TheArchive/yggdrasil-go
1
0
Fork 0
mirror of https://github.com/yggdrasil-network/yggdrasil-go.git synced 2025-08-26 16:07:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
2,500 Commits 9 Branches 48 Tags
develop
Commit Graph

2500 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Neil Alexander
89a3718d59 Add Go 1.25 to CI pipeline 2025-08-16 11:49:37 +01:00
Klemens Nanni
6d195c6de3 OpenBSD: Pledge full filesystem read for Go's resolv.conf polling (#1275) 
sys/kern/kern_pledge.c r1.329[0] removed the unveil bypass for "dns",
so "rpath" is needed for Go's DNS to stat(2) it.

Since current "/ rwc" and "cpath" with the new "rpath" amount to full
read access, there is no point in unveiling anymore.

0:
8d49ad01ac
 2025-08-11 23:39:52 +01:00
Neil Alexander
429403aea5 Update CI workers for packaging pipeline 2025-06-22 23:00:44 +01:00
Neil Alexander
ffc0dc92e0 Reduce minimum maxbackoff to 5 seconds 2025-06-22 16:37:34 +01:00
Neil Alexander
81543e9cc0 Remove Go 1.22 from CI 2025-06-21 20:09:12 +01:00
Neil Alexander
9e5c25d4af Update to Go 1.23, update dependencies 2025-06-21 20:08:08 +01:00
Neil
390dba0471 Update readme 2025-06-02 22:02:02 +01:00
Sergey Alirzaev
47818a1a7c apparmor: add yggdrasilctl policy (#1235) 2025-04-15 17:17:52 +01:00
Sergey Alirzaev
6377d7f071 contrib/openrc: remove SIGHUP logic (#1236) 
as it is long gone from the daemon code
and unexpectedly kills the daemon
 2025-04-15 17:15:09 +01:00
Neil Alexander
5b8dbc8b1e Add summary helpers to mobile wrapper 2025-03-31 10:18:57 +01:00
patrini32
73705ff09d Typo fix (#1232) 2025-02-20 09:45:49 +00:00
Neil Alexander
3b18909f70 Update dependencies 2025-02-18 12:57:58 +00:00
Neil Alexander
58b727d1f0 Add Go 1.24 to CI 2025-02-18 12:52:21 +00:00
Klemens Nanni
782c0250d7 Use pledge(2) on OpenBSD (#1215) 
Straight forward thanks to all privileged operations being done early
enough during startup.
 2024-12-22 11:04:26 +00:00
Neil Alexander
213f72b840 Yggdrasil 0.5.12 v0.5.12 2024-12-18 22:34:30 +00:00
Neil Alexander
1fbcf3b3c2 Rename latency_ms to latency in getPeers response since it isn't even milliseconds anymore 2024-12-18 22:21:23 +00:00
Peter Gervai
22bc9c44e2 genkeys print the number of generated keys (#1217) 
It is good to know how many resources have we carelessly wasted. :-)
 2024-12-18 19:56:46 +00:00
Neil
9c73bacab9 Update to Go 1.22, quic-go/quic-go@v0.48.2 (#1218) 
Our dependencies are now moving beyond Go 1.21 so need to update.

Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
 2024-12-13 23:33:26 +00:00
Neil Alexander
04be129878 Update to Arceliar/ironwood@743fe2f 2024-12-13 23:12:36 +00:00
Neil Alexander
657f7e0db3 Fix empty user/group detection on chuser 
This should fix #1216.
 2024-12-13 16:55:25 +00:00
Neil
7adf5f18b7 Yggdrasil 0.5.11 (#1214) 
Changelog updates.

Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
v0.5.11 		2024-12-12 19:26:54 +00:00
Neil Alexander
69451fe969 Specify TLS 1.2-TLS 1.3 supported range for client connections 
Should fix #1208.
 2024-12-12 19:07:55 +00:00
Klemens Nanni
2d587740c1 genkeys, yggdrasilctl: Use pledge(2) on OpenBSD (#1193) 
Restrict system operations of CLI tools with
https://man.openbsd.org/pledge.2.

https://pkg.go.dev/suah.dev/protect abstracts the OS specific code, i.e.
is a NOOP on non-OpenBSD systems.

This PR is to gauge upstream interest in this direction; my OpenBSD port
of yggdrasil already pledges the daemon,
resulting in minimal runtime privileges, but there are still a few rough
edges:

https://github.com/jasperla/openbsd-wip/blob/master/net/yggdrasil/patches/patch-cmd_yggdrasil_main_go#L80

---------

Co-authored-by: Neil <git@neilalexander.dev>
 2024-12-12 18:48:24 +00:00
Neil Alexander
b2b0396d48 Update dependencies 2024-12-12 18:42:53 +00:00
Klemens Nanni
83ec58afc7 Use unveil(2) on OpenBSD (#1194) 
After #1175 removed ioctl(2) fallback code shelling out to ifconfig(8),
there is no code left (compiled on OpenBSD) that would fork(2) or
execve(2).

