| blob | 0d3b1f4334bdba5c9187f85035e969ea8e55df1c |
1 /*-
2 * Copyright (c) 2009 Robert N. M. Watson
3 * All rights reserved.
4 *
5 * This software was developed at the University of Cambridge Computer
6 * Laboratory with support from a grant from Google, Inc.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
30 /*-
31 * FreeBSD process descriptor facility.
32 *
33 * Some processes are represented by a file descriptor, which will be used in
34 * preference to signaling and pids for the purposes of process management,
35 * and is, in effect, a form of capability. When a process descriptor is
36 * used with a process, it ceases to be visible to certain traditional UNIX
37 * process facilities, such as waitpid(2).
38 *
39 * Some semantics:
40 *
41 * - At most one process descriptor will exist for any process, although
42 * references to that descriptor may be held from many processes (or even
43 * be in flight between processes over a local domain socket).
44 * - Last close on the process descriptor will terminate the process using
45 * SIGKILL and reparent it to init so that there's a process to reap it
46 * when it's done exiting.
47 * - If the process exits before the descriptor is closed, it will not
48 * generate SIGCHLD on termination, or be picked up by waitpid().
49 * - The pdkill(2) system call may be used to deliver a signal to the process
50 * using its process descriptor.
51 * - The pdwait4(2) system call may be used to block (or not) on a process
52 * descriptor to collect termination information.
53 *
54 * Open questions:
55 *
56 * - How to handle ptrace(2)?
57 * - Will we want to add a pidtoprocdesc(2) system call to allow process
58 * descriptors to be created for processes without pdfork(2)?
59 */
61 #include <sys/cdefs.h>
64 #include <sys/param.h>
65 #include <sys/capsicum.h>
66 #include <sys/fcntl.h>
67 #include <sys/file.h>
68 #include <sys/filedesc.h>
69 #include <sys/kernel.h>
70 #include <sys/lock.h>
71 #include <sys/mutex.h>
72 #include <sys/poll.h>
73 #include <sys/proc.h>
74 #include <sys/procdesc.h>
75 #include <sys/resourcevar.h>
76 #include <sys/stat.h>
77 #include <sys/sysproto.h>
78 #include <sys/sysctl.h>
79 #include <sys/systm.h>
80 #include <sys/ucred.h>
81 #include <sys/user.h>
83 #include <security/audit/audit.h>
85 #include <vm/uma.h>
111 };
113 /*
114 * Initialize with VFS so that process descriptors are available along with
115 * other file descriptor types. As long as it runs before init(8) starts,
116 * there shouldn't be a problem.
117 */
118 static void
120 {
126 }
129 /*
130 * Return a locked process given a process descriptor, or ESRCH if it has
131 * died.
132 */
133 int
136 {
147 }
156 out:
159 }
161 /*
162 * Function to be used by procstat(1) sysctls when returning procdesc
163 * information.
164 */
165 pid_t
167 {
175 }
177 /*
178 * Retrieve the PID associated with a process descriptor.
179 */
180 int
182 {
192 }
194 out:
197 }
199 /*
200 * System call to return the pid of a process given its process descriptor.
201 */
202 int
204 {
205 cap_rights_t rights;
206 pid_t pid;
215 }
217 /*
218 * When a new process is forked by pdfork(), a file descriptor is allocated
219 * by the fork code first, then the process is forked, and then we get a
220 * chance to set up the process descriptor. Failure is not permitted at this
221 * point, so procdesc_new() must succeed.
222 */
223 void
225 {
238 /*
239 * Process descriptors start out with two references: one from their
240 * struct file, and the other from their struct proc.
241 */
243 }
245 /*
246 * Initialize a file with a process descriptor.
247 */
248 void
250 {
253 }
255 static void
257 {
259 /*
260 * When the last reference is released, we assert that the descriptor
261 * has been closed, but not that the process has exited, as we will
262 * detach the descriptor before the process dies if the descript is
263 * closed, as we can't wait synchronously.
264 */
274 }
275 }
277 /*
278 * procdesc_exit() - notify a process descriptor that its process is exiting.
279 * We use the proctree_lock to ensure that process exit either happens
280 * strictly before or strictly after a concurrent call to procdesc_close().
281 */
282 int
284 {
300 /*
301 * If the process descriptor has been closed, then we have nothing
302 * to do; return 1 so that init will get SIGCHLD and do the reaping.
303 * Clean up the procdesc now rather than letting it happen during
304 * that reap.
305 */
312 }
316 }
320 }
322 /*
323 * When a process descriptor is reaped, perhaps as a result of close() or
324 * pdwait4(), release the process's reference on the process descriptor.
325 */
326 void
328 {
338 }
340 /*
341 * procdesc_close() - last close on a process descriptor. If the process is
342 * still running, terminate with SIGKILL (unless PDF_DAEMON is set) and let
343 * init(8) clean up the mess; if not, we have to clean up the zombie ourselves.
344 */
345 static int
347 {
363 /*
364 * This is the case where process' exit status was already
365 * collected and procdesc_reap() was already called.
366 */
371 /*
372 * If the process is already dead and just awaiting
373 * reaping, do that now. This will release the
374 * process's reference to the process descriptor when it
375 * calls back into procdesc_reap().
376 */
380 /*
381 * If the process is not yet dead, we need to kill it,
382 * but we can't wait around synchronously for it to go
383 * away, as that path leads to madness (and deadlocks).
384 * First, detach the process from its descriptor so that
385 * its exit status will be reported normally.
386 */
391 /*
392 * Next, reparent it to init(8) so that there's someone
393 * to pick up the pieces; finally, terminate with
394 * prejudice.
395 */
402 }
403 }
405 /*
406 * Release the file descriptor's reference on the process descriptor.
407 */
410 }
412 static int
415 {
427 }
430 }
432 static void
434 {
439 }
441 static int
443 {
445 u_int event;
449 /*
450 * Initial test after registration. Generate a NOTE_EXIT in
451 * case the process already terminated before registration.
452 */
455 /* Mask off extra data. */
457 }
459 /* If the user is interested in this event, record it. */
463 /* Process is gone, so flag the event as finished. */
471 }
474 }
480 };
482 static int
484 {
496 }
497 }
499 static int
502 {
506 /*
507 * XXXRW: Perhaps we should cache some more information from the
508 * process so that we can return it reliably here even after it has
509 * died. For example, caching its credential data.
510 */
517 /* Set birth and [acm] times to process start time. */
526 else
535 }
537 static int
540 {
547 }