1 // Tests for the process descriptor API for Linux. 2 #include <sys/types.h> 3 #include <sys/resource.h> 4 #include <sys/select.h> 5 #include <sys/socket.h> 6 #include <sys/stat.h> 7 #include <sys/time.h> 8 #include <sys/wait.h> 9 #include <fcntl.h> 10 #include <poll.h> 11 #include <pthread.h> 12 #include <signal.h> 13 #include <stdlib.h> 14 #include <unistd.h> 15 16 #include <iomanip> 17 #include <map> 18 19 #include "capsicum.h" 20 #include "syscalls.h" 21 #include "capsicum-test.h" 22 23 #ifndef __WALL 24 // Linux requires __WALL in order for waitpid(specific_pid,...) to 25 // see and reap any specific pid. Define this to nothing for platforms 26 // (FreeBSD) where it doesn't exist, to reduce macroing. 27 #define __WALL 0 28 #endif 29 30 //------------------------------------------------ 31 // Utilities for the tests. 32 33 static pid_t pdwait4_(int pd, int *status, int options, struct rusage *ru) { 34 #ifdef HAVE_PDWAIT4 35 return pdwait4(pd, status, options, ru); 36 #else 37 // Simulate pdwait4() with wait4(pdgetpid()); this won't work in capability mode. 38 pid_t pid = -1; 39 int rc = pdgetpid(pd, &pid); 40 if (rc < 0) { 41 return rc; 42 } 43 options |= __WALL; 44 return wait4(pid, status, options, ru); 45 #endif 46 } 47 48 static void print_rusage(FILE *f, struct rusage *ru) { 49 fprintf(f, " User CPU time=%ld.%06ld\n", (long)ru->ru_utime.tv_sec, (long)ru->ru_utime.tv_usec); 50 fprintf(f, " System CPU time=%ld.%06ld\n", (long)ru->ru_stime.tv_sec, (long)ru->ru_stime.tv_usec); 51 fprintf(f, " Max RSS=%ld\n", ru->ru_maxrss); 52 } 53 54 static void print_stat(FILE *f, const struct stat *stat) { 55 fprintf(f, 56 "{ .st_dev=%ld, st_ino=%ld, st_mode=%04o, st_nlink=%ld, st_uid=%d, st_gid=%d,\n" 57 " .st_rdev=%ld, .st_size=%ld, st_blksize=%ld, .st_block=%ld,\n " 58 #ifdef HAVE_STAT_BIRTHTIME 59 ".st_birthtime=%ld, " 60 #endif 61 ".st_atime=%ld, .st_mtime=%ld, .st_ctime=%ld}\n", 62 (long)stat->st_dev, (long)stat->st_ino, stat->st_mode, 63 (long)stat->st_nlink, stat->st_uid, stat->st_gid, 64 (long)stat->st_rdev, (long)stat->st_size, (long)stat->st_blksize, 65 (long)stat->st_blocks, 66 #ifdef HAVE_STAT_BIRTHTIME 67 (long)stat->st_birthtime, 68 #endif 69 (long)stat->st_atime, (long)stat->st_mtime, (long)stat->st_ctime); 70 } 71 72 static volatile sig_atomic_t had_signal[NSIG]; 73 void clear_had_signals() { 74 memset(const_cast<sig_atomic_t *>(had_signal), 0, sizeof(had_signal)); 75 } 76 static void handle_signal(int x) { 77 had_signal[x] = true; 78 } 79 80 // Check that the given child process terminates as expected. 81 void CheckChildFinished(pid_t pid, bool signaled=false) { 82 // Wait for the child to finish. 83 int rc; 84 int status = 0; 85 do { 86 rc = waitpid(pid, &status, __WALL); 87 if (rc < 0) { 88 fprintf(stderr, "Warning: waitpid error %s (%d)\n", strerror(errno), errno); 89 ADD_FAILURE() << "Failed to wait for child"; 90 break; 91 } else if (rc == pid) { 92 break; 93 } 94 } while (true); 95 EXPECT_EQ(pid, rc); 96 if (rc == pid) { 97 if (signaled) { 98 EXPECT_TRUE(WIFSIGNALED(status)); 99 } else { 100 EXPECT_TRUE(WIFEXITED(status)) << std::hex << status; 101 EXPECT_EQ(0, WEXITSTATUS(status)); 102 } 103 } 104 } 105 106 //------------------------------------------------ 107 // Basic tests of process descriptor functionality 108 109 TEST(Pdfork, Simple) { 110 int pd = -1; 111 int pipefds[2]; 112 pid_t parent = getpid_(); 113 EXPECT_OK(pipe(pipefds)); 114 int pid = pdfork(&pd, 0); 115 EXPECT_OK(pid); 116 if (pid == 0) { 117 // Child: check pid values. 118 EXPECT_EQ(-1, pd); 119 EXPECT_NE(parent, getpid_()); 120 EXPECT_EQ(parent, getppid()); 121 close(pipefds[0]); 122 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 123 if (verbose) fprintf(stderr, "Child waiting for exit message\n"); 124 // Terminate once the parent has completed the checks 125 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 126 exit(testing::Test::HasFailure()); 127 } 128 close(pipefds[1]); 129 // Ensure the child has started. 130 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 131 132 EXPECT_NE(-1, pd); 133 EXPECT_PID_ALIVE(pid); 134 int pid_got; 135 EXPECT_OK(pdgetpid(pd, &pid_got)); 136 EXPECT_EQ(pid, pid_got); 137 138 // Tell the child to exit and wait until it is a zombie. 139 SEND_INT_MESSAGE(pipefds[0], MSG_PARENT_REQUEST_CHILD_EXIT); 140 // EXPECT_PID_ZOMBIE waits for up to ~500ms, that should be enough time for 141 // the child to exit successfully. 142 EXPECT_PID_ZOMBIE(pid); 143 close(pipefds[0]); 144 145 // Wait for the the child. 