POTD skeleton #67.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2018-05-21 13:56:56 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2018-05-21 13:56:56 +0200
commit: 472a5a7a0078b1d2792cb52003e3bd50e208cafc (patch)
tree: cb8383f7df000e45d0f0f8ee4d5c9fc2927b0b07
parent: 50bb59a86d354f775f78198b7ecf27ce5300dacf (diff)
5 files changed, 63 insertions, 13 deletions
diff --git a/src/jail.c b/src/jail.c
index 450051f..d0da50b 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -3,6 +3,7 @@
 #include <sched.h>
 #include <signal.h>
 #include <pty.h>
+#include <sys/signalfd.h>
 #include <sys/wait.h>
 #include <sys/prctl.h>
 #include <sys/stat.h>
@@ -29,6 +30,7 @@ typedef struct server_event {
 typedef struct client_event {
     psocket *client_sock;
     int tty_fd;
+    int signal_fd;
     char tty_logbuf[BUFSIZ];
     size_t off_logbuf;
     char *tty_logbuf_escaped;
@@ -238,7 +240,7 @@ static int jail_childfn(prisoner_process *ctx)
     const char *path_devpts = "/dev/pts";
     const char *path_proc = "/proc";
     const char *path_shell = "/bin/sh";
-    int s, master_fd;
+    int i, s, master_fd;
     int unshare_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|
         CLONE_NEWNS|CLONE_NEWNET/*|CLONE_NEWUSER*/;
     //unsigned int ug_map[3] = { 0, 10000, 65535 };
@@ -248,12 +250,9 @@ static int jail_childfn(prisoner_process *ctx)
     assert(ctx);
     self_pid = getpid();
     set_procname("[potd] jail-client");
-    if (set_child_sighandler())
-        FATAL("Set sighandler for pid %d", self_pid);
-    if (setpgrp())
-        FATAL("Jail set process group for pid %d", self_pid);
-    if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0)
+    if (prctl(PR_SET_PDEATHSIG, SIGTERM) != 0)
         FATAL("Jail child prctl for pid %d", self_pid);
+
     if (!ctx->newroot)
         FATAL("New root set for pid %d", self_pid);
 
@@ -331,6 +330,9 @@ static int jail_childfn(prisoner_process *ctx)
             if (close_fds_except(0, 1, 2, -1))
                 exit(EXIT_FAILURE);
 
+            if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0)
+                exit(EXIT_FAILURE);
+
             printf("%s",
                 "  _______                     ________        __\n"
                 " |       |.-----.-----.-----.|  |  |  |.----.|  |_\n"
@@ -360,26 +362,39 @@ static int jail_childfn(prisoner_process *ctx)
             if (execl(path_shell, path_shell, (char *) NULL))
                 exit(EXIT_FAILURE);
         default:
-            if (set_fd_nonblock(master_fd))
-                FATAL("Pty master fd nonblock for prisoner pid %d",
+            if (set_fd_nonblock(master_fd)) {
+                E_STRERR("Pty master fd nonblock for prisoner pid %d",
                     child_pid);
+                goto finalise;
+            }
             N("Socket to tty I/O for prisoner pid %d",
                 child_pid);
             if (jail_socket_tty(ctx, master_fd))
-                FATAL("Socket to tty I/O for prisoner pid %d",
+                E_STRERR("Socket to tty I/O for prisoner pid %d",
                     child_pid);
-            waitpid(child_pid, &s, 0);
+
+            kill(child_pid, SIGTERM);
+            i = 10;
+            while (i > 0 && waitpid(child_pid, &s, WNOHANG) > 0) {
+                if (WIFEXITED(s))
+                    break;
+                usleep(250000);
+                i--;
+            }
+            kill(child_pid, SIGKILL);
     }
 
+finalise:
     close(master_fd);
     exit(EXIT_FAILURE);
 }
 
 static int jail_socket_tty(prisoner_process *ctx, int tty_fd)
 {
-    static client_event ev_cli = {NULL, 0, {0}, 0, 0, 0};
+    static client_event ev_cli = {NULL, -1, -1, {0}, 0, 0, 0};
     int s, rc = 1;
     event_ctx *ev_ctx = NULL;
+    sigset_t mask;
 
     assert(ctx);
     ev_cli.tty_fd = tty_fd;
@@ -407,9 +422,27 @@ static int jail_socket_tty(prisoner_process *ctx, int tty_fd)
         goto finish;
     }
 
