1 // Tests for the process descriptor API for Linux. 2 #include <sys/types.h> 3 #include <sys/resource.h> 4 #include <sys/select.h> 5 #include <sys/socket.h> 6 #include <sys/stat.h> 7 #include <sys/time.h> 8 #include <sys/wait.h> 9 #include <fcntl.h> 10 #include <poll.h> 11 #include <pthread.h> 12 #include <signal.h> 13 #include <stdlib.h> 14 #include <unistd.h> 15 16 #include <iomanip> 17 #include <map> 18 19 #include "capsicum.h" 20 #include "syscalls.h" 21 #include "capsicum-test.h" 22 23 //------------------------------------------------ 24 // Utilities for the tests. 25 26 static pid_t pdwait4_(int pd, int *status, int options, struct rusage *ru) { 27 #ifdef HAVE_PDWAIT4 28 return pdwait4(pd, status, options, ru); 29 #else 30 // Simulate pdwait4() with wait4(pdgetpid()); this won't work in capability mode. 31 pid_t pid = -1; 32 int rc = pdgetpid(pd, &pid); 33 if (rc < 0) { 34 return rc; 35 } 36 return wait4(pid, status, options, ru); 37 #endif 38 } 39 40 static void print_rusage(FILE *f, struct rusage *ru) { 41 fprintf(f, " User CPU time=%ld.%06ld\n", (long)ru->ru_utime.tv_sec, (long)ru->ru_utime.tv_usec); 42 fprintf(f, " System CPU time=%ld.%06ld\n", (long)ru->ru_stime.tv_sec, (long)ru->ru_stime.tv_usec); 43 fprintf(f, " Max RSS=%ld\n", ru->ru_maxrss); 44 } 45 46 static void print_stat(FILE *f, const struct stat *stat) { 47 fprintf(f, 48 "{ .st_dev=%ld, st_ino=%ld, st_mode=%04o, st_nlink=%ld, st_uid=%d, st_gid=%d,\n" 49 " .st_rdev=%ld, .st_size=%ld, st_blksize=%ld, .st_block=%ld,\n " 50 ".st_birthtime=%ld, " 51 ".st_atime=%ld, .st_mtime=%ld, .st_ctime=%ld}\n", 52 (long)stat->st_dev, (long)stat->st_ino, stat->st_mode, 53 (long)stat->st_nlink, stat->st_uid, stat->st_gid, 54 (long)stat->st_rdev, (long)stat->st_size, (long)stat->st_blksize, 55 (long)stat->st_blocks, 56 (long)stat->st_birthtime, 57 (long)stat->st_atime, (long)stat->st_mtime, (long)stat->st_ctime); 58 } 59 60 static volatile sig_atomic_t had_signal[NSIG]; 61 void clear_had_signals() { 62 memset(const_cast<sig_atomic_t *>(had_signal), 0, sizeof(had_signal)); 63 } 64 static void handle_signal(int x) { 65 had_signal[x] = true; 66 } 67 68 // Check that the given child process terminates as expected. 69 void CheckChildFinished(pid_t pid, bool signaled=false) { 70 // Wait for the child to finish. 71 int rc; 72 int status = 0; 73 do { 74 rc = waitpid(pid, &status, 0); 75 if (rc < 0) { 76 fprintf(stderr, "Warning: waitpid error %s (%d)\n", strerror(errno), errno); 77 ADD_FAILURE() << "Failed to wait for child"; 78 break; 79 } else if (rc == pid) { 80 break; 81 } 82 } while (true); 83 EXPECT_EQ(pid, rc); 84 if (rc == pid) { 85 if (signaled) { 86 EXPECT_TRUE(WIFSIGNALED(status)); 87 } else { 88 EXPECT_TRUE(WIFEXITED(status)) << std::hex << status; 89 EXPECT_EQ(0, WEXITSTATUS(status)); 90 } 91 } 92 } 93 94 //------------------------------------------------ 95 // Basic tests of process descriptor functionality 96 97 TEST(Pdfork, Simple) { 98 int pd = -1; 99 int pipefds[2]; 100 pid_t parent = getpid_(); 101 EXPECT_OK(pipe(pipefds)); 102 int pid = pdfork(&pd, 0); 103 EXPECT_OK(pid); 104 if (pid == 0) { 105 // Child: check pid values. 106 EXPECT_EQ(-1, pd); 107 EXPECT_NE(parent, getpid_()); 108 EXPECT_EQ(parent, getppid()); 109 close(pipefds[0]); 110 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 111 if (verbose) fprintf(stderr, "Child waiting for exit message\n"); 112 // Terminate once the parent has completed the checks 113 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 114 exit(testing::Test::HasFailure()); 115 } 116 close(pipefds[1]); 117 // Ensure the child has started. 118 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 119 120 EXPECT_NE(-1, pd); 121 EXPECT_PID_ALIVE(pid); 122 int pid_got; 123 EXPECT_OK(pdgetpid(pd, &pid_got)); 124 EXPECT_EQ(pid, pid_got); 125 126 // Tell the child to exit and wait until it is a zombie. 127 SEND_INT_MESSAGE(pipefds[0], MSG_PARENT_REQUEST_CHILD_EXIT); 128 // EXPECT_PID_ZOMBIE waits for up to ~500ms, that should be enough time for 129 // the child to exit successfully. 130 EXPECT_PID_ZOMBIE(pid); 131 close(pipefds[0]); 132 133 // Wait for the the child. 134 int status; 135 struct rusage ru; 136 memset(&ru, 0, sizeof(ru)); 137 int waitrc = pdwait4_(pd, &status, 0, &ru); 138 EXPECT_EQ(pid, waitrc); 139 if (verbose) { 140 fprintf(stderr, "For pd %d pid %d:\n", pd, pid); 141 print_rusage(stderr, &ru); 142 } 143 EXPECT_PID_GONE(pid); 144 145 // Can only pdwait4(pd) once (as initial call reaps zombie). 