2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2009, 2016 Robert N. M. Watson
7 * This software was developed at the University of Cambridge Computer
8 * Laboratory with support from a grant from Google, Inc.
10 * Portions of this software were developed by BAE Systems, the University of
11 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
12 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
13 * Computing (TC) research program.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * FreeBSD process descriptor facility.
40 * Some processes are represented by a file descriptor, which will be used in
41 * preference to signaling and pids for the purposes of process management,
42 * and is, in effect, a form of capability. When a process descriptor is
43 * used with a process, it ceases to be visible to certain traditional UNIX
44 * process facilities, such as waitpid(2).
48 * - At most one process descriptor will exist for any process, although
49 * references to that descriptor may be held from many processes (or even
50 * be in flight between processes over a local domain socket).
51 * - Last close on the process descriptor will terminate the process using
52 * SIGKILL and reparent it to init so that there's a process to reap it
53 * when it's done exiting.
54 * - If the process exits before the descriptor is closed, it will not
55 * generate SIGCHLD on termination, or be picked up by waitpid().
56 * - The pdkill(2) system call may be used to deliver a signal to the process
57 * using its process descriptor.
58 * - The pdwait4(2) system call may be used to block (or not) on a process
59 * descriptor to collect termination information.
63 * - Will we want to add a pidtoprocdesc(2) system call to allow process
64 * descriptors to be created for processes without pdfork(2)?
67 #include <sys/cdefs.h>
68 __FBSDID("$FreeBSD$");
70 #include <sys/param.h>
71 #include <sys/capsicum.h>
72 #include <sys/fcntl.h>
74 #include <sys/filedesc.h>
75 #include <sys/kernel.h>
77 #include <sys/mutex.h>
80 #include <sys/procdesc.h>
81 #include <sys/resourcevar.h>
83 #include <sys/sysproto.h>
84 #include <sys/sysctl.h>
85 #include <sys/systm.h>
86 #include <sys/ucred.h>
89 #include <security/audit/audit.h>
93 FEATURE(process_descriptors, "Process Descriptors");
95 MALLOC_DEFINE(M_PROCDESC, "procdesc", "process descriptors");
97 static fo_poll_t procdesc_poll;
98 static fo_kqfilter_t procdesc_kqfilter;
99 static fo_stat_t procdesc_stat;
100 static fo_close_t procdesc_close;
101 static fo_fill_kinfo_t procdesc_fill_kinfo;
103 static struct fileops procdesc_ops = {
104 .fo_read = invfo_rdwr,
105 .fo_write = invfo_rdwr,
106 .fo_truncate = invfo_truncate,
107 .fo_ioctl = invfo_ioctl,
108 .fo_poll = procdesc_poll,
109 .fo_kqfilter = procdesc_kqfilter,
110 .fo_stat = procdesc_stat,
111 .fo_close = procdesc_close,
112 .fo_chmod = invfo_chmod,
113 .fo_chown = invfo_chown,
114 .fo_sendfile = invfo_sendfile,
115 .fo_fill_kinfo = procdesc_fill_kinfo,
116 .fo_flags = DFLAG_PASSABLE,
120 * Return a locked process given a process descriptor, or ESRCH if it has
124 procdesc_find(struct thread *td, int fd, cap_rights_t *rightsp,
131 error = fget(td, fd, rightsp, &fp);
134 if (fp->f_type != DTYPE_PROCDESC) {
139 sx_slock(&proctree_lock);
140 if (pd->pd_proc != NULL) {
145 sx_sunlock(&proctree_lock);
152 * Function to be used by procstat(1) sysctls when returning procdesc
156 procdesc_pid(struct file *fp_procdesc)
160 KASSERT(fp_procdesc->f_type == DTYPE_PROCDESC,
161 ("procdesc_pid: !procdesc"));
163 pd = fp_procdesc->f_data;
168 * Retrieve the PID associated with a process descriptor.
171 kern_pdgetpid(struct thread *td, int fd, cap_rights_t *rightsp, pid_t *pidp)
176 error = fget(td, fd, rightsp, &fp);
179 if (fp->f_type != DTYPE_PROCDESC) {
183 *pidp = procdesc_pid(fp);
190 * System call to return the pid of a process given its process descriptor.
193 sys_pdgetpid(struct thread *td, struct pdgetpid_args *uap)
198 AUDIT_ARG_FD(uap->fd);
199 error = kern_pdgetpid(td, uap->fd, &cap_pdgetpid_rights, &pid);
201 error = copyout(&pid, uap->pidp, sizeof(pid));
206 * When a new process is forked by pdfork(), a file descriptor is allocated
207 * by the fork code first, then the process is forked, and then we get a
208 * chance to set up the process descriptor. Failure is not permitted at this
209 * point, so procdesc_new() must succeed.
