feat(net): add support for ping sockets (#101) - WIP

src/caps.rs

@@ -1,13 +1,17 @@
 // Linux
 
+use trippy::tracing::PrivilegeMode;
+
 #[cfg(target_os = "linux")]
 /// Check if `CAP_NET_RAW` is in the permitted set and if so raise it to the effective set.
-pub fn ensure_caps() -> anyhow::Result<()> {
-    if caps::has_cap(None, caps::CapSet::Permitted, caps::Capability::CAP_NET_RAW)? {
-        caps::raise(None, caps::CapSet::Effective, caps::Capability::CAP_NET_RAW)?;
-    } else {
-        eprintln!("capability CAP_NET_RAW is required, see https://github.com/fujiapple852/trippy#privileges");
-        std::process::exit(-1);
+pub fn ensure_caps(privilege_mode: PrivilegeMode) -> anyhow::Result<()> {
+    if privilege_mode == PrivilegeMode::Privileged {
+        if caps::has_cap(None, caps::CapSet::Permitted, caps::Capability::CAP_NET_RAW)? {
+            caps::raise(None, caps::CapSet::Effective, caps::Capability::CAP_NET_RAW)?;
+        } else {
+            eprintln!("capability CAP_NET_RAW is required, see https://github.com/fujiapple852/trippy#privileges");
+            std::process::exit(-1);
+        }
     }
     Ok(())
 }
@@ -23,10 +27,10 @@ pub fn drop_caps() -> anyhow::Result<()> {
 
 #[cfg(all(unix, not(target_os = "linux")))]
 #[allow(clippy::unnecessary_wraps)]
-/// Ensure the effective user is `root`.
-pub fn ensure_caps() -> anyhow::Result<()> {
-    if !nix::unistd::Uid::effective().is_root() {
-        eprintln!("root user required to use raw sockets, see https://github.com/fujiapple852/trippy#privileges");
+/// Ensure the effective user is privileged, unless we are in unprivileged mode.
+pub fn ensure_caps(privilege_mode: PrivilegeMode) -> anyhow::Result<()> {
+    if privilege_mode == PrivilegeMode::Privileged && !nix::unistd::Uid::effective().is_root() {
+        eprintln!("privileged user required to use raw sockets (hint: try adding --unprivileged (-u) to run in unprivileged mode), see https://github.com/fujiapple852/trippy#privileges");
         std::process::exit(-1);
     }
     Ok(())
@@ -45,8 +49,8 @@ pub fn drop_caps() -> anyhow::Result<()> {
 
 #[cfg(windows)]
 #[allow(clippy::unnecessary_wraps)]
-/// Ensure the effective user is `root`.
-pub fn ensure_caps() -> anyhow::Result<()> {
+/// Ensure the effective user is an `Administrator`.
+pub fn ensure_caps(privilege_mode: PrivilegeMode) -> anyhow::Result<()> {
     macro_rules! syscall {
         ($p: path, $fn: ident ( $($arg: expr),* $(,)* ) ) => {{
             #[allow(unsafe_code)]
@@ -109,8 +113,13 @@ pub fn ensure_caps() -> anyhow::Result<()> {
         }
     }
 
-    if !Privileged::current_process()?.is_elevated()? {
-        eprintln!("administrator capability is required, see https://github.com/fujiapple852/trippy#privileges");
+    if privilege_mode == PrivilegeMode::Privileged {
+        if !Privileged::current_process()?.is_elevated()? {
+            eprintln!("administrator capability is required, see https://github.com/fujiapple852/trippy#privileges");
+            std::process::exit(-1);
+        }
+    } else {
+        eprintln!("unprivileged mode is not supported on Windows");
         std::process::exit(-1);
     }
     Ok(())

src/config.rs

@@ -12,7 +12,9 @@ use std::str::FromStr;
 use std::time::Duration;
 use strum::VariantNames;
 use theme::TuiThemeItem;
-use trippy::tracing::{MultipathStrategy, PortDirection, TracerAddrFamily, TracerProtocol};
+use trippy::tracing::{
+    MultipathStrategy, PortDirection, PrivilegeMode, TracerAddrFamily, TracerProtocol,
+};
 