146 memset(&ru, 0, sizeof(ru)); 147 EXPECT_EQ(-1, pdwait4_(pd, &status, 0, &ru)); 148 EXPECT_EQ(ECHILD, errno); 149 150 EXPECT_OK(close(pd)); 151 } 152 153 TEST(Pdfork, InvalidFlag) { 154 int pd = -1; 155 int pid = pdfork(&pd, PD_DAEMON<<5); 156 if (pid == 0) { 157 exit(1); 158 } 159 EXPECT_EQ(-1, pid); 160 EXPECT_EQ(EINVAL, errno); 161 if (pid > 0) waitpid(pid, NULL, 0); 162 } 163 164 TEST(Pdfork, TimeCheck) { 165 time_t now = time(NULL); // seconds since epoch 166 EXPECT_NE(-1, now); 167 if (verbose) fprintf(stderr, "Calling pdfork around %ld\n", (long)(long)now); 168 169 int pd = -1; 170 pid_t pid = pdfork(&pd, 0); 171 EXPECT_OK(pid); 172 if (pid == 0) { 173 // Child: check we didn't get a valid process descriptor then exit. 174 EXPECT_EQ(-1, pdgetpid(pd, &pid)); 175 EXPECT_EQ(EBADF, errno); 176 exit(HasFailure()); 177 } 178 179 // Parent process. Ensure that [acm]times have been set correctly. 180 struct stat stat; 181 memset(&stat, 0, sizeof(stat)); 182 EXPECT_OK(fstat(pd, &stat)); 183 if (verbose) print_stat(stderr, &stat); 184 185 EXPECT_GE(now, stat.st_birthtime); 186 EXPECT_EQ(stat.st_birthtime, stat.st_atime); 187 EXPECT_LT((now - stat.st_atime), 2); 188 EXPECT_EQ(stat.st_atime, stat.st_ctime); 189 EXPECT_EQ(stat.st_ctime, stat.st_mtime); 190 191 // Wait for the child to finish. 192 pid_t pd_pid = -1; 193 EXPECT_OK(pdgetpid(pd, &pd_pid)); 194 EXPECT_EQ(pid, pd_pid); 195 CheckChildFinished(pid); 196 } 197 198 TEST(Pdfork, UseDescriptor) { 199 int pd = -1; 200 pid_t pid = pdfork(&pd, 0); 201 EXPECT_OK(pid); 202 if (pid == 0) { 203 // Child: immediately exit 204 exit(0); 205 } 206 CheckChildFinished(pid); 207 } 208 209 TEST(Pdfork, NonProcessDescriptor) { 210 int fd = open("/etc/passwd", O_RDONLY); 211 EXPECT_OK(fd); 212 // pd*() operations should fail on a non-process descriptor. 213 EXPECT_EQ(-1, pdkill(fd, SIGUSR1)); 214 int status; 215 EXPECT_EQ(-1, pdwait4_(fd, &status, 0, NULL)); 216 pid_t pid; 217 EXPECT_EQ(-1, pdgetpid(fd, &pid)); 218 close(fd); 219 } 220 221 static void *SubThreadMain(void *arg) { 222 // Notify the main thread that we have started 223 if (verbose) fprintf(stderr, " subthread started: pipe=%p\n", arg); 224 SEND_INT_MESSAGE((int)(intptr_t)arg, MSG_CHILD_STARTED); 225 while (true) { 226 if (verbose) fprintf(stderr, " subthread: \"I aten't dead\"\n"); 227 usleep(100000); 228 } 229 return NULL; 230 } 231 232 static void *ThreadMain(void *) { 233 int pd; 234 int pipefds[2]; 235 EXPECT_EQ(0, pipe(pipefds)); 236 pid_t child = pdfork(&pd, 0); 237 if (child == 0) { 238 close(pipefds[0]); 239 // Child: start a subthread then loop. 240 pthread_t child_subthread; 241 // Wait for the subthread startup using another pipe. 242 int thread_pipefds[2]; 243 EXPECT_EQ(0, pipe(thread_pipefds)); 244 EXPECT_OK(pthread_create(&child_subthread, NULL, SubThreadMain, 245 (void *)(intptr_t)thread_pipefds[0])); 246 if (verbose) { 247 fprintf(stderr, " pdforked process %d: waiting for subthread.\n", 248 getpid()); 249 } 250 AWAIT_INT_MESSAGE(thread_pipefds[1], MSG_CHILD_STARTED); 251 close(thread_pipefds[0]); 252 close(thread_pipefds[1]); 253 // Child: Notify parent that all threads have started 254 if (verbose) fprintf(stderr, " pdforked process %d: subthread started\n", getpid()); 255 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 256 while (true) { 257 if (verbose) fprintf(stderr, " pdforked process %d: \"I aten't dead\"\n", getpid()); 258 usleep(100000); 259 } 260 exit(0); 261 } 262 if (verbose) fprintf(stderr, " thread generated pd %d\n", pd); 263 close(pipefds[1]); 264 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 265 if (verbose) fprintf(stderr, "[%d] got child startup message\n", getpid_()); 266 267 // Pass the process descriptor back to the main thread. 268 return reinterpret_cast<void *>(pd); 269 } 270 271 TEST(Pdfork, FromThread) { 272 // Fire off a new thread to do all of the creation work. 273 pthread_t child_thread; 274 EXPECT_OK(pthread_create(&child_thread, NULL, ThreadMain, NULL)); 275 void *data; 276 EXPECT_OK(pthread_join(child_thread, &data)); 277 int pd = reinterpret_cast<intptr_t>(data); 278 if (verbose) fprintf(stderr, "retrieved pd %d from terminated thread\n", pd); 279 280 // Kill and reap. 281 pid_t pid; 282 EXPECT_OK(pdgetpid(pd, &pid)); 283 EXPECT_OK(pdkill(pd, SIGKILL)); 284 int status; 285 EXPECT_EQ(pid, pdwait4_(pd, &status, 0, NULL)); 286 EXPECT_TRUE(WIFSIGNALED(status)); 287 } 288 289 //------------------------------------------------ 290 // More complicated tests. 