Drop the ability to run any executable file to double down on this, thus
reducing the attack surface of this this experimental, internet facing
daemon running as root.

pledge(2) is doable, but needs more polish.
unveil(2), however, is as simple as it gets.

On other systems, this code is a NOOP, but can still help to implement
similar safety belts.
 2024-12-12 18:37:02 +00:00
Neil Alexander
b436052b2d Update to Arceliar/ironwood@9deb08d 2024-12-10 19:02:13 +00:00
Neil
3ed4a92288 Yggdrasil 0.5.10 (#1207) 
Changelog updates.

Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
v0.5.10 		2024-11-24 12:56:24 +00:00
Neil Alexander
bdb2d399c5 Update dependencies 2024-11-23 14:55:14 +00:00
Neil Alexander
7790a19e4c New detail in getMulticastInterfaces admin endpoint 2024-11-23 14:49:48 +00:00
Neil Alexander
d3b4de46ea Improvements to how link shutdowns are handled 2024-11-23 13:43:34 +00:00
Neil Alexander
2454970e4d Tweaks to configuration 2024-11-22 09:47:33 +00:00
Neil Alexander
b98f98318f Tweaks to link handling 2024-11-22 09:44:30 +00:00
Neil Alexander
ff9e90c5aa Update link cost calculation and next-hop selection (update to Arceliar/ironwood@75a6e82) 2024-11-22 09:31:38 +00:00
Neil
9398cae230 Expose download/upload rate per peer (#1206) 2024-11-19 08:42:27 +00:00
Klemens Nanni
c22a746a1d Rewrite chuser() for simplicity and correctness (#1203) 
- Use unambiguous variable names (w/o package name conflict).
- Fail on invalid input such as the empty string or `:`.
- Do not change group without user, i.e. fail on `:group`.
- Parse input using mnemonic APIs.
- Do not juggle between integer types.
- Unset supplementary groups.
- Use set[ug]id(2) to follow the idiom of OpenBSD base programs.
  (cannot use setres[ug]id(2) as macOS does not have them.)

Includes/Supersedes #1202.
Fixes #927.

I only tested on OpenBSD (so far), but other systems should just work.
 2024-11-17 21:37:07 +00:00
Neil Alexander
67ec5a92b3 Fix some lint issues 2024-11-17 21:29:26 +00:00
Neil Alexander
42873be09b Reusable peer lookup/dial logic 2024-11-17 21:14:54 +00:00
Klemens Nanni
75d2080e53 Set groups when dropping privileges to not leak supplementary group access (#1202) 
Changing the real and effective user/group IDs and the saved
set-user/group-ID is not enough to get rid of intial access permissions.

The list of groups must be cleared also, otherwise a process changing
from, e.g. `root:root` to `nobody:nobody` retains rights to access
`:wheel` files (assuming `root` is a member of the `wheel` group).

For example:
```
# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
# ./yggdrasil -autoconf -logto /dev/null -user nobody &
[1] 4337
# ps -o command,user,group,supgrp -U nobody
COMMAND          USER     GROUP    SUPGRP
./yggdrasil -aut nobody   nobody   wheel,kmem,sys,tty,operator,staff,guest
```

Fix that so the process runs as mere
```
COMMAND          USER     GROUP    SUPGRP
./yggdrasil -aut nobody   nobody   nobody
```

Fixes #927.
 2024-11-11 19:28:28 +00:00
Klemens Nanni
834680045a Create admin socket synchronously before privdrop (#1201) 
Creating UNIX sockets the listen() goroutine that races against the main
one dropping to an unprivileged user may cause startup failure when
privdrop happens before privileged filesystem access.

Setup or fail in New() and only do listen(2) in listen() to avoid this.

```
# yggdrasil -autoconf -user nobody
2024/11/03 21:15:27 Build name: yggdrasil-go
2024/11/03 21:15:27 Build version: 0.5.9
...
2024/11/03 21:15:27 Admin socket failed to listen: listen unix /var/run/yggdrasil.sock: bind: permission denied
```

Rerun, now the order is flipped:
```
# yggdrasil -autoconf -user nobody
2024/11/03 21:15:34 Build name: yggdrasil-go
2024/11/03 21:15:34 Build version: 0.5.9
[...]
2024/11/03 21:15:34 UNIX admin socket listening on /var/run/yggdrasil.sock
[...]
```