 mod binding;
 mod cmd;
@@ -211,6 +213,7 @@ pub struct TrippyConfig {
     pub tui_theme: TuiTheme,
     pub tui_bindings: TuiBindings,
     pub mode: Mode,
+    pub privilege_mode: PrivilegeMode,
     pub report_cycles: usize,
     pub geoip_mmdb_file: Option<String>,
     pub max_rounds: Option<usize>,
@@ -260,6 +263,18 @@ impl TryFrom<(Args, u16)> for TrippyConfig {
         let cfg_file_dns = cfg_file.dns.unwrap_or_default();
         let cfg_file_report = cfg_file.report.unwrap_or_default();
         let mode = cfg_layer(args.mode, cfg_file_trace.mode, constants::DEFAULT_MODE);
+        let unprivileged = cfg_layer_bool_flag(
+            args.unprivileged,
+            cfg_file_trace.unprivileged,
+            constants::DEFAULT_UNPRIVILEGED,
+        );
+
+        let privilege_mode = if unprivileged {
+            PrivilegeMode::Unprivileged
+        } else {
+            PrivilegeMode::Privileged
+        };
+
         let verbose = args.verbose;
         let log_format = cfg_layer(
             args.log_format,
@@ -472,6 +487,7 @@ impl TryFrom<(Args, u16)> for TrippyConfig {
             _ => None,
         };
         validate_logging(mode, verbose)?;
+        validate_strategy(multipath_strategy, unprivileged)?;
         validate_multi(mode, protocol, &args.targets)?;
         validate_ttl(first_ttl, max_ttl)?;
         validate_max_inflight(max_inflight)?;
@@ -526,6 +542,7 @@ impl TryFrom<(Args, u16)> for TrippyConfig {
             tui_theme,
             tui_bindings,
             mode,
+            privilege_mode,
             report_cycles,
             geoip_mmdb_file,
             max_rounds,
@@ -571,6 +588,19 @@ fn validate_logging(mode: Mode, verbose: bool) -> anyhow::Result<()> {
     }
 }
 
+/// Validate the tracing strategy against the privilege mode.
+fn validate_strategy(strategy: MultipathStrategy, unprivileged: bool) -> anyhow::Result<()> {
+    match (strategy, unprivileged) {
+        (MultipathStrategy::Dublin, true) => Err(anyhow!(
+            "Dublin tracing strategy cannot be used in unprivileged mode"
+        )),
+        (MultipathStrategy::Paris, true) => Err(anyhow!(
+            "Paris tracing strategy cannot be used in unprivileged mode"
+        )),
+        _ => Ok(()),
+    }
+}
+
 /// We only allow multiple targets to be specified for the Tui and for `Icmp` tracing.
 fn validate_multi(mode: Mode, protocol: TracerProtocol, targets: &[String]) -> anyhow::Result<()> {
     match (mode, protocol) {

src/config/cmd.rs

@@ -25,6 +25,10 @@ pub struct Args {
     #[arg(value_enum, short = 'm', long)]
     pub mode: Option<Mode>,
 
+    /// Trace without requiring elevated privileges (Unix ICMP and UDP only)
+    #[arg(short = 'u', long)]
+    pub unprivileged: bool,
+
     /// Tracing protocol [default: icmp]
     #[arg(value_enum, short = 'p', long)]
     pub protocol: Option<Protocol>,

src/config/constants.rs

@@ -13,6 +13,9 @@ pub const MAX_HOPS: usize = u8::MAX as usize;
 /// The default value for `mode`.
 pub const DEFAULT_MODE: Mode = Mode::Tui;
 
+/// The default value for `unprivileged`.
+pub const DEFAULT_UNPRIVILEGED: bool = false;
+
 /// The default value for `log-format`.
 pub const DEFAULT_LOG_FORMAT: LogFormat = LogFormat::Pretty;
 

src/config/file.rs

@@ -85,6 +85,7 @@ pub struct ConfigFile {
 #[serde(rename_all = "kebab-case", deny_unknown_fields)]
 pub struct ConfigTrippy {
     pub mode: Option<Mode>,
+    pub unprivileged: Option<bool>,
     pub log_format: Option<LogFormat>,
     pub log_filter: Option<String>,
     pub log_span_events: Option<LogSpanEvents>,

src/frontend/render/header.rs

@@ -40,13 +40,22 @@ pub fn render<B: Backend>(f: &mut Frame<'_, B>, app: &TuiApp, rect: Rect) {
         .block(header_block.clone())
         .alignment(Alignment::Right);
     let protocol = match app.tracer_config().protocol {
-        TracerProtocol::Icmp => format!("icmp({})", app.tracer_config().addr_family),
+        TracerProtocol::Icmp => format!(
+            "icmp({}, {})",
+            app.tracer_config().addr_family,
+            app.tracer_config().privilege_mode
+        ),
         TracerProtocol::Udp => format!(
-            "udp({}, {})",
+            "udp({}, {}, {})",
             app.tracer_config().addr_family,
             app.tracer_config().multipath_strategy,
+            app.tracer_config().privilege_mode
+        ),
+        TracerProtocol::Tcp => format!(
+            "tcp({}, {})",
+            app.tracer_config().addr_family,
+            app.tracer_config().privilege_mode
         ),
-        TracerProtocol::Tcp => format!("tcp({})", app.tracer_config().addr_family),
     };
     let details = if app.show_hop_details {
         String::from("on")