291 292 293 // Test fixture that pdfork()s off a child process, which terminates 294 // when it receives anything on a pipe. 295 class PipePdforkBase : public ::testing::Test { 296 public: 297 PipePdforkBase(int pdfork_flags) : pd_(-1), pid_(-1) { 298 clear_had_signals(); 299 int pipes[2]; 300 EXPECT_OK(pipe(pipes)); 301 pipe_ = pipes[1]; 302 int parent = getpid_(); 303 if (verbose) fprintf(stderr, "[%d] about to pdfork()\n", getpid_()); 304 int rc = pdfork(&pd_, pdfork_flags); 305 EXPECT_OK(rc); 306 if (rc == 0) { 307 // Child process: blocking-read an int from the pipe then exit with that value. 308 EXPECT_NE(parent, getpid_()); 309 EXPECT_EQ(parent, getppid()); 310 if (verbose) fprintf(stderr, " [%d] child of %d waiting for value on pipe\n", getpid_(), getppid()); 311 read(pipes[0], &rc, sizeof(rc)); 312 if (verbose) fprintf(stderr, " [%d] got value %d on pipe, exiting\n", getpid_(), rc); 313 exit(rc); 314 } 315 pid_ = rc; 316 usleep(100); // ensure the child has a chance to run 317 } 318 ~PipePdforkBase() { 319 // Terminate by any means necessary. 320 if (pd_ > 0) { 321 pdkill(pd_, SIGKILL); 322 close(pd_); 323 } 324 if (pid_ > 0) { 325 kill(pid_, SIGKILL); 326 waitpid(pid_, NULL, WNOHANG); 327 } 328 // Check signal expectations. 329 EXPECT_FALSE(had_signal[SIGCHLD]); 330 } 331 int TerminateChild() { 332 // Tell the child to exit. 333 int zero = 0; 334 if (verbose) fprintf(stderr, "[%d] write 0 to pipe\n", getpid_()); 335 return write(pipe_, &zero, sizeof(zero)); 336 } 337 protected: 338 int pd_; 339 int pipe_; 340 pid_t pid_; 341 }; 342 343 class PipePdfork : public PipePdforkBase { 344 public: 345 PipePdfork() : PipePdforkBase(0) {} 346 }; 347 348 class PipePdforkDaemon : public PipePdforkBase { 349 public: 350 PipePdforkDaemon() : PipePdforkBase(PD_DAEMON) {} 351 }; 352 353 // Can we poll a process descriptor? 354 TEST_F(PipePdfork, Poll) { 355 // Poll the process descriptor, nothing happening. 356 struct pollfd fdp; 357 fdp.fd = pd_; 358 fdp.events = POLLIN | POLLERR | POLLHUP; 359 fdp.revents = 0; 360 EXPECT_EQ(0, poll(&fdp, 1, 0)); 361 362 TerminateChild(); 363 364 // Poll again, should have activity on the process descriptor. 365 EXPECT_EQ(1, poll(&fdp, 1, 2000)); 366 EXPECT_TRUE(fdp.revents & POLLHUP); 367 368 // Poll a third time, still have POLLHUP. 369 fdp.revents = 0; 370 EXPECT_EQ(1, poll(&fdp, 1, 0)); 371 EXPECT_TRUE(fdp.revents & POLLHUP); 372 } 373 374 // Can multiple processes poll on the same descriptor? 375 TEST_F(PipePdfork, PollMultiple) { 376 int pipefds[2]; 377 EXPECT_EQ(0, pipe(pipefds)); 378 int child = fork(); 379 EXPECT_OK(child); 380 if (child == 0) { 381 close(pipefds[0]); 382 // Child: wait for parent to acknowledge startup 383 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 384 // Child: wait for two messages from the parent and the forked process 385 // before telling the other process to terminate. 386 if (verbose) fprintf(stderr, "[%d] waiting for read 1\n", getpid_()); 387 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 388 if (verbose) fprintf(stderr, "[%d] waiting for read 2\n", getpid_()); 389 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 390 TerminateChild(); 391 if (verbose) fprintf(stderr, "[%d] about to exit\n", getpid_()); 392 exit(testing::Test::HasFailure()); 393 } 394 close(pipefds[1]); 395 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 396 if (verbose) fprintf(stderr, "[%d] got child startup message\n", getpid_()); 397 // Fork again 398 int doppel = fork(); 399 EXPECT_OK(doppel); 400 // We now have: 401 // pid A: main process, here 402 // |--pid B: pdfork()ed process, blocked on read() 403 // |--pid C: fork()ed process, in read() above 404 // +--pid D: doppel process, here 405 406 // Both A and D execute the following code. 407 // First, check no activity on the process descriptor yet. 408 struct pollfd fdp; 409 fdp.fd = pd_; 410 fdp.events = POLLIN | POLLERR | POLLHUP; 411 fdp.revents = 0; 412 EXPECT_EQ(0, poll(&fdp, 1, 0)); 413 414 // Both A and D ask C to exit, allowing it to do so. 415 if (verbose) fprintf(stderr, "[%d] telling child to exit\n", getpid_()); 416 SEND_INT_MESSAGE(pipefds[0], MSG_PARENT_REQUEST_CHILD_EXIT); 417 close(pipefds[0]); 418 419 // Now, wait (indefinitely) for activity on the process descriptor. 