Skip to content

feat: enhance privilege elevation logic #474

feat: enhance privilege elevation logic

feat: enhance privilege elevation logic #474

Workflow file for this run

name: Kernel Test
on:
pull_request:
paths:
- "**/*.go"
- "**/*.c"
- "**/*.h"
- "go.mod"
- "go.sum"
- ".github/workflows/kernel-test.yml"
jobs:
build:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
cache-dependency-path: |
go.mod
go.sum
go-version: 1.22.4
- name: Generate and build
run: |
git submodule update --init
make GOFLAGS="-buildvcs=false" CC=clang
- name: Store executable
uses: actions/upload-artifact@v4
with:
name: dae
path: dae
test:
runs-on: ubuntu-22.04
name: Test
needs: build
strategy:
fail-fast: false
matrix:
kernel: [ '6.1-20240305.092417', '6.6-20240305.092417' ]
timeout-minutes: 10
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Retrieve stored executable
uses: actions/[email protected]
with:
name: dae
path: dae
- name: Provision LVH VMs
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
test-name: dae-test
image-version: ${{ matrix.kernel }}
host-mount: ./
dns-resolver: '1.1.1.1'
install-dependencies: 'true'
cmd: |
chmod +x /host/dae/dae
apt update
apt install -y unzip
- name: Setup network
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker network create --ipv6 --subnet 2001:0DB8::/112 dae
docker run -td --name v2ray --privileged --network dae -v /host:/host ubuntu:22.04 bash
docker run -td --name dae --privileged --network dae -v /host:/host -v /sys:/sys ubuntu:22.04 bash
- name: Setup v2ray server
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
cd /host
curl -OL https://github.com/v2fly/v2ray-core/releases/download/v4.31.0/v2ray-linux-64.zip
unzip v2ray-linux-64.zip
docker cp ./v2ray v2ray:/usr/bin
docker cp ./v2ctl v2ray:/usr/bin
cat > ./v2ray.json <<!
{
"log": {
"access": "/host/v2ray.access.log",
"error": "/host/v2ray.error.log",
"loglevel": "warning"
},
"inbound": {
"port": 23333,
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "b004539e-0d7b-7996-c378-fb040e42de70",
"level": 0,
"alterId": 0
}
]
}
},
"outbound": {
"protocol": "freedom",
"settings": {}
},
"inboundDetour": [],
"outboundDetour": []
}
!
nohup docker exec v2ray v2ray -c /host/v2ray.json &> v2ray.log &
sleep 5s
cat v2ray.log
echo '{"v":"2","ps":"test","add":"v2ray","port":"23333","id":"b004539e-0d7b-7996-c378-fb040e42de70","aid":"0","net":"tcp","tls":"","type":"none","path":"","host":"v2ray"}' > vmess.json
- name: Setup dae server
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
cd /host
docker exec dae apt update
docker exec dae apt install -y curl dnsutils netcat
vmess_link=$(base64 -w0 vmess.json)
cat > ./conf.dae <<!
global {
tproxy_port: 12345
log_level: trace
lan_interface: auto
wan_interface: auto
allow_insecure: false
auto_config_kernel_parameter: true
}
node {
local: 'vmess://\$vmess_link'
}
group {
proxy {
policy: min_moving_avg
}
}
routing {
pname(dae) -> direct
fallback: proxy
}
!
chmod 600 ./conf.dae
nohup docker exec dae /host/dae/dae run -c /host/conf.dae &> dae.log &
sleep 5s
cat dae.log
- name: Check WAN IPv4 TCP
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae curl 1.1.1.1:443
cat /host/dae.log | grep -F -- '-> 1.1.1.1:443'
cat /host/v2ray.access.log | grep -q 'accepted tcp:1.1.1.1:443'
- name: Check WAN IPv4 UDP
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae dig @1.1.1.1 one.one.one.one
cat /host/dae.log | grep -F -- '-> 1.1.1.1:53'
cat /host/v2ray.access.log | grep -q 'accepted udp:1.1.1.1:53'
- name: Check WAN IPv6 TCP
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae nc -v -w1 2606:4700:4700::1111 443 &> /host/nc.log
cat /host/nc.log | grep -q 'succeeded!'
cat /host/dae.log | grep -F -- '-> [2606:4700:4700::1111]:443'
- name: Check WAN IPv6 UDP
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae dig @2606:4700:4700::1111 one.one.one.one
cat /host/dae.log | grep -F -- '-> [2606:4700:4700::1111]:53'
- name: Setup WAN UDP port conflict
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker restart -t0 dae v2ray
nohup docker exec v2ray v2ray -c /host/v2ray.json &> v2ray.log &
nohup docker exec dae /host/dae/dae run -c /host/conf.dae &> dae.log &
