { case AF_INET: #define __IN_IS_ADDR_LOOPBACK(pina) \ ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) if (!__IN_IS_ADDR_LOOPBACK( &xladdr->address.sin.sin_addr)) local_all_loopback = 0; #undef __IN_IS_ADDR_LOOPBACK sockaddr(&laddr->address, AF_INET, &xladdr->address.sin.sin_addr, htons(xstcb->local_port)); break; case AF_INET6: if (!IN6_IS_ADDR_LOOPBACK( &xladdr->address.sin6.sin6_addr)) local_all_loopback = 0; sockaddr(&laddr->address, AF_INET6, &xladdr->address.sin6.sin6_addr, htons(xstcb->local_port)); break; default: errx(1, "address family %d not supported", xladdr->address.sa.sa_family); } laddr->next = NULL; if (prev_laddr == NULL) sock->laddr = laddr; else prev_laddr->next = laddr; prev_laddr = laddr; } prev_faddr = NULL; foreign_all_loopback = 1; while (offset < len) { xraddr = (struct xsctp_raddr *)(void *)(buf + offset); offset += sizeof(struct xsctp_raddr); if (xraddr->last == 1) break; if (!opt_c) continue; faddr = calloc(1, sizeof(struct addr)); if (faddr == NULL) err(1, "malloc()"); switch (xraddr->address.sa.sa_family) { case AF_INET: #define __IN_IS_ADDR_LOOPBACK(pina) \ ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) if (!__IN_IS_ADDR_LOOPBACK( &xraddr->address.sin.sin_addr)) foreign_all_loopback = 0; #undef __IN_IS_ADDR_LOOPBACK sockaddr(&faddr->address, AF_INET, &xraddr->address.sin.sin_addr, htons(xstcb->remote_port)); break; case AF_INET6: if (!IN6_IS_ADDR_LOOPBACK( &xraddr->address.sin6.sin6_addr)) foreign_all_loopback = 0; sockaddr(&faddr->address, AF_INET6, &xraddr->address.sin6.sin6_addr, htons(xstcb->remote_port)); break; default: errx(1, "address family %d not supported", xraddr->address.sa.sa_family); } faddr->encaps_port = xraddr->encaps_port; faddr->state = xraddr->state; faddr->next = NULL; if (prev_faddr == NULL) sock->faddr = faddr; else prev_faddr->next = faddr; prev_faddr = faddr; } if (opt_c) { if ((sock->vflag & vflag) && (!opt_L || !(local_all_loopback || foreign_all_loopback))) { RB_INSERT(socks_t, &socks, sock); } else { free_socket(sock); } } } xinpcb = (struct xsctp_inpcb *)(void *)(buf + offset); offset += sizeof(struct xsctp_inpcb); } free(buf); } static void gather_inet(int proto) { struct xinpgen *xig, *exig; struct xinpcb *xip; struct xtcpcb *xtp = NULL; struct xsocket *so; struct sock *sock; struct addr *laddr, *faddr; const char *varname, *protoname; size_t len, bufsize; void *buf; int retry, vflag; vflag = 0; if (opt_4) vflag |= INP_IPV4; if (opt_6) vflag |= INP_IPV6; switch (proto) { case IPPROTO_TCP: varname = "net.inet.tcp.pcblist"; protoname = "tcp"; break; case IPPROTO_UDP: varname = "net.inet.udp.pcblist"; protoname = "udp"; break; case IPPROTO_DIVERT: varname = "net.inet.divert.pcblist"; protoname = "div"; break; default: errx(1, "protocol %d not supported", proto); } buf = NULL; bufsize = 8192; retry = 5; do { for (;;) { if ((buf = realloc(buf, bufsize)) == NULL) err(1, "realloc()"); len = bufsize; if (cap_sysctlbyname(capsysctl, varname, buf, &len, NULL, 0) == 0) break; if (errno == ENOENT) goto out; if (errno != ENOMEM || len != bufsize) err(1, "cap_sysctlbyname()"); bufsize *= 2; } xig = (struct xinpgen *)buf; exig = (struct xinpgen *)(void *) ((char *)buf + len - sizeof *exig); enforce_ksize(xig->xig_len, struct xinpgen); enforce_ksize(exig->xig_len, struct xinpgen); } while (xig->xig_gen != exig->xig_gen && retry--); if (xig->xig_gen != exig->xig_gen && opt_v) warnx("warning: data may be inconsistent"); for (;;) { xig = (struct xinpgen *)(void *)((char *)xig + xig->xig_len); if (xig >= exig) break; switch (proto) { case IPPROTO_TCP: xtp = (struct xtcpcb *)xig; xip = &xtp->xt_inp; if (!check_ksize(xtp->xt_len, struct xtcpcb)) goto out; protoname = xtp->t_flags & TF_TOE ? "toe" : "tcp"; break; case IPPROTO_UDP: case IPPROTO_DIVERT: xip = (struct xinpcb *)xig; if (!check_ksize(xip->xi_len, struct xinpcb)) goto out; break; default: errx(1, "protocol %d not supported", proto); } so = &xip->xi_socket; if ((xip->inp_vflag & vflag) == 0) continue; if (xip->inp_vflag & INP_IPV4) { if ((xip->inp_fport == 0 && !opt_l) || (xip->inp_fport != 0 && !opt_c)) continue; #define __IN_IS_ADDR_LOOPBACK(pina) \ ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) if (opt_L && (__IN_IS_ADDR_LOOPBACK(&xip->inp_faddr) || __IN_IS_ADDR_LOOPBACK(&xip->inp_laddr))) continue; #undef __IN_IS_ADDR_LOOPBACK } else if (xip->inp_vflag & INP_IPV6) { if ((xip->inp_fport == 0 && !opt_l) || (xip->inp_fport != 0 && !opt_c)) continue; if (opt_L && (IN6_IS_ADDR_LOOPBACK(&xip->in6p_faddr) || IN6_IS_ADDR_LOOPBACK(&xip->in6p_laddr))) continue; } else { if (opt_v) warnx("invalid vflag 0x%x", xip->inp_vflag); continue; } if ((sock = calloc(1, sizeof(*sock))) == NULL) err(1, "malloc()"); if ((laddr = calloc(1, sizeof *laddr)) == NULL) err(1, "malloc()"); if ((faddr = calloc(1, sizeof *faddr)) == NULL) err(1, "malloc()"); sock->socket = so->xso_so; sock->pcb = so->so_pcb; sock->splice_socket = so->so_splice_so; sock->proto = proto; sock->inp_gencnt = xip->inp_gencnt; sock->fibnum = so->so_fibnum; if (xip->inp_vflag & INP_IPV4) { sock->family = AF_INET; sockaddr(&laddr->address, sock->family, &xip->inp_laddr, xip->inp_lport); sockaddr(&faddr->address, sock->family, &xip->inp_faddr, xip->inp_fport); } else if (xip->inp_vflag & INP_IPV6) { sock->family = AF_INET6; sockaddr(&laddr->address, sock->family, &xip->in6p_laddr, xip->inp_lport); sockaddr(&faddr->address, sock->family, &xip->in6p_faddr, xip->inp_fport); } if (proto == IPPROTO_TCP) faddr->encaps_port = xtp->xt_encaps_port; laddr->next = NULL; faddr->next = NULL; sock->laddr = laddr; sock->faddr = faddr; sock->vflag = xip->inp_vflag; if (proto == IPPROTO_TCP) { sock->state = xtp->t_state; memcpy(sock->stack, xtp->xt_stack, TCP_FUNCTION_NAME_LEN_MAX); memcpy(sock->cc, xtp->xt_cc, TCP_CA_NAME_MAX); } sock->protoname = protoname; if (sock->socket != 0) RB_INSERT(socks_t, &socks, sock); else SLIST_INSERT_HEAD(&nosocks, sock, socket_list); } out: free(buf); } static void gather_unix(int proto) { struct xunpgen *xug, *exug; struct xunpcb *xup; struct sock *sock; struct addr *laddr, *faddr; const char *varname, *protoname; size_t len, bufsize; void *buf; int retry; switch (proto) { case SOCK_STREAM: varname = "net.local.stream.pcblist"; protoname = "stream"; break; case SOCK_DGRAM: varname = "net.local.dgram.pcblist"; protoname = "dgram"; break; case SOCK_SEQPACKET: varname = "net.local.seqpacket.pcblist"; protoname = "seqpac"; break; default: abort(); } buf = NULL; bufsize = 8192; retry = 5; do { for (;;) { if ((buf = realloc(buf, bufsize)) == NULL) err(1, "realloc()"); len = bufsize; if (cap_sysctlbyname(capsysctl, varname, buf, &len, NULL, 0) == 0) break; if (errno != ENOMEM || len != bufsize) err(1, "cap_sysctlbyname()"); bufsize *= 2; } xug = (struct xunpgen *)buf; exug = (struct xunpgen *)(void *) ((char *)buf + len - sizeof(*exug)); if (!check_ksize(xug->xug_len, struct