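/*-
 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 *
 * Copyright (c) 2012 The FreeBSD Foundation
 * All rights reserved.
 *
 * This software was developed by Edward Tomasz Napierala under sponsorship
 * from the FreeBSD Foundation.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include <sys/types.h>
#include <sys/time.h>
#include <sys/ioctl.h>
#include <sys/param.h>
#include <sys/linker.h>
#include <sys/socket.h>
#include <sys/capsicum.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <assert.h>
#include <capsicum_helpers.h>
#include <errno.h>
#include <fcntl.h>
#include <libutil.h>
#include <limits.h>
#include <netdb.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "iscsid.h"

/*
 * Set from sigalrm_handler() and polled through timed_out().  An object
 * written by a signal handler and read by normal code should be a
 * "volatile sig_atomic_t" (CERT SIG31-C); a volatile bool carries no such
 * guarantee.
 */
static volatile sig_atomic_t sigalrm_received = 0;

/* Number of forked children the parent has not reaped yet. */
static int nchildren = 0;

/*
 * Print the command line synopsis to stderr and exit with status 1.
 * The -l option is accepted by getopt() in main(), so it is listed here too.
 */
static void
usage(void)
{

	fprintf(stderr, "usage: iscsid [-P pidfile][-d][-l loglevel]"
	    "[-m maxproc][-t timeout]\n");
	exit(1);
}

/*
 * strdup(3) wrapper that reports allocation failure through log_err()
 * instead of handing NULL back to the caller.
 *
 * NOTE(review): log_err()/log_errx() are declared in iscsid.h, which is not
 * visible here; every caller in this file treats a non-zero first argument
 * as "log and terminate" - confirm against log.c.
 */
char *
checked_strdup(const char *s)
{
	char *c;

	c = strdup(s);
	if (c == NULL)
		log_err(1, "strdup");
	return (c);
}

/*
 * Parse the numeric argument of command line option "opt".
 *
 * atoi(3) cannot report errors: a typo such as "-t 6o" or "-m x" silently
 * yields 0, and 0 switches the session timeout off (see set_timeout()) or
 * removes the child process limit (see main()).  Reject anything that is
 * not a complete decimal integer in the range of int instead.  Negative
 * values are still accepted, since callers treat "<= 0" as "disabled".
 */
static int
parse_int_arg(int opt, const char *s)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(s, &end, 10);
	if (end == s || *end != '\0' || errno == ERANGE ||
	    v < INT_MIN || v > INT_MAX) {
		fprintf(stderr, "iscsid: invalid numeric argument "
		    "for -%c: \"%s\"\n", opt, s);
		usage();
	}
	return ((int)v);
}

/*
 * Split "address" into host and optional port and resolve it with
 * getaddrinfo(3); the result list is stored in *ai and owned by the caller.
 *
 * Accepted forms: "[ipv6]", "[ipv6]:port", bare IPv6 (more than one colon,
 * no port), "host" and "host:port".  When no port is given, the target side
 * defaults to 3260; the initiator side passes a NULL service.
 *
 * Any parse or resolution error is reported to the kernel with fail() and
 * then logged through log_errx(1, ...).
 */
static void
resolve_addr(const struct connection *conn, const char *address,
    struct addrinfo **ai, bool initiator_side)
{
	struct addrinfo hints;
	char *arg, *addr, *ch, *copy;
	const char *port = NULL;
	int error, colons = 0;

	/*
	 * strsep(3) modifies its argument and "arg" is advanced below, so
	 * work on a private copy and remember its start for free(3).
	 */
	copy = arg = checked_strdup(address);

	if (arg[0] == '\0') {
		fail(conn, "empty address");
		log_errx(1, "empty address");
	}
	if (arg[0] == '[') {
		/*
		 * IPv6 address in square brackets, perhaps with port.
		 */
		arg++;
		addr = strsep(&arg, "]");
		if (arg == NULL) {
			/* No closing bracket. */
			fail(conn, "malformed address");
			log_errx(1, "malformed address %s", address);
		}
		if (arg[0] == '\0') {
			port = NULL;
		} else if (arg[0] == ':') {
			port = arg + 1;
		} else {
			/* Trailing junk after the closing bracket. */
			fail(conn, "malformed address");
			log_errx(1, "malformed address %s", address);
		}
	} else {
		/*
		 * Either IPv6 address without brackets - and without
		 * a port - or IPv4 address.  Just count the colons.
		 */
		for (ch = arg; *ch != '\0'; ch++) {
			if (*ch == ':')
				colons++;
		}
		if (colons > 1) {
			addr = arg;
			port = NULL;
		} else {
			addr = strsep(&arg, ":");
			if (arg == NULL)
				port = NULL;
			else
				port = arg;
		}
	}

	if (port == NULL && !initiator_side)
		port = "3260";

	/*
	 * AI_NUMERICSERV: the port must be a decimal number; service names
	 * are not looked up.  AI_PASSIVE on the initiator side because that
	 * address is only used for bind(2).
	 */
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_ADDRCONFIG | AI_NUMERICSERV;
	if (initiator_side)
		hints.ai_flags |= AI_PASSIVE;

	error = getaddrinfo(addr, port, &hints, ai);
	/* "addr" and "port" point into "copy"; they are not used past here. */
	free(copy);
	if (error != 0) {
		fail(conn, gai_strerror(error));
		log_errx(1, "getaddrinfo for %s failed: %s",
		    address, gai_strerror(error));
	}
}

/*
 * Allocate a connection for the kernel's request, fill in the RFC 3720
 * defaults and the driver limits, resolve the addresses and connect to the
 * target (directly, or through the ICL kernel proxy for iSER).
 *
 * This runs before capsicate(): name resolution and socket(2)/connect(2)
 * are done while the process is still outside capability mode.
 *
 * NOTE(review): the address strings in request->idr_conf come from the
 * ISCSIDWAIT ioctl; this code assumes they are NUL-terminated - confirm
 * against the kernel side.
 */
static struct connection *
connection_new(int iscsi_fd, const struct iscsi_daemon_request *request)
{
	struct connection *conn;
	struct iscsi_session_limits *isl;
	struct addrinfo *from_ai, *to_ai;
	const char *from_addr, *to_addr;
#ifdef ICL_KERNEL_PROXY
	struct iscsi_daemon_connect idc;
#endif
	int error, sockbuf;

	conn = calloc(1, sizeof(*conn));
	if (conn == NULL)
		log_err(1, "calloc");

	/*
	 * Default values, from RFC 3720, section 12.
	 */
	conn->conn_header_digest = CONN_DIGEST_NONE;
	conn->conn_data_digest = CONN_DIGEST_NONE;
	conn->conn_initial_r2t = true;
	conn->conn_immediate_data = true;
	conn->conn_max_recv_data_segment_length = 8192;
	conn->conn_max_send_data_segment_length = 8192;
	conn->conn_max_burst_length = 262144;
	conn->conn_first_burst_length = 65536;
	conn->conn_iscsi_fd = iscsi_fd;

	conn->conn_session_id = request->idr_session_id;
	memcpy(&conn->conn_conf, &request->idr_conf, sizeof(conn->conn_conf));
	memcpy(&conn->conn_isid, &request->idr_isid, sizeof(conn->conn_isid));
	conn->conn_tsih = request->idr_tsih;

	/*
	 * Read the driver limits and provide reasonable defaults for the ones
	 * the driver doesn't care about.  If a max_snd_dsl is not explicitly
	 * provided by the driver then we'll make sure both conn->max_snd_dsl
	 * and isl->max_snd_dsl are set to the rcv_dsl.  This preserves historic
	 * behavior.
	 */
	isl = &conn->conn_limits;
	memcpy(isl, &request->idr_limits, sizeof(*isl));
	if (isl->isl_max_recv_data_segment_length == 0)
		isl->isl_max_recv_data_segment_length = (1 << 24) - 1;
	if (isl->isl_max_send_data_segment_length == 0)
		isl->isl_max_send_data_segment_length =
		    isl->isl_max_recv_data_segment_length;
	if (isl->isl_max_burst_length == 0)
		isl->isl_max_burst_length = (1 << 24) - 1;
	if (isl->isl_first_burst_length == 0)
		isl->isl_first_burst_length = (1 << 24) - 1;
	if (isl->isl_first_burst_length > isl->isl_max_burst_length)
		isl->isl_first_burst_length = isl->isl_max_burst_length;

	/*
	 * Limit default send length in case it won't be negotiated.
	 * We can't do it for other limits, since they may affect both
	 * sender and receiver operation, and we must obey defaults.
	 */
	if (conn->conn_max_send_data_segment_length >
	    isl->isl_max_send_data_segment_length) {
		conn->conn_max_send_data_segment_length =
		    isl->isl_max_send_data_segment_length;
	}

	from_addr = conn->conn_conf.isc_initiator_addr;
	to_addr = conn->conn_conf.isc_target_addr;

	/* The local (initiator) address is optional; the target is not. */
	if (from_addr[0] != '\0')
		resolve_addr(conn, from_addr, &from_ai, true);
	else
		from_ai = NULL;

	resolve_addr(conn, to_addr, &to_ai, false);

#ifdef ICL_KERNEL_PROXY
	if (conn->conn_conf.isc_iser) {
		memset(&idc, 0, sizeof(idc));
		idc.idc_session_id = conn->conn_session_id;
		if (conn->conn_conf.isc_iser)
			idc.idc_iser = 1;
		idc.idc_domain = to_ai->ai_family;
		idc.idc_socktype = to_ai->ai_socktype;
		idc.idc_protocol = to_ai->ai_protocol;
		if (from_ai != NULL) {
			idc.idc_from_addr = from_ai->ai_addr;
			idc.idc_from_addrlen = from_ai->ai_addrlen;
		}
		idc.idc_to_addr = to_ai->ai_addr;
		idc.idc_to_addrlen = to_ai->ai_addrlen;

		log_debugx("connecting to %s using ICL kernel proxy", to_addr);
		error = ioctl(iscsi_fd, ISCSIDCONNECT, &idc);
		if (error != 0) {
			fail(conn, strerror(errno));
			log_err(1, "failed to connect to %s "
			    "using ICL kernel proxy: ISCSIDCONNECT", to_addr);
		}

		/*
		 * NOTE(review): the addrinfo lists are left allocated on
		 * this path, as before; whether the kernel keeps using the
		 * idc_*_addr pointers after the ioctl returns is not
		 * visible from here.
		 */
		return (conn);
	}
#endif /* ICL_KERNEL_PROXY */

	if (conn->conn_conf.isc_iser) {
		fail(conn, "iSER not supported");
		log_errx(1, "iscsid(8) compiled without ICL_KERNEL_PROXY "
		    "does not support iSER");
	}

	/*
	 * Only the first getaddrinfo(3) result is tried.  The socket takes
	 * its family from the target address, so messages about it name
	 * to_addr; from_addr is usually the empty string at this point.
	 */
	conn->conn_socket = socket(to_ai->ai_family, to_ai->ai_socktype,
	    to_ai->ai_protocol);
	if (conn->conn_socket < 0) {
		fail(conn, strerror(errno));
		log_err(1, "failed to create socket for %s", to_addr);
	}
	/* Buffer sizing and DSCP marking are best effort: warn and go on. */
	sockbuf = SOCKBUF_SIZE;
	if (setsockopt(conn->conn_socket, SOL_SOCKET, SO_RCVBUF,
	    &sockbuf, sizeof(sockbuf)) == -1)
		log_warn("setsockopt(SO_RCVBUF) failed");
	sockbuf = SOCKBUF_SIZE;
	if (setsockopt(conn->conn_socket, SOL_SOCKET, SO_SNDBUF,
	    &sockbuf, sizeof(sockbuf)) == -1)
		log_warn("setsockopt(SO_SNDBUF) failed");
	if (conn->conn_conf.isc_dscp != -1) {
		/*
		 * DSCP occupies the upper six bits of the TOS / traffic
		 * class byte.  NOTE(review): isc_dscp is not range-checked
		 * here; presumably validated by whoever filled in the
		 * configuration - confirm.
		 */
		int tos = conn->conn_conf.isc_dscp << 2;
		if (to_ai->ai_family == AF_INET) {
			if (setsockopt(conn->conn_socket,
			    IPPROTO_IP, IP_TOS,
			    &tos, sizeof(tos)) == -1)
				log_warn("setsockopt(IP_TOS) "
				    "failed for %s",
				    to_addr);
		} else
		if (to_ai->ai_family == AF_INET6) {
			if (setsockopt(conn->conn_socket,
			    IPPROTO_IPV6, IPV6_TCLASS,
			    &tos, sizeof(tos)) == -1)
				log_warn("setsockopt(IPV6_TCLASS) "
				    "failed for %s",
				    to_addr);
		}
	}
	if (from_ai != NULL) {
		error = bind(conn->conn_socket, from_ai->ai_addr,
		    from_ai->ai_addrlen);
		if (error != 0) {
			fail(conn, strerror(errno));
			log_err(1, "failed to bind to %s", from_addr);
		}
	}
	log_debugx("connecting to %s", to_addr);
	error = connect(conn->conn_socket, to_ai->ai_addr, to_ai->ai_addrlen);
	if (error != 0) {
		fail(conn, strerror(errno));
		log_err(1, "failed to connect to %s", to_addr);
	}

	/* bind(2) and connect(2) are done with the resolved addresses. */
	if (from_ai != NULL)
		freeaddrinfo(from_ai);
	freeaddrinfo(to_ai);

	return (conn);
}

/*
 * Pass the logged-in connection - socket plus the negotiated parameters
 * stored in "conn" - to the kernel with the ISCSIDHANDOFF ioctl.
 */
static void
handoff(struct connection *conn)
{
	struct iscsi_daemon_handoff idh;
	int error;

	log_debugx("handing off connection to the kernel");

	memset(&idh, 0, sizeof(idh));
	idh.idh_session_id = conn->conn_session_id;
	idh.idh_socket = conn->conn_socket;
	/* strlcpy(3) truncates and always terminates the alias. */
	strlcpy(idh.idh_target_alias, conn->conn_target_alias,
	    sizeof(idh.idh_target_alias));
	idh.idh_tsih = conn->conn_tsih;
	idh.idh_statsn = conn->conn_statsn;
	idh.idh_header_digest = conn->conn_header_digest;
	idh.idh_data_digest = conn->conn_data_digest;
	idh.idh_initial_r2t = conn->conn_initial_r2t;
	idh.idh_immediate_data = conn->conn_immediate_data;
	idh.idh_max_recv_data_segment_length =
	    conn->conn_max_recv_data_segment_length;
	idh.idh_max_send_data_segment_length =
	    conn->conn_max_send_data_segment_length;
	idh.idh_max_burst_length = conn->conn_max_burst_length;
	idh.idh_first_burst_length = conn->conn_first_burst_length;

	error = ioctl(conn->conn_iscsi_fd, ISCSIDHANDOFF, &idh);
	if (error != 0)
		log_err(1, "ISCSIDHANDOFF");
}

/*
 * Report a session failure and its reason to the kernel (ISCSIDFAIL).
 *
 * errno is preserved across the call so that the caller can follow up with
 * log_err(), which reports the original error.  "reason" is truncated to
 * the size of idf_reason.
 */
void
fail(const struct connection *conn, const char *reason)
{
	struct iscsi_daemon_fail idf;
	int error, saved_errno;

	saved_errno = errno;

	memset(&idf, 0, sizeof(idf));
	idf.idf_session_id = conn->conn_session_id;
	strlcpy(idf.idf_reason, reason, sizeof(idf.idf_reason));

	error = ioctl(conn->conn_iscsi_fd, ISCSIDFAIL, &idf);
	if (error != 0)
		log_err(1, "ISCSIDFAIL");

	errno = saved_errno;
}

/*
 * XXX: I CANT INTO LATIN
 *
 * Sandbox the process with Capsicum: restrict the iSCSI control descriptor
 * to CAP_IOCTL, restrict the ioctls allowed on it to the commands listed
 * below, then enter capability mode.  The helper's result is checked with
 * cap_sandboxed(); when the process is not sandboxed only a warning is
 * logged and the session continues.
 */
static void
capsicate(struct connection *conn)
{
	cap_rights_t rights;
#ifdef ICL_KERNEL_PROXY
	const unsigned long cmds[] = { ISCSIDCONNECT, ISCSIDSEND, ISCSIDRECEIVE,
	    ISCSIDHANDOFF, ISCSIDFAIL, ISCSISADD, ISCSISREMOVE, ISCSISMODIFY };
#else
	const unsigned long cmds[] = { ISCSIDHANDOFF, ISCSIDFAIL, ISCSISADD,
	    ISCSISREMOVE, ISCSISMODIFY };
#endif

	cap_rights_init(&rights, CAP_IOCTL);
	if (caph_rights_limit(conn->conn_iscsi_fd, &rights) < 0)
		log_err(1, "cap_rights_limit");

	if (caph_ioctls_limit(conn->conn_iscsi_fd, cmds, nitems(cmds)) < 0)
		log_err(1, "cap_ioctls_limit");

	if (caph_enter() != 0)
		log_err(1, "cap_enter");

	if (cap_sandboxed())
		log_debugx("Capsicum capability mode enabled");
	else
		log_warnx("Capsicum capability mode not supported");
}

/*
 * Return true once the session timer armed by set_timeout() has fired.
 */
bool
timed_out(void)
{

	return (sigalrm_received != 0);
}

/*
 * SIGALRM handler.  Restricted to async-signal-safe operations: it writes
 * the flag and, on the second delivery, calls _exit(2).
 */
static void
sigalrm_handler(int dummy __unused)
{
	/*
	 * It would be easiest to just log an error and exit.  We can't
	 * do this, though, because log_errx() is not signal safe, since
	 * it calls syslog(3).  Instead, set a flag checked by pdu_send()
	 * and pdu_receive(), to call log_errx() there.  Should they fail
	 * to notice, we'll exit here one second later.
	 */
	if (sigalrm_received) {
		/*
		 * Oh well.  Just give up and quit.
		 */
		_exit(2);
	}

	sigalrm_received = 1;
}

/*
 * Arm the session timeout: install sigalrm_handler() and start a real-time
 * interval timer.  A timeout of zero or less disables the mechanism, so a
 * stalled login is then never interrupted by this timer.
 */
static void
set_timeout(int timeout)
{
	struct sigaction sa;
	struct itimerval itv;
	int error;

	if (timeout <= 0) {
		log_debugx("session timeout disabled");
		return;
	}

	bzero(&sa, sizeof(sa));
	sa.sa_handler = sigalrm_handler;
	/* Block all other signals while the handler runs. */
	sigfillset(&sa.sa_mask);
	error = sigaction(SIGALRM, &sa, NULL);
	if (error != 0)
		log_err(1, "sigaction");

	/*
	 * First SIGALRM will arrive after "timeout" seconds.
	 * If we do nothing, another one will arrive a second later.
	 */
	bzero(&itv, sizeof(itv));
	itv.it_interval.tv_sec = 1;
	itv.it_value.tv_sec = timeout;

	log_debugx("setting session timeout to %d seconds",
	    timeout);
	error = setitimer(ITIMER_REAL, &itv, NULL);
	if (error != 0)
		log_err(1, "setitimer");
}

static void
sigchld_handler(int dummy __unused)
{

	/*
	 * The only purpose of this handler is to make SIGCHLD
	 * interrupt the ISCSIDWAIT ioctl(2), so we can call
	 * wait_for_children().
	 */
}

/*
 * Install sigchld_handler().  SA_RESTART is deliberately not set, so a
 * blocked ISCSIDWAIT ioctl returns EINTR when a child exits.
 */
static void
register_sigchld(void)
{
	struct sigaction sa;
	int error;

	bzero(&sa, sizeof(sa));
	sa.sa_handler = sigchld_handler;
	sigfillset(&sa.sa_mask);
	error = sigaction(SIGCHLD, &sa, NULL);
	if (error != 0)
		log_err(1, "sigaction");

}

/*
 * Service one request from the kernel, then exit.  Never returns.
 *
 * Order matters: connection_new() resolves names and opens the socket
 * first, then the timeout is armed and the process is sandboxed with
 * capsicate() before login() and discovery() start exchanging data with
 * the target.
 */
static void
handle_request(int iscsi_fd, const struct iscsi_daemon_request *request,
    int timeout)
{
	struct connection *conn;

	log_set_peer_addr(request->idr_conf.isc_target_addr);
	/* Kernel-supplied strings are passed as "%s" arguments only. */
	if (request->idr_conf.isc_target[0] != '\0') {
		log_set_peer_name(request->idr_conf.isc_target);
		setproctitle("%s (%s)", request->idr_conf.isc_target_addr,
		    request->idr_conf.isc_target);
	} else {
		setproctitle("%s", request->idr_conf.isc_target_addr);
	}

	conn = connection_new(iscsi_fd, request);
	set_timeout(timeout);
	capsicate(conn);
	login(conn);
	if (conn->conn_conf.isc_discovery != 0)
		discovery(conn);
	else
		handoff(conn);

	log_debugx("nothing more to do; exiting");
	exit(0);
}

/*
 * Reap terminated children and log how each one ended.
 *
 * With "block" set, the first wait4(2) call blocks until a child exits;
 * all further calls use WNOHANG.  Returns the number of children reaped.
 */
static int
wait_for_children(bool block)
{
	pid_t pid;
	int status;
	int num = 0;

	for (;;) {
		/*
		 * If "block" is true, wait for at least one process.
		 */
		if (block && num == 0)
			pid = wait4(-1, &status, 0, NULL);
		else
			pid = wait4(-1, &status, WNOHANG, NULL);
		if (pid <= 0)
			break;
		if (WIFSIGNALED(status)) {
			log_warnx("child process %d terminated with signal %d",
			    pid, WTERMSIG(status));
		} else if (WEXITSTATUS(status) != 0) {
			log_warnx("child process %d terminated with exit status %d",
			    pid, WEXITSTATUS(status));
		} else {
			log_debugx("child process %d terminated gracefully", pid);
		}
		num++;
	}

	return (num);
}

/*
 * iscsid entry point: parse options, take the pidfile, open the iSCSI
 * control device (loading the "iscsi" module if the device is missing),
 * daemonize unless -d was given, then loop on the ISCSIDWAIT ioctl and fork
 * one child per request.
 *
 * At most "maxproc" children run at once; a maxproc of zero or less removes
 * the limit.  With -d the process does not fork and exits after servicing a
 * single request.
 */
int
main(int argc, char **argv)
{
	int ch, debug = 0, error, iscsi_fd, maxproc = 30, retval, saved_errno,
	    timeout = 60;
	bool dont_daemonize = false;
	struct pidfh *pidfh;
	pid_t pid, otherpid;
	const char *pidfile_path = DEFAULT_PIDFILE;
	struct iscsi_daemon_request request;

	while ((ch = getopt(argc, argv, "P:dl:m:t:")) != -1) {
		switch (ch) {
		case 'P':
			pidfile_path = optarg;
			break;
		case 'd':
			dont_daemonize = true;
			debug++;
			break;
		case 'l':
			debug = parse_int_arg(ch, optarg);
			break;
		case 'm':
			maxproc = parse_int_arg(ch, optarg);
			break;
		case 't':
			timeout = parse_int_arg(ch, optarg);
			break;
		case '?':
		default:
			usage();
		}
	}
	argc -= optind;
	if (argc != 0)
		usage();

	log_init(debug);

	/* The pidfile is created with mode 0600. */
	pidfh = pidfile_open(pidfile_path, 0600, &otherpid);
	if (pidfh == NULL) {
		if (errno == EEXIST)
			log_errx(1, "daemon already running, pid: %jd.",
			    (intmax_t)otherpid);
		log_err(1, "cannot open or create pidfile \"%s\"",
		    pidfile_path);
	}

	iscsi_fd = open(ISCSI_PATH, O_RDWR);
	if (iscsi_fd < 0 && errno == ENOENT) {
		/*
		 * Device node missing: try to load the kernel module and
		 * open again.  If loading fails, report the original open(2)
		 * error rather than the kldload(2) one.
		 */
		saved_errno = errno;
		retval = kldload("iscsi");
		if (retval != -1)
			iscsi_fd = open(ISCSI_PATH, O_RDWR);
		else
			errno = saved_errno;
	}
	if (iscsi_fd < 0)
		log_err(1, "failed to open %s", ISCSI_PATH);

	if (dont_daemonize == false) {
		if (daemon(0, 0) == -1) {
			log_warn("cannot daemonize");
			pidfile_remove(pidfh);
			exit(1);
		}
	}

	/* Not fatal: the daemon still works without a recorded pid. */
	if (pidfile_write(pidfh) != 0)
		log_warn("cannot write pidfile \"%s\"", pidfile_path);

	register_sigchld();

	for (;;) {
		log_debugx("waiting for request from the kernel");

		memset(&request, 0, sizeof(request));
		error = ioctl(iscsi_fd, ISCSIDWAIT, &request);
		if (error != 0) {
			if (errno == EINTR) {
				/* Interrupted by SIGCHLD: reap and retry. */
				nchildren -= wait_for_children(false);
				assert(nchildren >= 0);
				continue;
			}

			log_err(1, "ISCSIDWAIT");
		}

		if (dont_daemonize) {
			log_debugx("not forking due to -d flag; "
			    "will exit after servicing a single request");
		} else {
			nchildren -= wait_for_children(false);
			assert(nchildren >= 0);

			/* Throttle: block until a child slot is free. */
			while (maxproc > 0 && nchildren >= maxproc) {
				log_debugx("maxproc limit of %d child processes hit; "
				    "waiting for child process to exit", maxproc);
				nchildren -= wait_for_children(true);
				assert(nchildren >= 0);
			}
			log_debugx("incoming connection; forking child process #%d",
			    nchildren);
			nchildren++;

			pid = fork();
			if (pid < 0)
				log_err(1, "fork");
			if (pid > 0)
				continue;
		}

		/*
		 * Child (or the -d foreground process): release the pidfile
		 * handle and service the request; handle_request() exits.
		 */
		pidfile_close(pidfh);
		handle_request(iscsi_fd, &request, timeout);
	}

	return (0);
}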