+    sigemptyset(&mask);
+    sigaddset(&mask, SIGTERM);
+    sigaddset(&mask, SIGINT);
+    if (sigprocmask(SIG_BLOCK, &mask, NULL) == -1) {
+        E_STRERR("%s", "SIGTERM block");
+        goto finish;
+    }
+    ev_cli.signal_fd = signalfd(-1, &mask, SFD_NONBLOCK|SFD_CLOEXEC);
+    if (ev_cli.signal_fd < 0) {
+        E_STRERR("%s", "SIGNAL fd");
+        goto finish;
+    }
+    if (event_add_fd(ev_ctx, ev_cli.signal_fd)) {
+        E_STRERR("Jail SIGNAL fd %d", ev_cli.signal_fd);
+        goto finish;
+    }
+
     ev_cli.client_sock = &ctx->client_psock;
     rc = event_loop(ev_ctx, jail_socket_tty_io, &ev_cli);
 finish:
+    close(ev_cli.signal_fd);
     event_free(&ev_ctx);
     return rc;
 }
@@ -429,6 +462,9 @@ jail_socket_tty_io(event_ctx *ev_ctx, int src_fd, void *user_data)
         dest_fd = ev_cli->tty_fd;
     } else if (src_fd == ev_cli->tty_fd) {
         dest_fd = ev_cli->client_sock->fd;
+    } else if (src_fd == ev_cli->signal_fd) {
+        ev_ctx->active = 0;
+        return 0;
     } else return 0;
 
     fwd_state = event_forward_connection(ev_ctx, dest_fd, jail_log_input,
diff --git a/src/main.c b/src/main.c
index 310dbe5..e1c0229 100644
--- a/src/main.c
+++ b/src/main.c
@@ -150,9 +150,9 @@ int main(int argc, char *argv[])
             E2("%s daemon with pid %d terminated, exiting",
                 (child_pid == jail_pid ? "Jail" : "Redirector"),
                 (child_pid == jail_pid ? jail_pid : rdr_pid));
-            kill(0, SIGTERM);
+            kill(getpid(), SIGTERM);
             break;
-        }
+        } else W2("Process with pid %d terminated", child_pid);
     }
 
     return 0;
diff --git a/src/protocol_ssh.c b/src/protocol_ssh.c
index 1941dbb..559dfe7 100644
--- a/src/protocol_ssh.c
+++ b/src/protocol_ssh.c
@@ -162,12 +162,23 @@ int ssh_on_listen(protocol_ctx *ctx)
             break;
     }
     D2("SSH protocol pid: %d", p);
+    ssh_on_shutdown(ctx);
 
     return s != 0;
 }
 
 int ssh_on_shutdown(protocol_ctx *ctx)
 {
+    ssh_data *d;
+
+    assert(ctx->src.data);
+
+    d = (ssh_data *) ctx->src.data;
+    ssh_bind_free(d->sshbind);
+    free(d);
+    ctx->src.data = NULL;
+    ssh_finalize();
+
     return 0;
 }
 
diff --git a/src/pseccomp.c b/src/pseccomp.c
index da39cbb..97504d2 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -9,6 +9,7 @@
 static int pseccomp_using_valgrind(void);
 
 static const int default_allowed_syscalls[] = {
+    SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
     SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
     SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
     SCMP_SYS(exit), SCMP_SYS(exit_group),
@@ -45,6 +46,7 @@ static const int protocol_disabled_syscalls[] = {
 };
 
 static const int jail_allowed_syscalls[] = {
+    SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
     SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
     SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
     SCMP_SYS(exit), SCMP_SYS(exit_group),
diff --git a/src/utils.c b/src/utils.c
index aa65c28..7953614 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -76,6 +76,7 @@ static void sighandler_master(int signo)
         case SIGINT:
         case SIGTERM:
         case SIGABRT:
+            W("Got signal %d, exiting", signo);
             kill(0, SIGTERM);
             exit(EXIT_FAILURE);
     }
author	Toni Uhlig <matzeton@googlemail.com>	2018-05-21 13:56:56 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2018-05-21 13:56:56 +0200
commit	472a5a7a0078b1d2792cb52003e3bd50e208cafc (patch)
tree	cb8383f7df000e45d0f0f8ee4d5c9fc2927b0b07
parent	50bb59a86d354f775f78198b7ecf27ce5300dacf (diff)