Fix: relayd vs consumerd compatibility
[lttng-tools.git] / src / common / runas.c
1 /*
2 * Copyright (C) 2011 - David Goulet <david.goulet@polymtl.ca>
3 * Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License, version 2 only,
7 * as published by the Free Software Foundation.
8 *
9 * This program is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
12 * more details.
13 *
14 * You should have received a copy of the GNU General Public License along
15 * with this program; if not, write to the Free Software Foundation, Inc.,
16 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
17 */
18
19 #define _LGPL_SOURCE
20 #include <errno.h>
21 #include <limits.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <sys/wait.h>
26 #include <sys/types.h>
27 #include <sys/stat.h>
28 #include <unistd.h>
29 #include <fcntl.h>
30 #include <sched.h>
31 #include <signal.h>
32 #include <assert.h>
33 #include <signal.h>
34
35 #include <common/common.h>
36 #include <common/utils.h>
37 #include <common/compat/getenv.h>
38 #include <common/compat/prctl.h>
39 #include <common/unix.h>
40 #include <common/defaults.h>
41
42 #include "runas.h"
43
44 struct run_as_data;
45 typedef int (*run_as_fct)(struct run_as_data *data);
46
47 struct run_as_mkdir_data {
48 char path[PATH_MAX];
49 mode_t mode;
50 };
51
52 struct run_as_open_data {
53 char path[PATH_MAX];
54 int flags;
55 mode_t mode;
56 };
57
58 struct run_as_unlink_data {
59 char path[PATH_MAX];
60 };
61
62 struct run_as_rmdir_recursive_data {
63 char path[PATH_MAX];
64 };
65
66 enum run_as_cmd {
67 RUN_AS_MKDIR,
68 RUN_AS_OPEN,
69 RUN_AS_UNLINK,
70 RUN_AS_RMDIR_RECURSIVE,
71 RUN_AS_MKDIR_RECURSIVE,
72 };
73
74 struct run_as_data {
75 enum run_as_cmd cmd;
76 union {
77 struct run_as_mkdir_data mkdir;
78 struct run_as_open_data open;
79 struct run_as_unlink_data unlink;
80 struct run_as_rmdir_recursive_data rmdir_recursive;
81 } u;
82 uid_t uid;
83 gid_t gid;
84 };
85
86 struct run_as_ret {
87 int ret;
88 int _errno;
89 };
90
91 struct run_as_worker {
92 pid_t pid; /* Worker PID. */
93 int sockpair[2];
94 char *procname;
95 };
96
97 /* Single global worker per process (for now). */
98 static struct run_as_worker *global_worker;
99 /* Lock protecting the worker. */
100 static pthread_mutex_t worker_lock = PTHREAD_MUTEX_INITIALIZER;
101
102 #ifdef VALGRIND
103 static
104 int use_clone(void)
105 {
106 return 0;
107 }
108 #else
109 static
110 int use_clone(void)
111 {
112 return !lttng_secure_getenv("LTTNG_DEBUG_NOCLONE");
113 }
114 #endif
115
116 LTTNG_HIDDEN
117 int _utils_mkdir_recursive_unsafe(const char *path, mode_t mode);
118
119 /*
120 * Create recursively directory using the FULL path.
121 */
122 static
123 int _mkdir_recursive(struct run_as_data *data)
124 {
125 const char *path;
126 mode_t mode;
127
128 path = data->u.mkdir.path;
129 mode = data->u.mkdir.mode;
130
131 /* Safe to call as we have transitioned to the requested uid/gid. */
132 return _utils_mkdir_recursive_unsafe(path, mode);
133 }
134
135 static
136 int _mkdir(struct run_as_data *data)
137 {
138 return mkdir(data->u.mkdir.path, data->u.mkdir.mode);
139 }
140
141 static
142 int _open(struct run_as_data *data)
143 {
144 return open(data->u.open.path, data->u.open.flags, data->u.open.mode);
145 }
146
147 static
148 int _unlink(struct run_as_data *data)
149 {
150 return unlink(data->u.unlink.path);
151 }
152
153 static
154 int _rmdir_recursive(struct run_as_data *data)
155 {
156 return utils_recursive_rmdir(data->u.rmdir_recursive.path);
157 }
158
159 static
160 run_as_fct run_as_enum_to_fct(enum run_as_cmd cmd)
161 {
162 switch (cmd) {
163 case RUN_AS_MKDIR:
164 return _mkdir;
165 case RUN_AS_OPEN:
166 return _open;
167 case RUN_AS_UNLINK:
168 return _unlink;
169 case RUN_AS_RMDIR_RECURSIVE:
170 return _rmdir_recursive;
171 case RUN_AS_MKDIR_RECURSIVE:
172 return _mkdir_recursive;
173 default:
174 ERR("Unknown command %d", (int) cmd);
175 return NULL;
176 }
177 }
178
179 static
180 int do_send_fd(struct run_as_worker *worker,
181 enum run_as_cmd cmd, int fd)
182 {
183 ssize_t len;
184
185 switch (cmd) {
186 case RUN_AS_OPEN:
187 break;
188 default:
189 return 0;
190 }
191 if (fd < 0) {
192 return 0;
193 }
194 len = lttcomm_send_fds_unix_sock(worker->sockpair[1], &fd, 1);
195 if (len < 0) {
196 PERROR("lttcomm_send_fds_unix_sock");
197 return -1;
198 }
199 if (close(fd) < 0) {
200 PERROR("close");
201 return -1;
202 }
203 return 0;
204 }
205
206 static
207 int do_recv_fd(struct run_as_worker *worker,
208 enum run_as_cmd cmd, int *fd)
209 {
210 ssize_t len;
211
212 switch (cmd) {
213 case RUN_AS_OPEN:
214 break;
215 default:
216 return 0;
217 }
218 if (*fd < 0) {
219 return 0;
220 }
221 len = lttcomm_recv_fds_unix_sock(worker->sockpair[0], fd, 1);
222 if (!len) {
223 return -1;
224 } else if (len < 0) {
225 PERROR("lttcomm_recv_fds_unix_sock");
226 return -1;
227 }
228 return 0;
229 }
230
231 /*
232 * Return < 0 on error, 0 if OK, 1 on hangup.
233 */
234 static
235 int handle_one_cmd(struct run_as_worker *worker)
236 {
237 int ret = 0;
238 struct run_as_data data;
239 ssize_t readlen, writelen;
240 struct run_as_ret sendret;
241 run_as_fct cmd;
242 uid_t prev_euid;
243
244 /* Read data */
245 readlen = lttcomm_recv_unix_sock(worker->sockpair[1], &data,
246 sizeof(data));
247 if (readlen == 0) {
248 /* hang up */
249 ret = 1;
250 goto end;
251 }
252 if (readlen < sizeof(data)) {
253 PERROR("lttcomm_recv_unix_sock error");
254 ret = -1;
255 goto end;
256 }
257
258 cmd = run_as_enum_to_fct(data.cmd);
259 if (!cmd) {
260 ret = -1;
261 goto end;
262 }
263
264 prev_euid = getuid();
265 if (data.gid != getegid()) {
266 ret = setegid(data.gid);
267 if (ret < 0) {
268 PERROR("setegid");
269 goto write_return;
270 }
271 }
272 if (data.uid != prev_euid) {
273 ret = seteuid(data.uid);
274 if (ret < 0) {
275 PERROR("seteuid");
276 goto write_return;
277 }
278 }
279 /*
280 * Also set umask to 0 for mkdir executable bit.
281 */
282 umask(0);
283 ret = (*cmd)(&data);
284
285 write_return:
286 sendret.ret = ret;
287 sendret._errno = errno;
288 /* send back return value */
289 writelen = lttcomm_send_unix_sock(worker->sockpair[1], &sendret,
290 sizeof(sendret));
291 if (writelen < sizeof(sendret)) {
292 PERROR("lttcomm_send_unix_sock error");
293 ret = -1;
294 goto end;
295 }
296 ret = do_send_fd(worker, data.cmd, ret);
297 if (ret) {
298 PERROR("do_send_fd error");
299 ret = -1;
300 goto end;
301 }
302 if (seteuid(prev_euid) < 0) {
303 PERROR("seteuid");
304 ret = -1;
305 goto end;
306 }
307 ret = 0;
308 end:
309 return ret;
310 }
311
312 static
313 int run_as_worker(struct run_as_worker *worker)
314 {
315 int ret;
316 ssize_t writelen;
317 struct run_as_ret sendret;
318 size_t proc_orig_len;
319
320 /*
321 * Initialize worker. Set a different process cmdline.