420 // We expect: 421 // - pid C will finish its two read() calls, write to the pipe and exit. 422 // - pid B will unblock from read(), and exit 423 // - this will generate an event on the process descriptor... 424 // - ...in both process A and process D. 425 if (verbose) fprintf(stderr, "[%d] waiting for child to exit\n", getpid_()); 426 EXPECT_EQ(1, poll(&fdp, 1, 2000)); 427 EXPECT_TRUE(fdp.revents & POLLHUP); 428 429 if (doppel == 0) { 430 // Child: process D exits. 431 exit(0); 432 } else { 433 // Parent: wait on process D. 434 int rc = 0; 435 waitpid(doppel, &rc, 0); 436 EXPECT_TRUE(WIFEXITED(rc)); 437 EXPECT_EQ(0, WEXITSTATUS(rc)); 438 // Also wait on process B. 439 CheckChildFinished(child); 440 } 441 } 442 443 // Check that exit status/rusage for a dead pdfork()ed child can be retrieved 444 // via any process descriptor, multiple times. 445 TEST_F(PipePdfork, MultipleRetrieveExitStatus) { 446 EXPECT_PID_ALIVE(pid_); 447 int pd_copy = dup(pd_); 448 EXPECT_LT(0, TerminateChild()); 449 450 int status; 451 struct rusage ru; 452 memset(&ru, 0, sizeof(ru)); 453 int waitrc = pdwait4_(pd_copy, &status, 0, &ru); 454 EXPECT_EQ(pid_, waitrc); 455 if (verbose) { 456 fprintf(stderr, "For pd %d -> pid %d:\n", pd_, pid_); 457 print_rusage(stderr, &ru); 458 } 459 EXPECT_PID_GONE(pid_); 460 461 #ifdef NOTYET 462 // Child has been reaped, so original process descriptor dangles but 463 // still has access to rusage information. 464 memset(&ru, 0, sizeof(ru)); 465 EXPECT_EQ(0, pdwait4_(pd_, &status, 0, &ru)); 466 #endif 467 close(pd_copy); 468 } 469 470 TEST_F(PipePdfork, ChildExit) { 471 EXPECT_PID_ALIVE(pid_); 472 EXPECT_LT(0, TerminateChild()); 473 EXPECT_PID_DEAD(pid_); 474 475 int status; 476 int rc = pdwait4_(pd_, &status, 0, NULL); 477 EXPECT_OK(rc); 478 EXPECT_EQ(pid_, rc); 479 pid_ = 0; 480 } 481 482 // Closing a normal process descriptor terminates the underlying process. 483 TEST_F(PipePdfork, Close) { 484 sighandler_t original = signal(SIGCHLD, handle_signal); 485 EXPECT_PID_ALIVE(pid_); 486 int status; 487 EXPECT_EQ(0, waitpid(pid_, &status, WNOHANG)); 488 489 EXPECT_OK(close(pd_)); 490 pd_ = -1; 491 EXPECT_FALSE(had_signal[SIGCHLD]); 492 EXPECT_PID_DEAD(pid_); 493 494 #ifdef __FreeBSD__ 495 EXPECT_EQ(-1, waitpid(pid_, NULL, 0)); 496 EXPECT_EQ(errno, ECHILD); 497 #else 498 // Having closed the process descriptor means that pdwait4(pd) now doesn't work. 499 int rc = pdwait4_(pd_, &status, 0, NULL); 500 EXPECT_EQ(-1, rc); 501 EXPECT_EQ(EBADF, errno); 502 503 // Closing all process descriptors means the the child can only be reaped via pid. 504 EXPECT_EQ(pid_, waitpid(pid_, &status, WNOHANG)); 505 #endif 506 signal(SIGCHLD, original); 507 } 508 509 TEST_F(PipePdfork, CloseLast) { 510 sighandler_t original = signal(SIGCHLD, handle_signal); 511 // Child should only die when last process descriptor is closed. 512 EXPECT_PID_ALIVE(pid_); 513 int pd_other = dup(pd_); 514 515 EXPECT_OK(close(pd_)); 516 pd_ = -1; 517 518 EXPECT_PID_ALIVE(pid_); 519 int status; 520 EXPECT_EQ(0, waitpid(pid_, &status, WNOHANG)); 521 522 // Can no longer pdwait4() the closed process descriptor... 523 EXPECT_EQ(-1, pdwait4_(pd_, &status, WNOHANG, NULL)); 524 EXPECT_EQ(EBADF, errno); 525 // ...but can pdwait4() the still-open process descriptor. 526 errno = 0; 527 EXPECT_EQ(0, pdwait4_(pd_other, &status, WNOHANG, NULL)); 528 EXPECT_EQ(0, errno); 529 530 EXPECT_OK(close(pd_other)); 531 EXPECT_PID_DEAD(pid_); 532 533 EXPECT_FALSE(had_signal[SIGCHLD]); 534 signal(SIGCHLD, original); 535 } 536 537 FORK_TEST(Pdfork, OtherUserIfRoot) { 538 GTEST_SKIP_IF_NOT_ROOT(); 539 int pd; 540 int status; 541 pid_t pid = pdfork(&pd, 0); 542 EXPECT_OK(pid); 543 if (pid == 0) { 544 // Child process: loop forever. 545 while (true) usleep(100000); 546 } 547 usleep(100); 548 549 // Now that the second process has been pdfork()ed, change euid. 550 ASSERT_NE(0u, other_uid) << "other_uid not initialized correctly, " 551 "please pass the -u <uid> flag."; 552 EXPECT_EQ(0, setuid(other_uid)); 553 EXPECT_EQ(other_uid, getuid()); 554 if (verbose) fprintf(stderr, "uid=%d euid=%d\n", getuid(), geteuid()); 555 556 // Fail to kill child with normal PID operation. 