tscat: timestamp stdin to stdout/stder

Author: msantos

.gitignore

@@ -0,0 +1,42 @@
+# Object files
+*.o
+*.ko
+*.obj
+*.elf
+
+# Precompiled Headers
+*.gch
+*.pch
+
+# Libraries
+*.lib
+*.a
+*.la
+*.lo
+
+# Shared objects (inc. Windows DLLs)
+*.dll
+*.so
+*.so.*
+*.dylib
+
+# Executables
+*.exe
+*.out
+*.app
+*.i*86
+*.x86_64
+*.hex
+
+# Debug files
+*.dSYM/
+
+# vim
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+*~
+
+tscat

LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2020, Michael Santos <michael.santos@gmail.com>
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Makefile

@@ -0,0 +1,55 @@
+.PHONY: all clean test
+
+PROG=   tscat
+SRCS=   tscat.c \
+        getnline.c \
+        strtonum.c \
+        restrict_process_null.c \
+        restrict_process_rlimit.c \
+        restrict_process_seccomp.c \
+        restrict_process_pledge.c \
+        restrict_process_capsicum.c
+
+UNAME_SYS := $(shell uname -s)
+ifeq ($(UNAME_SYS), Linux)
+    CFLAGS ?= -D_FORTIFY_SOURCE=2 -O2 -fstack-protector-strong \
+              -Wformat -Werror=format-security \
+              -fno-strict-aliasing
+    LDFLAGS ?= -Wl,-z,relro,-z,now -Wl,-z,noexecstack
+    RESTRICT_PROCESS ?= seccomp
+else ifeq ($(UNAME_SYS), OpenBSD)
+    CFLAGS ?= -DHAVE_STRTONUM \
+              -D_FORTIFY_SOURCE=2 -O2 -fstack-protector-strong \
+              -Wformat -Werror=format-security \
+              -fno-strict-aliasing
+    LDFLAGS ?= -Wl,-z,relro,-z,now -Wl,-z,noexecstack
+    RESTRICT_PROCESS ?= pledge
+else ifeq ($(UNAME_SYS), FreeBSD)
+    CFLAGS ?= -DHAVE_STRTONUM \
+              -D_FORTIFY_SOURCE=2 -O2 -fstack-protector-strong \
+              -Wformat -Werror=format-security \
+              -fno-strict-aliasing
+    LDFLAGS ?= -Wl,-z,relro,-z,now -Wl,-z,noexecstack
+    RESTRICT_PROCESS ?= capsicum
+endif
+
+RM ?= rm
+
+RESTRICT_PROCESS ?= rlimit
+TSCAT_CFLAGS ?= -g -Wall -fwrapv -pedantic -pie -fPIE
+
+CFLAGS += $(TSCAT_CFLAGS) \
+		  -DRESTRICT_PROCESS=\"$(RESTRICT_PROCESS)\" -DRESTRICT_PROCESS_$(RESTRICT_PROCESS)
+
+LDFLAGS += $(TSCAT_LDFLAGS)
+
+all: $(PROG)
+
+$(PROG):
+	$(CC) $(CFLAGS) -o $(PROG) $(SRCS) $(LDFLAGS)
+
+clean:
+	-@$(RM) $(PROG)
+
+test: $(PROG)
+	@PATH=.:$(PATH) bats test

README.md

@@ -0,0 +1,62 @@
+# SYNOPSIS
+
+tscat *option* [*label*]
+
+# DESCRIPTION
+
+tscat: timestamp stdin to stdout/stderr
+
+tscat timestamps standard input and writes the output to standard output
+and standard error.
+
+# EXAMPLES
+
+    cat /etc/passwd | tscat
+
+    cat /etc/passwd | tscat foo
+
+# Build
+
+    make
+
+    # selecting process restrictions
+    RESTRICT_PROCESS=seccomp make
+
+    #### using musl
+    RESTRICT_PROCESS=rlimit ./musl-make
+
+    ## linux seccomp sandbox: requires kernel headers
+
+    # clone the kernel headers somewhere
+    cd /path/to/dir
+    git clone https://github.com/sabotage-linux/kernel-headers.git
+
+    # then compile
+    MUSL_INCLUDE=/path/to/dir ./musl-make clean all
+
+# OPTIONS
+
+-o, --output *1|2|3*
+: stdout=1, stderr=2, both=3 (default: 1)
+
+-f, --format *fmt*
+: timestamp format (see strftime(3)) (default: `%F%T%z`)
+
+-W, --write-error *exit|drop|block*
+: behaviour if write buffer is full (default: block)
+
+-h, --help
+: usage summary
+
+# ALTERNATIVES
+
+~~~
+#!/bin/sh
+
+LABEL="${1-""}"
+exec awk -v service="$LABEL" '{
+  printf("%s %s %s\n", strftime("%FT%T%z"), service, $0) > "/dev/stderr"
+  printf("%s %s %s\n", strftime("%FT%T%z"), service, $0)
+  fflush()
+}'
+~~~