212 procdesc_new(struct proc *p, int flags)
216 pd = malloc(sizeof(*pd), M_PROCDESC, M_WAITOK | M_ZERO);
218 pd->pd_pid = p->p_pid;
221 if (flags & PD_DAEMON)
222 pd->pd_flags |= PDF_DAEMON;
223 PROCDESC_LOCK_INIT(pd);
224 knlist_init_mtx(&pd->pd_selinfo.si_note, &pd->pd_lock);
227 * Process descriptors start out with two references: one from their
228 * struct file, and the other from their struct proc.
230 refcount_init(&pd->pd_refcount, 2);
234 * Create a new process decriptor for the process that refers to it.
237 procdesc_falloc(struct thread *td, struct file **resultfp, int *resultfd,
238 int flags, struct filecaps *fcaps)
243 if (flags & PD_CLOEXEC)
246 return (falloc_caps(td, resultfp, resultfd, fflags, fcaps));
250 * Initialize a file with a process descriptor.
253 procdesc_finit(struct procdesc *pdp, struct file *fp)
256 finit(fp, FREAD | FWRITE, DTYPE_PROCDESC, pdp, &procdesc_ops);
260 procdesc_free(struct procdesc *pd)
264 * When the last reference is released, we assert that the descriptor
265 * has been closed, but not that the process has exited, as we will
266 * detach the descriptor before the process dies if the descript is
267 * closed, as we can't wait synchronously.
269 if (refcount_release(&pd->pd_refcount)) {
270 KASSERT(pd->pd_proc == NULL,
271 ("procdesc_free: pd_proc != NULL"));
272 KASSERT((pd->pd_flags & PDF_CLOSED),
273 ("procdesc_free: !PDF_CLOSED"));
275 knlist_destroy(&pd->pd_selinfo.si_note);
276 PROCDESC_LOCK_DESTROY(pd);
277 free(pd, M_PROCDESC);
282 * procdesc_exit() - notify a process descriptor that its process is exiting.
283 * We use the proctree_lock to ensure that process exit either happens
284 * strictly before or strictly after a concurrent call to procdesc_close().
287 procdesc_exit(struct proc *p)
291 sx_assert(&proctree_lock, SA_XLOCKED);
292 PROC_LOCK_ASSERT(p, MA_OWNED);
293 KASSERT(p->p_procdesc != NULL, ("procdesc_exit: p_procdesc NULL"));
298 KASSERT((pd->pd_flags & PDF_CLOSED) == 0 || p->p_pptr == p->p_reaper,
299 ("procdesc_exit: closed && parent not reaper"));
301 pd->pd_flags |= PDF_EXITED;
302 pd->pd_xstat = KW_EXITCODE(p->p_xexit, p->p_xsig);
305 * If the process descriptor has been closed, then we have nothing
306 * to do; return 1 so that init will get SIGCHLD and do the reaping.
307 * Clean up the procdesc now rather than letting it happen during
310 if (pd->pd_flags & PDF_CLOSED) {
313 p->p_procdesc = NULL;
317 if (pd->pd_flags & PDF_SELECTED) {
318 pd->pd_flags &= ~PDF_SELECTED;
319 selwakeup(&pd->pd_selinfo);
321 KNOTE_LOCKED(&pd->pd_selinfo.si_note, NOTE_EXIT);
327 * When a process descriptor is reaped, perhaps as a result of close() or
328 * pdwait4(), release the process's reference on the process descriptor.
331 procdesc_reap(struct proc *p)
335 sx_assert(&proctree_lock, SA_XLOCKED);
336 KASSERT(p->p_procdesc != NULL, ("procdesc_reap: p_procdesc == NULL"));
340 p->p_procdesc = NULL;
345 * procdesc_close() - last close on a process descriptor. If the process is
346 * still running, terminate with SIGKILL (unless PDF_DAEMON is set) and let
347 * its reaper clean up the mess; if not, we have to clean up the zombie
351 procdesc_close(struct file *fp, struct thread *td)
356 KASSERT(fp->f_type == DTYPE_PROCDESC, ("procdesc_close: !procdesc"));
359 fp->f_ops = &badfileops;
362 sx_xlock(&proctree_lock);
364 pd->pd_flags |= PDF_CLOSED;
369 * This is the case where process' exit status was already
370 * collected and procdesc_reap() was already called.
372 sx_xunlock(&proctree_lock);
375 AUDIT_ARG_PROCESS(p);
376 if (p->p_state == PRS_ZOMBIE) {
378 * If the process is already dead and just awaiting
379 * reaping, do that now. This will release the
380 * process's reference to the process descriptor when it
381 * calls back into procdesc_reap().