146 int status; 147 struct rusage ru; 148 memset(&ru, 0, sizeof(ru)); 149 int waitrc = pdwait4_(pd, &status, 0, &ru); 150 EXPECT_EQ(pid, waitrc); 151 if (verbose) { 152 fprintf(stderr, "For pd %d pid %d:\n", pd, pid); 153 print_rusage(stderr, &ru); 154 } 155 EXPECT_PID_GONE(pid); 156 157 // Can only pdwait4(pd) once (as initial call reaps zombie). 158 memset(&ru, 0, sizeof(ru)); 159 EXPECT_EQ(-1, pdwait4_(pd, &status, 0, &ru)); 160 EXPECT_EQ(ECHILD, errno); 161 162 EXPECT_OK(close(pd)); 163 } 164 165 TEST(Pdfork, InvalidFlag) { 166 int pd = -1; 167 int pid = pdfork(&pd, PD_DAEMON<<5); 168 if (pid == 0) { 169 exit(1); 170 } 171 EXPECT_EQ(-1, pid); 172 EXPECT_EQ(EINVAL, errno); 173 if (pid > 0) waitpid(pid, NULL, __WALL); 174 } 175 176 TEST(Pdfork, TimeCheck) { 177 time_t now = time(NULL); // seconds since epoch 178 EXPECT_NE(-1, now); 179 if (verbose) fprintf(stderr, "Calling pdfork around %ld\n", (long)(long)now); 180 181 int pd = -1; 182 pid_t pid = pdfork(&pd, 0); 183 EXPECT_OK(pid); 184 if (pid == 0) { 185 // Child: check we didn't get a valid process descriptor then exit. 186 EXPECT_EQ(-1, pdgetpid(pd, &pid)); 187 EXPECT_EQ(EBADF, errno); 188 exit(HasFailure()); 189 } 190 191 #ifdef HAVE_PROCDESC_FSTAT 192 // Parent process. Ensure that [acm]times have been set correctly. 193 struct stat stat; 194 memset(&stat, 0, sizeof(stat)); 195 EXPECT_OK(fstat(pd, &stat)); 196 if (verbose) print_stat(stderr, &stat); 197 198 #ifdef HAVE_STAT_BIRTHTIME 199 EXPECT_GE(now, stat.st_birthtime); 200 EXPECT_EQ(stat.st_birthtime, stat.st_atime); 201 #endif 202 EXPECT_LT((now - stat.st_atime), 2); 203 EXPECT_EQ(stat.st_atime, stat.st_ctime); 204 EXPECT_EQ(stat.st_ctime, stat.st_mtime); 205 #endif 206 207 // Wait for the child to finish. 208 pid_t pd_pid = -1; 209 EXPECT_OK(pdgetpid(pd, &pd_pid)); 210 EXPECT_EQ(pid, pd_pid); 211 CheckChildFinished(pid); 212 } 213 214 TEST(Pdfork, UseDescriptor) { 215 int pd = -1; 216 pid_t pid = pdfork(&pd, 0); 217 EXPECT_OK(pid); 218 if (pid == 0) { 219 // Child: immediately exit 220 exit(0); 221 } 222 CheckChildFinished(pid); 223 } 224 225 TEST(Pdfork, NonProcessDescriptor) { 226 int fd = open("/etc/passwd", O_RDONLY); 227 EXPECT_OK(fd); 228 // pd*() operations should fail on a non-process descriptor. 229 EXPECT_EQ(-1, pdkill(fd, SIGUSR1)); 230 int status; 231 EXPECT_EQ(-1, pdwait4_(fd, &status, 0, NULL)); 232 pid_t pid; 233 EXPECT_EQ(-1, pdgetpid(fd, &pid)); 234 close(fd); 235 } 236 237 static void *SubThreadMain(void *arg) { 238 // Notify the main thread that we have started 239 if (verbose) fprintf(stderr, " subthread started: pipe=%p\n", arg); 240 SEND_INT_MESSAGE((int)(intptr_t)arg, MSG_CHILD_STARTED); 241 while (true) { 242 if (verbose) fprintf(stderr, " subthread: \"I aten't dead\"\n"); 243 usleep(100000); 244 } 245 return NULL; 246 } 247 248 static void *ThreadMain(void *) { 249 int pd; 250 int pipefds[2]; 251 EXPECT_EQ(0, pipe(pipefds)); 252 pid_t child = pdfork(&pd, 0); 253 if (child == 0) { 254 close(pipefds[0]); 255 // Child: start a subthread then loop. 256 pthread_t child_subthread; 257 // Wait for the subthread startup using another pipe. 258 int thread_pipefds[2]; 259 EXPECT_EQ(0, pipe(thread_pipefds)); 260 EXPECT_OK(pthread_create(&child_subthread, NULL, SubThreadMain, 261 (void *)(intptr_t)thread_pipefds[0])); 262 if (verbose) { 263 fprintf(stderr, " pdforked process %d: waiting for subthread.\n", 264 getpid()); 265 } 266 AWAIT_INT_MESSAGE(thread_pipefds[1], MSG_CHILD_STARTED); 267 close(thread_pipefds[0]); 268 close(thread_pipefds[1]); 269 // Child: Notify parent that all threads have started 270 if (verbose) fprintf(stderr, " pdforked process %d: subthread started\n", getpid()); 271 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 272 while (true) { 273 if (verbose) fprintf(stderr, " pdforked process %d: \"I aten't dead\"\n", getpid()); 274 usleep(100000); 275 } 276 exit(0); 277 } 278 if (verbose) fprintf(stderr, " thread generated pd %d\n", pd); 279 close(pipefds[1]); 280 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 281 if (verbose) fprintf(stderr, "[%d] got child startup message\n", getpid_()); 282 283 // Pass the process descriptor back to the main thread. 