2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2009, 2016 Robert N. M. Watson
7 * This software was developed at the University of Cambridge Computer
8 * Laboratory with support from a grant from Google, Inc.
10 * Portions of this software were developed by BAE Systems, the University of
11 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
12 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
13 * Computing (TC) research program.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * FreeBSD process descriptor facility.
40 * Some processes are represented by a file descriptor, which will be used in
41 * preference to signaling and pids for the purposes of process management,
42 * and is, in effect, a form of capability. When a process descriptor is
43 * used with a process, it ceases to be visible to certain traditional UNIX
44 * process facilities, such as waitpid(2).
48 * - At most one process descriptor will exist for any process, although
49 * references to that descriptor may be held from many processes (or even
50 * be in flight between processes over a local domain socket).
51 * - Last close on the process descriptor will terminate the process using
52 * SIGKILL and reparent it to init so that there's a process to reap it
53 * when it's done exiting.
54 * - If the process exits before the descriptor is closed, it will not
55 * generate SIGCHLD on termination, or be picked up by waitpid().
56 * - The pdkill(2) system call may be used to deliver a signal to the process
57 * using its process descriptor.
58 * - The pdwait4(2) system call may be used to block (or not) on a process
59 * descriptor to collect termination information.
63 * - Will we want to add a pidtoprocdesc(2) system call to allow process
64 * descriptors to be created for processes without pdfork(2)?
67 #include <sys/cdefs.h>
68 #include <sys/param.h>
69 #include <sys/capsicum.h>
70 #include <sys/fcntl.h>
72 #include <sys/filedesc.h>
73 #include <sys/kernel.h>
75 #include <sys/mutex.h>
78 #include <sys/procdesc.h>
79 #include <sys/resourcevar.h>
81 #include <sys/sysproto.h>
82 #include <sys/sysctl.h>
83 #include <sys/systm.h>
84 #include <sys/ucred.h>
87 #include <security/audit/audit.h>
91 FEATURE(process_descriptors, "Process Descriptors");
93 MALLOC_DEFINE(M_PROCDESC, "procdesc", "process descriptors");
95 static fo_poll_t procdesc_poll;
96 static fo_kqfilter_t procdesc_kqfilter;
97 static fo_stat_t procdesc_stat;
98 static fo_close_t procdesc_close;
99 static fo_fill_kinfo_t procdesc_fill_kinfo;
101 static struct fileops procdesc_ops = {
102 .fo_read = invfo_rdwr,
103 .fo_write = invfo_rdwr,
104 .fo_truncate = invfo_truncate,
105 .fo_ioctl = invfo_ioctl,
106 .fo_poll = procdesc_poll,
107 .fo_kqfilter = procdesc_kqfilter,
108 .fo_stat = procdesc_stat,
109 .fo_close = procdesc_close,
110 .fo_chmod = invfo_chmod,
111 .fo_chown = invfo_chown,
112 .fo_sendfile = invfo_sendfile,
113 .fo_fill_kinfo = procdesc_fill_kinfo,
114 .fo_flags = DFLAG_PASSABLE,
118 * Return a locked process given a process descriptor, or ESRCH if it has
122 procdesc_find(struct thread *td, int fd, cap_rights_t *rightsp,
129 error = fget(td, fd, rightsp, &fp);
132 if (fp->f_type != DTYPE_PROCDESC) {
137 sx_slock(&proctree_lock);
138 if (pd->pd_proc != NULL) {
143 sx_sunlock(&proctree_lock);
150 * Function to be used by procstat(1) sysctls when returning procdesc
154 procdesc_pid(struct file *fp_procdesc)
158 KASSERT(fp_procdesc->f_type == DTYPE_PROCDESC,
159 ("procdesc_pid: !procdesc"));
161 pd = fp_procdesc->f_data;
166 * Retrieve the PID associated with a process descriptor.
169 kern_pdgetpid(struct thread *td, int fd, cap_rights_t *rightsp, pid_t *pidp)
174 error = fget(td, fd, rightsp, &fp);
177 if (fp->f_type != DTYPE_PROCDESC) {
181 *pidp = procdesc_pid(fp);
188 * System call to return the pid of a process given its process descriptor.
191 sys_pdgetpid(struct thread *td, struct pdgetpid_args *uap)
196 AUDIT_ARG_FD(uap->fd);
197 error = kern_pdgetpid(td, uap->fd, &cap_pdgetpid_rights, &pid);
199 error = copyout(&pid, uap->pidp, sizeof(pid));
204 * When a new process is forked by pdfork(), a file descriptor is allocated
205 * by the fork code first, then the process is forked, and then we get a
206 * chance to set up the process descriptor. Failure is not permitted at this
207 * point, so procdesc_new() must succeed.
210 procdesc_new(struct proc *p, int flags)
214 pd = malloc(sizeof(*pd), M_PROCDESC, M_WAITOK | M_ZERO);
216 pd->pd_pid = p->p_pid;
219 if (flags & PD_DAEMON)
220 pd->pd_flags |= PDF_DAEMON;
221 PROCDESC_LOCK_INIT(pd);
222 knlist_init_mtx(&pd->pd_selinfo.si_note, &pd->pd_lock);
225 * Process descriptors start out with two references: one from their
226 * struct file, and the other from their struct proc.
228 refcount_init(&pd->pd_refcount, 2);
232 * Create a new process decriptor for the process that refers to it.
235 procdesc_falloc(struct thread *td, struct file **resultfp, int *resultfd,
236 int flags, struct filecaps *fcaps)
241 if (flags & PD_CLOEXEC)
244 return (falloc_caps(td, resultfp, resultfd, fflags, fcaps));
248 * Initialize a file with a process descriptor.
251 procdesc_finit(struct procdesc *pdp, struct file *fp)
254 finit(fp, FREAD | FWRITE, DTYPE_PROCDESC, pdp, &procdesc_ops);
258 procdesc_free(struct procdesc *pd)
262 * When the last reference is released, we assert that the descriptor
263 * has been closed, but not that the process has exited, as we will
264 * detach the descriptor before the process dies if the descript is
265 * closed, as we can't wait synchronously.
267 if (refcount_release(&pd->pd_refcount)) {
268 KASSERT(pd->pd_proc == NULL,
269 ("procdesc_free: pd_proc != NULL"));
270 KASSERT((pd->pd_flags & PDF_CLOSED),
271 ("procdesc_free: !PDF_CLOSED"));
273 knlist_destroy(&pd->pd_selinfo.si_note);
274 PROCDESC_LOCK_DESTROY(pd);
275 free(pd, M_PROCDESC);
280 * procdesc_exit() - notify a process descriptor that its process is exiting.
281 * We use the proctree_lock to ensure that process exit either happens
282 * strictly before or strictly after a concurrent call to procdesc_close().
285 procdesc_exit(struct proc *p)
289 sx_assert(&proctree_lock, SA_XLOCKED);
290 PROC_LOCK_ASSERT(p, MA_OWNED);
291 KASSERT(p->p_procdesc != NULL, ("procdesc_exit: p_procdesc NULL"));
296 KASSERT((pd->pd_flags & PDF_CLOSED) == 0 || p->p_pptr == p->p_reaper,
297 ("procdesc_exit: closed && parent not reaper"));
299 pd->pd_flags |= PDF_EXITED;
300 pd->pd_xstat = KW_EXITCODE(p->p_xexit, p->p_xsig);
303 * If the process descriptor has been closed, then we have nothing
304 * to do; return 1 so that init will get SIGCHLD and do the reaping.
305 * Clean up the procdesc now rather than letting it happen during
308 if (pd->pd_flags & PDF_CLOSED) {
311 p->p_procdesc = NULL;
315 if (pd->pd_flags & PDF_SELECTED) {
316 pd->pd_flags &= ~PDF_SELECTED;
317 selwakeup(&pd->pd_selinfo);
319 KNOTE_LOCKED(&pd->pd_selinfo.si_note, NOTE_EXIT);
325 * When a process descriptor is reaped, perhaps as a result of close() or
326 * pdwait4(), release the process's reference on the process descriptor.
329 procdesc_reap(struct proc *p)
333 sx_assert(&proctree_lock, SA_XLOCKED);
334 KASSERT(p->p_procdesc != NULL, ("procdesc_reap: p_procdesc == NULL"));
338 p->p_procdesc = NULL;
343 * procdesc_close() - last close on a process descriptor. If the process is
344 * still running, terminate with SIGKILL (unless PDF_DAEMON is set) and let
345 * its reaper clean up the mess; if not, we have to clean up the zombie
349 procdesc_close(struct file *fp, struct thread *td)
354 KASSERT(fp->f_type == DTYPE_PROCDESC, ("procdesc_close: !procdesc"));
357 fp->f_ops = &badfileops;
360 sx_xlock(&proctree_lock);
362 pd->pd_flags |= PDF_CLOSED;
367 * This is the case where process' exit status was already
368 * collected and procdesc_reap() was already called.
370 sx_xunlock(&proctree_lock);
373 AUDIT_ARG_PROCESS(p);
374 if (p->p_state == PRS_ZOMBIE) {
376 * If the process is already dead and just awaiting
377 * reaping, do that now. This will release the
378 * process's reference to the process descriptor when it
379 * calls back into procdesc_reap().
