mirror of https://github.com/tailscale/tailscale/
Revert "wgengine/router,util/kmod: load & log xt_mark"
This reverts commit 8d6793fd70.
Reason: breaks Android build (cgo/pthreads addition)
We can try again next cycle.
Change-Id: I5e7e1730a8bf399a8acfce546a6d22e11fb835d5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/4456/head
Brad Fitzpatrick
3 years ago
committed by
Brad Fitzpatrick
parent
df26c63793
commit
53588f632d
@ -1,31 +0,0 @@
|
|||||||
// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
//go:build linux
|
|
||||||
// +build linux
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
|
|
||||||
"tailscale.com/util/kmod"
|
|
||||||
)
|
|
||||||
|
|
||||||
func main() {
|
|
||||||
if len(os.Args) != 2 {
|
|
||||||
fmt.Fprintln(os.Stderr, "error: a module name must be supplied")
|
|
||||||
os.Exit(1)
|
|
||||||
}
|
|
||||||
|
|
||||||
done, err := kmod.EnsureModule(os.Args[1])
|
|
||||||
if done {
|
|
||||||
os.Exit(0)
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
fmt.Fprintf(os.Stderr, "%s\n", err)
|
|
||||||
}
|
|
||||||
os.Exit(1)
|
|
||||||
}
|
|
||||||
@ -1,161 +0,0 @@
|
|||||||
// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
//go:build linux
|
|
||||||
// +build linux
|
|
||||||
|
|
||||||
// Package kmod provides a simple API to attempt to ensure that a kernel
|
|
||||||
// module is loaded in a wide variety of environments, and otherwise
|
|
||||||
// report descriptive loggable error strings.
|
|
||||||
// This package does not have extensive unit testing, as the broader set
|
|
||||||
// of challenges associated with the package come from a wide variety of
|
|
||||||
// distribution and linux version differences that are problematic to
|
|
||||||
// mock/stub/emulate, including syscall boundary behaviors. The program
|
|
||||||
// `ensuremod` is kept nearby the source that provides a method for
|
|
||||||
// integration testing.
|
|
||||||
package kmod
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"errors"
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
"os/exec"
|
|
||||||
"path/filepath"
|
|
||||||
|
|
||||||
"go4.org/mem"
|
|
||||||
"golang.org/x/sys/unix"
|
|
||||||
"kernel.org/pub/linux/libs/security/libcap/cap"
|
|
||||||
"pault.ag/go/modprobe"
|
|
||||||
"tailscale.com/util/lineread"
|
|
||||||
"tailscale.com/util/multierr"
|
|
||||||
)
|
|
||||||
|
|
||||||
// hasKernelModule attempts to find a kernel module by name using procfs and
|
|
||||||
// sysfs. If the module is found to be loaded, true is returned, in all other
|
|
||||||
// cases false is returned, regardless of errors or a missing module.
|
|
||||||
func hasKernelModule(name string) (bool, error) {
|
|
||||||
if _, err := os.Stat(filepath.Join("/sys/module", name)); err == nil {
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
prefix := mem.S(name + " ")
|
|
||||||
stopFound := errors.New("")
|
|
||||||
|
|
||||||
err := lineread.File("/proc/modules", func(line []byte) error {
|
|
||||||
if mem.HasPrefix(mem.B(line), prefix) {
|
|
||||||
return stopFound
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
})
|
|
||||||
if err == stopFound {
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
err = fmt.Errorf("module %s not found in /sys/module or /proc/modules: %w", name, err)
|
|
||||||
}
|
|
||||||
return false, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// canInstallModule attempts to determine if the current process has sufficient
|
|
||||||
// privilege to install modules. If the capabilities API can be queried without
|
|
||||||
// error, then the result depends on the SYS_MODULE effective capability,
|
|
||||||
// otherwise returns true only if the current process is running as root. A
|
|
||||||
// result of true implies that it may be worth trying to install a module, not
|
|
||||||
// that doing so will work.