284 return reinterpret_cast<void *>(pd); 285 } 286 287 TEST(Pdfork, FromThread) { 288 // Fire off a new thread to do all of the creation work. 289 pthread_t child_thread; 290 EXPECT_OK(pthread_create(&child_thread, NULL, ThreadMain, NULL)); 291 void *data; 292 EXPECT_OK(pthread_join(child_thread, &data)); 293 int pd = reinterpret_cast<intptr_t>(data); 294 if (verbose) fprintf(stderr, "retrieved pd %d from terminated thread\n", pd); 295 296 // Kill and reap. 297 pid_t pid; 298 EXPECT_OK(pdgetpid(pd, &pid)); 299 EXPECT_OK(pdkill(pd, SIGKILL)); 300 int status; 301 EXPECT_EQ(pid, pdwait4_(pd, &status, 0, NULL)); 302 EXPECT_TRUE(WIFSIGNALED(status)); 303 } 304 305 //------------------------------------------------ 306 // More complicated tests. 307 308 309 // Test fixture that pdfork()s off a child process, which terminates 310 // when it receives anything on a pipe. 311 class PipePdforkBase : public ::testing::Test { 312 public: 313 PipePdforkBase(int pdfork_flags) : pd_(-1), pid_(-1) { 314 clear_had_signals(); 315 int pipes[2]; 316 EXPECT_OK(pipe(pipes)); 317 pipe_ = pipes[1]; 318 int parent = getpid_(); 319 if (verbose) fprintf(stderr, "[%d] about to pdfork()\n", getpid_()); 320 int rc = pdfork(&pd_, pdfork_flags); 321 EXPECT_OK(rc); 322 if (rc == 0) { 323 // Child process: blocking-read an int from the pipe then exit with that value. 324 EXPECT_NE(parent, getpid_()); 325 EXPECT_EQ(parent, getppid()); 326 if (verbose) fprintf(stderr, " [%d] child of %d waiting for value on pipe\n", getpid_(), getppid()); 327 read(pipes[0], &rc, sizeof(rc)); 328 if (verbose) fprintf(stderr, " [%d] got value %d on pipe, exiting\n", getpid_(), rc); 329 exit(rc); 330 } 331 pid_ = rc; 332 usleep(100); // ensure the child has a chance to run 333 } 334 ~PipePdforkBase() { 335 // Terminate by any means necessary. 336 if (pd_ > 0) { 337 pdkill(pd_, SIGKILL); 338 close(pd_); 339 } 340 if (pid_ > 0) { 341 kill(pid_, SIGKILL); 342 waitpid(pid_, NULL, __WALL|WNOHANG); 343 } 344 // Check signal expectations. 345 EXPECT_FALSE(had_signal[SIGCHLD]); 346 } 347 int TerminateChild() { 348 // Tell the child to exit. 349 int zero = 0; 350 if (verbose) fprintf(stderr, "[%d] write 0 to pipe\n", getpid_()); 351 return write(pipe_, &zero, sizeof(zero)); 352 } 353 protected: 354 int pd_; 355 int pipe_; 356 pid_t pid_; 357 }; 358 359 class PipePdfork : public PipePdforkBase { 360 public: 361 PipePdfork() : PipePdforkBase(0) {} 362 }; 363 364 class PipePdforkDaemon : public PipePdforkBase { 365 public: 366 PipePdforkDaemon() : PipePdforkBase(PD_DAEMON) {} 367 }; 368 369 // Can we poll a process descriptor? 370 TEST_F(PipePdfork, Poll) { 371 // Poll the process descriptor, nothing happening. 372 struct pollfd fdp; 373 fdp.fd = pd_; 374 fdp.events = POLLIN | POLLERR | POLLHUP; 375 fdp.revents = 0; 376 EXPECT_EQ(0, poll(&fdp, 1, 0)); 377 378 TerminateChild(); 379 380 // Poll again, should have activity on the process descriptor. 381 EXPECT_EQ(1, poll(&fdp, 1, 2000)); 382 EXPECT_TRUE(fdp.revents & POLLHUP); 383 384 // Poll a third time, still have POLLHUP. 385 fdp.revents = 0; 386 EXPECT_EQ(1, poll(&fdp, 1, 0)); 387 EXPECT_TRUE(fdp.revents & POLLHUP); 388 } 389 390 // Can multiple processes poll on the same descriptor? 391 TEST_F(PipePdfork, PollMultiple) { 392 int pipefds[2]; 393 EXPECT_EQ(0, pipe(pipefds)); 394 int child = fork(); 395 EXPECT_OK(child); 396 if (child == 0) { 397 close(pipefds[0]); 398 // Child: wait for parent to acknowledge startup 399 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 400 // Child: wait for two messages from the parent and the forked process 401 // before telling the other process to terminate. 402 if (verbose) fprintf(stderr, "[%d] waiting for read 1\n", getpid_()); 403 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 404 if (verbose) fprintf(stderr, "[%d] waiting for read 2\n", getpid_()); 405 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 406 TerminateChild(); 407 if (verbose) fprintf(stderr, "[%d] about to exit\n", getpid_()); 408 exit(testing::Test::HasFailure()); 409 } 410 close(pipefds[1]); 411 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 412 if (verbose) fprintf(stderr, "[%d] got child startup message\n", getpid_()); 413 // Fork again 414 int doppel = fork(); 415 EXPECT_OK(doppel); 416 // We now have: 417 // pid A: main process, here 418 // |--pid B: pdfork()ed process, blocked on read() 419 // |--pid C: fork()ed process, in read() above 420 // +--pid D: doppel process, here 421 422 // Both A and D execute the following code. 423 // First, check no activity on the process descriptor yet. 424 struct pollfd fdp; 425 fdp.fd = pd_; 426 fdp.events = POLLIN | POLLERR | POLLHUP; 427 fdp.revents = 0; 428 EXPECT_EQ(0, poll(&fdp, 1, 0)); 429 430 // Both A and D ask C to exit, allowing it to do so. 431 if (verbose) fprintf(stderr, "[%d] telling child to exit\n", getpid_()); 432 SEND_INT_MESSAGE(pipefds[0], MSG_PARENT_REQUEST_CHILD_EXIT); 433 close(pipefds[0]); 434 435 // Now, wait (indefinitely) for activity on the process descriptor. 