src/main.rs

@@ -30,11 +30,11 @@ use tracing_chrome::{ChromeLayerBuilder, FlushGuard};
 use tracing_subscriber::fmt::format::FmtSpan;
 use tracing_subscriber::layer::SubscriberExt;
 use tracing_subscriber::util::SubscriberInitExt;
-use trippy::tracing::SourceAddr;
 use trippy::tracing::{
     MultipathStrategy, PortDirection, TracerAddrFamily, TracerChannelConfig, TracerConfig,
     TracerProtocol,
 };
+use trippy::tracing::{PrivilegeMode, SourceAddr};
 
 mod backend;
 mod caps;
@@ -50,7 +50,7 @@ fn main() -> anyhow::Result<()> {
     let _guard = configure_logging(&cfg);
     let resolver = start_dns_resolver(&cfg)?;
     let geoip_lookup = create_geoip_lookup(&cfg)?;
-    ensure_caps()?;
+    ensure_caps(cfg.privilege_mode)?;
     let traces: Vec<_> = cfg
         .targets
         .iter()
@@ -227,6 +227,7 @@ fn make_channel_config(
     target_addr: IpAddr,
 ) -> TracerChannelConfig {
     TracerChannelConfig::new(
+        args.privilege_mode,
         args.protocol,
         args.addr_family,
         source_addr,
@@ -253,6 +254,7 @@ fn make_trace_info(
         source_addr,
         target,
         target_addr,
+        args.privilege_mode,
         args.multipath_strategy,
         args.port_direction,
         args.protocol,
@@ -295,6 +297,7 @@ pub struct TraceInfo {
     pub source_addr: IpAddr,
     pub target_hostname: String,
     pub target_addr: IpAddr,
+    pub privilege_mode: PrivilegeMode,
     pub multipath_strategy: MultipathStrategy,
     pub port_direction: PortDirection,
     pub protocol: TracerProtocol,
@@ -321,6 +324,7 @@ impl TraceInfo {
         source_addr: IpAddr,
         target_hostname: String,
         target_addr: IpAddr,
+        privilege_mode: PrivilegeMode,
         multipath_strategy: MultipathStrategy,
         port_direction: PortDirection,
         protocol: TracerProtocol,
@@ -343,6 +347,7 @@ impl TraceInfo {
             source_addr,
             target_hostname,
             target_addr,
+            privilege_mode,
             multipath_strategy,
             port_direction,
             protocol,

src/tracing.rs

@@ -11,8 +11,8 @@ mod util;
 pub mod packet;
 
 pub use config::{
-    MultipathStrategy, PortDirection, TracerAddrFamily, TracerChannelConfig, TracerConfig,
-    TracerProtocol,
+    MultipathStrategy, PortDirection, PrivilegeMode, TracerAddrFamily, TracerChannelConfig,
+    TracerConfig, TracerProtocol,
 };
 pub use net::channel::TracerChannel;
 pub use net::source::SourceAddr;

src/tracing/config.rs

@@ -8,6 +8,24 @@ use std::fmt::{Display, Formatter};
 use std::net::IpAddr;
 use std::time::Duration;
 
+/// The privilege mode.
+#[derive(Debug, Copy, Clone, Eq, PartialEq)]
+pub enum PrivilegeMode {
+    /// Privileged mode.
+    Privileged,
+    /// Unprivileged mode.
+    Unprivileged,
+}
+
+impl Display for PrivilegeMode {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::Privileged => write!(f, "privileged"),
+            Self::Unprivileged => write!(f, "unprivileged"),
+        }
+    }
+}
+
 /// The address family.
 #[derive(Debug, Copy, Clone)]
 pub enum TracerAddrFamily {
@@ -149,6 +167,7 @@ impl PortDirection {
 /// Tracer network channel configuration.
 #[derive(Debug, Clone)]
 pub struct TracerChannelConfig {
+    pub privilege_mode: PrivilegeMode,
     pub protocol: TracerProtocol,
     pub addr_family: TracerAddrFamily,
     pub source_addr: IpAddr,
@@ -165,6 +184,7 @@ impl TracerChannelConfig {
     #[allow(clippy::too_many_arguments)]
     #[must_use]
     pub fn new(
+        privilege_mode: PrivilegeMode,
         protocol: TracerProtocol,
         addr_family: TracerAddrFamily,
         source_addr: IpAddr,
@@ -177,6 +197,7 @@ impl TracerChannelConfig {
         tcp_connect_timeout: Duration,
     ) -> Self {
         Self {
+            privilege_mode,
             protocol,
             addr_family,
             source_addr,