557 EXPECT_EQ(-1, kill(pid, SIGKILL)); 558 EXPECT_EQ(EPERM, errno); 559 EXPECT_PID_ALIVE(pid); 560 561 // Ideally, we should be able to send signals via a process descriptor even 562 // if it's owned by another user, but this is not implementated on FreeBSD. 563 #ifdef __FreeBSD__ 564 // On FreeBSD, pdkill() still performs all the same checks that kill() does 565 // and therefore cannot be used to send a signal to a process with another 566 // UID unless we are root. 567 EXPECT_SYSCALL_FAIL(EBADF, pdkill(pid, SIGKILL)); 568 EXPECT_PID_ALIVE(pid); 569 // However, the process will be killed when we close the process descriptor. 570 EXPECT_OK(close(pd)); 571 EXPECT_PID_GONE(pid); 572 // Can't pdwait4() after close() since close() reparents the child to a reaper (init) 573 EXPECT_SYSCALL_FAIL(EBADF, pdwait4_(pd, &status, WNOHANG, NULL)); 574 #else 575 // Sending a signal with pdkill() should be permitted though. 576 EXPECT_OK(pdkill(pd, SIGKILL)); 577 EXPECT_PID_ZOMBIE(pid); 578 579 int rc = pdwait4_(pd, &status, WNOHANG, NULL); 580 EXPECT_OK(rc); 581 EXPECT_EQ(pid, rc); 582 EXPECT_TRUE(WIFSIGNALED(status)); 583 #endif 584 } 585 586 TEST_F(PipePdfork, WaitPidThenPd) { 587 TerminateChild(); 588 int status; 589 // If we waitpid(pid) first... 590 int rc = waitpid(pid_, &status, 0); 591 EXPECT_OK(rc); 592 EXPECT_EQ(pid_, rc); 593 594 #ifdef NOTYET 595 // ...the zombie is reaped but we can still subsequently pdwait4(pd). 596 EXPECT_EQ(0, pdwait4_(pd_, &status, 0, NULL)); 597 #endif 598 } 599 600 TEST_F(PipePdfork, WaitPdThenPid) { 601 TerminateChild(); 602 int status; 603 // If we pdwait4(pd) first... 604 int rc = pdwait4_(pd_, &status, 0, NULL); 605 EXPECT_OK(rc); 606 EXPECT_EQ(pid_, rc); 607 608 // ...the zombie is reaped and cannot subsequently waitpid(pid). 609 EXPECT_EQ(-1, waitpid(pid_, &status, 0)); 610 EXPECT_EQ(ECHILD, errno); 611 } 612 613 // Setting PD_DAEMON prevents close() from killing the child. 614 TEST_F(PipePdforkDaemon, Close) { 615 EXPECT_OK(close(pd_)); 616 pd_ = -1; 617 EXPECT_PID_ALIVE(pid_); 618 619 // Can still explicitly kill it via the pid. 620 if (pid_ > 0) { 621 EXPECT_OK(kill(pid_, SIGKILL)); 622 EXPECT_PID_DEAD(pid_); 623 } 624 } 625 626 static void TestPdkill(pid_t pid, int pd) { 627 EXPECT_PID_ALIVE(pid); 628 // SIGCONT is ignored by default. 629 EXPECT_OK(pdkill(pd, SIGCONT)); 630 EXPECT_PID_ALIVE(pid); 631 632 // SIGINT isn't 633 EXPECT_OK(pdkill(pd, SIGINT)); 634 EXPECT_PID_DEAD(pid); 635 636 // pdkill() on zombie is no-op. 637 errno = 0; 638 EXPECT_EQ(0, pdkill(pd, SIGINT)); 639 EXPECT_EQ(0, errno); 640 641 // pdkill() on reaped process gives -ESRCH. 642 CheckChildFinished(pid, true); 643 EXPECT_EQ(-1, pdkill(pd, SIGINT)); 644 EXPECT_EQ(ESRCH, errno); 645 } 646 647 TEST_F(PipePdfork, Pdkill) { 648 TestPdkill(pid_, pd_); 649 } 650 651 TEST_F(PipePdforkDaemon, Pdkill) { 652 TestPdkill(pid_, pd_); 653 } 654 655 TEST(Pdfork, PdkillOtherSignal) { 656 int pd = -1; 657 int pipefds[2]; 658 EXPECT_EQ(0, pipe(pipefds)); 659 int pid = pdfork(&pd, 0); 660 EXPECT_OK(pid); 661 if (pid == 0) { 662 // Child: tell the parent that we have started before entering the loop, 663 // and importantly only do so once we have registered the SIGUSR1 handler. 664 close(pipefds[0]); 665 clear_had_signals(); 666 signal(SIGUSR1, handle_signal); 667 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 668 // Child: watch for SIGUSR1 forever. 669 while (!had_signal[SIGUSR1]) { 670 usleep(100000); 671 } 672 exit(123); 673 } 674 // Wait for child to start 675 close(pipefds[1]); 676 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 677 close(pipefds[0]); 678 679 // Send an invalid signal. 680 EXPECT_EQ(-1, pdkill(pd, 0xFFFF)); 681 EXPECT_EQ(EINVAL, errno); 682 683 // Send an expected SIGUSR1 to the pdfork()ed child. 684 EXPECT_PID_ALIVE(pid); 685 pdkill(pd, SIGUSR1); 686 EXPECT_PID_DEAD(pid); 687 688 // Child's exit status confirms whether it received the signal. 689 int status; 690 int rc = waitpid(pid, &status, 0); 691 EXPECT_OK(rc); 692 EXPECT_EQ(pid, rc); 693 EXPECT_TRUE(WIFEXITED(status)) << "status: 0x" << std::hex << status; 694 EXPECT_EQ(123, WEXITSTATUS(status)); 695 } 696 697 pid_t PdforkParentDeath(int pdfork_flags) { 698 // Set up: 699 // pid A: main process, here 700 // +--pid B: fork()ed process, starts a child process with pdfork() then 701 // waits for parent to send a shutdown message. 