436 // We expect: 437 // - pid C will finish its two read() calls, write to the pipe and exit. 438 // - pid B will unblock from read(), and exit 439 // - this will generate an event on the process descriptor... 440 // - ...in both process A and process D. 441 if (verbose) fprintf(stderr, "[%d] waiting for child to exit\n", getpid_()); 442 EXPECT_EQ(1, poll(&fdp, 1, 2000)); 443 EXPECT_TRUE(fdp.revents & POLLHUP); 444 445 if (doppel == 0) { 446 // Child: process D exits. 447 exit(0); 448 } else { 449 // Parent: wait on process D. 450 int rc = 0; 451 waitpid(doppel, &rc, __WALL); 452 EXPECT_TRUE(WIFEXITED(rc)); 453 EXPECT_EQ(0, WEXITSTATUS(rc)); 454 // Also wait on process B. 455 CheckChildFinished(child); 456 } 457 } 458 459 // Check that exit status/rusage for a dead pdfork()ed child can be retrieved 460 // via any process descriptor, multiple times. 461 TEST_F(PipePdfork, MultipleRetrieveExitStatus) { 462 EXPECT_PID_ALIVE(pid_); 463 int pd_copy = dup(pd_); 464 EXPECT_LT(0, TerminateChild()); 465 466 int status; 467 struct rusage ru; 468 memset(&ru, 0, sizeof(ru)); 469 int waitrc = pdwait4_(pd_copy, &status, 0, &ru); 470 EXPECT_EQ(pid_, waitrc); 471 if (verbose) { 472 fprintf(stderr, "For pd %d -> pid %d:\n", pd_, pid_); 473 print_rusage(stderr, &ru); 474 } 475 EXPECT_PID_GONE(pid_); 476 477 #ifdef NOTYET 478 // Child has been reaped, so original process descriptor dangles but 479 // still has access to rusage information. 480 memset(&ru, 0, sizeof(ru)); 481 EXPECT_EQ(0, pdwait4_(pd_, &status, 0, &ru)); 482 #endif 483 close(pd_copy); 484 } 485 486 TEST_F(PipePdfork, ChildExit) { 487 EXPECT_PID_ALIVE(pid_); 488 EXPECT_LT(0, TerminateChild()); 489 EXPECT_PID_DEAD(pid_); 490 491 int status; 492 int rc = pdwait4_(pd_, &status, 0, NULL); 493 EXPECT_OK(rc); 494 EXPECT_EQ(pid_, rc); 495 pid_ = 0; 496 } 497 498 #ifdef HAVE_PROC_FDINFO 499 TEST_F(PipePdfork, FdInfo) { 500 char buffer[1024]; 501 sprintf(buffer, "/proc/%d/fdinfo/%d", getpid_(), pd_); 502 int procfd = open(buffer, O_RDONLY); 503 EXPECT_OK(procfd); 504 505 EXPECT_OK(read(procfd, buffer, sizeof(buffer))); 506 // The fdinfo should include the file pos of the underlying file 507 EXPECT_NE((char*)NULL, strstr(buffer, "pos:\t0")) << buffer; 508 // ...and the underlying pid 509 char pidline[256]; 510 sprintf(pidline, "pid:\t%d", pid_); 511 EXPECT_NE((char*)NULL, strstr(buffer, pidline)) << buffer; 512 close(procfd); 513 } 514 #endif 515 516 // Closing a normal process descriptor terminates the underlying process. 517 TEST_F(PipePdfork, Close) { 518 sighandler_t original = signal(SIGCHLD, handle_signal); 519 EXPECT_PID_ALIVE(pid_); 520 int status; 521 EXPECT_EQ(0, waitpid(pid_, &status, __WALL|WNOHANG)); 522 523 EXPECT_OK(close(pd_)); 524 pd_ = -1; 525 EXPECT_FALSE(had_signal[SIGCHLD]); 526 EXPECT_PID_DEAD(pid_); 527 528 #ifdef __FreeBSD__ 529 EXPECT_EQ(-1, waitpid(pid_, NULL, __WALL)); 530 EXPECT_EQ(errno, ECHILD); 531 #else 532 // Having closed the process descriptor means that pdwait4(pd) now doesn't work. 533 int rc = pdwait4_(pd_, &status, 0, NULL); 534 EXPECT_EQ(-1, rc); 535 EXPECT_EQ(EBADF, errno); 536 537 // Closing all process descriptors means the the child can only be reaped via pid. 538 EXPECT_EQ(pid_, waitpid(pid_, &status, __WALL|WNOHANG)); 539 #endif 540 signal(SIGCHLD, original); 541 } 542 543 TEST_F(PipePdfork, CloseLast) { 544 sighandler_t original = signal(SIGCHLD, handle_signal); 545 // Child should only die when last process descriptor is closed. 546 EXPECT_PID_ALIVE(pid_); 547 int pd_other = dup(pd_); 548 549 EXPECT_OK(close(pd_)); 550 pd_ = -1; 551 552 EXPECT_PID_ALIVE(pid_); 553 int status; 554 EXPECT_EQ(0, waitpid(pid_, &status, __WALL|WNOHANG)); 555 556 // Can no longer pdwait4() the closed process descriptor... 557 EXPECT_EQ(-1, pdwait4_(pd_, &status, WNOHANG, NULL)); 558 EXPECT_EQ(EBADF, errno); 559 // ...but can pdwait4() the still-open process descriptor. 560 errno = 0; 561 EXPECT_EQ(0, pdwait4_(pd_other, &status, WNOHANG, NULL)); 562 EXPECT_EQ(0, errno); 563 564 EXPECT_OK(close(pd_other)); 565 EXPECT_PID_DEAD(pid_); 566 567 EXPECT_FALSE(had_signal[SIGCHLD]); 568 signal(SIGCHLD, original); 569 } 570 571 FORK_TEST(Pdfork, OtherUserIfRoot) { 572 GTEST_SKIP_IF_NOT_ROOT(); 573 int pd; 574 int status; 575 pid_t pid = pdfork(&pd, 0); 576 EXPECT_OK(pid); 577 if (pid == 0) { 578 // Child process: loop forever. 