381 proc_reap(curthread, p, NULL, 0);
384 * If the process is not yet dead, we need to kill it,
385 * but we can't wait around synchronously for it to go
386 * away, as that path leads to madness (and deadlocks).
387 * First, detach the process from its descriptor so that
388 * its exit status will be reported normally.
391 p->p_procdesc = NULL;
395 * Next, reparent it to its reaper (usually init(8)) so
396 * that there's someone to pick up the pieces; finally,
397 * terminate with prejudice.
399 p->p_sigparent = SIGCHLD;
400 if ((p->p_flag & P_TRACED) == 0) {
401 proc_reparent(p, p->p_reaper, true);
403 proc_clear_orphan(p);
404 p->p_oppid = p->p_reaper->p_pid;
405 proc_add_orphan(p, p->p_reaper);
407 if ((pd->pd_flags & PDF_DAEMON) == 0)
408 kern_psignal(p, SIGKILL);
410 sx_xunlock(&proctree_lock);
415 * Release the file descriptor's reference on the process descriptor.
422 procdesc_poll(struct file *fp, int events, struct ucred *active_cred,
431 if (pd->pd_flags & PDF_EXITED)
434 selrecord(td, &pd->pd_selinfo);
435 pd->pd_flags |= PDF_SELECTED;
442 procdesc_kqops_detach(struct knote *kn)
446 pd = kn->kn_fp->f_data;
447 knlist_remove(&pd->pd_selinfo.si_note, kn, 0);
451 procdesc_kqops_event(struct knote *kn, long hint)
456 pd = kn->kn_fp->f_data;
459 * Initial test after registration. Generate a NOTE_EXIT in
460 * case the process already terminated before registration.
462 event = pd->pd_flags & PDF_EXITED ? NOTE_EXIT : 0;
464 /* Mask off extra data. */
465 event = (u_int)hint & NOTE_PCTRLMASK;
468 /* If the user is interested in this event, record it. */
469 if (kn->kn_sfflags & event)
470 kn->kn_fflags |= event;
472 /* Process is gone, so flag the event as finished. */
473 if (event == NOTE_EXIT) {
474 kn->kn_flags |= EV_EOF | EV_ONESHOT;
475 if (kn->kn_fflags & NOTE_EXIT)
476 kn->kn_data = pd->pd_xstat;
477 if (kn->kn_fflags == 0)
478 kn->kn_flags |= EV_DROP;
482 return (kn->kn_fflags != 0);
485 static struct filterops procdesc_kqops = {
487 .f_detach = procdesc_kqops_detach,
488 .f_event = procdesc_kqops_event,
492 procdesc_kqfilter(struct file *fp, struct knote *kn)
497 switch (kn->kn_filter) {
498 case EVFILT_PROCDESC:
499 kn->kn_fop = &procdesc_kqops;
500 kn->kn_flags |= EV_CLEAR;
501 knlist_add(&pd->pd_selinfo.si_note, kn, 0);
509 procdesc_stat(struct file *fp, struct stat *sb, struct ucred *active_cred)
512 struct timeval pstart, boottime;
515 * XXXRW: Perhaps we should cache some more information from the
516 * process so that we can return it reliably here even after it has
517 * died. For example, caching its credential data.
519 bzero(sb, sizeof(*sb));
521 sx_slock(&proctree_lock);
522 if (pd->pd_proc != NULL) {
523 PROC_LOCK(pd->pd_proc);
524 AUDIT_ARG_PROCESS(pd->pd_proc);
526 /* Set birth and [acm] times to process start time. */
527 pstart = pd->pd_proc->p_stats->p_start;
528 getboottime(&boottime);
529 timevaladd(&pstart, &boottime);
530 TIMEVAL_TO_TIMESPEC(&pstart, &sb->st_birthtim);
531 sb->st_atim = sb->st_birthtim;
532 sb->st_ctim = sb->st_birthtim;
533 sb->st_mtim = sb->st_birthtim;
534 if (pd->pd_proc->p_state != PRS_ZOMBIE)
535 sb->st_mode = S_IFREG | S_IRWXU;
537 sb->st_mode = S_IFREG;
538 sb->st_uid = pd->pd_proc->p_ucred->cr_ruid;
539 sb->st_gid = pd->pd_proc->p_ucred->cr_rgid;
540 PROC_UNLOCK(pd->pd_proc);
542 sb->st_mode = S_IFREG;
543 sx_sunlock(&proctree_lock);
548 procdesc_fill_kinfo(struct file *fp, struct kinfo_file *kif,
549 struct filedesc *fdp)
551 struct procdesc *pdp;
553 kif->kf_type = KF_TYPE_PROCDESC;
555 kif->kf_un.kf_proc.kf_pid = pdp->pd_pid;