383 proc_reap(curthread, p, NULL, 0);
386 * If the process is not yet dead, we need to kill it,
387 * but we can't wait around synchronously for it to go
388 * away, as that path leads to madness (and deadlocks).
389 * First, detach the process from its descriptor so that
390 * its exit status will be reported normally.
393 p->p_procdesc = NULL;
397 * Next, reparent it to its reaper (usually init(8)) so
398 * that there's someone to pick up the pieces; finally,
399 * terminate with prejudice.
401 p->p_sigparent = SIGCHLD;
402 if ((p->p_flag & P_TRACED) == 0) {
403 proc_reparent(p, p->p_reaper, true);
405 proc_clear_orphan(p);
406 p->p_oppid = p->p_reaper->p_pid;
407 proc_add_orphan(p, p->p_reaper);
409 if ((pd->pd_flags & PDF_DAEMON) == 0)
410 kern_psignal(p, SIGKILL);
412 sx_xunlock(&proctree_lock);
417 * Release the file descriptor's reference on the process descriptor.
424 procdesc_poll(struct file *fp, int events, struct ucred *active_cred,
433 if (pd->pd_flags & PDF_EXITED)
436 selrecord(td, &pd->pd_selinfo);
437 pd->pd_flags |= PDF_SELECTED;
444 procdesc_kqops_detach(struct knote *kn)
448 pd = kn->kn_fp->f_data;
449 knlist_remove(&pd->pd_selinfo.si_note, kn, 0);
453 procdesc_kqops_event(struct knote *kn, long hint)
458 pd = kn->kn_fp->f_data;
461 * Initial test after registration. Generate a NOTE_EXIT in
462 * case the process already terminated before registration.
464 event = pd->pd_flags & PDF_EXITED ? NOTE_EXIT : 0;
466 /* Mask off extra data. */
467 event = (u_int)hint & NOTE_PCTRLMASK;
470 /* If the user is interested in this event, record it. */
471 if (kn->kn_sfflags & event)
472 kn->kn_fflags |= event;
474 /* Process is gone, so flag the event as finished. */
475 if (event == NOTE_EXIT) {
476 kn->kn_flags |= EV_EOF | EV_ONESHOT;
477 if (kn->kn_fflags & NOTE_EXIT)
478 kn->kn_data = pd->pd_xstat;
479 if (kn->kn_fflags == 0)
480 kn->kn_flags |= EV_DROP;
484 return (kn->kn_fflags != 0);
487 static struct filterops procdesc_kqops = {
489 .f_detach = procdesc_kqops_detach,
490 .f_event = procdesc_kqops_event,
494 procdesc_kqfilter(struct file *fp, struct knote *kn)
499 switch (kn->kn_filter) {
500 case EVFILT_PROCDESC:
501 kn->kn_fop = &procdesc_kqops;
502 kn->kn_flags |= EV_CLEAR;
503 knlist_add(&pd->pd_selinfo.si_note, kn, 0);
511 procdesc_stat(struct file *fp, struct stat *sb, struct ucred *active_cred,
515 struct timeval pstart, boottime;
518 * XXXRW: Perhaps we should cache some more information from the
519 * process so that we can return it reliably here even after it has
520 * died. For example, caching its credential data.
522 bzero(sb, sizeof(*sb));
524 sx_slock(&proctree_lock);
525 if (pd->pd_proc != NULL) {
526 PROC_LOCK(pd->pd_proc);
527 AUDIT_ARG_PROCESS(pd->pd_proc);
529 /* Set birth and [acm] times to process start time. */
530 pstart = pd->pd_proc->p_stats->p_start;
531 getboottime(&boottime);
532 timevaladd(&pstart, &boottime);
533 TIMEVAL_TO_TIMESPEC(&pstart, &sb->st_birthtim);
534 sb->st_atim = sb->st_birthtim;
535 sb->st_ctim = sb->st_birthtim;
536 sb->st_mtim = sb->st_birthtim;
537 if (pd->pd_proc->p_state != PRS_ZOMBIE)
538 sb->st_mode = S_IFREG | S_IRWXU;
540 sb->st_mode = S_IFREG;
541 sb->st_uid = pd->pd_proc->p_ucred->cr_ruid;
542 sb->st_gid = pd->pd_proc->p_ucred->cr_rgid;
543 PROC_UNLOCK(pd->pd_proc);
545 sb->st_mode = S_IFREG;
546 sx_sunlock(&proctree_lock);
551 procdesc_fill_kinfo(struct file *fp, struct kinfo_file *kif,
552 struct filedesc *fdp)
554 struct procdesc *pdp;
556 kif->kf_type = KF_TYPE_PROCDESC;
558 kif->kf_un.kf_proc.kf_pid = pdp->pd_pid;
projects / FreeBSD / FreeBSD.git / blob