579 while (true) usleep(100000); 580 } 581 usleep(100); 582 583 // Now that the second process has been pdfork()ed, change euid. 584 ASSERT_NE(0u, other_uid) << "other_uid not initialized correctly, " 585 "please pass the -u <uid> flag."; 586 EXPECT_EQ(0, setuid(other_uid)); 587 EXPECT_EQ(other_uid, getuid()); 588 if (verbose) fprintf(stderr, "uid=%d euid=%d\n", getuid(), geteuid()); 589 590 // Fail to kill child with normal PID operation. 591 EXPECT_EQ(-1, kill(pid, SIGKILL)); 592 EXPECT_EQ(EPERM, errno); 593 EXPECT_PID_ALIVE(pid); 594 595 // Ideally, we should be able to send signals via a process descriptor even 596 // if it's owned by another user, but this is not implementated on FreeBSD. 597 #ifdef __FreeBSD__ 598 // On FreeBSD, pdkill() still performs all the same checks that kill() does 599 // and therefore cannot be used to send a signal to a process with another 600 // UID unless we are root. 601 EXPECT_SYSCALL_FAIL(EBADF, pdkill(pid, SIGKILL)); 602 EXPECT_PID_ALIVE(pid); 603 // However, the process will be killed when we close the process descriptor. 604 EXPECT_OK(close(pd)); 605 EXPECT_PID_GONE(pid); 606 // Can't pdwait4() after close() since close() reparents the child to a reaper (init) 607 EXPECT_SYSCALL_FAIL(EBADF, pdwait4_(pd, &status, WNOHANG, NULL)); 608 #else 609 // Sending a signal with pdkill() should be permitted though. 610 EXPECT_OK(pdkill(pd, SIGKILL)); 611 EXPECT_PID_ZOMBIE(pid); 612 613 int rc = pdwait4_(pd, &status, WNOHANG, NULL); 614 EXPECT_OK(rc); 615 EXPECT_EQ(pid, rc); 616 EXPECT_TRUE(WIFSIGNALED(status)); 617 #endif 618 } 619 620 TEST_F(PipePdfork, WaitPidThenPd) { 621 TerminateChild(); 622 int status; 623 // If we waitpid(pid) first... 624 int rc = waitpid(pid_, &status, __WALL); 625 EXPECT_OK(rc); 626 EXPECT_EQ(pid_, rc); 627 628 #ifdef NOTYET 629 // ...the zombie is reaped but we can still subsequently pdwait4(pd). 630 EXPECT_EQ(0, pdwait4_(pd_, &status, 0, NULL)); 631 #endif 632 } 633 634 TEST_F(PipePdfork, WaitPdThenPid) { 635 TerminateChild(); 636 int status; 637 // If we pdwait4(pd) first... 638 int rc = pdwait4_(pd_, &status, 0, NULL); 639 EXPECT_OK(rc); 640 EXPECT_EQ(pid_, rc); 641 642 // ...the zombie is reaped and cannot subsequently waitpid(pid). 643 EXPECT_EQ(-1, waitpid(pid_, &status, __WALL)); 644 EXPECT_EQ(ECHILD, errno); 645 } 646 647 // Setting PD_DAEMON prevents close() from killing the child. 648 TEST_F(PipePdforkDaemon, Close) { 649 EXPECT_OK(close(pd_)); 650 pd_ = -1; 651 EXPECT_PID_ALIVE(pid_); 652 653 // Can still explicitly kill it via the pid. 654 if (pid_ > 0) { 655 EXPECT_OK(kill(pid_, SIGKILL)); 656 EXPECT_PID_DEAD(pid_); 657 } 658 } 659 660 static void TestPdkill(pid_t pid, int pd) { 661 EXPECT_PID_ALIVE(pid); 662 // SIGCONT is ignored by default. 663 EXPECT_OK(pdkill(pd, SIGCONT)); 664 EXPECT_PID_ALIVE(pid); 665 666 // SIGINT isn't 667 EXPECT_OK(pdkill(pd, SIGINT)); 668 EXPECT_PID_DEAD(pid); 669 670 // pdkill() on zombie is no-op. 671 errno = 0; 672 EXPECT_EQ(0, pdkill(pd, SIGINT)); 673 EXPECT_EQ(0, errno); 674 675 // pdkill() on reaped process gives -ESRCH. 676 CheckChildFinished(pid, true); 677 EXPECT_EQ(-1, pdkill(pd, SIGINT)); 678 EXPECT_EQ(ESRCH, errno); 679 } 680 681 TEST_F(PipePdfork, Pdkill) { 682 TestPdkill(pid_, pd_); 683 } 684 685 TEST_F(PipePdforkDaemon, Pdkill) { 686 TestPdkill(pid_, pd_); 687 } 688 689 TEST(Pdfork, PdkillOtherSignal) { 690 int pd = -1; 691 int pipefds[2]; 692 EXPECT_EQ(0, pipe(pipefds)); 693 int pid = pdfork(&pd, 0); 694 EXPECT_OK(pid); 695 if (pid == 0) { 696 // Child: tell the parent that we have started before entering the loop, 697 // and importantly only do so once we have registered the SIGUSR1 handler. 698 close(pipefds[0]); 699 clear_had_signals(); 700 signal(SIGUSR1, handle_signal); 701 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 702 // Child: watch for SIGUSR1 forever. 703 while (!had_signal[SIGUSR1]) { 704 usleep(100000); 705 } 706 exit(123); 707 } 708 // Wait for child to start 709 close(pipefds[1]); 710 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 711 close(pipefds[0]); 712 713 // Send an invalid signal. 714 EXPECT_EQ(-1, pdkill(pd, 0xFFFF)); 715 EXPECT_EQ(EINVAL, errno); 716 717 // Send an expected SIGUSR1 to the pdfork()ed child. 718 EXPECT_PID_ALIVE(pid); 719 pdkill(pd, SIGUSR1); 720 EXPECT_PID_DEAD(pid); 721 722 // Child's exit status confirms whether it received the signal. 