322 */
323 proc_orig_len = strlen(worker->procname);
324 memset(worker->procname, 0, proc_orig_len);
325 strncpy(worker->procname, DEFAULT_RUN_AS_WORKER_NAME, proc_orig_len);
326
327 ret = lttng_prctl(PR_SET_NAME,
328 (unsigned long) DEFAULT_RUN_AS_WORKER_NAME, 0, 0, 0);
329 if (ret && ret != -ENOSYS) {
330 /* Don't fail as this is not essential. */
331 PERROR("prctl PR_SET_NAME");
332 ret = 0;
333 }
334
335 sendret.ret = 0;
336 sendret._errno = 0;
337 writelen = lttcomm_send_unix_sock(worker->sockpair[1], &sendret,
338 sizeof(sendret));
339 if (writelen < sizeof(sendret)) {
340 PERROR("lttcomm_send_unix_sock error");
341 ret = EXIT_FAILURE;
342 goto end;
343 }
344
345 for (;;) {
346 ret = handle_one_cmd(worker);
347 if (ret < 0) {
348 ret = EXIT_FAILURE;
349 goto end;
350 } else if (ret > 0) {
351 break;
352 } else {
353 continue; /* Next command. */
354 }
355 }
356 ret = EXIT_SUCCESS;
357 end:
358 return ret;
359 }
360
361 static
362 int run_as_cmd(struct run_as_worker *worker,
363 enum run_as_cmd cmd,
364 struct run_as_data *data,
365 uid_t uid, gid_t gid)
366 {
367 ssize_t readlen, writelen;
368 struct run_as_ret recvret;
369
370 /*
371 * If we are non-root, we can only deal with our own uid.
372 */
373 if (geteuid() != 0) {
374 if (uid != geteuid()) {
375 recvret.ret = -1;
376 recvret._errno = EPERM;
377 ERR("Client (%d)/Server (%d) UID mismatch (and sessiond is not root)",
378 (int) uid, (int) geteuid());
379 goto end;
380 }
381 }
382
383 data->cmd = cmd;
384 data->uid = uid;
385 data->gid = gid;
386
387 writelen = lttcomm_send_unix_sock(worker->sockpair[0], data,
388 sizeof(*data));
389 if (writelen < sizeof(*data)) {
390 PERROR("Error writing message to run_as");
391 recvret.ret = -1;
392 recvret._errno = errno;
393 goto end;
394 }
395
396 /* receive return value */
397 readlen = lttcomm_recv_unix_sock(worker->sockpair[0], &recvret,
398 sizeof(recvret));
399 if (!readlen) {
400 ERR("Run-as worker has hung-up during run_as_cmd");
401 recvret.ret = -1;
402 recvret._errno = EIO;
403 goto end;
404 } else if (readlen < sizeof(recvret)) {
405 PERROR("Error reading response from run_as");
406 recvret.ret = -1;
407 recvret._errno = errno;
408 }
409 if (do_recv_fd(worker, cmd, &recvret.ret)) {
410 recvret.ret = -1;
411 recvret._errno = EIO;
412 }
413
414 end:
415 errno = recvret._errno;
416 return recvret.ret;
417 }
418
419 /*
420 * This is for debugging ONLY and should not be considered secure.
421 */
422 static
423 int run_as_noworker(enum run_as_cmd cmd,
424 struct run_as_data *data, uid_t uid, gid_t gid)
425 {
426 int ret, saved_errno;
427 mode_t old_mask;
428 run_as_fct fct;
429
430 fct = run_as_enum_to_fct(cmd);
431 if (!fct) {
432 errno = -ENOSYS;
433 ret = -1;
434 goto end;
435 }
436 old_mask = umask(0);
437 ret = fct(data);
438 saved_errno = errno;
439 umask(old_mask);
440 errno = saved_errno;
441 end:
442 return ret;
443 }
444
445 static
446 int run_as(enum run_as_cmd cmd, struct run_as_data *data, uid_t uid, gid_t gid)
447 {
448 int ret;
449
450 if (use_clone()) {
451 DBG("Using run_as worker");
452 pthread_mutex_lock(&worker_lock);
453 assert(global_worker);
454 ret = run_as_cmd(global_worker, cmd, data, uid, gid);
455 pthread_mutex_unlock(&worker_lock);
456
457 } else {
458 DBG("Using run_as without worker");
459 ret = run_as_noworker(cmd, data, uid, gid);
460 }
461 return ret;
462 }
463
464 LTTNG_HIDDEN
465 int run_as_mkdir_recursive(const char *path, mode_t mode, uid_t uid, gid_t gid)
466 {
467 struct run_as_data data;
468
469 DBG3("mkdir() recursive %s with mode %d for uid %d and gid %d",
470 path, (int) mode, (int) uid, (int) gid);
471 strncpy(data.u.mkdir.path, path, PATH_MAX - 1);
472 data.u.mkdir.path[PATH_MAX - 1] = '\0';
473 data.u.mkdir.mode = mode;
474 return run_as(RUN_AS_MKDIR_RECURSIVE, &data, uid, gid);
475 }
476
477 LTTNG_HIDDEN
478 int run_as_mkdir(const char *path, mode_t mode, uid_t uid, gid_t gid)
479 {
480 struct run_as_data data;
481
482 DBG3("mkdir() %s with mode %d for uid %d and gid %d",
483 path, (int) mode, (int) uid, (int) gid);
484 strncpy(data.u.mkdir.path, path, PATH_MAX - 1);
485 data.u.mkdir.path[PATH_MAX - 1] = '\0';
486 data.u.mkdir.mode = mode;
487 return run_as(RUN_AS_MKDIR, &data, uid, gid);
488 }
489
490 /*
491 * Note: open_run_as is currently not working. We'd need to pass the fd
492 * opened in the child to the parent.
493 */
494 LTTNG_HIDDEN
495 int run_as_open(const char *path, int flags, mode_t mode, uid_t uid, gid_t gid)
496 {
497 struct run_as_data data;
498
499 DBG3("open() %s with flags %X mode %d for uid %d and gid %d",
500 path, flags, (int) mode, (int) uid, (int) gid);
501 strncpy(data.u.open.path, path, PATH_MAX - 1);
502 data.u.open.path[PATH_MAX - 1] = '\0';
503 data.u.open.flags = flags;
504 data.u.open.mode = mode;
505 return run_as(RUN_AS_OPEN, &data, uid, gid);
506 }
507
508 LTTNG_HIDDEN
509 int run_as_unlink(const char *path, uid_t uid, gid_t gid)
510 {
511 struct run_as_data data;
512
513 DBG3("unlink() %s with for uid %d and gid %d",
514 path, (int) uid, (int) gid);
515 strncpy(data.u.unlink.path, path, PATH_MAX - 1);
516 data.u.unlink.path[PATH_MAX - 1] = '\0';
517 return run_as(RUN_AS_UNLINK, &data, uid, gid);
518 }
519
520 LTTNG_HIDDEN
521 int run_as_rmdir_recursive(const char *path, uid_t uid, gid_t gid)
522 {
523 struct run_as_data data;
524
525 DBG3("rmdir_recursive() %s with for uid %d and gid %d",
526 path, (int) uid, (int) gid);
527 strncpy(data.u.rmdir_recursive.path, path, PATH_MAX - 1);
528 data.u.rmdir_recursive.path[PATH_MAX - 1] = '\0';
529 return run_as(RUN_AS_RMDIR_RECURSIVE, &data, uid, gid);
530 }
531
532 static
533 int reset_sighandler(void)
534 {
535 int sig;
536
537 DBG("Resetting run_as worker signal handlers to default");
538 for (sig = 1; sig <= 31; sig++) {
539 (void) signal(sig, SIG_DFL);
540 }
541 return 0;
542 }
543
544 static
545 void worker_sighandler(int sig)
546 {
547 const char *signame;
548
549 /*
550 * The worker will inherit its parent's signals since they are part of
551 * the same process group. However, in the case of SIGINT and SIGTERM,
552 * we want to give the worker a chance to teardown gracefully when its
553 * parent closes the command socket.
554 */
555 switch (sig) {
556 case SIGINT:
557 signame = "SIGINT";
558 break;
559 case SIGTERM:
560 signame = "SIGTERM";
561 break;
562 default:
563 signame = NULL;
564 }
565
566 if (signame) {
567 DBG("run_as worker received signal %s", signame);
568 } else {
569 DBG("run_as_worker received signal %d", sig);
570 }
571 }
572
573 static
574 int set_worker_sighandlers(void)
575 {
576 int ret = 0;
577 sigset_t sigset;
578 struct sigaction sa;
579
580 if ((ret = sigemptyset(&sigset)) < 0) {
581 PERROR("sigemptyset");
582 goto end;
583 }
584
585 sa.sa_handler = worker_sighandler;
586 sa.sa_mask = sigset;
587 sa.sa_flags = 0;
588 if ((ret = sigaction(SIGINT, &sa, NULL)) < 0) {
589 PERROR("sigaction SIGINT");
590 goto end;
591 }
592
593 if ((ret = sigaction(SIGTERM, &sa, NULL)) < 0) {
594 PERROR("sigaction SIGTERM");
595 goto end;
596 }
597
598 DBG("run_as signal handler set for SIGTERM and SIGINT");
599 end:
600 return ret;
601 }
602
603 LTTNG_HIDDEN
604 int run_as_create_worker(char *procname)
605 {
606 pid_t pid;
607 int i, ret = 0;
608 ssize_t readlen;
609 struct run_as_ret recvret;
610 struct run_as_worker *worker;
611
612 pthread_mutex_lock(&worker_lock);
613 assert(!global_worker);
614 if (!use_clone()) {
615 /*
616 * Don't initialize a worker, all run_as tasks will be performed
617 * in the current process.
618 */
619 ret = 0;
620 goto end;
621 }
622 worker = zmalloc(sizeof(*worker));
623 if (!worker) {
624 ret = -ENOMEM;
625 goto end;
626 }
627 worker->procname = procname;
628 /* Create unix socket. */
629 if (lttcomm_create_anon_unix_socketpair(worker->sockpair) < 0) {
630 ret = -1;
631 goto error_sock;
632 }
633 /* Fork worker. */
634 pid = fork();
635 if (pid < 0) {
636 PERROR("fork");
637 ret = -1;
638 goto error_fork;
639 } else if (pid == 0) {
640 /* Child */
641
642 reset_sighandler();
643
644 set_worker_sighandlers();
645
646 /* The child has no use for this lock. */
647 pthread_mutex_unlock(&worker_lock);
648 /* Just close, no shutdown. */
649 if (close(worker->sockpair[0])) {
650 PERROR("close");
651 exit(EXIT_FAILURE);
652 }
653 worker->sockpair[0] = -1;
654 ret = run_as_worker(worker);
655 if (lttcomm_close_unix_sock(worker->sockpair[1])) {
656 PERROR("close");
657 ret = -1;
658 }
659 worker->sockpair[1] = -1;
660 LOG(ret ? PRINT_ERR : PRINT_DBG, "run_as worker exiting (ret = %d)", ret);
661 exit(ret ? EXIT_FAILURE : EXIT_SUCCESS);
662 } else {
663 /* Parent */
664
665 /* Just close, no shutdown. */
666 if (close(worker->sockpair[1])) {
667 PERROR("close");
668 ret = -1;
669 goto error_fork;
670 }
671 worker->sockpair[1] = -1;
672 worker->pid = pid;
673 /* Wait for worker to become ready. */
674 readlen = lttcomm_recv_unix_sock(worker->sockpair[0],
675 &recvret, sizeof(recvret));
676 if (readlen < sizeof(recvret)) {
677 ERR("readlen: %zd", readlen);
678 PERROR("Error reading response from run_as at creation");
679 ret = -1;
680 goto error_fork;
681 }
682 global_worker = worker;
683 }
684 end:
685 pthread_mutex_unlock(&worker_lock);
686 return ret;
687
688 /* Error handling. */
689 error_fork:
690 for (i = 0; i < 2; i++) {
691 if (worker->sockpair[i] < 0) {
692 continue;
693 }
694 if (lttcomm_close_unix_sock(worker->sockpair[i])) {
695 PERROR("close");
696 }
697 worker->sockpair[i] = -1;
698 }
699 error_sock:
700 free(worker);
701 pthread_mutex_unlock(&worker_lock);
702 return ret;
703 }
704
705 LTTNG_HIDDEN
706 void run_as_destroy_worker(void)
707 {
708 struct run_as_worker *worker = global_worker;
709
710 DBG("Destroying run_as worker");
711 pthread_mutex_lock(&worker_lock);
712 if (!worker) {
713 goto end;
714 }
715 /* Close unix socket */
716 DBG("Closing run_as worker socket");
717 if (lttcomm_close_unix_sock(worker->sockpair[0])) {
718 PERROR("close");
719 }
720 worker->sockpair[0] = -1;
721 /* Wait for worker. */
722 for (;;) {
723 int status;
724 pid_t wait_ret;
725
726 wait_ret = waitpid(worker->pid, &status, 0);
727 if (wait_ret < 0) {
728 if (errno == EINTR) {
729 continue;
730 }
731 PERROR("waitpid");
732 break;
733 }
734
735 if (WIFEXITED(status)) {
736 LOG(WEXITSTATUS(status) == 0 ? PRINT_DBG : PRINT_ERR,
737 DEFAULT_RUN_AS_WORKER_NAME " terminated with status code %d",
738 WEXITSTATUS(status));
739 break;
740 } else if (WIFSIGNALED(status)) {
741 ERR(DEFAULT_RUN_AS_WORKER_NAME " was killed by signal %d",
742 WTERMSIG(status));
743 break;
744 }
745 }
746 free(worker);
747 global_worker = NULL;
748 end:
749 pthread_mutex_unlock(&worker_lock);
750 }
This page took 0.050176 seconds and 4 git commands to generate.