702 // +--pid C: pdfork()ed process, looping forever 703 int sock_fds[2]; 704 EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds)); 705 if (verbose) fprintf(stderr, "[%d] parent about to fork()...\n", getpid_()); 706 pid_t child = fork(); 707 EXPECT_OK(child); 708 if (child == 0) { 709 int pd; 710 if (verbose) fprintf(stderr, " [%d] child about to pdfork()...\n", getpid_()); 711 int pipefds[2]; // for startup notification 712 EXPECT_OK(pipe(pipefds)); 713 pid_t grandchild = pdfork(&pd, pdfork_flags); 714 if (grandchild == 0) { 715 close(pipefds[0]); 716 pid_t grandchildPid = getpid_(); 717 EXPECT_EQ(sizeof(grandchildPid), (size_t)write(pipefds[1], &grandchildPid, sizeof(grandchildPid))); 718 while (true) { 719 if (verbose) fprintf(stderr, " [%d] grandchild: \"I aten't dead\"\n", grandchildPid); 720 sleep(1); 721 } 722 } 723 close(pipefds[1]); 724 if (verbose) fprintf(stderr, " [%d] pdfork()ed grandchild %d, sending ID to parent\n", getpid_(), grandchild); 725 // Wait for grandchild to start. 726 pid_t grandchild2; 727 EXPECT_EQ(sizeof(grandchild2), (size_t)read(pipefds[0], &grandchild2, sizeof(grandchild2))); 728 EXPECT_EQ(grandchild, grandchild2) << "received invalid grandchild pid"; 729 if (verbose) fprintf(stderr, " [%d] grandchild %d has started successfully\n", getpid_(), grandchild); 730 close(pipefds[0]); 731 732 // Send grandchild pid to parent. 733 EXPECT_EQ(sizeof(grandchild), (size_t)write(sock_fds[1], &grandchild, sizeof(grandchild))); 734 if (verbose) fprintf(stderr, " [%d] sent grandchild pid %d to parent\n", getpid_(), grandchild); 735 // Wait for parent to acknowledge the message. 736 AWAIT_INT_MESSAGE(sock_fds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 737 if (verbose) fprintf(stderr, " [%d] parent acknowledged grandchild pid %d\n", getpid_(), grandchild); 738 if (verbose) fprintf(stderr, " [%d] child terminating\n", getpid_()); 739 exit(testing::Test::HasFailure()); 740 } 741 if (verbose) fprintf(stderr, "[%d] fork()ed child is %d\n", getpid_(), child); 742 pid_t grandchild; 743 read(sock_fds[0], &grandchild, sizeof(grandchild)); 744 if (verbose) fprintf(stderr, "[%d] received grandchild id %d\n", getpid_(), grandchild); 745 EXPECT_PID_ALIVE(child); 746 EXPECT_PID_ALIVE(grandchild); 747 // Tell child to exit. 748 if (verbose) fprintf(stderr, "[%d] telling child %d to exit\n", getpid_(), child); 749 SEND_INT_MESSAGE(sock_fds[0], MSG_PARENT_REQUEST_CHILD_EXIT); 750 // Child dies, closing its process descriptor for the grandchild. 751 EXPECT_PID_DEAD(child); 752 CheckChildFinished(child); 753 return grandchild; 754 } 755 756 TEST(Pdfork, Bagpuss) { 757 // "And of course when Bagpuss goes to sleep, all his friends go to sleep too" 758 pid_t grandchild = PdforkParentDeath(0); 759 // By default: child death => closed process descriptor => grandchild death. 760 EXPECT_PID_DEAD(grandchild); 761 } 762 763 TEST(Pdfork, BagpussDaemon) { 764 pid_t grandchild = PdforkParentDeath(PD_DAEMON); 765 // With PD_DAEMON: child death => closed process descriptor => no effect on grandchild. 766 EXPECT_PID_ALIVE(grandchild); 767 if (grandchild > 0) { 768 EXPECT_OK(kill(grandchild, SIGKILL)); 769 } 770 } 771 772 // The exit of a pdfork()ed process should not generate SIGCHLD. 773 TEST_F(PipePdfork, NoSigchld) { 774 clear_had_signals(); 775 sighandler_t original = signal(SIGCHLD, handle_signal); 776 TerminateChild(); 777 int rc = 0; 778 // Can waitpid() for the specific pid of the pdfork()ed child. 779 EXPECT_EQ(pid_, waitpid(pid_, &rc, 0)); 780 EXPECT_TRUE(WIFEXITED(rc)) << "0x" << std::hex << rc; 781 EXPECT_FALSE(had_signal[SIGCHLD]); 782 signal(SIGCHLD, original); 783 } 784 785 // The exit of a pdfork()ed process whose process descriptors have 786 // all been closed should generate SIGCHLD. The child process needs 787 // PD_DAEMON to survive the closure of the process descriptors. 788 TEST_F(PipePdforkDaemon, NoPDSigchld) { 789 clear_had_signals(); 790 sighandler_t original = signal(SIGCHLD, handle_signal); 791 792 EXPECT_OK(close(pd_)); 793 TerminateChild(); 794 #ifdef __FreeBSD__ 795 EXPECT_EQ(-1, waitpid(pid_, NULL, 0)); 796 EXPECT_EQ(errno, ECHILD); 797 #else 798 int rc = 0; 799 // Can waitpid() for the specific pid of the pdfork()ed child. 