723 int status; 724 int rc = waitpid(pid, &status, __WALL); 725 EXPECT_OK(rc); 726 EXPECT_EQ(pid, rc); 727 EXPECT_TRUE(WIFEXITED(status)) << "status: 0x" << std::hex << status; 728 EXPECT_EQ(123, WEXITSTATUS(status)); 729 } 730 731 pid_t PdforkParentDeath(int pdfork_flags) { 732 // Set up: 733 // pid A: main process, here 734 // +--pid B: fork()ed process, starts a child process with pdfork() then 735 // waits for parent to send a shutdown message. 736 // +--pid C: pdfork()ed process, looping forever 737 int sock_fds[2]; 738 EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds)); 739 if (verbose) fprintf(stderr, "[%d] parent about to fork()...\n", getpid_()); 740 pid_t child = fork(); 741 EXPECT_OK(child); 742 if (child == 0) { 743 int pd; 744 if (verbose) fprintf(stderr, " [%d] child about to pdfork()...\n", getpid_()); 745 int pipefds[2]; // for startup notification 746 EXPECT_OK(pipe(pipefds)); 747 pid_t grandchild = pdfork(&pd, pdfork_flags); 748 if (grandchild == 0) { 749 close(pipefds[0]); 750 pid_t grandchildPid = getpid_(); 751 EXPECT_EQ(sizeof(grandchildPid), (size_t)write(pipefds[1], &grandchildPid, sizeof(grandchildPid))); 752 while (true) { 753 if (verbose) fprintf(stderr, " [%d] grandchild: \"I aten't dead\"\n", grandchildPid); 754 sleep(1); 755 } 756 } 757 close(pipefds[1]); 758 if (verbose) fprintf(stderr, " [%d] pdfork()ed grandchild %d, sending ID to parent\n", getpid_(), grandchild); 759 // Wait for grandchild to start. 760 pid_t grandchild2; 761 EXPECT_EQ(sizeof(grandchild2), (size_t)read(pipefds[0], &grandchild2, sizeof(grandchild2))); 762 EXPECT_EQ(grandchild, grandchild2) << "received invalid grandchild pid"; 763 if (verbose) fprintf(stderr, " [%d] grandchild %d has started successfully\n", getpid_(), grandchild); 764 close(pipefds[0]); 765 766 // Send grandchild pid to parent. 767 EXPECT_EQ(sizeof(grandchild), (size_t)write(sock_fds[1], &grandchild, sizeof(grandchild))); 768 if (verbose) fprintf(stderr, " [%d] sent grandchild pid %d to parent\n", getpid_(), grandchild); 769 // Wait for parent to acknowledge the message. 770 AWAIT_INT_MESSAGE(sock_fds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 771 if (verbose) fprintf(stderr, " [%d] parent acknowledged grandchild pid %d\n", getpid_(), grandchild); 772 if (verbose) fprintf(stderr, " [%d] child terminating\n", getpid_()); 773 exit(testing::Test::HasFailure()); 774 } 775 if (verbose) fprintf(stderr, "[%d] fork()ed child is %d\n", getpid_(), child); 776 pid_t grandchild; 777 read(sock_fds[0], &grandchild, sizeof(grandchild)); 778 if (verbose) fprintf(stderr, "[%d] received grandchild id %d\n", getpid_(), grandchild); 779 EXPECT_PID_ALIVE(child); 780 EXPECT_PID_ALIVE(grandchild); 781 // Tell child to exit. 782 if (verbose) fprintf(stderr, "[%d] telling child %d to exit\n", getpid_(), child); 783 SEND_INT_MESSAGE(sock_fds[0], MSG_PARENT_REQUEST_CHILD_EXIT); 784 // Child dies, closing its process descriptor for the grandchild. 785 EXPECT_PID_DEAD(child); 786 CheckChildFinished(child); 787 return grandchild; 788 } 789 790 TEST(Pdfork, Bagpuss) { 791 // "And of course when Bagpuss goes to sleep, all his friends go to sleep too" 792 pid_t grandchild = PdforkParentDeath(0); 793 // By default: child death => closed process descriptor => grandchild death. 794 EXPECT_PID_DEAD(grandchild); 795 } 796 797 TEST(Pdfork, BagpussDaemon) { 798 pid_t grandchild = PdforkParentDeath(PD_DAEMON); 799 // With PD_DAEMON: child death => closed process descriptor => no effect on grandchild. 800 EXPECT_PID_ALIVE(grandchild); 801 if (grandchild > 0) { 802 EXPECT_OK(kill(grandchild, SIGKILL)); 803 } 804 } 805 806 // The exit of a pdfork()ed process should not generate SIGCHLD. 807 TEST_F(PipePdfork, NoSigchld) { 808 clear_had_signals(); 809 sighandler_t original = signal(SIGCHLD, handle_signal); 810 TerminateChild(); 811 int rc = 0; 812 // Can waitpid() for the specific pid of the pdfork()ed child. 813 EXPECT_EQ(pid_, waitpid(pid_, &rc, __WALL)); 814 EXPECT_TRUE(WIFEXITED(rc)) << "0x" << std::hex << rc; 815 EXPECT_FALSE(had_signal[SIGCHLD]); 816 signal(SIGCHLD, original); 817 } 818 819 // The exit of a pdfork()ed process whose process descriptors have 820 // all been closed should generate SIGCHLD. The child process needs 821 // PD_DAEMON to survive the closure of the process descriptors. 822 TEST_F(PipePdforkDaemon, NoPDSigchld) { 823 clear_had_signals(); 824 sighandler_t original = signal(SIGCHLD, handle_signal); 825 826 EXPECT_OK(close(pd_)); 827 TerminateChild(); 828 #ifdef __FreeBSD__ 829 EXPECT_EQ(-1, waitpid(pid_, NULL, __WALL)); 830 EXPECT_EQ(errno, ECHILD); 831 #else 832 int rc = 0; 833 // Can waitpid() for the specific pid of the pdfork()ed child. 