arti/
process.rs

1//! Code to adjust process-related parameters.
2
3use tracing::error;
4
5use crate::ArtiConfig;
6
7/// Set our current maximum-file limit to a large value, if we can.
8///
9/// Since we're going to be used as a proxy, we're likely to need a
10/// _lot_ of simultaneous sockets.
11///
12/// # Limitations
13///
14/// This doesn't actually do anything on windows.
15#[cfg_attr(feature = "experimental-api", visibility::make(pub))]
16pub(crate) fn use_max_file_limit(config: &ArtiConfig) {
17    match rlimit::increase_nofile_limit(config.system.max_files) {
18        Ok(n) => tracing::debug!("Increased process file limit to {}", n),
19        Err(e) => tor_error::warn_report!(e, "Error while increasing file limit"),
20    }
21}
22
23/// Enable process hardening, to make it harder for low-privilege users to
24/// extract information from Arti.
25///
26/// This function only has effect the first time it is called.  If it returns an
27/// error, the caller should probably exit the process.
28///
29/// # Limitations
30///
31/// See notes from the [`secmem_proc`] crate: this is a best-effort defense, and
32/// only makes these attacks _harder_.  It can interfere with debugging.
33#[cfg_attr(feature = "experimental-api", visibility::make(pub))]
34#[cfg(feature = "harden")]
35pub(crate) fn enable_process_hardening() -> anyhow::Result<()> {
36    use anyhow::Context as _;
37    use std::sync::atomic::{AtomicBool, Ordering};
38    /// Have we called this method before?
39    static ENABLED: AtomicBool = AtomicBool::new(false);
40
41    if ENABLED.swap(true, Ordering::SeqCst) {
42        // Already enabled, or tried to enable.
43        return Ok(());
44    }
45
46    secmem_proc::harden_process().context("Problem while hardening process")?;
47
48    Ok(())
49}
50
51/// Check that we are not running as "root".
52///
53/// If we are, give an error message, and exit.
54pub(crate) fn exit_if_root() {
55    if running_as_root() {
56        error!(
57            "You are running Arti as root. You don't need to, and \
58             you probably shouldn't. \
59             To run as root anyway, set application.allow_running_as_root."
60        );
61        std::process::exit(1);
62    }
63}
64
65/// Return true if we seem to be running as root.
66fn running_as_root() -> bool {
67    #[cfg(target_family = "unix")]
68    unsafe {
69        libc::geteuid() == 0
70    }
71    #[cfg(not(target_family = "unix"))]
72    false
73}
74
75/// Return an async stream that reports an event whenever we get a `SIGHUP`
76/// signal.
77///
78/// Note that the signal-handling backend can coalesce signals; this is normal.
79#[cfg(target_family = "unix")]
80pub(crate) fn sighup_stream() -> crate::Result<impl futures::Stream<Item = ()>> {
81    cfg_if::cfg_if! {
82        if #[cfg(feature="tokio")] {
83            use tokio_crate::signal::unix as s;
84            let mut signal = s::signal(s::SignalKind::hangup())?;
85            Ok(futures::stream::poll_fn(move |ctx| signal.poll_recv(ctx)))
86        } else if #[cfg(feature="async-std")] {
87            use async_signal::{Signal, Signals};
88            use futures::stream::StreamExt as _;
89            let signals = Signals::new(&[Signal::Hup])?;
90            Ok(signals.map(|_| ()))
91        } else {
92            // Not backend, so we won't ever get a SIGHUP.
93            Ok(futures::stream::pending())
94        }
95    }
96}