src/tracing/net/channel.rs

@@ -3,7 +3,9 @@ use crate::tracing::net::socket::Socket;
 use crate::tracing::net::{ipv4, ipv6, platform, Network};
 use crate::tracing::probe::ProbeResponse;
 use crate::tracing::types::{PacketSize, PayloadPattern, Sequence, TypeOfService};
-use crate::tracing::{MultipathStrategy, Probe, TracerChannelConfig, TracerProtocol};
+use crate::tracing::{
+    MultipathStrategy, PrivilegeMode, Probe, TracerChannelConfig, TracerProtocol,
+};
 use arrayvec::ArrayVec;
 use itertools::Itertools;
 use std::net::IpAddr;
@@ -18,6 +20,7 @@ const MAX_TCP_PROBES: usize = 256;
 
 /// A channel for sending and receiving `Probe` packets.
 pub struct TracerChannel<S: Socket> {
+    privilege_mode: PrivilegeMode,
     protocol: TracerProtocol,
     src_addr: IpAddr,
     ipv4_length_order: platform::PlatformIpv4FieldByteOrder,
@@ -45,16 +48,18 @@ impl<S: Socket> TracerChannel<S> {
                 config.packet_size.0,
             )));
         }
+        let raw = config.privilege_mode == PrivilegeMode::Privileged;
         platform::startup()?;
         let ipv4_length_order =
             platform::PlatformIpv4FieldByteOrder::for_address(config.source_addr)?;
         let send_socket = match config.protocol {
-            TracerProtocol::Icmp => Some(make_icmp_send_socket(config.source_addr)?),
-            TracerProtocol::Udp => Some(make_udp_send_socket(config.source_addr)?),
+            TracerProtocol::Icmp => Some(make_icmp_send_socket(config.source_addr, raw)?),
+            TracerProtocol::Udp => Some(make_udp_send_socket(config.source_addr, raw)?),
             TracerProtocol::Tcp => None,
         };
-        let recv_socket = make_recv_socket(config.source_addr)?;
+        let recv_socket = make_recv_socket(config.source_addr, raw)?;
         Ok(Self {
+            privilege_mode: config.privilege_mode,
             protocol: config.protocol,
             src_addr: config.source_addr,
             ipv4_length_order,
@@ -137,6 +142,7 @@ impl<S: Socket> TracerChannel<S> {
                     probe,
                     src_addr,
                     dest_addr,
+                    self.privilege_mode,
                     self.packet_size,
                     self.payload_pattern,
                     self.multipath_strategy,
@@ -235,27 +241,27 @@ impl<S: Socket> TcpProbe<S> {
 
 /// Make a socket for sending raw `ICMP` packets.
 #[instrument]
-fn make_icmp_send_socket<S: Socket>(addr: IpAddr) -> TraceResult<S> {
+fn make_icmp_send_socket<S: Socket>(addr: IpAddr, raw: bool) -> TraceResult<S> {
     Ok(match addr {
-        IpAddr::V4(_) => S::new_icmp_send_socket_ipv4(),
+        IpAddr::V4(_) => S::new_icmp_send_socket_ipv4(raw),
         IpAddr::V6(_) => S::new_icmp_send_socket_ipv6(),
     }?)
 }
 
 /// Make a socket for sending `UDP` packets.
 #[instrument]
-fn make_udp_send_socket<S: Socket>(addr: IpAddr) -> TraceResult<S> {
+fn make_udp_send_socket<S: Socket>(addr: IpAddr, raw: bool) -> TraceResult<S> {
     Ok(match addr {
-        IpAddr::V4(_) => S::new_udp_send_socket_ipv4(),
+        IpAddr::V4(_) => S::new_udp_send_socket_ipv4(raw),
         IpAddr::V6(_) => S::new_udp_send_socket_ipv6(),
     }?)
 }
 
 /// Make a socket for receiving raw `ICMP` packets.
 #[instrument]
-fn make_recv_socket<S: Socket>(addr: IpAddr) -> TraceResult<S> {
+fn make_recv_socket<S: Socket>(addr: IpAddr, raw: bool) -> TraceResult<S> {
     Ok(match addr {
-        IpAddr::V4(ipv4addr) => S::new_recv_socket_ipv4(ipv4addr),
+        IpAddr::V4(ipv4addr) => S::new_recv_socket_ipv4(ipv4addr, raw),
         IpAddr::V6(ipv6addr) => S::new_recv_socket_ipv6(ipv6addr),
     }?)
 }