sleep 5s
nohup docker exec dae nc -lu 53 &> nc.log &
- name: Check WAN IPv4 UDP with port conflict
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae dig @1.1.1.1 one.one.one.one
cat /host/dae.log | grep -F -- '-> 1.1.1.1:53'
cat /host/v2ray.access.log | grep -q 'accepted udp:1.1.1.1:53'
- name: Check WAN IPv6 UDP with port conflict
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae dig @2606:4700:4700::1111 one.one.one.one
cat /host/dae.log | grep -F -- '-> [2606:4700:4700::1111]:53'
- name: Setup LAN
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
cd /host
docker restart -t0 dae
docker exec dae apt install -y iproute2 iptables iputils-ping
cat >lan.bash <<!
set -ex
ip net a dae
ip l a dae-veth type veth peer name dae-veth-peer
ip l s dae-veth-peer up
ip l s dae-veth netns dae
ip net e dae ip l s dae-veth up
ip r a 10.0.0.1 dev dae-veth-peer
ip net e dae ip a a 10.0.0.1 dev dae-veth
ip net e dae ip r a 169.254.0.1 dev dae-veth
ip net e dae ip r a default via 169.254.0.1 dev dae-veth
sysctl net.ipv6.conf.dae-veth-peer.disable_ipv6=0
ip -6 r a fd00:ffff::1 dev dae-veth-peer
ip -6 a a fe80::ecee:eeff:feee:eeee dev dae-veth-peer
ip net e dae ip -6 a a fd00:ffff::1 dev dae-veth
ip net e dae ip -6 r r default via fe80::ecee:eeff:feee:eeee dev dae-veth
sysctl net.ipv4.conf.dae-veth-peer.proxy_arp=1
sysctl net.ipv4.conf.dae-veth-peer.rp_filter=2
iptables-legacy -t nat -A POSTROUTING -s 10.0.0.1/32 -j MASQUERADE
!
docker exec dae bash /host/lan.bash
docker exec dae ping -c1 10.0.0.1
docker exec dae ip net e dae curl 1.0.0.1
docker exec dae ping -c1 fd00:ffff::1
docker exec dae sysctl net.ipv4.conf.dae-veth-peer.send_redirects=0
docker exec dae sysctl net.ipv6.conf.dae-veth-peer.forwarding=1
vmess_link=$(base64 -w0 vmess.json)
cat > ./conf.dae <<!
global {
tproxy_port: 12345
log_level: trace
lan_interface: dae-veth-peer
wan_interface: dae-veth-peer,eth0
allow_insecure: false
auto_config_kernel_parameter: true
}
node {
local: 'vmess://\$vmess_link'
}
group {
proxy {
policy: min_moving_avg
}
}
routing {
pname(dae) -> direct
fallback: proxy
}
!
chmod 600 ./conf.dae
nohup docker exec dae /host/dae/dae run -c /host/conf.dae &> dae.log &
sleep 5s
cat dae.log
- name: Check LAN IPv4 TCP
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae ip net e dae curl 1.0.0.1
cat /host/dae.log | grep -F -- '-> 1.0.0.1:80'
cat /host/v2ray.access.log | grep -q 'accepted tcp:1.0.0.1:80'
- name: Check LAN IPv4 UDP
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae ip net e dae dig @8.8.4.4 one.one.one.one
cat /host/dae.log | grep -F -- '-> 8.8.4.4:53'
cat /host/v2ray.access.log | grep -q 'accepted udp:8.8.4.4:53'
- name: Check LAN IPv6 TCP
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae ip net e dae nc -v -w1 2606:4700:4700::1001 80 &> /host/nc.log
cat /host/nc.log | grep -q 'succeeded!'
cat /host/dae.log | grep -F -- '-> [2606:4700:4700::1001]:80'
- name: Check LAN IPv6 UDP
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae ip net e dae dig @2001:4860:4860::8844 one.one.one.one
cat /host/dae.log | grep -F -- '-> [2001:4860:4860::8844]:53'
- name: Setup LAN UDP port conflict
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker restart -t0 dae v2ray
docker exec dae rm -f /var/run/netns/dae
docker exec dae bash /host/lan.bash
docker exec dae sysctl net.ipv4.conf.dae-veth-peer.send_redirects=0
docker exec dae sysctl net.ipv6.conf.dae-veth-peer.forwarding=1
nohup docker exec v2ray v2ray -c /host/v2ray.json &> v2ray.log &
nohup docker exec dae /host/dae/dae run -c /host/conf.dae &> dae.log &
sleep 5s
nohup docker exec dae nc -lu 53 &> nc.log &
- name: Check LAN IPv4 UDP with port conflict
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae ip net e dae dig @8.8.4.4 one.one.one.one
cat /host/dae.log | grep -F -- '-> 8.8.4.4:53'
cat /host/v2ray.access.log | grep -q 'accepted udp:8.8.4.4:53'
- name: Check LAN IPv6 UDP with port conflict
uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
with:
provision: 'false'
cmd: |
set -ex
docker exec dae ip net e dae dig @2001:4860:4860::8844 one.one.one.one
cat /host/dae.log | grep -F -- '-> [2001:4860:4860::8844]:53'