2 * Copyright (c) 2013 The FreeBSD Foundation
5 * This software was developed by Pawel Jakub Dawidek under sponsorship from
6 * the FreeBSD Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
33 #include <sys/types.h>
34 #include <sys/capsicum.h>
35 #include <sys/queue.h>
36 #include <sys/socket.h>
52 #include <libcapsicum.h>
53 #include <libcasper.h>
54 #include <libcasper_impl.h>
59 * Currently there is only one service_connection per service.
60 * In the future we may want multiple connections from multiple clients
61 * per one service instance, but it has to be carefully designed.
62 * The problem is that we may restrict/sandbox service instance according
63 * to the limits provided. When new connection comes in with different
64 * limits we won't be able to access requested resources.
66 * Not to mention one process will serve multiple mutually untrusted
66 * clients and compromise of this service instance by one of its clients
67 * can lead to compromise of the other clients.
71 * Client connections to the given service.
73 #define SERVICE_CONNECTION_MAGIC 0x5e91c0ec
74 struct service_connection {
76 cap_channel_t *sc_chan;
78 TAILQ_ENTRY(service_connection) sc_next;
81 #define SERVICE_MAGIC 0x5e91ce
85 service_limit_func_t *s_limit;
86 service_command_func_t *s_command;
87 TAILQ_HEAD(, service_connection) s_connections;
/*
 * Allocate a service descriptor for "name" bound to the given limit and
 * command callbacks.  Several lines of this function (the malloc() failure
 * path, the strdup() failure body and the final return) are elided in this
 * listing; only what is visible is described below.
 */
91 service_alloc(const char *name, service_limit_func_t *limitfunc,
92 service_command_func_t *commandfunc)
94 struct service *service;
96 service = malloc(sizeof(*service));
/* NOTE(review): the NULL check for malloc() is not visible here — confirm it precedes the write to s_name. */
99 service->s_name = strdup(name);
100 if (service->s_name == NULL) {
104 service->s_limit = limitfunc;
105 service->s_command = commandfunc;
/* Start with no client connections; service_connection_add() appends to this list. */
106 TAILQ_INIT(&service->s_connections);
/* The magic value lets the other entry points assert they were handed a live service. */
107 service->s_magic = SERVICE_MAGIC;
/*
 * Tear down a service: drop every client connection, then release the name.
 * The return type and the closing lines (including the free() of the
 * service structure itself) are elided in this listing.
 */
113 service_free(struct service *service)
115 struct service_connection *sconn;
117 PJDLOG_ASSERT(service->s_magic == SERVICE_MAGIC);
/* Clear the magic first so a stale pointer to this service trips the asserts above. */
119 service->s_magic = 0;
/* Each removal unlinks the head entry, so the loop terminates once the list is empty. */
120 while ((sconn = service_connection_first(service)) != NULL)
121 service_connection_remove(service, sconn);
122 free(service->s_name);
/*
 * Register a new client connection on "sock" for the service, optionally
 * carrying a private copy of "limits".  Returns the new connection, or NULL
 * on failure (the NULL-return lines themselves are elided in this listing).
 * On the visible failure path the socket is unwrapped rather than closed,
 * so the caller keeps ownership of "sock" when NULL is returned.
 */
126 struct service_connection *
127 service_connection_add(struct service *service, int sock,
128 const nvlist_t *limits)
130 struct service_connection *sconn;
133 PJDLOG_ASSERT(service->s_magic == SERVICE_MAGIC);
135 sconn = malloc(sizeof(*sconn));
137 pjdlog_error("Unable to allocate memory for service connection.");
/* Wrap the raw socket in a capability channel; all later I/O goes through sc_chan. */
140 sconn->sc_chan = cap_wrap(sock);
141 if (sconn->sc_chan == NULL) {
143 pjdlog_error("Unable to wrap communication channel.");
/* A NULL limits argument means "no limits recorded", not "empty limits". */
148 if (limits == NULL) {
149 sconn->sc_limits = NULL;
/* The connection owns its own copy so the caller's nvlist can be freed independently. */
151 sconn->sc_limits = nvlist_clone(limits);
152 if (sconn->sc_limits == NULL) {
154 pjdlog_error("Unable to clone limits.");
/* Unwrap (not close): the descriptor still belongs to the caller on this path. */
155 (void)cap_unwrap(sconn->sc_chan);
161 sconn->sc_magic = SERVICE_CONNECTION_MAGIC;
162 TAILQ_INSERT_TAIL(&service->s_connections, sconn, sc_next);
/*
 * Unlink a connection from its service and release what it owns: the
 * limits nvlist and the capability channel.  The return type and the
 * trailing lines (presumably the free() of sconn) are elided in this listing.
 */
167 service_connection_remove(struct service *service,
168 struct service_connection *sconn)
171 PJDLOG_ASSERT(service->s_magic == SERVICE_MAGIC);
172 PJDLOG_ASSERT(sconn->sc_magic == SERVICE_CONNECTION_MAGIC);
174 TAILQ_REMOVE(&service->s_connections, sconn, sc_next);
/* sc_limits may be NULL (see service_connection_add); nvlist_destroy() is expected to tolerate that — confirm. */
176 nvlist_destroy(sconn->sc_limits);
/* Unlike the failure path in service_connection_add(), this closes the channel rather than unwrapping it. */
177 cap_close(sconn->sc_chan);
/*
 * Create a second connection to the same service instance.  A socketpair is
 * created, one end is registered as a new connection that inherits the
 * limits of "sconn", and the other end is handed back to the caller
 * (service_message() later passes it to the client).  The declaration of
 * sock[], the socketpair() failure path and the return are elided here.
 * Because the clone inherits the existing limits, it can never be less
 * restricted than the connection it was cloned from.
 */
182 service_connection_clone(struct service *service,
183 struct service_connection *sconn)
185 struct service_connection *newsconn;
188 if (socketpair(PF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, 0, sock) < 0)
191 newsconn = service_connection_add(service, sock[0],
192 service_connection_get_limits(sconn));
/* NOTE(review): on this failure path both socketpair ends need closing — the body is elided, confirm sock[1] is closed too. */
193 if (newsconn == NULL) {
/*
 * Return the first connection of a service, or NULL if it has none.
 * Used as the start point of the iteration loops in service_start().
 */
204 struct service_connection *
205 service_connection_first(struct service *service)
207 struct service_connection *sconn;
209 PJDLOG_ASSERT(service->s_magic == SERVICE_MAGIC);
211 sconn = TAILQ_FIRST(&service->s_connections);
/* NULL is a valid result; anything else must be a live, magic-tagged connection. */
212 PJDLOG_ASSERT(sconn == NULL ||
213 sconn->sc_magic == SERVICE_CONNECTION_MAGIC);
/*
 * Return the connection following "sconn" in its service's list, or NULL at
 * the end of the list.
 */
217 struct service_connection *
218 service_connection_next(struct service_connection *sconn)
221 PJDLOG_ASSERT(sconn->sc_magic == SERVICE_CONNECTION_MAGIC);
223 sconn = TAILQ_NEXT(sconn, sc_next);
/* NULL is a valid result; anything else must be a live, magic-tagged connection. */
224 PJDLOG_ASSERT(sconn == NULL ||
225 sconn->sc_magic == SERVICE_CONNECTION_MAGIC);
/* Accessor: the capability channel used for all I/O with this client. */
230 service_connection_get_chan(const struct service_connection *sconn)
233 PJDLOG_ASSERT(sconn->sc_magic == SERVICE_CONNECTION_MAGIC);
235 return (sconn->sc_chan);
/* Accessor: the underlying socket descriptor, as needed by select()/FD_SET. */
239 service_connection_get_sock(const struct service_connection *sconn)
242 PJDLOG_ASSERT(sconn->sc_magic == SERVICE_CONNECTION_MAGIC);
244 return (cap_sock(sconn->sc_chan));
/*
 * Accessor: the limits currently applied to this connection (may be NULL).
 * The nvlist stays owned by the connection; callers must not destroy it.
 */
248 service_connection_get_limits(const struct service_connection *sconn)
251 PJDLOG_ASSERT(sconn->sc_magic == SERVICE_CONNECTION_MAGIC);
253 return (sconn->sc_limits);
/*
 * Replace the connection's limits.  Ownership of the new nvlist passes to
 * the connection and the previous one is destroyed.  The parameter line
 * declaring "limits" is elided in this listing.
 */
257 service_connection_set_limits(struct service_connection *sconn,
261 PJDLOG_ASSERT(sconn->sc_magic == SERVICE_CONNECTION_MAGIC);
263 nvlist_destroy(sconn->sc_limits);
264 sconn->sc_limits = limits;
/*
 * Handle a "connection" message from Casper: the descriptor carried in the
 * "sock" field becomes a new client connection of this service.
 *
 * NOTE(review): as rendered here the call does not match the definition of
 * service_connection_add() above — it is passed &service->s_connections
 * where a struct service * is expected, and only two arguments where the
 * definition takes (service, sock, limits).  The return value is also not
 * checked, and the descriptor is obtained with nvlist_get_descriptor(),
 * which by its name presumably leaves ownership with nvl — confirm against
 * the full file whether nvlist_take_descriptor() and a NULL check are intended.
 */
269 casper_message_connection(struct service *service, const nvlist_t *nvl)
272 service_connection_add(&service->s_connections,
273 nvlist_get_descriptor(nvl, "sock"));
/*
 * Receive and dispatch one message arriving on the Casper channel.  A
 * receive failure is fatal (pjdlog_exit), and any command other than
 * "connection" aborts the process.  Local declarations and the closing
 * lines (including where nvl is destroyed) are elided in this listing.
 */
277 casper_message(const cap_channel_t *capcas, struct service *service)
282 nvl = cap_recv_nvlist(capcas);
284 pjdlog_exit(1, "Unable to receive message from Casper");
285 cmd = nvlist_get_string(nvl, "cmd");
286 if (strcmp(cmd, "connection") == 0)
287 casper_message_connection(service, nvl);
/* Only one command is defined on this channel; anything else is a protocol violation, not a client error. */
289 PJDLOG_ABORT("Unknown command from Casper: %s.", cmd);
/*
 * Receive one request from a client connection, execute it and send the
 * reply.  Built-in commands ("limit_set", "limit_get", "clone") are handled
 * here; everything else is delegated to the service's s_command callback.
 * On a receive or send failure the connection is removed.  Several
 * declarations, braces and early returns are elided in this listing.