800 EXPECT_EQ(pid_, waitpid(pid_, &rc, 0)); 801 EXPECT_TRUE(WIFEXITED(rc)) << "0x" << std::hex << rc; 802 #endif 803 EXPECT_FALSE(had_signal[SIGCHLD]); 804 signal(SIGCHLD, original); 805 } 806 807 TEST_F(PipePdfork, ModeBits) { 808 // Owner rwx bits indicate liveness of child 809 struct stat stat; 810 memset(&stat, 0, sizeof(stat)); 811 EXPECT_OK(fstat(pd_, &stat)); 812 if (verbose) print_stat(stderr, &stat); 813 EXPECT_EQ(S_IRWXU, (long)(stat.st_mode & S_IRWXU)); 814 815 TerminateChild(); 816 usleep(100000); 817 818 memset(&stat, 0, sizeof(stat)); 819 EXPECT_OK(fstat(pd_, &stat)); 820 if (verbose) print_stat(stderr, &stat); 821 EXPECT_EQ(0, (int)(stat.st_mode & S_IRWXU)); 822 } 823 824 TEST_F(PipePdfork, WildcardWait) { 825 TerminateChild(); 826 EXPECT_PID_ZOMBIE(pid_); // Ensure child is truly dead. 827 828 // Wildcard waitpid(-1) should not see the pdfork()ed child because 829 // there is still a process descriptor for it. 830 int rc; 831 EXPECT_EQ(-1, waitpid(-1, &rc, WNOHANG)); 832 EXPECT_EQ(ECHILD, errno); 833 834 EXPECT_OK(close(pd_)); 835 pd_ = -1; 836 } 837 838 FORK_TEST(Pdfork, Pdkill) { 839 clear_had_signals(); 840 int pd; 841 int pipefds[2]; 842 EXPECT_OK(pipe(pipefds)); 843 pid_t pid = pdfork(&pd, 0); 844 EXPECT_OK(pid); 845 846 if (pid == 0) { 847 // Child: set a SIGINT handler, notify the parent and sleep. 848 close(pipefds[0]); 849 clear_had_signals(); 850 signal(SIGINT, handle_signal); 851 if (verbose) fprintf(stderr, "[%d] child started\n", getpid_()); 852 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 853 if (verbose) fprintf(stderr, "[%d] child about to sleep(10)\n", getpid_()); 854 // Note: we could receive the SIGINT just before sleep(), so we use a loop 855 // with a short delay instead of one long sleep(). 856 for (int i = 0; i < 50 && !had_signal[SIGINT]; i++) { 857 usleep(100000); 858 } 859 if (verbose) fprintf(stderr, "[%d] child slept, had[SIGINT]=%d\n", 860 getpid_(), (int)had_signal[SIGINT]); 861 // Return non-zero if we didn't see SIGINT. 862 exit(had_signal[SIGINT] ? 0 : 99); 863 } 864 865 // Parent: get child's PID. 866 pid_t pd_pid; 867 EXPECT_OK(pdgetpid(pd, &pd_pid)); 868 EXPECT_EQ(pid, pd_pid); 869 870 // Interrupt the child once it's registered the SIGINT handler. 871 close(pipefds[1]); 872 if (verbose) fprintf(stderr, "[%d] waiting for child\n", getpid_()); 873 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 874 EXPECT_OK(pdkill(pd, SIGINT)); 875 if (verbose) fprintf(stderr, "[%d] sent SIGINT\n", getpid_()); 876 877 // Make sure the child finished properly (caught signal then exited). 878 CheckChildFinished(pid); 879 } 880 881 FORK_TEST(Pdfork, PdkillSignal) { 882 int pd; 883 int pipefds[2]; 884 EXPECT_OK(pipe(pipefds)); 885 pid_t pid = pdfork(&pd, 0); 886 EXPECT_OK(pid); 887 888 if (pid == 0) { 889 close(pipefds[0]); 890 if (verbose) fprintf(stderr, "[%d] child started\n", getpid_()); 891 SEND_INT_MESSAGE(pipefds[1], MSG_CHILD_STARTED); 892 // Child: wait for shutdown message. No SIGINT handler. The message should 893 // never be received, since SIGINT should terminate the process. 894 if (verbose) fprintf(stderr, "[%d] child about to read()\n", getpid_()); 895 AWAIT_INT_MESSAGE(pipefds[1], MSG_PARENT_REQUEST_CHILD_EXIT); 896 fprintf(stderr, "[%d] child read() returned unexpectedly\n", getpid_()); 897 exit(99); 898 } 899 // Wait for child to start before signalling. 900 if (verbose) fprintf(stderr, "[%d] waiting for child\n", getpid_()); 901 close(pipefds[1]); 902 AWAIT_INT_MESSAGE(pipefds[0], MSG_CHILD_STARTED); 903 // Kill the child (as it doesn't handle SIGINT). 904 if (verbose) fprintf(stderr, "[%d] sending SIGINT\n", getpid_()); 905 EXPECT_OK(pdkill(pd, SIGINT)); 906 907 // Make sure the child finished properly (terminated by signal). 908 CheckChildFinished(pid, true); 909 } 910 911 //------------------------------------------------ 912 // Test interactions with other parts of Capsicum: 913 // - capability mode 914 // - capabilities 915 916 FORK_TEST(Pdfork, DaemonUnrestricted) { 917 EXPECT_OK(cap_enter()); 918 int fd; 919 920 // Capability mode leaves pdfork() available, with and without flag. 921 int rc; 922 rc = pdfork(&fd, PD_DAEMON); 923 EXPECT_OK(rc); 924 if (rc == 0) { 925 // Child: immediately terminate. 926 exit(0); 927 } 928 929 rc = pdfork(&fd, 0); 930 EXPECT_OK(rc); 931 if (rc == 0) { 932 // Child: immediately terminate. 933 exit(0); 934 } 935 } 936 937 TEST(Pdfork, MissingRights) { 938 pid_t parent = getpid_(); 939 int pd = -1; 940 pid_t pid = pdfork(&pd, 0); 941 EXPECT_OK(pid); 942 if (pid == 0) { 943 // Child: loop forever. 