834 EXPECT_EQ(pid_, waitpid(pid_, &rc, __WALL)); 835 EXPECT_TRUE(WIFEXITED(rc)) << "0x" << std::hex << rc; 836 #endif 837 EXPECT_FALSE(had_signal[SIGCHLD]); 838 signal(SIGCHLD, original); 839 } 840 841 #ifdef HAVE_PROCDESC_FSTAT 842 TEST_F(PipePdfork, ModeBits) { 843 // Owner rwx bits indicate liveness of child 844 struct stat stat; 845 memset(&stat, 0, sizeof(stat)); 846 EXPECT_OK(fstat(pd_, &stat)); 847 if (verbose) print_stat(stderr, &stat); 848 EXPECT_EQ(S_IRWXU, (long)(stat.st_mode & S_IRWXU)); 849 850 TerminateChild(); 851 usleep(100000); 852 853 memset(&stat, 0, sizeof(stat)); 854 EXPECT_OK(fstat(pd_, &stat)); 855 if (verbose) print_stat(stderr, &stat); 856 EXPECT_EQ(0, (int)(stat.st_mode & S_IRWXU)); 857 } 858 #endif 859 860 TEST_F(PipePdfork, WildcardWait) { 861 TerminateChild(); 862 EXPECT_PID_ZOMBIE(pid_); // Ensure child is truly dead. 863 864 // Wildcard waitpid(-1) should not see the pdfork()ed child because 865 // there is still a process descriptor for it. 866 int rc; 867 EXPECT_EQ(-1, waitpid(-1, &rc, WNOHANG)); 868 EXPECT_EQ(ECHILD, errno); 869 870 EXPECT_OK(close(pd_)); 871 pd_ = -1; 872 } 873 874 FORK_TEST(Pdfork, Pdkill) { 875 clear_had_signals(); 876 int pd; 877 int pipefds[2]; 878 EXPECT_OK(pipe(pipefds)); 879 pid_t pid = pdfork(&pd, 0); 880 EXPECT_OK(pid); 881 882 if (pid == 0) { 883 // Child: set a SIGINT handler, notify the parent and sleep. 884 close(pipefds[0]); 885 clear_had_signals(); 886 signal(SIGINT, handle_signal); 887 if (verbose) fprintf(stderr, "[%d] child started\n", getpid_()); 888 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 889 if (verbose) fprintf(stderr, "[%d] child about to sleep(10)\n", getpid_()); 890 // Note: we could receive the SIGINT just before sleep(), so we use a loop 891 // with a short delay instead of one long sleep(). 892 for (int i = 0; i < 50 && !had_signal[SIGINT]; i++) { 893 usleep(100000); 894 } 895 if (verbose) fprintf(stderr, "[%d] child slept, had[SIGINT]=%d\n", 896 getpid_(), (int)had_signal[SIGINT]); 897 // Return non-zero if we didn't see SIGINT. 898 exit(had_signal[SIGINT] ? 0 : 99); 899 } 900 901 // Parent: get child's PID. 902 pid_t pd_pid; 903 EXPECT_OK(pdgetpid(pd, &pd_pid)); 904 EXPECT_EQ(pid, pd_pid); 905 906 // Interrupt the child once it's registered the SIGINT handler. 907 close(pipefds[1]); 908 if (verbose) fprintf(stderr, "[%d] waiting for child\n", getpid_()); 909 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 910 EXPECT_OK(pdkill(pd, SIGINT)); 911 if (verbose) fprintf(stderr, "[%d] sent SIGINT\n", getpid_()); 912 913 // Make sure the child finished properly (caught signal then exited). 914 CheckChildFinished(pid); 915 } 916 917 FORK_TEST(Pdfork, PdkillSignal) { 918 int pd; 919 int pipefds[2]; 920 EXPECT_OK(pipe(pipefds)); 921 pid_t pid = pdfork(&pd, 0); 922 EXPECT_OK(pid); 923 924 if (pid == 0) { 925 close(pipefds[0]); 926 if (verbose) fprintf(stderr, "[%d] child started\n", getpid_()); 927 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 928 // Child: wait for shutdown message. No SIGINT handler. The message should 929 // never be received, since SIGINT should terminate the process. 930 if (verbose) fprintf(stderr, "[%d] child about to read()\n", getpid_()); 931 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 932 fprintf(stderr, "[%d] child read() returned unexpectedly\n", getpid_()); 933 exit(99); 934 } 935 // Wait for child to start before signalling. 936 if (verbose) fprintf(stderr, "[%d] waiting for child\n", getpid_()); 937 close(pipefds[1]); 938 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 939 // Kill the child (as it doesn't handle SIGINT). 940 if (verbose) fprintf(stderr, "[%d] sending SIGINT\n", getpid_()); 941 EXPECT_OK(pdkill(pd, SIGINT)); 942 943 // Make sure the child finished properly (terminated by signal). 944 CheckChildFinished(pid, true); 945 } 946 947 //------------------------------------------------ 948 // Test interactions with other parts of Capsicum: 949 // - capability mode 950 // - capabilities 951 952 FORK_TEST(Pdfork, DaemonUnrestricted) { 953 EXPECT_OK(cap_enter()); 954 int fd; 955 956 // Capability mode leaves pdfork() available, with and without flag. 957 int rc; 958 rc = pdfork(&fd, PD_DAEMON); 959 EXPECT_OK(rc); 960 if (rc == 0) { 961 // Child: immediately terminate. 962 exit(0); 963 } 964 965 rc = pdfork(&fd, 0); 966 EXPECT_OK(rc); 967 if (rc == 0) { 968 // Child: immediately terminate. 