getnline.c

@@ -0,0 +1,88 @@
+/*	$NetBSD: getline.c,v 1.1.1.6 2015/01/02 20:34:27 christos Exp $	*/
+
+/*	NetBSD: getline.c,v 1.2 2014/09/16 17:23:50 christos Exp 	*/
+
+/*-
+ * Copyright (c) 2011 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* openssh-portable:
+ * https://raw.githubusercontent.com/openssh/openssh-portable/872517ddbb72deaff31d4760f28f2b0a1c16358f/openbsd-compat/bsd-getline.c
+ */
+/* NETBSD ORIGINAL: external/bsd/file/dist/src/getline.c */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+ssize_t getndelim(char **buf, size_t *bufsiz, size_t nmax, int delimiter,
+                  FILE *fp) {
+  char *ptr, *eptr;
+
+  if (*buf == NULL || *bufsiz == 0) {
+    if ((*buf = malloc(BUFSIZ)) == NULL)
+      return -1;
+    *bufsiz = BUFSIZ;
+  }
+
+  for (ptr = *buf, eptr = *buf + *bufsiz;;) {
+    int c = fgetc(fp);
+    if (c == -1) {
+      if (feof(fp)) {
+        ssize_t diff = (ssize_t)(ptr - *buf);
+        if (diff != 0) {
+          *ptr = '\0';
+          return diff;
+        }
+      }
+      return -1;
+    }
+    *ptr++ = c;
+    if (c == delimiter || ptr - *buf >= nmax) {
+      *ptr = '\0';
+      return ptr - *buf;
+    }
+    if (ptr + 2 >= eptr) {
+      char *nbuf;
+      size_t nbufsiz = *bufsiz * 2;
+      ssize_t d = ptr - *buf;
+      if ((nbuf = realloc(*buf, nbufsiz)) == NULL)
+        return -1;
+      *buf = nbuf;
+      *bufsiz = nbufsiz;
+      eptr = nbuf + nbufsiz;
+      ptr = nbuf + d;
+    }
+  }
+}
+
+ssize_t getnline(char **buf, size_t *bufsiz, size_t nmax, FILE *fp) {
+  return getndelim(buf, bufsiz, nmax, '\n', fp);
+}

getnline.h

@@ -0,0 +1,3 @@
+ssize_t getndelim(char **buf, size_t *bufsiz, size_t nmax, int delimiter,
+                  FILE *fp);
+ssize_t getnline(char **buf, size_t *bufsiz, size_t nmax, FILE *fp);

musl-make

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+export MUSL_INCLUDE="${MUSL_INCLUDE-/usr/local/lib}"
+
+MACHTYPE="$(uname -m)"
+case "${MACHTYPE}" in
+  armv6l) ;&
+  armv7l) MACHTYPE=arm ;;
+  *) ;;
+esac
+
+export TSCAT_CFLAGS="-g -Wall -fwrapv -pedantic"
+export TSCAT_LDFLAGS="-I$MUSL_INCLUDE/kernel-headers/generic/include -I$MUSL_INCLUDE/kernel-headers/${MACHTYPE}/include"
+export CC="musl-gcc -static -Os"
+make $@

restrict_process.h

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2020, Michael Santos <michael.santos@gmail.com>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+int restrict_process_init(void);
+int restrict_process_stdin(void);

restrict_process_capsicum.c

@@ -0,0 +1,64 @@
+/* Copyright (c) 2020, Michael Santos <michael.santos@gmail.com>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "restrict_process.h"
+#ifdef RESTRICT_PROCESS_capsicum
+#include <sys/capsicum.h>
+#include <sys/param.h>
+#include <sys/resource.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <errno.h>
+
+int restrict_process_init() {
+  struct rlimit rl = {0};
+
+  return setrlimit(RLIMIT_NPROC, &rl);
+}
+
+int restrict_process_stdin() {
+  struct rlimit rl = {0};
+  cap_rights_t policy_read;
+  cap_rights_t policy_write;
+
+  int fd = -1;
+
+  (void)cap_rights_init(&policy_read, CAP_READ, CAP_EVENT, CAP_FCNTL);
+  (void)cap_rights_init(&policy_write, CAP_WRITE, CAP_READ);
+
+  if (cap_rights_limit(STDIN_FILENO, &policy_read) < 0)
+    return -1;
+
+  if (cap_rights_limit(STDOUT_FILENO, &policy_write) < 0)
+    return -1;
+
+  if (cap_rights_limit(STDERR_FILENO, &policy_write) < 0)
+    return -1;
+
+  if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
+    return -1;
+
+  for (fd = STDERR_FILENO + 1; fd < rl.rlim_cur; fd++) {
+    if (fcntl(fd, F_GETFD, 0) < 0)
+      continue;
+
+    if (cap_rights_limit(fd, &policy_read) < 0)
+      return -1;
+  }
+
+  return cap_enter();
+}
+#endif

restrict_process_null.c

@@ -0,0 +1,20 @@
+/* Copyright (c) 2020, Michael Santos <michael.santos@gmail.com>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "restrict_process.h"
+#ifdef RESTRICT_PROCESS_null
+int restrict_process_init() { return 0; }
+
+int restrict_process_stdin() { return 0; }
+#endif