xunpgen) || !check_ksize(exug->xug_len, struct xunpgen)) goto out; } while (xug->xug_gen != exug->xug_gen && retry--); if (xug->xug_gen != exug->xug_gen && opt_v) warnx("warning: data may be inconsistent"); for (;;) { xug = (struct xunpgen *)(void *)((char *)xug + xug->xug_len); if (xug >= exug) break; xup = (struct xunpcb *)xug; if (!check_ksize(xup->xu_len, struct xunpcb)) goto out; if ((xup->unp_conn == 0 && !opt_l) || (xup->unp_conn != 0 && !opt_c)) continue; if ((sock = calloc(1, sizeof(*sock))) == NULL) err(1, "malloc()"); if ((laddr = calloc(1, sizeof *laddr)) == NULL) err(1, "malloc()"); if ((faddr = calloc(1, sizeof *faddr)) == NULL) err(1, "malloc()"); sock->socket = xup->xu_socket.xso_so; sock->pcb = xup->xu_unpp; sock->proto = proto; sock->family = AF_UNIX; sock->protoname = protoname; if (xup->xu_addr.sun_family == AF_UNIX) laddr->address = *(struct sockaddr_storage *)(void *)&xup->xu_addr; faddr->conn = xup->unp_conn; faddr->firstref = xup->xu_firstref; faddr->nextref = xup->xu_nextref; laddr->next = NULL; faddr->next = NULL; sock->laddr = laddr; sock->faddr = faddr; RB_INSERT(socks_t, &socks, sock); RB_INSERT(pcbs_t, &pcbs, sock); } out: free(buf); } static void getfiles(void) { struct xfile *xfiles; size_t len, olen; olen = len = sizeof(*xfiles); if ((xfiles = malloc(len)) == NULL) err(1, "malloc()"); while (cap_sysctlbyname(capsysctl, "kern.file", xfiles, &len, 0, 0) == -1) { if (errno != ENOMEM || len != olen) err(1, "cap_sysctlbyname()"); olen = len *= 2; if ((xfiles = realloc(xfiles, len)) == NULL) err(1, "realloc()"); } if (len > 0) enforce_ksize(xfiles->xf_size, struct xfile); nfiles = len / sizeof(*xfiles); if ((files = malloc(nfiles * sizeof(struct file))) == NULL) err(1, "malloc()"); for (int i = 0; i < nfiles; i++) { files[i].xf_data = xfiles[i].xf_data; files[i].xf_pid = xfiles[i].xf_pid; files[i].xf_uid = xfiles[i].xf_uid; files[i].xf_fd = xfiles[i].xf_fd; RB_INSERT(files_t, &ftree, &files[i]); } free(xfiles); } static int formataddr(struct sockaddr_storage *ss, char *buf, size_t bufsize) { struct sockaddr_un *sun; char addrstr[NI_MAXHOST] = { '\0', '\0' }; int error, off, port = 0; switch (ss->ss_family) { case AF_INET: if (sstosin(ss)->sin_addr.s_addr == INADDR_ANY) addrstr[0] = '*'; port = ntohs(sstosin(ss)->sin_port); break; case AF_INET6: if (IN6_IS_ADDR_UNSPECIFIED(&sstosin6(ss)->sin6_addr)) addrstr[0] = '*'; port = ntohs(sstosin6(ss)->sin6_port); break; case AF_UNIX: sun = sstosun(ss); off = (int)((char *)&sun->sun_path - (char *)sun); return snprintf(buf, bufsize, "%.*s", sun->sun_len - off, sun->sun_path); } if (addrstr[0] == '\0') { error = cap_getnameinfo(capnet, sstosa(ss), ss->ss_len, addrstr, sizeof(addrstr), NULL, 0, NI_NUMERICHOST); if (error) errx(1, "cap_getnameinfo()"); } if (port == 0) return snprintf(buf, bufsize, "%s:*", addrstr); return snprintf(buf, bufsize, "%s:%d", addrstr, port); } static const char * getprocname(pid_t pid) { static struct kinfo_proc proc; size_t len; int mib[4]; mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; mib[3] = (int)pid; len = sizeof(proc); if (cap_sysctl(capsysctl, mib, nitems(mib), &proc, &len, NULL, 0) == -1) { /* Do not warn if the process exits before we get its name. */ if (errno != ESRCH) warn("cap_sysctl()"); return ("??"); } return (proc.ki_comm); } static int getprocjid(pid_t pid) { static struct kinfo_proc proc; size_t len; int mib[4]; mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; mib[3] = (int)pid; len = sizeof(proc); if (cap_sysctl(capsysctl, mib, nitems(mib), &proc, &len, NULL, 0) == -1) { /* Do not warn if the process exits before we get its jid. */ if (errno != ESRCH) warn("cap_sysctl()"); return (-1); } return (proc.ki_jid); } static int check_ports(struct sock *s) { int port; struct addr *addr; if (ports == NULL) return (1); if ((s->family != AF_INET) && (s->family != AF_INET6)) return (1); for (addr = s->laddr; addr != NULL; addr = addr->next) { if (s->family == AF_INET) port = ntohs(sstosin(&addr->address)->sin_port); else port = ntohs(sstosin6(&addr->address)->sin6_port); if (CHK_PORT(port)) return (1); } for (addr = s->faddr; addr != NULL; addr = addr->next) { if (s->family == AF_INET) port = ntohs(sstosin(&addr->address)->sin_port); else port = ntohs(sstosin6(&addr->address)->sin6_port); if (CHK_PORT(port)) return (1); } return (0); } static const char * sctp_conn_state(int state) { switch (state) { case SCTP_CLOSED: return "CLOSED"; break; case SCTP_BOUND: return "BOUND"; break; case SCTP_LISTEN: return "LISTEN"; break; case SCTP_COOKIE_WAIT: return "COOKIE_WAIT"; break; case SCTP_COOKIE_ECHOED: return "COOKIE_ECHOED"; break; case SCTP_ESTABLISHED: return "ESTABLISHED"; break; case SCTP_SHUTDOWN_SENT: return "SHUTDOWN_SENT"; break; case SCTP_SHUTDOWN_RECEIVED: return "SHUTDOWN_RECEIVED"; break; case SCTP_SHUTDOWN_ACK_SENT: return "SHUTDOWN_ACK_SENT"; break; case SCTP_SHUTDOWN_PENDING: return "SHUTDOWN_PENDING"; break; default: return "UNKNOWN"; break; } } static const char * sctp_path_state(int state) { switch (state) { case SCTP_UNCONFIRMED: return "UNCONFIRMED"; break; case SCTP_ACTIVE: return "ACTIVE"; break; case SCTP_INACTIVE: return "INACTIVE"; break; default: return "UNKNOWN"; break; } } static int format_unix_faddr(struct addr *faddr, char *buf, size_t bufsize) { #define SAFEBUF (buf == NULL ? NULL : buf + pos) #define SAFESIZE (buf == NULL ? 0 : bufsize - pos) size_t pos = 0; /* Remote peer we connect(2) to, if any. */ if (faddr->conn != 0) { struct sock *p; pos += strlcpy(SAFEBUF, "-> ", SAFESIZE); p = RB_FIND(pcbs_t, &pcbs, &(struct sock){ .pcb = faddr->conn }); if (__predict_false(p == NULL)) { /* XXGL: can this happen at all? */ pos += snprintf(SAFEBUF, SAFESIZE, "??"); } else if (p->laddr->address.ss_len == 0) { struct file *f; f = RB_FIND(files_t, &ftree, &(struct file){ .xf_data = p->socket }); if (f != NULL) { pos += snprintf(SAFEBUF, SAFESIZE, "[%lu %d]", (u_long)f->xf_pid, f->xf_fd); } } else pos += formataddr(&p->laddr->address, SAFEBUF, SAFESIZE); } /* Remote peer(s) connect(2)ed to us, if any. */ if (faddr->firstref != 0) { struct sock *p; struct file *f; kvaddr_t ref = faddr->firstref; bool fref = true; pos += snprintf(SAFEBUF, SAFESIZE, " <- "); while ((p = RB_FIND(pcbs_t, &pcbs, &(struct sock){ .pcb = ref })) != 0) { f = RB_FIND(files_t, &ftree, &(struct file){ .xf_data = p->socket }); if (f != NULL) { pos += snprintf(SAFEBUF, SAFESIZE, "%s[%lu %d]", fref ? "" : ",", (u_long)f->xf_pid, f->xf_fd); } ref = p->faddr->nextref; fref = false; } } return pos; } struct col_widths { int user; int command; int pid; int fd; int proto; int local_addr; int foreign_addr; int pcb_kva; int fib; int splice_address; int inp_gencnt; int encaps; int path_state; int conn_state; int stack; int cc; }; static void calculate_sock_column_widths(struct col_widths *cw, struct sock *s) { struct addr *laddr, *faddr; bool first = true; int len = 0; laddr = s->laddr; faddr = s->faddr; first = true; len = strlen(s->protoname); if (s->vflag & (INP_IPV4 | INP_IPV6)) len += 1; cw->proto = MAX(cw->proto, len); while (laddr != NULL || faddr != NULL) { if (opt_w && s->family == AF_UNIX) { if ((laddr == NULL) || (faddr == NULL)) errx(1, "laddr = %p or faddr = %p is NULL", (void *)laddr, (void *)faddr); if (laddr->address.ss_len > 0) len = formataddr(&laddr->address, NULL, 0); cw->local_addr = MAX(cw->local_addr, len); len = format_unix_faddr(faddr, NULL, 0); cw->foreign_addr = MAX(cw->foreign_addr, len); } else if (opt_w) { if (laddr != NULL) { len = formataddr(&laddr->address, NULL, 0); cw->local_addr = MAX(cw->local_addr, len); } if (faddr != NULL) { len = formataddr(&faddr->address, NULL, 0); cw->foreign_addr = MAX(cw->foreign_addr, len); } } if (opt_f) { len = snprintf(NULL, 0, "%d", s->fibnum); cw->fib = MAX(cw->fib, len); } if (opt_I) { if (s->splice_socket != 0) { struct sock *sp; sp = RB_FIND(socks_t, &socks, &(struct sock) { .socket = s->splice_socket }); if (sp != NULL) { len = formataddr(&sp->laddr->address, NULL, 0); cw->splice_address = MAX( cw->splice_address, len); } } } if (opt_i) { if (s->proto == IPPROTO_TCP || s->proto == IPPROTO_UDP) { len = snprintf(NULL, 0, "%" PRIu64, s->inp_gencnt); cw->inp_gencnt = MAX(cw->inp_gencnt, len); } } if (opt_U) { if (faddr != NULL && ((s->proto == IPPROTO_SCTP && s->state != SCTP_CLOSED && s->state != SCTP_BOUND && s->state != SCTP_LISTEN) || (s->proto == IPPROTO_TCP && s->state != TCPS_CLOSED && s->state != TCPS_LISTEN))) { len = snprintf(NULL, 0, "%u", ntohs(faddr->encaps_port)); cw->encaps = MAX(cw->encaps, len); } } if (opt_s) { if (faddr != NULL && s->proto == IPPROTO_SCTP && s->state != SCTP_CLOSED && s->state != SCTP_BOUND && s->state != SCTP_LISTEN) { len = strlen(sctp_path_state(faddr->state)); cw->path_state = MAX(cw->path_state, len); } } if (first) { if (opt_s) { if (s->proto == IPPROTO_SCTP || s->proto == IPPROTO_TCP) { switch (s->proto) { case IPPROTO_SCTP: len = strlen( sctp_conn_state(s->state)); cw->conn_state = MAX( cw->conn_state, len); break; case IPPROTO_TCP: if (s->state >= 0 && s->state < TCP_NSTATES) { len = strlen( tcpstates[s->state]); cw->conn_state = MAX( cw->conn_state, len); } break; } } } if (opt_S && s->proto == IPPROTO_TCP) { len = strlen(s->stack); cw->stack = MAX(cw->stack, len); } if (opt_C && s->proto == IPPROTO_TCP) { len = strlen(s->cc); cw->cc = MAX(cw->cc, len); } } if (laddr != NULL) laddr = laddr->next; if (faddr != NULL) faddr = faddr->next; first = false; } } static void calculate_column_widths(struct col_widths *cw) { int n, len; struct file *xf; struct sock *s; struct passwd *pwd; for (xf = files, n = 0; n < nfiles; ++n, ++xf) { if (xf->xf_data == 0) continue; if (opt_j >= 0 && opt_j != getprocjid(xf->xf_pid)) continue; s = RB_FIND(socks_t, &socks, &(struct sock){ .socket = xf->xf_data}); if (s == NULL || (!check_ports(s))) continue; s->shown = 1; if (opt_n || (pwd = cap_getpwuid(cappwd, xf->xf_uid)) == NULL) len = snprintf(NULL, 0, "%lu", (u_long)xf->xf_uid); else len = snprintf(NULL, 0, "%s", pwd->pw_name); cw->user = MAX(cw->user, len); len = snprintf(NULL, 0, "%lu", (u_long)xf->xf_pid); cw->pid = MAX(cw->pid, len); len = snprintf(NULL, 0, "%d", xf->xf_fd); cw->fd = MAX(cw->fd, len); calculate_sock_column_widths(cw, s); } if (opt_j >= 0) return; SLIST_FOREACH(s, &nosocks, socket_list) { if (!check_ports(s)) continue; calculate_sock_column_widths(cw, s); } RB_FOREACH(s, socks_t, &socks) { if (s->shown) continue; if (!check_ports(s)) continue; calculate_sock_column_widths(cw, s); } } static void display_sock(struct sock *s, struct col_widths *cw, char *buf, size_t bufsize) { struct addr *laddr, *faddr; bool first; laddr = s->laddr; faddr = s->faddr; first = true; snprintf(buf, bufsize, "%s%s%s", s->protoname, s->vflag & INP_IPV4 ? "4" : "", s->vflag & INP_IPV6 ? "6" : ""); printf(" %-*s", cw->proto, buf); while (laddr != NULL || faddr != NULL) { if (s->family == AF_UNIX) { if ((laddr == NULL) || (faddr == NULL)) errx(1, "laddr = %p or faddr = %p is NULL", (void *)laddr, (void *)faddr); if (laddr->address.ss_len > 0) formataddr(&laddr->address, buf, bufsize); else if (laddr->address.ss_len == 0 && faddr->conn == 0) strlcpy(buf, "(not connected)", bufsize); else strlcpy(buf, "??", bufsize); printf(" %-*.*s", cw->local_addr, cw->local_addr, buf); if (format_unix_faddr(faddr, buf, bufsize) == 0) strlcpy(buf, "??", bufsize); printf(" %-*.*s", cw->foreign_addr, cw->foreign_addr, buf); } else { if (laddr != NULL) formataddr(&laddr->address, buf, bufsize); else strlcpy(buf, "??", bufsize); printf(" %-*.*s", cw->local_addr, cw->local_addr, buf); if (faddr != NULL) formataddr(&faddr->address, buf, bufsize); else strlcpy(buf, "??", bufsize); printf(" %-*.*s", cw->foreign_addr, cw->foreign_addr, buf); } if (opt_A) printf(" %#*" PRIx64, cw->pcb_kva, s->pcb); if (opt_f) printf(" %*d", cw->fib, s->fibnum); if (opt_I) { if (s->splice_socket != 0) { struct sock *sp; sp = RB_FIND(socks_t, &socks, &(struct sock) { .socket = s->splice_socket }); if (sp != NULL) formataddr(&sp->laddr->address, buf, bufsize); else strlcpy(buf, "??", bufsize); } else strlcpy(buf, "??", bufsize); printf(" %-*s", cw->splice_address, buf); } if (opt_i) { if (s->proto == IPPROTO_TCP || s->proto == IPPROTO_UDP) printf(" %*" PRIu64, cw->inp_gencnt, s->inp_gencnt); else printf(" %*s", cw->inp_gencnt, "??"); } if (opt_U) { if (faddr != NULL && ((s->proto == IPPROTO_SCTP && s->state != SCTP_CLOSED && s->state != SCTP_BOUND && s->state != SCTP_LISTEN) || (s->proto == IPPROTO_TCP && s->state != TCPS_CLOSED && s->state != TCPS_LISTEN))) { printf(" %*u", cw->encaps, ntohs(faddr->encaps_port)); } else printf(" %*s", cw->encaps, "??"); } if (opt_s) { if (faddr != NULL && s->proto == IPPROTO_SCTP && s->state != SCTP_CLOSED && s->state != SCTP_BOUND && s->state != SCTP_LISTEN) { printf(" %-*s", cw->path_state, sctp_path_state(faddr->state)); } else printf(" %-*s", cw->path_state, "??"); } if (first) { if (opt_s) { if (s->proto == IPPROTO_SCTP || s->proto == IPPROTO_TCP) { switch (s->proto) { case IPPROTO_SCTP: printf(" %-*s", cw->conn_state, sctp_conn_state(s->state)); break; case IPPROTO_TCP: if (s->state >= 0 && s->state < TCP_NSTATES) printf(" %-*s", cw->conn_state, tcpstates[s->state]); else printf(" %-*s", cw->conn_state, "??"); break; } } else printf(" %-*s", cw->conn_state, "??"); } if (opt_S) { if (s->proto == IPPROTO_TCP) printf(" %-*s", cw->stack, s->stack); else printf(" %-*s", cw->stack, "??"); } if (opt_C) { if (s->proto == IPPROTO_TCP) printf(" %-*s", cw->cc, s->cc); else printf(" %-*s", cw->cc, "??"); } } if (laddr != NULL) laddr = laddr->next; if (faddr != NULL) faddr = faddr->next; if (laddr != NULL || faddr != NULL) printf("%-*s %-*s %-*s %-*s %-*s", cw->user, "", cw->command, "", cw->pid, "", cw->fd, "", cw->proto, ""); first = false; } printf("\n"); } static void