authorWill Drewry <wad@chromium.org>2013-09-03 13:51:24 -0500
committerchrome-internal-fetch <chrome-internal-fetch@google.com>2013-10-30 20:48:23 +0000
commitc45952f88c568046a02bc0aea793008d8bb37755 (patch)
tree36d94fb114b0deccf7fd24bbb2218ac087c0ded9 /configure.ac
parent7a27e99e3423c070aa2f7ce1bea0c9b20114a25a (diff)
CHROMIUM: Initial work eventizing tlsdated
tlsdated provides the daemonized integration of tlsdate and the host system -- resumable time, DBus announcements, time-sync events, and so on. At present, it provides only netlink based wakeups and limited time synchronization. On Chromium OS, proxy support and network changes are integrated through external shell scripts monitoring DBus. These scripts lack the robustness required for a production grade time synchronization system. This change is manyfold: - Convert tlsdated "wakeup" input into events - Convert tlsdate execution and status collection into a event-friendly technique - Integrate libevent into the tlsdated design - Integrate support for platform specific wake up events - Integrate support for dynamic proxy resolution on each tlsdate call - Integrate CrOS wakeup events: proxy changes, default network service change, power state/resume, etc - Integrate time continuity checking using MONOTONIC clocks versus REALTIME for all wake events - Integrate DBus support directly into the event loop to allow for message sending and signal receipt (e.g., dbus_announce) - Addition of DOT file for laying out event flows - Split off time setting to a privileged helper by having tlsdate pass back time_t - Added configure support for --enable-cros and libevent2 checking - Support dynamic proxy resolution for multiple sources - Fixed a NULL deref in source traversal - Added "sync type" and priority - Added DBus interface for SetTime, CanSetTime, LastSyncInfo methods. - Added "sync source" to the TimeUpdated signal - Updated existing unittests - Add seccomp filter for priv'd time setter - Added dynamic proxy per source so we can add a final source with no proxy. - Style consistency: "find ./ -name '*.[ch]' -exec astyle --style=gnu -xd \{\} \;" Followed by the same with sed -i -e 's/) )/))/g' - Added DBus policy and interface files and a new dbus-client-group configure argument. 
Design: https://docs.google.com/a/google.com/document/d/1U1y7KBMo-BgWPspzoyeO5gSmU6dMwEJBc2HNNkGMJzY/view - Outstanding work: new unit and integration tests BUG=chromium:271644 TEST=manually tested on x86_64, arm, and x86-32. end-to-end autotest: https://chromium-review.googlesource.com/#/c/169141/ fixed up existing autotests: https://chromium-review.googlesource.com/174782 Change-Id: I0d24951182a768532d6d04eea2224ac70cf04052 Reviewed-on: https://chromium-review.googlesource.com/169131 Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Will Drewry <wad@chromium.org> Commit-Queue: Will Drewry <wad@chromium.org>
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac122
1 files changed, 102 insertions, 20 deletions
diff --git a/configure.ac b/configure.ac
index 8e4074d..1b1cb57 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,7 +27,7 @@ dnl cares.
COMPILE_DATE=`date +%s`
AC_SUBST([COMPILE_DATE])
AC_DEFINE_UNQUOTED([RECENT_COMPILE_DATE],
- [(uint32_t) ${COMPILE_DATE}],
+ [${COMPILE_DATE}L],
[Time in seconds since the Disco epoch at build time])
dnl Build up the directory we will use to install certs
@@ -59,8 +59,13 @@ AC_CHECK_HEADERS([sys/wait.h], ,[AC_MSG_ERROR([Required headers missing; compila
AC_CHECK_HEADERS([time.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
AC_CHECK_HEADERS([unistd.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
-AC_CHECK_FUNCS([setresuid])
-AC_CHECK_FUNCS([gettimeofday])
+AC_CHECK_FUNCS_ONCE(m4_flatten([
+ gettimeofday
+ prctl
+ preadv
+ pwritev
+ setresuid
+]))
AC_MSG_CHECKING([user/group to drop privs to])
@@ -71,6 +76,7 @@ AS_CASE([$with_unpriv_user],
[""|yes|no], [UNPRIV_USER="nobody"],
[*], [UNPRIV_USER=$with_unpriv_user])
AC_DEFINE_UNQUOTED([UNPRIV_USER], ["${UNPRIV_USER}"], [Unprivileged user])
+AC_SUBST([UNPRIV_USER])
AC_ARG_WITH([unpriv-group],
[AS_HELP_STRING([--with-unpriv-group=<group>],
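Review bot: `AC_SUBST([UNPRIV_USER])` now exports the raw `--with-unpriv-user` value into generated files, and the `[*]` arm of the AS_CASE (which begins above this hunk) accepts any string. The only new output file in this commit is `dbus/org.torproject.tlsdate.conf` (last hunk); its template is not visible here, but if the value lands in a DBus policy attribute, a name containing quotes or angle brackets would yield a malformed or unintended policy. The same applies to `DBUS_CLIENT_GROUP` in the next hunk, which by its help text decides which group may make DBus method calls. I would add a rejecting arm before `[*]` in both AS_CASE calls, e.g. `[*@<:@!A-Za-z0-9._-@:>@*], [AC_MSG_ERROR([invalid account name])],`.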
@@ -82,6 +88,17 @@ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
AC_MSG_RESULT(${UNPRIV_USER}:${UNPRIV_GROUP})
+AC_MSG_CHECKING([group to allow DBus calls from])
+AC_ARG_WITH([dbus-client-group],
+ [AS_HELP_STRING([--with-dbus-client-group=<group>],
+ [Allow dbus method calls from group @<:@default: root@:>@])])
+AS_CASE([$with_dbus_client_group],
+ [""|yes|no], [DBUS_CLIENT_GROUP="root"],
+ [*], [DBUS_CLIENT_GROUP=$with_dbus_client_group])
+AC_DEFINE_UNQUOTED([DBUS_CLIENT_GROUP], ["${DBUS_CLIENT_GROUP}"], [DBus client group])
+AC_MSG_RESULT(${DBUS_CLIENT_GROUP})
+AC_SUBST([DBUS_CLIENT_GROUP])
+
dnl Check for clock_gettime. Some systems put it into -lc, while
dnl others use -lrt. Try the first and fallback to the latter.
RT_LIB=
@@ -90,36 +107,100 @@ AC_CHECK_FUNC([clock_gettime], [:],
[AC_MSG_ERROR([Your system lacks clock_gettime])])])
AC_SUBST(RT_LIB)
+PKG_CHECK_MODULES([LIBEVENT], [libevent >= 2.0])
+
+have_dbus=false
AC_ARG_ENABLE([dbus],
[AS_HELP_STRING([--disable-dbus],
[Disable automatically dbus support])])
AS_IF([test "x$enable_dbus" = xyes], [
PKG_CHECK_MODULES([DBUS], [dbus-1], [
- AC_DEFINE([HAVE_DBUS], [1], [Enable dbus support])
- AC_MSG_CHECKING([user/group to use for dbus])
- AC_ARG_WITH([dbus-user],
- [AS_HELP_STRING([--with-dbus-user=<user>],
- [User to send dbus signals from @<:@default: nobody@:>@])])
- AS_CASE([$with_dbus_user],
- [""|yes|no], [DBUS_USER="nobody"],
- [*], [DBUS_USER=$with_dbus_user])
- AC_ARG_WITH([dbus-group],
- [AS_HELP_STRING([--with-dbus-group=<group>],
- [Group to send dbus signals from @<:@default: nogroup@:>@])])
- AS_CASE([$with_dbus_group],
- [""|yes|no], [DBUS_GROUP="nogroup"],
- [*], [DBUS_GROUP=$with_dbus_group])
- AC_MSG_RESULT(${DBUS_USER}:${DBUS_GROUP})
- AC_DEFINE_UNQUOTED([DBUS_USER], ["${DBUS_USER}"], [DBus user])
- AC_DEFINE_UNQUOTED([DBUS_GROUP], ["${DBUS_GROUP}"], [DBus group])
+ have_dbus=true
+ AC_DEFINE([HAVE_DBUS], [1], [dbus enabled])
], [
AS_IF([test "x$enable_dbus" = xyes],
[AC_MSG_ERROR([dbus requested but not found])])
])
])
+AM_CONDITIONAL([HAVE_DBUS], ${have_dbus})
AC_SUBST(DBUS_CFLAGS)
AC_SUBST(DBUS_LIBS)
+AC_SUBST(LIBEVENT_CFLAGS)
+AC_SUBST(LIBEVENT_LIBS)
+
+have_seccomp_filter=false
+AC_ARG_ENABLE([seccomp_filter],
+ [AS_HELP_STRING([--enable-seccomp-filter],
+ [Require seccomp filter])])
+
+AC_MSG_CHECKING([kernel for seccomp_filter support])
+AS_IF([test "x$enable_seccomp_filter" = xyes], [
+ dnl Force seccomp filter use
+ have_seccomp_filter=true
+ AC_MSG_RESULT([forced])
+ ], [
+ dnl Detect seccomp filter support.
+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[
+ #include <errno.h>
+ #include <linux/audit.h>
+ #include <linux/filter.h>
+ #include <stdlib.h>
+ #include <sys/prctl.h>
+ #include "src/seccomp-compat.h"
+ ]],
+ [[ errno = 0;
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+ exit(1);
+ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+ exit(errno == EFAULT ? 0 : 1); ]])],
+ [ AC_MSG_RESULT([yes])
+ have_seccomp_filter=true
+ ], [
+ AC_MSG_RESULT([no])
+ ],
+ [ AC_MSG_RESULT([cross-compiling, assuming yes])
+ have_seccomp_filter=true
+ ]
+ )
+])
+
+AS_IF([${have_seccomp_filter}], [
+ AC_DEFINE([HAVE_SECCOMP_FILTER], [1], [Enable seccomp filter])
+ ])
+AM_CONDITIONAL([HAVE_SECCOMP_FILTER], ${have_seccomp_filter})
+
+
+
+have_seccomp_debug=false
+AC_ARG_ENABLE([seccomp_debugging],
+ [AS_HELP_STRING([--enable-seccomp-debugging],
+ [Enable seccomp filter debugging])])
+AS_IF([test "x$enable_seccomp_debugging" = xyes], [
+ AC_DEFINE([SECCOMP_FILTER_DEBUG], [1], [Enable seccomp filter debugging])
+ have_seccomp_debug=true
+ ])
+AM_CONDITIONAL([SECCOMP_FILTER_DEBUG], ${have_seccomp_debug})
+
+
+AC_MSG_CHECKING([for CrOS-specific platform wake event support])
+AC_ARG_ENABLE([cros],
+ [AS_HELP_STRING([--disable-cros],
+ [Disable CrOS platform support])])
+
+AS_IF([test "x$enable_cros" = xyes -a "x$enable_dbus" != xyes ], [
+ AC_MSG_ERROR([--enable-dbus is required for --enable-cros])
+ ])
+
+have_cros=false
+AS_IF([test "x$enable_cros" = xyes], [
+ have_cros=true
+ AC_DEFINE([HAVE_CROS], [1], [Enable CrOS support])
+ AC_MSG_RESULT([yes])
+ ], [
+ AC_MSG_RESULT([no])
+ ])
+AM_CONDITIONAL([HAVE_CROS], ${have_cros})
dnl Debug and hardening flags all in one shot
dnl Always do this at the end, otherwise you end up filtering system/other libraries
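Review bot: The seccomp probe fails open: when the AC_RUN_IFELSE program cannot be compiled or run, configure prints `no`, leaves `have_seccomp_filter=false` and carries on, so the privileged time setter named in the commit message is built without a syscall filter and nothing draws attention to it. The probe includes `"src/seccomp-compat.h"` by a path relative to the build directory, so an out-of-tree build would probably fail to compile it and take this arm unless the source directory is already on the include path; the run test also reflects the build host's kernel, not the target's. I would make the `no` arm loud with `AC_MSG_WARN([seccomp filter not detected; time setter will be built without a syscall filter])` and add `-I$srcdir` to CPPFLAGS around the probe. Separately, `--disable-seccomp-filter` falls through to autodetection while the help string says "Require", so a `dnl` line stating the intended semantics of the option would help.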
@@ -154,5 +235,6 @@ AC_ARG_ENABLE([code-coverage-checks],
[Enable gcov/lcov compile time options])],
[AX_APPEND_COMPILE_FLAGS([-ftest-coverage -fprofile-arcs])])
+AC_CONFIG_FILES([dbus/org.torproject.tlsdate.conf])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT