xref: /freebsd/contrib/capsicum-test/procdesc.cc (revision 52c2bb75163559a6e2866ad374a7de67a4ea1273)
1 // Tests for the process descriptor API for Linux.
2 #include <sys/types.h>
3 #include <sys/resource.h>
4 #include <sys/select.h>
5 #include <sys/socket.h>
6 #include <sys/stat.h>
7 #include <sys/time.h>
8 #include <sys/wait.h>
9 #include <fcntl.h>
10 #include <poll.h>
11 #include <pthread.h>
12 #include <signal.h>
13 #include <stdlib.h>
14 #include <unistd.h>
15 
16 #include <iomanip>
17 #include <map>
18 
19 #include "capsicum.h"
20 #include "syscalls.h"
21 #include "capsicum-test.h"
22 
23 #ifndef __WALL
24 // Linux requires __WALL in order for waitpid(specific_pid,...) to
25 // see and reap any specific pid.  Define this to nothing for platforms
26 // (FreeBSD) where it doesn't exist, to reduce macroing.
27 #define __WALL 0
28 #endif
29 
30 // TODO(drysdale): it would be nice to use proper synchronization between
31 // processes, rather than synchronization-via-sleep; faster too.
32 
33 
34 //------------------------------------------------
35 // Utilities for the tests.
36 
37 static pid_t pdwait4_(int pd, int *status, int options, struct rusage *ru) {
38 #ifdef HAVE_PDWAIT4
39   return pdwait4(pd, status, options, ru);
40 #else
41   // Simulate pdwait4() with wait4(pdgetpid()); this won't work in capability mode.
42   pid_t pid = -1;
43   int rc = pdgetpid(pd, &pid);
44   if (rc < 0) {
45     return rc;
46   }
47   options |= __WALL;
48   return wait4(pid, status, options, ru);
49 #endif
50 }
51 
52 static void print_rusage(FILE *f, struct rusage *ru) {
53   fprintf(f, "  User CPU time=%ld.%06ld\n", (long)ru->ru_utime.tv_sec, (long)ru->ru_utime.tv_usec);
54   fprintf(f, "  System CPU time=%ld.%06ld\n", (long)ru->ru_stime.tv_sec, (long)ru->ru_stime.tv_usec);
55   fprintf(f, "  Max RSS=%ld\n", ru->ru_maxrss);
56 }
57 
58 static void print_stat(FILE *f, const struct stat *stat) {
59   fprintf(f,
60           "{ .st_dev=%ld, st_ino=%ld, st_mode=%04o, st_nlink=%ld, st_uid=%d, st_gid=%d,\n"
61           "  .st_rdev=%ld, .st_size=%ld, st_blksize=%ld, .st_block=%ld,\n  "
62 #ifdef HAVE_STAT_BIRTHTIME
63           ".st_birthtime=%ld, "
64 #endif
65           ".st_atime=%ld, .st_mtime=%ld, .st_ctime=%ld}\n",
66           (long)stat->st_dev, (long)stat->st_ino, stat->st_mode,
67           (long)stat->st_nlink, stat->st_uid, stat->st_gid,
68           (long)stat->st_rdev, (long)stat->st_size, (long)stat->st_blksize,
69           (long)stat->st_blocks,
70 #ifdef HAVE_STAT_BIRTHTIME
71           (long)stat->st_birthtime,
72 #endif
73           (long)stat->st_atime, (long)stat->st_mtime, (long)stat->st_ctime);
74 }
75 
76 static std::map<int,bool> had_signal;
77 static void handle_signal(int x) {
78   had_signal[x] = true;
79 }
80 
81 // Check that the given child process terminates as expected.
82 void CheckChildFinished(pid_t pid, bool signaled=false) {
83   // Wait for the child to finish.
84   int rc;
85   int status = 0;
86   do {
87     rc = waitpid(pid, &status, __WALL);
88     if (rc < 0) {
89       fprintf(stderr, "Warning: waitpid error %s (%d)\n", strerror(errno), errno);
90       ADD_FAILURE() << "Failed to wait for child";
91       break;
92     } else if (rc == pid) {
93       break;
94     }
95   } while (true);
96   EXPECT_EQ(pid, rc);
97   if (rc == pid) {
98     if (signaled) {
99       EXPECT_TRUE(WIFSIGNALED(status));
100     } else {
101       EXPECT_TRUE(WIFEXITED(status)) << std::hex << status;
102       EXPECT_EQ(0, WEXITSTATUS(status));
103     }
104   }
105 }
106 
107 //------------------------------------------------
108 // Basic tests of process descriptor functionality
109 
110 TEST(Pdfork, Simple) {
111   int pd = -1;
112   pid_t parent = getpid_();
113   int pid = pdfork(&pd, 0);
114   EXPECT_OK(pid);
115   if (pid == 0) {
116     // Child: check pid values.
117     EXPECT_EQ(-1, pd);
118     EXPECT_NE(parent, getpid_());
119     EXPECT_EQ(parent, getppid());
120     sleep(1);
121     exit(0);
122   }
123   usleep(100);  // ensure the child has a chance to run
124   EXPECT_NE(-1, pd);
125   EXPECT_PID_ALIVE(pid);
126   int pid_got;
127   EXPECT_OK(pdgetpid(pd, &pid_got));
128   EXPECT_EQ(pid, pid_got);
129 
130   // Wait long enough for the child to exit().
131   sleep(2);
132   EXPECT_PID_ZOMBIE(pid);
133 
134   // Wait for the the child.
135   int status;
136   struct rusage ru;
137   memset(&ru, 0, sizeof(ru));
138   int waitrc = pdwait4_(pd, &status, 0, &ru);
139   EXPECT_EQ(pid, waitrc);
140   if (verbose) {
141     fprintf(stderr, "For pd %d pid %d:\n", pd, pid);
142     print_rusage(stderr, &ru);
143   }
144   EXPECT_PID_GONE(pid);
145 
146   // Can only pdwait4(pd) once (as initial call reaps zombie).
147   memset(&ru, 0, sizeof(ru));
148   EXPECT_EQ(-1, pdwait4_(pd, &status, 0, &ru));
149   EXPECT_EQ(ECHILD, errno);
150 
151   EXPECT_OK(close(pd));
152 }
153 
154 TEST(Pdfork, InvalidFlag) {
155   int pd = -1;
156   int pid = pdfork(&pd, PD_DAEMON<<5);
157   if (pid == 0) {
158     exit(1);
159   }
160   EXPECT_EQ(-1, pid);
161   EXPECT_EQ(EINVAL, errno);
162   if (pid > 0) waitpid(pid, NULL, __WALL);
163 }
164 
165 TEST(Pdfork, TimeCheck) {
166   time_t now = time(NULL);  // seconds since epoch
167   EXPECT_NE(-1, now);
168   if (verbose) fprintf(stderr, "Calling pdfork around %ld\n", (long)(long)now);
169 
170   int pd = -1;
171   pid_t pid = pdfork(&pd, 0);
172   EXPECT_OK(pid);
173   if (pid == 0) {
174     // Child: check we didn't get a valid process descriptor then exit.
175     EXPECT_EQ(-1, pdgetpid(pd, &pid));
176     EXPECT_EQ(EBADF, errno);
177     exit(HasFailure());
178   }
179 
180 #ifdef HAVE_PROCDESC_FSTAT
181   // Parent process. Ensure that [acm]times have been set correctly.
182   struct stat stat;
183   memset(&stat, 0, sizeof(stat));
184   EXPECT_OK(fstat(pd, &stat));
185   if (verbose) print_stat(stderr, &stat);
186 
187 #ifdef HAVE_STAT_BIRTHTIME
188   EXPECT_GE(now, stat.st_birthtime);
189   EXPECT_EQ(stat.st_birthtime, stat.st_atime);
190 #endif
191   EXPECT_LT((now - stat.st_atime), 2);
192   EXPECT_EQ(stat.st_atime, stat.st_ctime);
193   EXPECT_EQ(stat.st_ctime, stat.st_mtime);
194 #endif
195 
196   // Wait for the child to finish.
197   pid_t pd_pid = -1;
198   EXPECT_OK(pdgetpid(pd, &pd_pid));
199   EXPECT_EQ(pid, pd_pid);
200   CheckChildFinished(pid);
201 }
202 
203 TEST(Pdfork, UseDescriptor) {
204   int pd = -1;
205   pid_t pid = pdfork(&pd, 0);
206   EXPECT_OK(pid);
207   if (pid == 0) {
208     // Child: immediately exit
209     exit(0);
210   }
211   CheckChildFinished(pid);
212 }
213 
214 TEST(Pdfork, NonProcessDescriptor) {
215   int fd = open("/etc/passwd", O_RDONLY);
216   EXPECT_OK(fd);
217   // pd*() operations should fail on a non-process descriptor.
218   EXPECT_EQ(-1, pdkill(fd, SIGUSR1));
219   int status;
220   EXPECT_EQ(-1, pdwait4_(fd, &status, 0, NULL));
221   pid_t pid;
222   EXPECT_EQ(-1, pdgetpid(fd, &pid));
223   close(fd);
224 }
225 
226 static void *SubThreadMain(void *) {
227   while (true) {
228     if (verbose) fprintf(stderr, "      subthread: \"I aten't dead\"\n");
229     usleep(100000);
230   }
231   return NULL;
232 }
233 
234 static void *ThreadMain(void *) {
235   int pd;
236   pid_t child = pdfork(&pd, 0);
237   if (child == 0) {
238     // Child: start a subthread then loop
239     pthread_t child_subthread;
240     EXPECT_OK(pthread_create(&child_subthread, NULL, SubThreadMain, NULL));
241     while (true) {
242       if (verbose) fprintf(stderr, "    pdforked process %d: \"I aten't dead\"\n", getpid());
243       usleep(100000);
244     }
245     exit(0);
246   }
247   if (verbose) fprintf(stderr, "  thread generated pd %d\n", pd);
248   sleep(2);
249 
250   // Pass the process descriptor back to the main thread.
251   return reinterpret_cast<void *>(pd);
252 }
253 
254 TEST(Pdfork, FromThread) {
255   // Fire off a new thread to do all of the creation work.
256   pthread_t child_thread;
257   EXPECT_OK(pthread_create(&child_thread, NULL, ThreadMain, NULL));
258   void *data;
259   EXPECT_OK(pthread_join(child_thread, &data));
260   int pd = reinterpret_cast<intptr_t>(data);
261   if (verbose) fprintf(stderr, "retrieved pd %d from terminated thread\n", pd);
262 
263   // Kill and reap.
264   pid_t pid;
265   EXPECT_OK(pdgetpid(pd, &pid));
266   EXPECT_OK(pdkill(pd, SIGKILL));
267   int status;
268   EXPECT_EQ(pid, pdwait4_(pd, &status, 0, NULL));
269   EXPECT_TRUE(WIFSIGNALED(status));
270 }
271 
272 //------------------------------------------------
273 // More complicated tests.
274 
275 
276 // Test fixture that pdfork()s off a child process, which terminates
277 // when it receives anything on a pipe.
278 class PipePdforkBase : public ::testing::Test {
279  public:
280   PipePdforkBase(int pdfork_flags) : pd_(-1), pid_(-1) {
281     had_signal.clear();
282     int pipes[2];
283     EXPECT_OK(pipe(pipes));
284     pipe_ = pipes[1];
285     int parent = getpid_();
286     if (verbose) fprintf(stderr, "[%d] about to pdfork()\n", getpid_());
287     int rc = pdfork(&pd_, pdfork_flags);
288     EXPECT_OK(rc);
289     if (rc == 0) {
290       // Child process: blocking-read an int from the pipe then exit with that value.
291       EXPECT_NE(parent, getpid_());
292       EXPECT_EQ(parent, getppid());
293       if (verbose) fprintf(stderr, "  [%d] child of %d waiting for value on pipe\n", getpid_(), getppid());
294       read(pipes[0], &rc, sizeof(rc));
295       if (verbose) fprintf(stderr, "  [%d] got value %d on pipe, exiting\n", getpid_(), rc);
296       exit(rc);
297     }
298     pid_ = rc;
299     usleep(100);  // ensure the child has a chance to run
300   }
301   ~PipePdforkBase() {
302     // Terminate by any means necessary.
303     if (pd_ > 0) {
304       pdkill(pd_, SIGKILL);
305       close(pd_);
306     }
307     if (pid_ > 0) {
308       kill(pid_, SIGKILL);
309       waitpid(pid_, NULL, __WALL|WNOHANG);
310     }
311     // Check signal expectations.
312     EXPECT_FALSE(had_signal[SIGCHLD]);
313   }
314   int TerminateChild() {
315     // Tell the child to exit.
316     int zero = 0;
317     if (verbose) fprintf(stderr, "[%d] write 0 to pipe\n", getpid_());
318     return write(pipe_, &zero, sizeof(zero));
319   }
320  protected:
321   int pd_;
322   int pipe_;
323   pid_t pid_;
324 };
325 
326 class PipePdfork : public PipePdforkBase {
327  public:
328   PipePdfork() : PipePdforkBase(0) {}
329 };
330 
331 class PipePdforkDaemon : public PipePdforkBase {
332  public:
333   PipePdforkDaemon() : PipePdforkBase(PD_DAEMON) {}
334 };
335 
336 // Can we poll a process descriptor?
337 TEST_F(PipePdfork, Poll) {
338   // Poll the process descriptor, nothing happening.
339   struct pollfd fdp;
340   fdp.fd = pd_;
341   fdp.events = POLLIN | POLLERR | POLLHUP;
342   fdp.revents = 0;
343   EXPECT_EQ(0, poll(&fdp, 1, 0));
344 
345   TerminateChild();
346 
347   // Poll again, should have activity on the process descriptor.
348   EXPECT_EQ(1, poll(&fdp, 1, 2000));
349   EXPECT_TRUE(fdp.revents & POLLHUP);
350 
351   // Poll a third time, still have POLLHUP.
352   fdp.revents = 0;
353   EXPECT_EQ(1, poll(&fdp, 1, 0));
354   EXPECT_TRUE(fdp.revents & POLLHUP);
355 }
356 
357 // Can multiple processes poll on the same descriptor?
358 TEST_F(PipePdfork, PollMultiple) {
359   int child = fork();
360   EXPECT_OK(child);
361   if (child == 0) {
362     // Child: wait to give time for setup, then write to the pipe (which will
363     // induce exit of the pdfork()ed process) and exit.
364     sleep(1);
365     TerminateChild();
366     exit(0);
367   }
368   usleep(100);  // ensure the child has a chance to run
369 
370   // Fork again
371   int doppel = fork();
372   EXPECT_OK(doppel);
373   // We now have:
374   //   pid A: main process, here
375   //   |--pid B: pdfork()ed process, blocked on read()
376   //   |--pid C: fork()ed process, in sleep(1) above
377   //   +--pid D: doppel process, here
378 
379   // Both A and D execute the following code.
380   // First, check no activity on the process descriptor yet.
381   struct pollfd fdp;
382   fdp.fd = pd_;
383   fdp.events = POLLIN | POLLERR | POLLHUP;
384   fdp.revents = 0;
385   EXPECT_EQ(0, poll(&fdp, 1, 0));
386 
387   // Now, wait (indefinitely) for activity on the process descriptor.
388   // We expect:
389   //  - pid C will finish its sleep, write to the pipe and exit
390   //  - pid B will unblock from read(), and exit
391   //  - this will generate an event on the process descriptor...
392   //  - ...in both process A and process D.
393   EXPECT_EQ(1, poll(&fdp, 1, 2000));
394   EXPECT_TRUE(fdp.revents & POLLHUP);
395 
396   if (doppel == 0) {
397     // Child: process D exits.
398     exit(0);
399   } else {
400     // Parent: wait on process D.
401     int rc = 0;
402     waitpid(doppel, &rc, __WALL);
403     EXPECT_TRUE(WIFEXITED(rc));
404     EXPECT_EQ(0, WEXITSTATUS(rc));
405     // Also wait on process B.
406     CheckChildFinished(child);
407   }
408 }
409 
410 // Check that exit status/rusage for a dead pdfork()ed child can be retrieved
411 // via any process descriptor, multiple times.
412 TEST_F(PipePdfork, MultipleRetrieveExitStatus) {
413   EXPECT_PID_ALIVE(pid_);
414   int pd_copy = dup(pd_);
415   EXPECT_LT(0, TerminateChild());
416 
417   int status;
418   struct rusage ru;
419   memset(&ru, 0, sizeof(ru));
420   int waitrc = pdwait4_(pd_copy, &status, 0, &ru);
421   EXPECT_EQ(pid_, waitrc);
422   if (verbose) {
423     fprintf(stderr, "For pd %d -> pid %d:\n", pd_, pid_);
424     print_rusage(stderr, &ru);
425   }
426   EXPECT_PID_GONE(pid_);
427 
428 #ifdef NOTYET
429   // Child has been reaped, so original process descriptor dangles but
430   // still has access to rusage information.
431   memset(&ru, 0, sizeof(ru));
432   EXPECT_EQ(0, pdwait4_(pd_, &status, 0, &ru));
433 #endif
434   close(pd_copy);
435 }
436 
437 TEST_F(PipePdfork, ChildExit) {
438   EXPECT_PID_ALIVE(pid_);
439   EXPECT_LT(0, TerminateChild());
440   EXPECT_PID_DEAD(pid_);
441 
442   int status;
443   int rc = pdwait4_(pd_, &status, 0, NULL);
444   EXPECT_OK(rc);
445   EXPECT_EQ(pid_, rc);
446   pid_ = 0;
447 }
448 
449 #ifdef HAVE_PROC_FDINFO
450 TEST_F(PipePdfork, FdInfo) {
451   char buffer[1024];
452   sprintf(buffer, "/proc/%d/fdinfo/%d", getpid_(), pd_);
453   int procfd = open(buffer, O_RDONLY);
454   EXPECT_OK(procfd);
455 
456   EXPECT_OK(read(procfd, buffer, sizeof(buffer)));
457   // The fdinfo should include the file pos of the underlying file
458   EXPECT_NE((char*)NULL, strstr(buffer, "pos:\t0")) << buffer;
459   // ...and the underlying pid
460   char pidline[256];
461   sprintf(pidline, "pid:\t%d", pid_);
462   EXPECT_NE((char*)NULL, strstr(buffer, pidline)) << buffer;
463   close(procfd);
464 }
465 #endif
466 
467 // Closing a normal process descriptor terminates the underlying process.
468 TEST_F(PipePdfork, Close) {
469   sighandler_t original = signal(SIGCHLD, handle_signal);
470   EXPECT_PID_ALIVE(pid_);
471   int status;
472   EXPECT_EQ(0, waitpid(pid_, &status, __WALL|WNOHANG));
473 
474   EXPECT_OK(close(pd_));
475   pd_ = -1;
476   EXPECT_FALSE(had_signal[SIGCHLD]);
477   EXPECT_PID_DEAD(pid_);
478 
479 #ifdef __FreeBSD__
480   EXPECT_EQ(-1, waitpid(pid_, NULL, __WALL));
481   EXPECT_EQ(errno, ECHILD);
482 #else
483   // Having closed the process descriptor means that pdwait4(pd) now doesn't work.
484   int rc = pdwait4_(pd_, &status, 0, NULL);
485   EXPECT_EQ(-1, rc);
486   EXPECT_EQ(EBADF, errno);
487 
488   // Closing all process descriptors means the the child can only be reaped via pid.
489   EXPECT_EQ(pid_, waitpid(pid_, &status, __WALL|WNOHANG));
490 #endif
491   signal(SIGCHLD, original);
492 }
493 
494 TEST_F(PipePdfork, CloseLast) {
495   sighandler_t original = signal(SIGCHLD, handle_signal);
496   // Child should only die when last process descriptor is closed.
497   EXPECT_PID_ALIVE(pid_);
498   int pd_other = dup(pd_);
499 
500   EXPECT_OK(close(pd_));
501   pd_ = -1;
502 
503   EXPECT_PID_ALIVE(pid_);
504   int status;
505   EXPECT_EQ(0, waitpid(pid_, &status, __WALL|WNOHANG));
506 
507   // Can no longer pdwait4() the closed process descriptor...
508   EXPECT_EQ(-1, pdwait4_(pd_, &status, WNOHANG, NULL));
509   EXPECT_EQ(EBADF, errno);
510   // ...but can pdwait4() the still-open process descriptor.
511   errno = 0;
512   EXPECT_EQ(0, pdwait4_(pd_other, &status, WNOHANG, NULL));
513   EXPECT_EQ(0, errno);
514 
515   EXPECT_OK(close(pd_other));
516   EXPECT_PID_DEAD(pid_);
517 
518   EXPECT_FALSE(had_signal[SIGCHLD]);
519   signal(SIGCHLD, original);
520 }
521 
522 FORK_TEST(Pdfork, OtherUser) {
523   REQUIRE_ROOT();
524   int pd;
525   pid_t pid = pdfork(&pd, 0);
526   EXPECT_OK(pid);
527   if (pid == 0) {
528     // Child process: loop forever.
529     while (true) usleep(100000);
530   }
531   usleep(100);
532 
533   // Now that the second process has been pdfork()ed, change euid.
534   setuid(other_uid);
535   if (verbose) fprintf(stderr, "uid=%d euid=%d\n", getuid(), geteuid());
536 
537   // Fail to kill child with normal PID operation.
538   EXPECT_EQ(-1, kill(pid, SIGKILL));
539   EXPECT_EQ(EPERM, errno);
540   EXPECT_PID_ALIVE(pid);
541 
542   // Succeed with pdkill though.
543   EXPECT_OK(pdkill(pd, SIGKILL));
544   EXPECT_PID_ZOMBIE(pid);
545 
546   int status;
547   int rc = pdwait4_(pd, &status, WNOHANG, NULL);
548   EXPECT_OK(rc);
549   EXPECT_EQ(pid, rc);
550   EXPECT_TRUE(WIFSIGNALED(status));
551 }
552 
553 TEST_F(PipePdfork, WaitPidThenPd) {
554   TerminateChild();
555   int status;
556   // If we waitpid(pid) first...
557   int rc = waitpid(pid_, &status, __WALL);
558   EXPECT_OK(rc);
559   EXPECT_EQ(pid_, rc);
560 
561 #ifdef NOTYET
562   // ...the zombie is reaped but we can still subsequently pdwait4(pd).
563   EXPECT_EQ(0, pdwait4_(pd_, &status, 0, NULL));
564 #endif
565 }
566 
567 TEST_F(PipePdfork, WaitPdThenPid) {
568   TerminateChild();
569   int status;
570   // If we pdwait4(pd) first...
571   int rc = pdwait4_(pd_, &status, 0, NULL);
572   EXPECT_OK(rc);
573   EXPECT_EQ(pid_, rc);
574 
575   // ...the zombie is reaped and cannot subsequently waitpid(pid).
576   EXPECT_EQ(-1, waitpid(pid_, &status, __WALL));
577   EXPECT_EQ(ECHILD, errno);
578 }
579 
580 // Setting PD_DAEMON prevents close() from killing the child.
581 TEST_F(PipePdforkDaemon, Close) {
582   EXPECT_OK(close(pd_));
583   pd_ = -1;
584   EXPECT_PID_ALIVE(pid_);
585 
586   // Can still explicitly kill it via the pid.
587   if (pid_ > 0) {
588     EXPECT_OK(kill(pid_, SIGKILL));
589     EXPECT_PID_DEAD(pid_);
590   }
591 }
592 
593 static void TestPdkill(pid_t pid, int pd) {
594   EXPECT_PID_ALIVE(pid);
595   // SIGCONT is ignored by default.
596   EXPECT_OK(pdkill(pd, SIGCONT));
597   EXPECT_PID_ALIVE(pid);
598 
599   // SIGINT isn't
600   EXPECT_OK(pdkill(pd, SIGINT));
601   EXPECT_PID_DEAD(pid);
602 
603   // pdkill() on zombie is no-op.
604   errno = 0;
605   EXPECT_EQ(0, pdkill(pd, SIGINT));
606   EXPECT_EQ(0, errno);
607 
608   // pdkill() on reaped process gives -ESRCH.
609   CheckChildFinished(pid, true);
610   EXPECT_EQ(-1, pdkill(pd, SIGINT));
611   EXPECT_EQ(ESRCH, errno);
612 }
613 
614 TEST_F(PipePdfork, Pdkill) {
615   TestPdkill(pid_, pd_);
616 }
617 
618 TEST_F(PipePdforkDaemon, Pdkill) {
619   TestPdkill(pid_, pd_);
620 }
621 
622 TEST(Pdfork, PdkillOtherSignal) {
623   int pd = -1;
624   int pid = pdfork(&pd, 0);
625   EXPECT_OK(pid);
626   if (pid == 0) {
627     // Child: watch for SIGUSR1 forever.
628     had_signal.clear();
629     signal(SIGUSR1, handle_signal);
630     while (!had_signal[SIGUSR1]) {
631       usleep(100000);
632     }
633     exit(123);
634   }
635   sleep(1);
636 
637   // Send an invalid signal.
638   EXPECT_EQ(-1, pdkill(pd, 0xFFFF));
639   EXPECT_EQ(EINVAL, errno);
640 
641   // Send an expected SIGUSR1 to the pdfork()ed child.
642   EXPECT_PID_ALIVE(pid);
643   pdkill(pd, SIGUSR1);
644   EXPECT_PID_DEAD(pid);
645 
646   // Child's exit status confirms whether it received the signal.
647   int status;
648   int rc = waitpid(pid, &status, __WALL);
649   EXPECT_OK(rc);
650   EXPECT_EQ(pid, rc);
651   EXPECT_TRUE(WIFEXITED(status)) << "0x" << std::hex << rc;
652   EXPECT_EQ(123, WEXITSTATUS(status));
653 }
654 
655 pid_t PdforkParentDeath(int pdfork_flags) {
656   // Set up:
657   //   pid A: main process, here
658   //   +--pid B: fork()ed process, sleep(4)s then exits
659   //      +--pid C: pdfork()ed process, looping forever
660   int sock_fds[2];
661   EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds));
662   if (verbose) fprintf(stderr, "[%d] parent about to fork()...\n", getpid_());
663   pid_t child = fork();
664   EXPECT_OK(child);
665   if (child == 0) {
666     int pd;
667     if (verbose) fprintf(stderr, "  [%d] child about to pdfork()...\n", getpid_());
668     pid_t grandchild = pdfork(&pd, pdfork_flags);
669     if (grandchild == 0) {
670       while (true) {
671         if (verbose) fprintf(stderr, "    [%d] grandchild: \"I aten't dead\"\n", getpid_());
672         sleep(1);
673       }
674     }
675     if (verbose) fprintf(stderr, "  [%d] pdfork()ed grandchild %d, sending ID to parent\n", getpid_(), grandchild);
676     // send grandchild pid to parent
677     write(sock_fds[1], &grandchild, sizeof(grandchild));
678     sleep(4);
679     if (verbose) fprintf(stderr, "  [%d] child terminating\n", getpid_());
680     exit(0);
681   }
682   if (verbose) fprintf(stderr, "[%d] fork()ed child is %d\n", getpid_(), child);
683   pid_t grandchild;
684   read(sock_fds[0], &grandchild, sizeof(grandchild));
685   if (verbose) fprintf(stderr, "[%d] receive grandchild id %d\n", getpid_(), grandchild);
686   EXPECT_PID_ALIVE(child);
687   EXPECT_PID_ALIVE(grandchild);
688   sleep(6);
689   // Child dies, closing its process descriptor for the grandchild.
690   EXPECT_PID_DEAD(child);
691   CheckChildFinished(child);
692   return grandchild;
693 }
694 
695 TEST(Pdfork, Bagpuss) {
696   // "And of course when Bagpuss goes to sleep, all his friends go to sleep too"
697   pid_t grandchild = PdforkParentDeath(0);
698   // By default: child death => closed process descriptor => grandchild death.
699   EXPECT_PID_DEAD(grandchild);
700 }
701 
702 TEST(Pdfork, BagpussDaemon) {
703   pid_t grandchild = PdforkParentDeath(PD_DAEMON);
704   // With PD_DAEMON: child death => closed process descriptor => no effect on grandchild.
705   EXPECT_PID_ALIVE(grandchild);
706   if (grandchild > 0) {
707     EXPECT_OK(kill(grandchild, SIGKILL));
708   }
709 }
710 
711 // The exit of a pdfork()ed process should not generate SIGCHLD.
712 TEST_F(PipePdfork, NoSigchld) {
713   had_signal.clear();
714   sighandler_t original = signal(SIGCHLD, handle_signal);
715   TerminateChild();
716   int rc = 0;
717   // Can waitpid() for the specific pid of the pdfork()ed child.
718   EXPECT_EQ(pid_, waitpid(pid_, &rc, __WALL));
719   EXPECT_TRUE(WIFEXITED(rc)) << "0x" << std::hex << rc;
720   EXPECT_FALSE(had_signal[SIGCHLD]);
721   signal(SIGCHLD, original);
722 }
723 
724 // The exit of a pdfork()ed process whose process descriptors have
725 // all been closed should generate SIGCHLD.  The child process needs
726 // PD_DAEMON to survive the closure of the process descriptors.
727 TEST_F(PipePdforkDaemon, NoPDSigchld) {
728   had_signal.clear();
729   sighandler_t original = signal(SIGCHLD, handle_signal);
730 
731   EXPECT_OK(close(pd_));
732   TerminateChild();
733 #ifdef __FreeBSD__
734   EXPECT_EQ(-1, waitpid(pid_, NULL, __WALL));
735   EXPECT_EQ(errno, ECHILD);
736 #else
737   int rc = 0;
738   // Can waitpid() for the specific pid of the pdfork()ed child.
739   EXPECT_EQ(pid_, waitpid(pid_, &rc, __WALL));
740   EXPECT_TRUE(WIFEXITED(rc)) << "0x" << std::hex << rc;
741 #endif
742   EXPECT_FALSE(had_signal[SIGCHLD]);
743   signal(SIGCHLD, original);
744 }
745 
746 #ifdef HAVE_PROCDESC_FSTAT
747 TEST_F(PipePdfork, ModeBits) {
748   // Owner rwx bits indicate liveness of child
749   struct stat stat;
750   memset(&stat, 0, sizeof(stat));
751   EXPECT_OK(fstat(pd_, &stat));
752   if (verbose) print_stat(stderr, &stat);
753   EXPECT_EQ(S_IRWXU, (long)(stat.st_mode & S_IRWXU));
754 
755   TerminateChild();
756   usleep(100000);
757 
758   memset(&stat, 0, sizeof(stat));
759   EXPECT_OK(fstat(pd_, &stat));
760   if (verbose) print_stat(stderr, &stat);
761   EXPECT_EQ(0, (int)(stat.st_mode & S_IRWXU));
762 }
763 #endif
764 
765 TEST_F(PipePdfork, WildcardWait) {
766   // TODO(FreeBSD): make wildcard wait ignore pdfork()ed children
767   // https://bugs.freebsd.org/201054
768   TerminateChild();
769   sleep(1);  // Ensure child is truly dead.
770 
771   // Wildcard waitpid(-1) should not see the pdfork()ed child because
772   // there is still a process descriptor for it.
773   int rc;
774   EXPECT_EQ(-1, waitpid(-1, &rc, WNOHANG));
775   EXPECT_EQ(ECHILD, errno);
776 
777   EXPECT_OK(close(pd_));
778   pd_ = -1;
779 }
780 
781 FORK_TEST(Pdfork, Pdkill) {
782   had_signal.clear();
783   int pd;
784   pid_t pid = pdfork(&pd, 0);
785   EXPECT_OK(pid);
786 
787   if (pid == 0) {
788     // Child: set a SIGINT handler and sleep.
789     had_signal.clear();
790     signal(SIGINT, handle_signal);
791     if (verbose) fprintf(stderr, "[%d] child about to sleep(10)\n", getpid_());
792     int left = sleep(10);
793     if (verbose) fprintf(stderr, "[%d] child slept, %d sec left, had[SIGINT]=%d\n",
794                          getpid_(), left, had_signal[SIGINT]);
795     // Expect this sleep to be interrupted by the signal (and so left > 0).
796     exit(left == 0);
797   }
798 
799   // Parent: get child's PID.
800   pid_t pd_pid;
801   EXPECT_OK(pdgetpid(pd, &pd_pid));
802   EXPECT_EQ(pid, pd_pid);
803 
804   // Interrupt the child after a second.
805   sleep(1);
806   EXPECT_OK(pdkill(pd, SIGINT));
807 
808   // Make sure the child finished properly (caught signal then exited).
809   CheckChildFinished(pid);
810 }
811 
812 FORK_TEST(Pdfork, PdkillSignal) {
813   int pd;
814   pid_t pid = pdfork(&pd, 0);
815   EXPECT_OK(pid);
816 
817   if (pid == 0) {
818     // Child: sleep.  No SIGINT handler.
819     if (verbose) fprintf(stderr, "[%d] child about to sleep(10)\n", getpid_());
820     int left = sleep(10);
821     if (verbose) fprintf(stderr, "[%d] child slept, %d sec left\n", getpid_(), left);
822     exit(99);
823   }
824 
825   // Kill the child (as it doesn't handle SIGINT).
826   sleep(1);
827   EXPECT_OK(pdkill(pd, SIGINT));
828 
829   // Make sure the child finished properly (terminated by signal).
830   CheckChildFinished(pid, true);
831 }
832 
833 //------------------------------------------------
834 // Test interactions with other parts of Capsicum:
835 //  - capability mode
836 //  - capabilities
837 
838 FORK_TEST(Pdfork, DaemonUnrestricted) {
839   EXPECT_OK(cap_enter());
840   int fd;
841 
842   // Capability mode leaves pdfork() available, with and without flag.
843   int rc;
844   rc = pdfork(&fd, PD_DAEMON);
845   EXPECT_OK(rc);
846   if (rc == 0) {
847     // Child: immediately terminate.
848     exit(0);
849   }
850 
851   rc = pdfork(&fd, 0);
852   EXPECT_OK(rc);
853   if (rc == 0) {
854     // Child: immediately terminate.
855     exit(0);
856   }
857 }
858 
859 TEST(Pdfork, MissingRights) {
860   pid_t parent = getpid_();
861   int pd = -1;
862   pid_t pid = pdfork(&pd, 0);
863   EXPECT_OK(pid);
864   if (pid == 0) {
865     // Child: loop forever.
866     EXPECT_NE(parent, getpid_());
867     while (true) sleep(1);
868   }
869   // Create two capabilities from the process descriptor.
870   cap_rights_t r_ro;
871   cap_rights_init(&r_ro, CAP_READ, CAP_LOOKUP);
872   int cap_incapable = dup(pd);
873   EXPECT_OK(cap_incapable);
874   EXPECT_OK(cap_rights_limit(cap_incapable, &r_ro));
875   cap_rights_t r_pdall;
876   cap_rights_init(&r_pdall, CAP_PDGETPID, CAP_PDWAIT, CAP_PDKILL);
877   int cap_capable = dup(pd);
878   EXPECT_OK(cap_capable);
879   EXPECT_OK(cap_rights_limit(cap_capable, &r_pdall));
880 
881   pid_t other_pid;
882   EXPECT_NOTCAPABLE(pdgetpid(cap_incapable, &other_pid));
883   EXPECT_NOTCAPABLE(pdkill(cap_incapable, SIGINT));
884   int status;
885   EXPECT_NOTCAPABLE(pdwait4_(cap_incapable, &status, 0, NULL));
886 
887   EXPECT_OK(pdgetpid(cap_capable, &other_pid));
888   EXPECT_EQ(pid, other_pid);
889   EXPECT_OK(pdkill(cap_capable, SIGINT));
890   int rc = pdwait4_(pd, &status, 0, NULL);
891   EXPECT_OK(rc);
892   EXPECT_EQ(pid, rc);
893 }
894 
895 
896 //------------------------------------------------
897 // Passing process descriptors between processes.
898 
899 TEST_F(PipePdfork, PassProcessDescriptor) {
900   int sock_fds[2];
901   EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds));
902 
903   struct msghdr mh;
904   mh.msg_name = NULL;  // No address needed
905   mh.msg_namelen = 0;
906   char buffer1[1024];
907   struct iovec iov[1];
908   iov[0].iov_base = buffer1;
909   iov[0].iov_len = sizeof(buffer1);
910   mh.msg_iov = iov;
911   mh.msg_iovlen = 1;
912   char buffer2[1024];
913   mh.msg_control = buffer2;
914   mh.msg_controllen = sizeof(buffer2);
915   struct cmsghdr *cmptr;
916 
917   if (verbose) fprintf(stderr, "[%d] about to fork()\n", getpid_());
918   pid_t child2 = fork();
919   if (child2 == 0) {
920     // Child: close our copy of the original process descriptor.
921     close(pd_);
922 
923     // Child: wait to receive process descriptor over socket
924     if (verbose) fprintf(stderr, "  [%d] child of %d waiting for process descriptor on socket\n", getpid_(), getppid());
925     int rc = recvmsg(sock_fds[0], &mh, 0);
926     EXPECT_OK(rc);
927     EXPECT_LE(CMSG_LEN(sizeof(int)), mh.msg_controllen);
928     cmptr = CMSG_FIRSTHDR(&mh);
929     int pd = *(int*)CMSG_DATA(cmptr);
930     EXPECT_EQ(CMSG_LEN(sizeof(int)), cmptr->cmsg_len);
931     cmptr = CMSG_NXTHDR(&mh, cmptr);
932     EXPECT_TRUE(cmptr == NULL);
933     if (verbose) fprintf(stderr, "  [%d] got process descriptor %d on socket\n", getpid_(), pd);
934 
935     // Child: confirm we can do pd*() operations on the process descriptor
936     pid_t other;
937     EXPECT_OK(pdgetpid(pd, &other));
938     if (verbose) fprintf(stderr, "  [%d] process descriptor %d is pid %d\n", getpid_(), pd, other);
939 
940     sleep(2);
941     if (verbose) fprintf(stderr, "  [%d] close process descriptor %d\n", getpid_(), pd);
942     close(pd);
943 
944     // Last process descriptor closed, expect death
945     EXPECT_PID_DEAD(other);
946 
947     exit(HasFailure());
948   }
949   usleep(1000);  // Ensure subprocess runs
950 
951   // Send the process descriptor over the pipe to the sub-process
952   mh.msg_controllen = CMSG_LEN(sizeof(int));
953   cmptr = CMSG_FIRSTHDR(&mh);
954   cmptr->cmsg_level = SOL_SOCKET;
955   cmptr->cmsg_type = SCM_RIGHTS;
956   cmptr->cmsg_len = CMSG_LEN(sizeof(int));
957   *(int *)CMSG_DATA(cmptr) = pd_;
958   buffer1[0] = 0;
959   iov[0].iov_len = 1;
960   sleep(1);
961   if (verbose) fprintf(stderr, "[%d] send process descriptor %d on socket\n", getpid_(), pd_);
962   int rc = sendmsg(sock_fds[1], &mh, 0);
963   EXPECT_OK(rc);
964 
965   if (verbose) fprintf(stderr, "[%d] close process descriptor %d\n", getpid_(), pd_);
966   close(pd_);  // Not last open process descriptor
967 
968   // wait for child2
969   int status;
970   EXPECT_EQ(child2, waitpid(child2, &status, __WALL));
971   rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
972   EXPECT_EQ(0, rc);
973 
974   // confirm death all round
975   EXPECT_PID_DEAD(child2);
976   EXPECT_PID_DEAD(pid_);
977 }
978