summaryrefslogtreecommitdiff
path: root/RemoteDaemon
diff options
context:
space:
mode:
authorGravatar Joey Hess <joeyh@joeyh.name>2016-12-20 16:01:10 -0400
committerGravatar Joey Hess <joeyh@joeyh.name>2016-12-20 16:24:46 -0400
commite493cbaace4651d5e7da26834ab108cfae3df1dc (patch)
treec6c0ae6c9f7f3166a6fd29a28f08055fcb48a840 /RemoteDaemon
parentd4a2f8c92ce3afe9b670938480a12d9c84566bfc (diff)
relocate tor socket out of /etc
weasel explained that apparmor limits on what files tor can read do not apply to sockets (because they're not files). And apparently the problems I was seeing with hidden services not being accessible had to do with onion address propigation and not the location of the socket file. remotedaemon looks up the HiddenServicePort in torrc, so if it was previously configured with the socket in /etc, that will still work. This commit was sponsored by Denis Dzyubenko on Patreon.
Diffstat (limited to 'RemoteDaemon')
-rw-r--r--RemoteDaemon/Transport/Tor.hs61
1 files changed, 33 insertions, 28 deletions
diff --git a/RemoteDaemon/Transport/Tor.hs b/RemoteDaemon/Transport/Tor.hs
index 61e1189a5..3f70fb1fb 100644
--- a/RemoteDaemon/Transport/Tor.hs
+++ b/RemoteDaemon/Transport/Tor.hs
@@ -39,36 +39,41 @@ import qualified Network.Socket as S
server :: TransportHandle -> IO ()
server th@(TransportHandle (LocalRepo r) _) = do
u <- liftAnnex th getUUID
-
- q <- newTBMQueueIO maxConnections
- replicateM_ maxConnections $
- forkIO $ forever $ serveClient th u r q
-
uid <- getRealUserID
let ident = fromUUID u
- let sock = hiddenServiceSocketFile uid ident
- nukeFile sock
- soc <- S.socket S.AF_UNIX S.Stream S.defaultProtocol
- S.bind soc (S.SockAddrUnix sock)
- -- Allow everyone to read and write to the socket; tor is probably
- -- running as a different user. Connections have to authenticate
- -- to do anything, so it's fine that other local users can connect.
- modifyFileMode sock $ addModes
- [groupReadMode, groupWriteMode, otherReadMode, otherWriteMode]
- S.listen soc 2
- debugM "remotedaemon" "Tor hidden service running"
- forever $ do
- (conn, _) <- S.accept soc
- h <- setupHandle conn
- ok <- atomically $ ifM (isFullTBMQueue q)
- ( return False
- , do
- writeTBMQueue q h
- return True
- )
- unless ok $ do
- hClose h
- warningIO "dropped Tor connection, too busy"
+ go u =<< getHiddenServiceSocketFile uid ident
+ where
+ go u (Just sock) = do
+ q <- newTBMQueueIO maxConnections
+ replicateM_ maxConnections $
+ forkIO $ forever $ serveClient th u r q
+
+ nukeFile sock
+ soc <- S.socket S.AF_UNIX S.Stream S.defaultProtocol
+ S.bind soc (S.SockAddrUnix sock)
+ -- Allow everyone to read and write to the socket; tor
+ -- is probably running as a different user.
+ -- Connections have to authenticate to do anything,
+ -- so it's fine that other local users can connect to the
+ -- socket.
+ modifyFileMode sock $ addModes
+ [groupReadMode, groupWriteMode, otherReadMode, otherWriteMode]
+
+ S.listen soc 2
+ debugM "remotedaemon" "Tor hidden service running"
+ forever $ do
+ (conn, _) <- S.accept soc
+ h <- setupHandle conn
+ ok <- atomically $ ifM (isFullTBMQueue q)
+ ( return False
+ , do
+ writeTBMQueue q h
+ return True
+ )
+ unless ok $ do
+ hClose h
+ warningIO "dropped Tor connection, too busy"
+ go _ Nothing = debugM "remotedaemon" "Tor hidden service not enabled"
-- How many clients to serve at a time, maximum. This is to avoid DOS attacks.
maxConnections :: Int