| blob | 545ad0ca401566f949ae06763beda727866ebd22 |
1 // Copyright (c) 2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <stddef.h>
10 #include <sys/types.h>
11 #include <sys/socket.h>
12 #include <sys/stat.h>
13 #include <sys/un.h>
15 #include <string>
16 #include <map>
36 // IPC channels on Windows use named pipes (CreateNamedPipe()) with
37 // channel ids as the pipe names. Channels on POSIX use anonymous
38 // Unix domain sockets created via socketpair() as pipes. These don't
39 // quite line up.
40 //
41 // When creating a child subprocess, the parent side of the fork
42 // arranges it such that the initial control channel ends up on the
43 // magic file descriptor kPrimaryIPCChannel in the child. Future
44 // connections (file descriptors) can then be passed via that
45 // connection via sendmsg().
47 //------------------------------------------------------------------------------
50 // The PipeMap class works around this quirk related to unit tests:
51 //
52 // When running as a server, we install the client socket in a
53 // specific file descriptor number (@kPrimaryIPCChannel). However, we
54 // also have to support the case where we are running unittests in the
55 // same process. (We do not support forking without execing.)
56 //
57 // Case 1: normal running
58 // The IPC server object will install a mapping in PipeMap from the
59 // name which it was given to the client pipe. When forking the client, the
60 // GetClientFileDescriptorMapping will ensure that the socket is installed in
61 // the magic slot (@kPrimaryIPCChannel). The client will search for the
62 // mapping, but it won't find any since we are in a new process. Thus the
63 // magic fd number is returned. Once the client connects, the server will
64 // close its copy of the client socket and remove the mapping.
65 //
66 // Case 2: unittests - client and server in the same process
67 // The IPC server will install a mapping as before. The client will search
68 // for a mapping and find out. It duplicates the file descriptor and
69 // connects. Once the client connects, the server will close the original
70 // copy of the client socket and remove the mapping. Thus, when the client
71 // object closes, it will close the only remaining copy of the client socket
72 // in the fd table and the server will see EOF on its side.
73 //
74 // TODO(port): a client process cannot connect to multiple IPC channels with
75 // this scheme.
79 // Lookup a given channel id. Return -1 if not found.
87 }
89 // Remove the mapping for the given channel id. No error is signaled if the
90 // channel_id doesn't exist
98 }
99 }
101 // Insert a mapping from @channel_id to @fd. It's a fatal error to insert a
102 // mapping if one already exists for the given channel_id
112 }
115 Lock lock_;
117 ChannelToFDMap map_;
118 };
120 // Used to map a channel name to the equivalent FD # in the current process.
121 // Returns -1 if the channel is unknown.
123 // See the large block comment above PipeMap for the reasoning here.
131 }
134 }
136 //------------------------------------------------------------------------------
137 sockaddr_un sizecheck;
140 // Creates a Fifo with the specified name ready to listen on.
148 }
150 // Create socket.
154 }
156 // Make socket non-blocking
160 }
162 // Delete any old FS instances.
165 // Create unix_addr structure
173 // Bind the socket.
178 }
180 // Start listening on the socket.
185 }
189 }
191 // Accept a connection on a fifo.
201 }
205 }
211 // Create socket.
216 }
218 // Make socket non-blocking
223 }
225 // Create server side of socket.
238 }
242 }
245 #if defined(OS_MACOSX)
246 // On OS X if sendmsg() is trying to send fds between processes and there
247 // isn't enough room in the output buffer to send the fd structure over
248 // atomically then EMSGSIZE is returned.
249 //
250 // EMSGSIZE presents a problem since the system APIs can only call us when
251 // there's room in the socket buffer and not when there is "enough" room.
252 //
253 // The current behavior is to return to the event loop when EMSGSIZE is
254 // received and hopefull service another FD. This is however still
255 // technically a busy wait since the event loop will call us right back until
256 // the receiver has read enough data to allow passing the FD over atomically.
258 #else
260 #endif
261 }
264 //------------------------------------------------------------------------------
276 #if defined(OS_LINUX)
279 #endif
284 // The pipe may have been closed already.
288 }
289 }
291 // static
294 }
296 // static
299 }
301 // static
307 }
309 // Set both ends to be non-blocking.
316 }
322 }
325 Mode mode) {
329 // This only happens in unit tests; see the comment above PipeMap.
330 // TODO(playmobil): We shouldn't need to create fifos on disk.
331 // TODO(playmobil): If we do, they should be in the user data directory.
332 // TODO(playmobil): Cleanup any stale fifos.
337 }
341 }
343 }
345 // This is the normal (non-unit-test) case, where we're using sockets.
346 // Three possible cases:
347 // 1) It's for a channel we already have a pipe for; reuse it.
348 // 2) It's the initial IPC channel:
349 // 2a) Server side: create the pipe.
350 // 2b) Client side: Pull the pipe out of the GlobalDescriptors set.
354 // Initial IPC channel.
360 // Guard against inappropriate reuse of the initial IPC channel. If
361 // an IPC channel closes and someone attempts to reuse it by name, the
362 // initial channel must not be recycled here. http://crbug.com/26754.
367 }
371 }
374 }
375 }
377 // Create the Hello message to be sent when Connect is called
379 HELLO_MESSAGE_TYPE,
381 #if defined(OS_LINUX)
383 // On Linux, the seccomp sandbox makes it very expensive to call
384 // recvmsg() and sendmsg(). Often, we are perfectly OK with resorting to
385 // read() and write(), which are cheap.
