From bfdcccd71f7d6096b96775eb04fb3181ddee3217 Mon Sep 17 00:00:00 2001
From: Jesse Luehrs <doy@tozt.net>
Date: Sat, 27 Feb 2021 21:56:29 -0500
Subject: refactor a bit

---
 src/bin/rbw-agent/debugger.rs | 22 ++++++++++++++++++++++
 src/bin/rbw-agent/main.rs     | 22 +++-------------------
 2 files changed, 25 insertions(+), 19 deletions(-)
 create mode 100644 src/bin/rbw-agent/debugger.rs

diff --git a/src/bin/rbw-agent/debugger.rs b/src/bin/rbw-agent/debugger.rs
new file mode 100644
index 0000000..ebc43bd
--- /dev/null
+++ b/src/bin/rbw-agent/debugger.rs
@@ -0,0 +1,22 @@
+// Prevent other user processes from attaching to the rbw agent and dumping
+// memory This is not perfect protection, but closes a door. Unfortunately,
+// prctl only works on Linux.
+#[cfg(target_os = "linux")]
+pub fn disable_tracing() -> anyhow::Result<()> {
+    // https://github.com/torvalds/linux/blob/v5.11/include/uapi/linux/prctl.h#L14
+    const PR_SET_DUMPABLE: i32 = 4;
+
+    // safe because it's just a raw call to prctl, and the arguments are
+    // correct
+    let ret = unsafe { libc::prctl(PR_SET_DUMPABLE, 0) };
+    if ret == 0 {
+        Ok(())
+    } else {
+        Err(anyhow::anyhow!("rbw-agent: Failed to disable PTRACE_ATTACH. Agent memory may be dumpable by other processes."))
+    }
+}
+
+#[cfg(not(target_os = "linux"))]
+pub fn disable_tracing() -> anyhow::Result<()> {
+    Err(anyhow::anyhow!("rbw-agent: Unable to disable PTRACE_ATTACH on this platform: not implemented. Agent memory may be dumpable by other processes."))
+}
diff --git a/src/bin/rbw-agent/main.rs b/src/bin/rbw-agent/main.rs
index 81090e5..5eedc30 100644
--- a/src/bin/rbw-agent/main.rs
+++ b/src/bin/rbw-agent/main.rs
@@ -5,6 +5,7 @@ use anyhow::Context as _;
 mod actions;
 mod agent;
 mod daemon;
+mod debugger;
 mod sock;
 
 async fn tokio_main(
@@ -28,6 +29,8 @@ fn real_main() -> anyhow::Result<()> {
     )
     .init();
 
+    debugger::disable_tracing()?;
+
     let no_daemonize = if let Some(arg) = std::env::args().nth(1) {
         arg == "--no-daemonize"
     } else {
@@ -59,26 +62,7 @@ fn real_main() -> anyhow::Result<()> {
     Ok(())
 }
 
-const PR_SET_DUMPABLE: i32 = 4;
-
-#[cfg(target_os = "linux")]
-fn disable_tracing() {
-    let ret = unsafe { libc::prctl(PR_SET_DUMPABLE, 0) };
-    if ret != 0 {
-        println!("rbw-agent: Failed to disable PTRACE_ATTACH. Agent memory may be dumpable by other processes.");
-    }
-}
-
-#[cfg(not(target_os = "linux"))]
-fn disable_tracing() {
-    println!("rbw-agent: Unable to disable PTRACE_ATTACH on this platform: not implemented. Agent memory may be dumpable by other processes.");
-}
-
 fn main() {
-    // Prevent other user processes from attaching to the rbw agent and dumping memory
-    // This is not perfect protection, but closes a door. Unfortunately, prctl only works
-    // on Linux.
-    disable_tracing();
     let res = real_main();
 
     if let Err(e) = res {
-- 
cgit v1.2.3