display(void) { struct passwd *pwd; struct file *xf; struct sock *s; int n; struct col_widths cw; const size_t bufsize = 512; void *buf; if ((buf = (char *)malloc(bufsize)) == NULL) { err(1, "malloc()"); return; } cw = (struct col_widths) { .user = strlen("USER"), .command = 10, .pid = strlen("PID"), .fd = strlen("FD"), .proto = strlen("PROTO"), .local_addr = opt_w ? strlen("LOCAL ADDRESS") : 21, .foreign_addr = opt_w ? strlen("FOREIGN ADDRESS") : 21, .pcb_kva = 18, .fib = strlen("FIB"), .splice_address = strlen("SPLICE ADDRESS"), .inp_gencnt = strlen("ID"), .encaps = strlen("ENCAPS"), .path_state = strlen("PATH STATE"), .conn_state = strlen("CONN STATE"), .stack = strlen("STACK"), .cc = strlen("CC"), }; calculate_column_widths(&cw); if (!opt_q) { printf("%-*s %-*s %*s %*s %-*s %-*s %-*s", cw.user, "USER", cw.command, "COMMAND", cw.pid, "PID", cw.fd, "FD", cw.proto, "PROTO", cw.local_addr, "LOCAL ADDRESS", cw.foreign_addr,"FOREIGN ADDRESS"); if (opt_A) printf(" %-*s", cw.pcb_kva, "PCB KVA"); if (opt_f) /* RT_MAXFIBS is 65535. */ printf(" %*s", cw.fib, "FIB"); if (opt_I) printf(" %-*s", cw.splice_address, "SPLICE ADDRESS"); if (opt_i) printf(" %*s", cw.inp_gencnt, "ID"); if (opt_U) printf(" %*s", cw.encaps, "ENCAPS"); if (opt_s) { printf(" %-*s", cw.path_state, "PATH STATE"); printf(" %-*s", cw.conn_state, "CONN STATE"); } if (opt_S) printf(" %-*s", cw.stack, "STACK"); if (opt_C) printf(" %-*s", cw.cc, "CC"); printf("\n"); } cap_setpassent(cappwd, 1); for (xf = files, n = 0; n < nfiles; ++n, ++xf) { if (xf->xf_data == 0) continue; if (opt_j >= 0 && opt_j != getprocjid(xf->xf_pid)) continue; s = RB_FIND(socks_t, &socks, &(struct sock){ .socket = xf->xf_data}); if (s != NULL && check_ports(s)) { s->shown = 1; if (opt_n || (pwd = cap_getpwuid(cappwd, xf->xf_uid)) == NULL) printf("%-*lu", cw.user, (u_long)xf->xf_uid); else printf("%-*s", cw.user, pwd->pw_name); printf(" %-*.*s", cw.command, cw.command, getprocname(xf->xf_pid)); printf(" %*lu", cw.pid, (u_long)xf->xf_pid); printf(" %*d", cw.fd, xf->xf_fd); display_sock(s, &cw, buf, bufsize); } } if (opt_j >= 0) return; SLIST_FOREACH(s, &nosocks, socket_list) { if (!check_ports(s)) continue; printf("%-*s %-*s %*s %*s", cw.user, "??", cw.command, "??", cw.pid, "??", cw.fd, "??"); display_sock(s, &cw, buf, bufsize); } RB_FOREACH(s, socks_t, &socks) { if (s->shown) continue; if (!check_ports(s)) continue; printf("%-*s %-*s %*s %*s", cw.user, "??", cw.command, "??", cw.pid, "??", cw.fd, "??"); display_sock(s, &cw, buf, bufsize); } free(buf); } static int set_default_protos(void) { struct protoent *prot; const char *pname; size_t pindex; init_protos(default_numprotos); for (pindex = 0; pindex < default_numprotos; pindex++) { pname = default_protos[pindex]; prot = cap_getprotobyname(capnetdb, pname); if (prot == NULL) err(1, "cap_getprotobyname: %s", pname); protos[pindex] = prot->p_proto; } numprotos = pindex; return (pindex); } /* * Return the vnet property of the jail, or -1 on error. */ static int jail_getvnet(int jid) { struct iovec jiov[6]; int vnet; size_t len = sizeof(vnet); if (sysctlbyname("kern.features.vimage", &vnet, &len, NULL, 0) != 0) return (0); vnet = -1; jiov[0].iov_base = __DECONST(char *, "jid"); jiov[0].iov_len = sizeof("jid"); jiov[1].iov_base = &jid; jiov[1].iov_len = sizeof(jid); jiov[2].iov_base = __DECONST(char *, "vnet"); jiov[2].iov_len = sizeof("vnet"); jiov[3].iov_base = &vnet; jiov[3].iov_len = sizeof(vnet); jiov[4].iov_base = __DECONST(char *, "errmsg"); jiov[4].iov_len = sizeof("errmsg"); jiov[5].iov_base = jail_errmsg; jiov[5].iov_len = JAIL_ERRMSGLEN; jail_errmsg[0] = '\0'; if (jail_get(jiov, nitems(jiov), 0) < 0) { if (!jail_errmsg[0]) snprintf(jail_errmsg, JAIL_ERRMSGLEN, "jail_get: %s", strerror(errno)); return (-1); } return (vnet); } static void usage(void) { errx(1, "usage: sockstat [-46ACcfIiLlnqSsUuvw] [-j jid] [-p ports] [-P protocols]"); } int main(int argc, char *argv[]) { cap_channel_t *capcas; cap_net_limit_t *limit; const char *pwdcmds[] = { "setpassent", "getpwuid" }; const char *pwdfields[] = { "pw_name" }; int protos_defined = -1; int o, i; opt_j = -1; while ((o = getopt(argc, argv, "46ACcfIij:Llnp:P:qSsUuvw")) != -1) switch (o) { case '4': opt_4 = true; break; case '6': opt_6 = true; break; case 'A': opt_A = true; break; case 'C': opt_C = true; break; case 'c': opt_c = true; break; case 'f': opt_f = true; break; case 'I': opt_I = true; break; case 'i': opt_i = true; break; case 'j': opt_j = jail_getid(optarg); if (opt_j < 0) errx(1, "jail_getid: %s", jail_errmsg); break; case 'L': opt_L = true; break; case 'l': opt_l = true; break; case 'n': opt_n = true; break; case 'p': parse_ports(optarg); break; case 'P': protos_defined = parse_protos(optarg); break; case 'q': opt_q = true; break; case 'S': opt_S = true; break; case 's': opt_s = true; break; case 'U': opt_U = true; break; case 'u': opt_u = true; break; case 'v': ++opt_v; break; case 'w': opt_w = true; break; default: usage(); } argc -= optind; argv += optind; if (argc > 0) usage(); if (opt_j > 0) { switch (jail_getvnet(opt_j)) { case -1: errx(2, "jail_getvnet: %s", jail_errmsg); case JAIL_SYS_NEW: if (jail_attach(opt_j) < 0) err(3, "jail_attach()"); /* Set back to -1 for normal output in vnet jail. */ opt_j = -1; break; default: break; } } capcas = cap_init(); if (capcas == NULL) err(1, "Unable to contact Casper"); if (caph_enter_casper() < 0) err(1, "Unable to enter capability mode"); capnet = cap_service_open(capcas, "system.net"); if (capnet == NULL) err(1, "Unable to open system.net service"); capnetdb = cap_service_open(capcas, "system.netdb"); if (capnetdb == NULL) err(1, "Unable to open system.netdb service"); capsysctl = cap_service_open(capcas, "system.sysctl"); if (capsysctl == NULL) err(1, "Unable to open system.sysctl service"); cappwd = cap_service_open(capcas, "system.pwd"); if (cappwd == NULL) err(1, "Unable to open system.pwd service"); cap_close(capcas); limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME); if (limit == NULL) err(1, "Unable to init cap_net limits"); if (cap_net_limit(limit) < 0) err(1, "Unable to apply limits"); if (cap_pwd_limit_cmds(cappwd, pwdcmds, nitems(pwdcmds)) < 0) err(1, "Unable to apply pwd commands limits"); if (cap_pwd_limit_fields(cappwd, pwdfields, nitems(pwdfields)) < 0) err(1, "Unable to apply pwd commands limits"); if ((!opt_4 && !opt_6) && protos_defined != -1) opt_4 = opt_6 = true; if (!opt_4 && !opt_6 && !opt_u) opt_4 = opt_6 = opt_u = true; if ((opt_4 || opt_6) && protos_defined == -1) protos_defined = set_default_protos(); if (!opt_c && !opt_l) opt_c = opt_l = true; if (opt_4 || opt_6) { for (i = 0; i < protos_defined; i++) if (protos[i] == IPPROTO_SCTP) gather_sctp(); else gather_inet(protos[i]); } if (opt_u || (protos_defined == -1 && !opt_4 && !opt_6)) { gather_unix(SOCK_STREAM); gather_unix(SOCK_DGRAM); gather_unix(SOCK_SEQPACKET); } getfiles(); display(); exit(0); }