386 //
387 // As we cannot anticipate, when the sender will provide us with file
388 // handles, we have to make the decision about whether we call read() or
389 // recvmsg() before we actually make the call. The easiest option is to
390 // create a dedicated socketpair() for exchanging file handles.
396 }
397 }
398 }
399 #endif
403 }
407 }
413 }
415 server_listen_pipe_,
423 }
425 pipe_,
431 }
436 }
454 // Read from pipe.
455 // recvmsg() returns 0 if the connection has closed or EAGAIN if no data
456 // is waiting on the pipe.
457 #if defined(OS_LINUX)
463 #endif
464 {
467 }
471 #if defined(OS_MACOSX)
473 // On OSX, reading from a pipe with no listener returns EPERM
474 // treat this as a special case to prevent spurious error messages
475 // to the console.
483 }
485 // The pipe has closed...
487 }
488 }
494 }
496 // a pointer to an array of |num_wire_fds| file descriptors from the read
500 // walk the list of control messages and, if we find an array of file
501 // descriptors, save a pointer to the array
503 // This next if statement is to work around an OSX issue where
504 // CMSG_FIRSTHDR will return non-NULL in the case that controllen == 0.
505 // Here's a test case:
506 //
507 // int main() {
508 // struct msghdr msg;
509 // msg.msg_control = &msg;
510 // msg.msg_controllen = 0;
511 // if (CMSG_FIRSTHDR(&msg))
512 // printf("Bug found!\n");
513 // }
515 // On OSX, CMSG_FIRSTHDR doesn't handle the case where controllen is 0
516 // and will return a pointer into nowhere.
533 }
535 }
536 }
537 }
539 // Process messages from input buffer.
551 }
555 }
557 // A pointer to an array of |num_fds| file descriptors which includes any
558 // fds that have spilled over from a previous read.
572 }
575 }
584 // the message has file descriptors
587 // the message has been completely received, but we didn't get
588 // enough file descriptors.
589 #if defined(OS_LINUX)
613 }
615 }
616 }
626 }
629 }
630 }
631 }
633 #endif
635 }
639 // There are too many descriptors in this message
641 }
650 // close the existing file descriptors so that we don't leak them
654 // abort the connection
656 }
661 }
662 #ifdef IPC_MESSAGE_DEBUG_EXTRA
665 #endif
668 // The Hello message contains only the process id.
673 }
674 #if defined(OS_LINUX)
676 // On Linux, the Hello message from the client to the server
677 // also contains the fd_pipe_, which will be used for all
678 // subsequent file descriptor passing.
683 }
686 }
687 #endif
691 }
694 // Last message is partial.
696 }
701 }
705 // When the input data buffer is empty, the overflow fds should be too. If
706 // this is not the case, we probably have a rogue renderer which is trying
707 // to fill our descriptor table.
709 // We close these descriptors in Close()
711 }
714 }
717 }
721 // no connection?
726 }
730 }
732 // Write out all the messages we can till the write blocks or there are no
733 // more outgoing messages.
737 #if defined(OS_LINUX)
743 HELLO_MESSAGE_TYPE,
750 }
755 }
758 }
759 #endif
764 message_send_bytes_written_;
778 // This is the first chunk of a message which has descriptors to send
794 // DCHECK_LE above already checks that
795 // num_fds < MAX_DESCRIPTORS_PER_MESSAGE so no danger of overflow.
798 #if defined(OS_LINUX)
802 // Only the Hello message sends the file descriptor with the message.
803 // Subsequently, we can send file descriptors on the dedicated
804 // fd_pipe_ which makes Seccomp sandbox operation more efficient.
813 }
814 }
815 #endif
816 }
820 #if defined(OS_LINUX)
825 }
829 #endif
830 {
832 }
833 }
838 #if defined(OS_MACOSX)
839 // On OSX writing to a pipe with no listener returns EPERM.
843 }
848 }
850 << fd_written
854 }
858 // If write() fails with EAGAIN then bytes_written will be -1.
860 }
862 // Tell libevent to call us back once things are unblocked.
865 pipe_,
874 // Message sent OK!
875 #ifdef IPC_MESSAGE_DEBUG_EXTRA
878 #endif
881 }
882 }
884 }
887 #ifdef IPC_MESSAGE_DEBUG_EXTRA
891 #endif
893 #ifdef IPC_MESSAGE_LOG_ENABLED
895 #endif
902 }
903 }
906 }
910 }
912 // Called by libevent when we can read from th pipe without blocking.
919 }
921 // No need to watch the listening socket any longer since only one client
922 // can connect. So unregister with libevent.
925 // Start watching our end of the socket.
927 pipe_,
935 // In the case of a socketpair() the server starts listening on its end
936 // of the pipe in Connect().
938 }
940 }
946 // The OnChannelError() call may delete this, so we need to exit now.
948 }
949 }
951 // If we're a server and handshaking, then we want to make sure that we
952 // only send our handshake message after we've processed the client's.
953 // This gives us a chance to kill the client if the incoming handshake
954 // is invalid.
957 }
958 }
960 // Called by libevent when we can write to the pipe without blocking.
965 }
966 }
969 // Close can be called multiple time, so we need to make sure we're
970 // idempotent.
972 // Unregister libevent for the listening socket and close it.
978 }
980 // Unregister libevent for the FIFO and close it.
986 }
990 }
991 #if defined(OS_LINUX)
995 }
999 }
1000 #endif
1003 // Unlink the FIFO
1005 }
1011 }
1013 // Close any outstanding, received file descriptors
1017 }
1019 }
1021 //------------------------------------------------------------------------------
1022 // Channel's methods simply call through to ChannelImpl.
1026 }
1030 }
1034 }
1038 }
1042 }
1046 }
1050 }