Fixes #927.
 2024-11-11 19:27:02 +00:00
Neil Alexander
eef613993f Raise link error when SNI supplied on unsupported link type
Some checks failed
Yggdrasil / Lint (push) Has been cancelled
Yggdrasil / Analyse (push) Has been cancelled
Yggdrasil / Build & Test (Linux, Go ${{ matrix.goversion }}) (1.21) (push) Has been cancelled
Yggdrasil / Build & Test (Linux, Go ${{ matrix.goversion }}) (1.22) (push) Has been cancelled
Yggdrasil / Build & Test (Linux, Go ${{ matrix.goversion }}) (1.23) (push) Has been cancelled
Yggdrasil / Build & Test (Windows, Go ${{ matrix.goversion }}) (1.21) (push) Has been cancelled
Yggdrasil / Build & Test (Windows, Go ${{ matrix.goversion }}) (1.22) (push) Has been cancelled
Yggdrasil / Build & Test (Windows, Go ${{ matrix.goversion }}) (1.23) (push) Has been cancelled
Yggdrasil / Build & Test (macOS, Go ${{ matrix.goversion }}) (1.21) (push) Has been cancelled
Yggdrasil / Build & Test (macOS, Go ${{ matrix.goversion }}) (1.22) (push) Has been cancelled
Yggdrasil / Build & Test (macOS, Go ${{ matrix.goversion }}) (1.23) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (freebsd, 1.21) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (freebsd, 1.22) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (freebsd, 1.23) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (openbsd, 1.21) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (openbsd, 1.22) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (openbsd, 1.23) (push) Has been cancelled
Yggdrasil / All tests passed (push) Has been cancelled
Closes #1196
 2024-10-27 21:06:56 +00:00
Neil Alexander
ff0ef7ff56 Update comments in default configuration file 2024-10-27 20:59:05 +00:00
Neil Alexander
ef110b0181 Update Debian package metadata 2024-10-27 20:38:15 +00:00
Neil Alexander
b20ad846a1 When IfName is none, start queue goroutine, otherwise iprwc blocks and some handlers don't run
Some checks failed
Yggdrasil / Lint (push) Has been cancelled
Yggdrasil / Analyse (push) Has been cancelled
Yggdrasil / Build & Test (Linux, Go ${{ matrix.goversion }}) (1.21) (push) Has been cancelled
Yggdrasil / Build & Test (Linux, Go ${{ matrix.goversion }}) (1.22) (push) Has been cancelled
Yggdrasil / Build & Test (Linux, Go ${{ matrix.goversion }}) (1.23) (push) Has been cancelled
Yggdrasil / Build & Test (Windows, Go ${{ matrix.goversion }}) (1.21) (push) Has been cancelled
Yggdrasil / Build & Test (Windows, Go ${{ matrix.goversion }}) (1.22) (push) Has been cancelled
Yggdrasil / Build & Test (Windows, Go ${{ matrix.goversion }}) (1.23) (push) Has been cancelled
Yggdrasil / Build & Test (macOS, Go ${{ matrix.goversion }}) (1.21) (push) Has been cancelled
Yggdrasil / Build & Test (macOS, Go ${{ matrix.goversion }}) (1.22) (push) Has been cancelled
Yggdrasil / Build & Test (macOS, Go ${{ matrix.goversion }}) (1.23) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (freebsd, 1.21) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (freebsd, 1.22) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (freebsd, 1.23) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (openbsd, 1.21) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (openbsd, 1.22) (push) Has been cancelled
Yggdrasil / Build (Cross ${{ matrix.goos }}, Go ${{ matrix.goversion }}) (openbsd, 1.23) (push) Has been cancelled
Yggdrasil / All tests passed (push) Has been cancelled
 2024-10-20 21:28:04 +01:00
Neil
0b9c8bd020 Yggdrasil 0.5.9 (#1191) 
Changelog updates.

Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
v0.5.9 		2024-10-19 17:09:46 +01:00
Neil Alexander
0b9469100c Update dependencies 2024-10-17 13:23:11 +01:00
Klemens Nanni
a6429390da Use UNIX socket patch from url struct (#1186) 
No need to extract it again when the url package provides it for us:
```
$ jq -n '{"AdminListen":"unix:///tmp/ygg.sock"}' | ./yggdrasil -useconf | grep 'admin socket'
2024/10/08 22:41:11 UNIX admin socket listening on /tmp/ygg.sock
```

Follow-up on #1176
 2024-10-17 13:22:46 +01:00
Klemens Nanni
1ee61dcefa zap obsolete nonexistent command from usage (#1184) 2024-10-17 13:22:22 +01:00
Neil Alexander
81e345c1ae Update to Arceliar/ironwood@f6fb9da97a 2024-10-16 09:46:36 +01:00
Neil Alexander
a038a6a8ef Update to Arceliar/ironwood@4ea1ec6d68 2024-10-13 21:33:47 +01:00
Neil Alexander
01e73792fe Update to Arceliar/ironwood@0ac2ff3eef 2024-10-13 20:06:07 +01:00