POTD skeleton #67.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2018-05-21 13:56:56 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2018-05-21 13:56:56 +0200
commit: 472a5a7a0078b1d2792cb52003e3bd50e208cafc (patch)
tree: cb8383f7df000e45d0f0f8ee4d5c9fc2927b0b07 /src/jail.c
parent: 50bb59a86d354f775f78198b7ecf27ce5300dacf (diff)
1 files changed, 47 insertions, 11 deletions
diff --git a/src/jail.c b/src/jail.c
index 450051f..d0da50b 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -3,6 +3,7 @@
 #include <sched.h>
 #include <signal.h>
 #include <pty.h>
+#include <sys/signalfd.h>
 #include <sys/wait.h>
 #include <sys/prctl.h>
 #include <sys/stat.h>
@@ -29,6 +30,7 @@ typedef struct server_event {
 typedef struct client_event {
     psocket *client_sock;
     int tty_fd;
+    int signal_fd;
     char tty_logbuf[BUFSIZ];
     size_t off_logbuf;
     char *tty_logbuf_escaped;
@@ -238,7 +240,7 @@ static int jail_childfn(prisoner_process *ctx)
     const char *path_devpts = "/dev/pts";
     const char *path_proc = "/proc";
     const char *path_shell = "/bin/sh";
-    int s, master_fd;
+    int i, s, master_fd;
     int unshare_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|
         CLONE_NEWNS|CLONE_NEWNET/*|CLONE_NEWUSER*/;
     //unsigned int ug_map[3] = { 0, 10000, 65535 };
@@ -248,12 +250,9 @@ static int jail_childfn(prisoner_process *ctx)
     assert(ctx);
     self_pid = getpid();
     set_procname("[potd] jail-client");
-    if (set_child_sighandler())
-        FATAL("Set sighandler for pid %d", self_pid);
-    if (setpgrp())
-        FATAL("Jail set process group for pid %d", self_pid);
-    if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0)
+    if (prctl(PR_SET_PDEATHSIG, SIGTERM) != 0)
         FATAL("Jail child prctl for pid %d", self_pid);
+
     if (!ctx->newroot)
         FATAL("New root set for pid %d", self_pid);
 
@@ -331,6 +330,9 @@ static int jail_childfn(prisoner_process *ctx)
             if (close_fds_except(0, 1, 2, -1))
                 exit(EXIT_FAILURE);
 
+            if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0)
+                exit(EXIT_FAILURE);
+
             printf("%s",
                 "  _______                     ________        __\n"
                 " |       |.-----.-----.-----.|  |  |  |.----.|  |_\n"
@@ -360,26 +362,39 @@ static int jail_childfn(prisoner_process *ctx)
             if (execl(path_shell, path_shell, (char *) NULL))
                 exit(EXIT_FAILURE);
         default:
-            if (set_fd_nonblock(master_fd))
-                FATAL("Pty master fd nonblock for prisoner pid %d",
+            if (set_fd_nonblock(master_fd)) {
+                E_STRERR("Pty master fd nonblock for prisoner pid %d",
                     child_pid);
+                goto finalise;
+            }
             N("Socket to tty I/O for prisoner pid %d",
                 child_pid);
             if (jail_socket_tty(ctx, master_fd))
-                FATAL("Socket to tty I/O for prisoner pid %d",
+                E_STRERR("Socket to tty I/O for prisoner pid %d",
                     child_pid);
-            waitpid(child_pid, &s, 0);
+
+            kill(child_pid, SIGTERM);
+            i = 10;
+            while (i > 0 && waitpid(child_pid, &s, WNOHANG) > 0) {
+                if (WIFEXITED(s))
+                    break;
+                usleep(250000);
+                i--;
+            }
+            kill(child_pid, SIGKILL);
     }
 
+finalise:
     close(master_fd);
     exit(EXIT_FAILURE);
 }
 
 static int jail_socket_tty(prisoner_process *ctx, int tty_fd)
 {
-    static client_event ev_cli = {NULL, 0, {0}, 0, 0, 0};
+    static client_event ev_cli = {NULL, -1, -1, {0}, 0, 0, 0};
     int s, rc = 1;
     event_ctx *ev_ctx = NULL;
+    sigset_t mask;
 
     assert(ctx);
     ev_cli.tty_fd = tty_fd;
@@ -407,9 +422,27 @@ static int jail_socket_tty(prisoner_process *ctx, int tty_fd)
         goto finish;
     }
 
+    sigemptyset(&mask);
+    sigaddset(&mask, SIGTERM);
+    sigaddset(&mask, SIGINT);
+    if (sigprocmask(SIG_BLOCK, &mask, NULL) == -1) {
+        E_STRERR("%s", "SIGTERM block");
+        goto finish;
+    }
+    ev_cli.signal_fd = signalfd(-1, &mask, SFD_NONBLOCK|SFD_CLOEXEC);
+    if (ev_cli.signal_fd < 0) {
+        E_STRERR("%s", "SIGNAL fd");
+        goto finish;
+    }
+    if (event_add_fd(ev_ctx, ev_cli.signal_fd)) {
+        E_STRERR("Jail SIGNAL fd %d", ev_cli.signal_fd);
+        goto finish;
+    }
+
     ev_cli.client_sock = &ctx->client_psock;
     rc = event_loop(ev_ctx, jail_socket_tty_io, &ev_cli);
 finish:
+    close(ev_cli.signal_fd);
     event_free(&ev_ctx);
     return rc;
 }
@@ -429,6 +462,9 @@ jail_socket_tty_io(event_ctx *ev_ctx, int src_fd, void *user_data)
         dest_fd = ev_cli->tty_fd;
     } else if (src_fd == ev_cli->tty_fd) {
         dest_fd = ev_cli->client_sock->fd;
+    } else if (src_fd == ev_cli->signal_fd) {
+        ev_ctx->active = 0;
+        return 0;
     } else return 0;
 
     fwd_state = event_forward_connection(ev_ctx, dest_fd, jail_log_input,
author	Toni Uhlig <matzeton@googlemail.com>	2018-05-21 13:56:56 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2018-05-21 13:56:56 +0200
commit	472a5a7a0078b1d2792cb52003e3bd50e208cafc (patch)
tree	cb8383f7df000e45d0f0f8ee4d5c9fc2927b0b07 /src/jail.c
parent	50bb59a86d354f775f78198b7ecf27ce5300dacf (diff)