944 EXPECT_NE(parent, getpid_()); 945 while (true) sleep(1); 946 } 947 // Create two capabilities from the process descriptor. 948 cap_rights_t r_ro; 949 cap_rights_init(&r_ro, CAP_READ, CAP_LOOKUP); 950 int cap_incapable = dup(pd); 951 EXPECT_OK(cap_incapable); 952 EXPECT_OK(cap_rights_limit(cap_incapable, &r_ro)); 953 cap_rights_t r_pdall; 954 cap_rights_init(&r_pdall, CAP_PDGETPID, CAP_PDWAIT, CAP_PDKILL); 955 int cap_capable = dup(pd); 956 EXPECT_OK(cap_capable); 957 EXPECT_OK(cap_rights_limit(cap_capable, &r_pdall)); 958 959 pid_t other_pid; 960 EXPECT_NOTCAPABLE(pdgetpid(cap_incapable, &other_pid)); 961 EXPECT_NOTCAPABLE(pdkill(cap_incapable, SIGINT)); 962 int status; 963 EXPECT_NOTCAPABLE(pdwait4_(cap_incapable, &status, 0, NULL)); 964 965 EXPECT_OK(pdgetpid(cap_capable, &other_pid)); 966 EXPECT_EQ(pid, other_pid); 967 EXPECT_OK(pdkill(cap_capable, SIGINT)); 968 int rc = pdwait4_(pd, &status, 0, NULL); 969 EXPECT_OK(rc); 970 EXPECT_EQ(pid, rc); 971 } 972 973 974 //------------------------------------------------ 975 // Passing process descriptors between processes. 976 977 TEST_F(PipePdfork, PassProcessDescriptor) { 978 int sock_fds[2]; 979 EXPECT_OK(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds)); 980 981 struct msghdr mh; 982 mh.msg_name = NULL; // No address needed 983 mh.msg_namelen = 0; 984 char buffer1[1024]; 985 struct iovec iov[1]; 986 iov[0].iov_base = buffer1; 987 iov[0].iov_len = sizeof(buffer1); 988 mh.msg_iov = iov; 989 mh.msg_iovlen = 1; 990 char buffer2[1024]; 991 mh.msg_control = buffer2; 992 mh.msg_controllen = sizeof(buffer2); 993 struct cmsghdr *cmptr; 994 995 if (verbose) fprintf(stderr, "[%d] about to fork()\n", getpid_()); 996 pid_t child2 = fork(); 997 if (child2 == 0) { 998 // Child: close our copy of the original process descriptor. 999 close(pd_); 1000 SEND_INT_MESSAGE(sock_fds[0], MSG_CHILD_STARTED); 1001 // Child: wait to receive process descriptor over socket 1002 if (verbose) fprintf(stderr, " [%d] child of %d waiting for process descriptor on socket\n", getpid_(), getppid()); 1003 int rc = recvmsg(sock_fds[0], &mh, 0); 1004 EXPECT_OK(rc); 1005 EXPECT_LE(CMSG_LEN(sizeof(int)), mh.msg_controllen); 1006 cmptr = CMSG_FIRSTHDR(&mh); 1007 int pd = *(int*)CMSG_DATA(cmptr); 1008 EXPECT_EQ(CMSG_LEN(sizeof(int)), cmptr->cmsg_len); 1009 cmptr = CMSG_NXTHDR(&mh, cmptr); 1010 EXPECT_TRUE(cmptr == NULL); 1011 if (verbose) fprintf(stderr, " [%d] got process descriptor %d on socket\n", getpid_(), pd); 1012 SEND_INT_MESSAGE(sock_fds[0], MSG_CHILD_FD_RECEIVED); 1013 1014 // Child: confirm we can do pd*() operations on the process descriptor 1015 pid_t other; 1016 EXPECT_OK(pdgetpid(pd, &other)); 1017 if (verbose) fprintf(stderr, " [%d] process descriptor %d is pid %d\n", getpid_(), pd, other); 1018 1019 // Wait until the parent has closed the process descriptor. 1020 AWAIT_INT_MESSAGE(sock_fds[0], MSG_PARENT_CLOSED_FD); 1021 1022 if (verbose) fprintf(stderr, " [%d] close process descriptor %d\n", getpid_(), pd); 1023 close(pd); 1024 1025 // Last process descriptor closed, expect death 1026 EXPECT_PID_DEAD(other); 1027 1028 exit(HasFailure()); 1029 } 1030 // Wait until the child has started. 1031 AWAIT_INT_MESSAGE(sock_fds[1], MSG_CHILD_STARTED); 1032 1033 // Send the process descriptor over the pipe to the sub-process 1034 mh.msg_controllen = CMSG_LEN(sizeof(int)); 1035 cmptr = CMSG_FIRSTHDR(&mh); 1036 cmptr->cmsg_level = SOL_SOCKET; 1037 cmptr->cmsg_type = SCM_RIGHTS; 1038 cmptr->cmsg_len = CMSG_LEN(sizeof(int)); 1039 *(int *)CMSG_DATA(cmptr) = pd_; 1040 buffer1[0] = 0; 1041 iov[0].iov_len = 1; 1042 if (verbose) fprintf(stderr, "[%d] send process descriptor %d on socket\n", getpid_(), pd_); 1043 int rc = sendmsg(sock_fds[1], &mh, 0); 1044 EXPECT_OK(rc); 1045 // Wait until the child has received the process descriptor. 1046 AWAIT_INT_MESSAGE(sock_fds[1], MSG_CHILD_FD_RECEIVED); 1047 1048 if (verbose) fprintf(stderr, "[%d] close process descriptor %d\n", getpid_(), pd_); 1049 close(pd_); // Not last open process descriptor 1050 SEND_INT_MESSAGE(sock_fds[1], MSG_PARENT_CLOSED_FD); 1051 1052 // wait for child2 1053 int status; 1054 EXPECT_EQ(child2, waitpid(child2, &status, 0)); 1055 rc = WIFEXITED(status) ? WEXITSTATUS(status) : -1; 1056 EXPECT_EQ(0, rc); 1057 1058 // confirm death all round 1059 EXPECT_PID_DEAD(child2); 1060 EXPECT_PID_DEAD(pid_); 1061 } 1062