|
|
||||||
func canInstallModule() (bool, error) {
|
|
||||||
caps, err := cap.GetPID(0) // 0 = current process
|
|
||||||
if err == nil {
|
|
||||||
// errors from GetFlag are either due to the receiver being
|
|
||||||
// uninitialized, or the kernel gave junk results, both of which aren't
|
|
||||||
// very meaningful out of context to a user, so this error is mostly
|
|
||||||
// ignored.
|
|
||||||
b, err := caps.GetFlag(cap.Effective, cap.SYS_MODULE)
|
|
||||||
if err == nil {
|
|
||||||
return b, nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// could not determine a well known result from capabilities, make an
|
|
||||||
// assumption based on uid.
|
|
||||||
if os.Getuid() == 0 {
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
return false, fmt.Errorf("not running as root, and unable to check kernel module capabilities")
|
|
||||||
}
|
|
||||||
|
|
||||||
// firstExecutable checks paths for a path that exists and is executable by the current user.
|
|
||||||
func firstExecutable(paths ...string) string {
|
|
||||||
for _, path := range paths {
|
|
||||||
if unix.Access(path, unix.X_OK) == nil {
|
|
||||||
return path
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return ""
|
|
||||||
}
|
|
||||||
|
|
||||||
// runModprobe runs `modprobePath name` and reports summary error output on error.
|
|
||||||
func runModprobe(name, modprobePath string) error {
|
|
||||||
cmd := exec.Command(modprobePath, name)
|
|
||||||
out, err := cmd.CombinedOutput()
|
|
||||||
if err != nil {
|
|
||||||
err = fmt.Errorf("%q failed: %w; %s", fmt.Sprintf("%s %s", modprobePath, name), err, bytes.TrimSpace(out))
|
|
||||||
}
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// tryInstallModule attempts to find a modprobe binary to run either in
|
|
||||||
// well-known paths, or in $PATH, and runs it. If it can not find a modprobe to
|
|
||||||
// run, it instead falls back to a syscall interface to attempt to install a
|
|
||||||
// module.
|
|
||||||
func tryInstallModule(name string) error {
|
|
||||||
path := firstExecutable("/usr/sbin/modprobe", "/sbin/modprobe")
|
|
||||||
if path != "" {
|
|
||||||
return runModprobe(name, path)
|
|
||||||
}
|
|
||||||
path, err := exec.LookPath("modprobe")
|
|
||||||
if err == nil {
|
|
||||||
return runModprobe(name, path)
|
|
||||||
}
|
|
||||||
|
|
||||||
err = modprobe.Load(name, "")
|
|
||||||
if err != nil {
|
|
||||||
err = fmt.Errorf("unable to find modprobe(1), and load of module %s failed with: %w", name, err)
|
|
||||||
}
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// EnsureModule attempts to ensure that the given module is installed, returning
|
|
||||||
// true only if it has been found or successfully installed, otherwise false is
|
|
||||||
// returned along with a list of informational errors about probe attempts.
|
|
||||||
func EnsureModule(name string) (bool, error) {
|
|
||||||
has, hasErr := hasKernelModule(name)
|
|
||||||
if has {
|
|
||||||
return has, nil
|
|
||||||
}
|
|
||||||
var errors []error
|
|
||||||
if hasErr != nil {
|
|
||||||
errors = append(errors, hasErr)
|
|
||||||
}
|
|
||||||
|
|
||||||
can, canErr := canInstallModule()
|
|
||||||
if can && canErr != nil {
|
|
||||||
errors = append(errors, canErr)
|
|
||||||
}
|
|
||||||
if !can {
|
|
||||||
if canErr == nil {
|
|
||||||
errors = append(errors, fmt.Errorf("module %q not found, and current user can not install modules", name))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if can {
|
|
||||||
if err := tryInstallModule(name); err == nil {
|
|
||||||
return true, nil
|
|
||||||
} else {
|
|
||||||
errors = append(errors, err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return false, multierr.New(errors...)
|
|
||||||
}
|
|
||||||
Loading…
Reference in New Issue