969 exit(0); 970 } 971 } 972 973 TEST(Pdfork, MissingRights) { 974 pid_t parent = getpid_(); 975 int pd = -1; 976 pid_t pid = pdfork(&pd, 0); 977 EXPECT_OK(pid); 978 if (pid == 0) { 979 // Child: loop forever. 980 EXPECT_NE(parent, getpid_()); 981 while (true) sleep(1); 982 } 983 // Create two capabilities from the process descriptor. 984 cap_rights_t r_ro; 985 cap_rights_init(&r_ro, CAP_READ, CAP_LOOKUP); 986 int cap_incapable = dup(pd); 987 EXPECT_OK(cap_incapable); 988 EXPECT_OK(cap_rights_limit(cap_incapable, &r_ro)); 989 cap_rights_t r_pdall; 990 cap_rights_init(&r_pdall, CAP_PDGETPID, CAP_PDWAIT, CAP_PDKILL); 991 int cap_capable = dup(pd); 992 EXPECT_OK(cap_capable); 993 EXPECT_OK(cap_rights_limit(cap_capable, &r_pdall)); 994 995 pid_t other_pid; 996 EXPECT_NOTCAPABLE(pdgetpid(cap_incapable, &other_pid)); 997 EXPECT_NOTCAPABLE(pdkill(cap_incapable, SIGINT)); 998 int status; 999 EXPECT_NOTCAPABLE(pdwait4_(cap_incapable, &status, 0, NULL)); 1000 1001 EXPECT_OK(pdgetpid(cap_capable, &other_pid)); 1002 EXPECT_EQ(pid, other_pid); 1003 EXPECT_OK(pdkill(cap_capable, SIGINT)); 1004 int rc = pdwait4_(pd, &status, 0, NULL); 1005 EXPECT_OK(rc); 1006 EXPECT_EQ(pid, rc); 1007 } 1008 1009 1010 //------------------------------------------------ 1011 // Passing process descriptors between processes. 1012 1013 TEST_F(PipePdfork, PassProcessDescriptor) { 1014 int sock_fds[2]; 1015 EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds)); 1016 1017 struct msghdr mh; 1018 mh.msg_name = NULL; // No address needed 1019 mh.msg_namelen = 0; 1020 char buffer1[1024]; 1021 struct iovec iov[1]; 1022 iov[0].iov_base = buffer1; 1023 iov[0].iov_len = sizeof(buffer1); 1024 mh.msg_iov = iov; 1025 mh.msg_iovlen = 1; 1026 char buffer2[1024]; 1027 mh.msg_control = buffer2; 1028 mh.msg_controllen = sizeof(buffer2); 1029 struct cmsghdr *cmptr; 1030 1031 if (verbose) fprintf(stderr, "[%d] about to fork()\n", getpid_()); 1032 pid_t child2 = fork(); 1033 if (child2 == 0) { 1034 // Child: close our copy of the original process descriptor. 1035 close(pd_); 1036 SEND_INT_MESSAGE(sock_fds[0], MSG_CHILD_STARTED); 1037 // Child: wait to receive process descriptor over socket 1038 if (verbose) fprintf(stderr, " [%d] child of %d waiting for process descriptor on socket\n", getpid_(), getppid()); 1039 int rc = recvmsg(sock_fds[0], &mh, 0); 1040 EXPECT_OK(rc); 1041 EXPECT_LE(CMSG_LEN(sizeof(int)), mh.msg_controllen); 1042 cmptr = CMSG_FIRSTHDR(&mh); 1043 int pd = *(int*)CMSG_DATA(cmptr); 1044 EXPECT_EQ(CMSG_LEN(sizeof(int)), cmptr->cmsg_len); 1045 cmptr = CMSG_NXTHDR(&mh, cmptr); 1046 EXPECT_TRUE(cmptr == NULL); 1047 if (verbose) fprintf(stderr, " [%d] got process descriptor %d on socket\n", getpid_(), pd); 1048 SEND_INT_MESSAGE(sock_fds[0], MSG_CHILD_FD_RECEIVED); 1049 1050 // Child: confirm we can do pd*() operations on the process descriptor 1051 pid_t other; 1052 EXPECT_OK(pdgetpid(pd, &other)); 1053 if (verbose) fprintf(stderr, " [%d] process descriptor %d is pid %d\n", getpid_(), pd, other); 1054 1055 // Wait until the parent has closed the process descriptor. 1056 AWAIT_INT_MESSAGE(sock_fds[0], MSG_PARENT_CLOSED_FD); 1057 1058 if (verbose) fprintf(stderr, " [%d] close process descriptor %d\n", getpid_(), pd); 1059 close(pd); 1060 1061 // Last process descriptor closed, expect death 1062 EXPECT_PID_DEAD(other); 1063 1064 exit(HasFailure()); 1065 } 1066 // Wait until the child has started. 1067 AWAIT_INT_MESSAGE(sock_fds[1], MSG_CHILD_STARTED); 1068 1069 // Send the process descriptor over the pipe to the sub-process 1070 mh.msg_controllen = CMSG_LEN(sizeof(int)); 1071 cmptr = CMSG_FIRSTHDR(&mh); 1072 cmptr->cmsg_level = SOL_SOCKET; 1073 cmptr->cmsg_type = SCM_RIGHTS; 1074 cmptr->cmsg_len = CMSG_LEN(sizeof(int)); 1075 *(int *)CMSG_DATA(cmptr) = pd_; 1076 buffer1[0] = 0; 1077 iov[0].iov_len = 1; 1078 if (verbose) fprintf(stderr, "[%d] send process descriptor %d on socket\n", getpid_(), pd_); 1079 int rc = sendmsg(sock_fds[1], &mh, 0); 1080 EXPECT_OK(rc); 1081 // Wait until the child has received the process descriptor. 1082 AWAIT_INT_MESSAGE(sock_fds[1], MSG_CHILD_FD_RECEIVED); 1083 1084 if (verbose) fprintf(stderr, "[%d] close process descriptor %d\n", getpid_(), pd_); 1085 close(pd_); // Not last open process descriptor 1086 SEND_INT_MESSAGE(sock_fds[1], MSG_PARENT_CLOSED_FD); 1087 1088 // wait for child2 1089 int status; 1090 EXPECT_EQ(child2, waitpid(child2, &status, __WALL)); 1091 rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1; 1092 EXPECT_EQ(0, rc); 1093 1094 // confirm death all round 1095 EXPECT_PID_DEAD(child2); 1096 EXPECT_PID_DEAD(pid_); 1097 } 1098