 */
294 service_message(struct service *service, struct service_connection *sconn)
296 nvlist_t *nvlin, *nvlout;
300 nvlin = cap_recv_nvlist(service_connection_get_chan(sconn));
/* ENOTCONN is the orderly-shutdown case and is logged at debug level only. */
302 if (errno == ENOTCONN) {
303 pjdlog_debug(1, "Connection closed by the client.");
305 pjdlog_errno(LOG_ERR,
306 "Unable to receive message from client");
/* Either way the connection is dropped; the function returns after this (return elided). */
308 service_connection_remove(service, sconn);
313 nvlout = nvlist_create(0);
/* cmd is client-controlled; what nvlist_get_string() does when "cmd" is absent depends on libnv — confirm. */
315 cmd = nvlist_get_string(nvlin, "cmd");
316 pjdlog_debug(1, "Command received from client: %s.", cmd);
/* Debug aid: at level >= 2 the full client request is dumped to stderr. */
317 if (pjdlog_debug_get() >= 2)
318 nvlist_fdump(nvlin, stderr);
319 if (strcmp(cmd, "limit_set") == 0) {
/* Take ownership of the proposed limits out of the request. */
322 nvllim = nvlist_take_nvlist(nvlin, "limits");
/* The service's limit callback validates the proposed limits against the current ones (visible first argument). */
323 error = service->s_limit(service_connection_get_limits(sconn),
/* Only validated limits are installed; set_limits() takes ownership of nvllim. */
326 service_connection_set_limits(sconn, nvllim);
327 /* Function consumes nvllim. */
/* Rejected limits are discarded here and the error code is reported back below. */
329 nvlist_destroy(nvllim);
331 } else if (strcmp(cmd, "limit_get") == 0) {
332 const nvlist_t *nvllim;
334 nvllim = service_connection_get_limits(sconn);
/* nvlist_add_nvlist() copies, so the connection keeps ownership of its limits. */
336 nvlist_add_nvlist(nvlout, "limits", nvllim);
/* No limits recorded: report an explicit null rather than omitting the key. */
338 nvlist_add_null(nvlout, "limits");
340 } else if (strcmp(cmd, "clone") == 0) {
/* The clone inherits this connection's limits (see service_connection_clone()). */
343 sock = service_connection_clone(service, sconn);
/* Move (not copy) the descriptor into the reply so it is sent to the client; the failure check is elided here. */
347 nvlist_move_descriptor(nvlout, "sock", sock);
/* Service-specific commands: the callback sees the current limits alongside the request. */
351 error = service->s_command(cmd,
352 service_connection_get_limits(sconn), nvlin, nvlout);
355 nvlist_destroy(nvlin);
356 nvlist_add_number(nvlout, "error", (uint64_t)error);
357 pjdlog_debug(1, "Sending reply to client (error=%d).", error);
358 if (pjdlog_debug_get() >= 2)
359 nvlist_fdump(nvlout, stderr);
361 if (cap_send_nvlist(service_connection_get_chan(sconn), nvlout) == -1) {
362 pjdlog_errno(LOG_ERR, "Unable to send message to client");
363 service_connection_remove(service, sconn);
366 nvlist_destroy(nvlout);
/*
 * Helper for building the select() set: records fd in *fdsp (the FD_SET
 * line is elided in this listing) and returns the running maximum
 * descriptor.  The caller asserts the result stays below FD_SETSIZE.
 */
370 fd_add(fd_set *fdsp, int maxfd, int fd)
374 return (fd > maxfd ? fd : maxfd);
378 service_start(const char *name, int sock, service_limit_func_t *limitfunc,
379 service_command_func_t *commandfunc, int argc, char *argv[])
381 struct service *service;
382 struct service_connection *sconn, *sconntmp;
384 int maxfd, nfds, serrno;
388 pjdlog_init(PJDLOG_MODE_STD);
389 pjdlog_debug_set(atoi(argv[1]));
391 service = service_alloc(name, limitfunc, commandfunc);
394 if (service_connection_add(service, sock, NULL) == NULL) {
396 service_free(service);
403 for (sconn = service_connection_first(service); sconn != NULL;
404 sconn = service_connection_next(sconn)) {
405 maxfd = fd_add(&fds, maxfd,
406 service_connection_get_sock(sconn));
409 PJDLOG_ASSERT(maxfd >= 0);
410 PJDLOG_ASSERT(maxfd + 1 <= (int)FD_SETSIZE);
411 nfds = select(maxfd + 1, &fds, NULL, NULL, NULL);
414 pjdlog_errno(LOG_ERR, "select() failed");
416 } else if (nfds == 0) {
418 PJDLOG_ABORT("select() timeout");
422 for (sconn = service_connection_first(service); sconn != NULL;
425 * Prepare for connection to be removed from the list
428 sconntmp = service_connection_next(sconn);
429 if (FD_ISSET(service_connection_get_sock(sconn), &fds))
430 service_message(service, sconn);
432 if (service_connection_first(service) == NULL) {
434 * No connections left, exiting.