From: Robert Swiecki Date: Sun, 30 Aug 2020 20:02:08 +0000 (+0200) Subject: subproc: kill a process once in the -Ml mode once the TCP connection has ended X-Git-Tag: 3.0.20210707~18 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=608618ea7b807fdb18eebdea9e15436df3bdc98f;p=platform%2Fupstream%2Fnsjail.git subproc: kill a process once in the -Ml mode once the TCP connection has ended --- diff --git a/nsjail.cc b/nsjail.cc index 8d57b86..52f85f6 100644 --- a/nsjail.cc +++ b/nsjail.cc @@ -200,6 +200,9 @@ static bool pipeTraffic(nsjconf_t* nsjconf, int listenfd) { close(nsjconf->pipes[pipe_no].sock_fd); close(nsjconf->pipes[pipe_no].pipe_in); close(nsjconf->pipes[pipe_no].pipe_out); + if (nsjconf->pipes[pipe_no].pid > 0) { + kill(nsjconf->pipes[pipe_no].pid, SIGKILL); + } nsjconf->pipes[pipe_no] = {}; } } @@ -237,12 +240,14 @@ static int listenMode(nsjconf_t* nsjconf) { PLOG_E("pipe"); continue; } + pid_t pid = + subproc::runChild(nsjconf, connfd, in[0], out[1], out[1]); nsjconf->pipes.push_back({ .sock_fd = connfd, .pipe_in = in[1], .pipe_out = out[0], + .pid = pid, }); - subproc::runChild(nsjconf, connfd, in[0], out[1], out[1]); close(in[0]); close(out[1]); } @@ -253,8 +258,8 @@ static int listenMode(nsjconf_t* nsjconf) { static int standaloneMode(nsjconf_t* nsjconf) { for (;;) { - if (!subproc::runChild( - nsjconf, /* netfd= */ -1, STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO)) { + if (subproc::runChild(nsjconf, /* netfd= */ -1, STDIN_FILENO, STDOUT_FILENO, + STDERR_FILENO) == -1) { LOG_E("Couldn't launch the child process"); return 0xff; } diff --git a/nsjail.h b/nsjail.h index 8200486..fda3392 100644 --- a/nsjail.h +++ b/nsjail.h @@ -86,6 +86,7 @@ struct pipemap_t { int sock_fd; int pipe_in; int pipe_out; + pid_t pid; bool operator==(const pipemap_t& o) { return sock_fd == o.sock_fd && pipe_in == o.pipe_in && pipe_out == o.pipe_out; } diff --git a/subproc.cc b/subproc.cc index 2f1c5cd..6da7a51 100644 --- a/subproc.cc +++ b/subproc.cc @@ -408,9 +408,9 @@ static bool initParent(nsjconf_t* nsjconf, pid_t pid, int pipefd) { return true; } -bool runChild(nsjconf_t* nsjconf, int netfd, int fd_in, int fd_out, int fd_err) { +pid_t runChild(nsjconf_t* nsjconf, int netfd, int fd_in, int fd_out, int fd_err) { if (!net::limitConns(nsjconf, netfd)) { - return true; + return 0; } unsigned long flags = 0UL; flags |= (nsjconf->clone_newnet ? CLONE_NEWNET : 0); @@ -435,7 +435,7 @@ bool runChild(nsjconf_t* nsjconf, int netfd, int fd_in, int fd_out, int fd_err) int sv[2]; if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) == -1) { PLOG_E("socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC) failed"); - return false; + return -1; } int child_fd = sv[0]; int parent_fd = sv[1]; @@ -463,13 +463,13 @@ bool runChild(nsjconf_t* nsjconf, int netfd, int fd_in, int fd_out, int fd_err) "kernel.unprivileged_userns_clone sysctl", cloneFlagsToStr(flags).c_str()); close(parent_fd); - return false; + return -1; } addProc(nsjconf, pid, netfd); if (!initParent(nsjconf, pid, parent_fd)) { close(parent_fd); - return false; + return -1; } char rcvChar; @@ -477,11 +477,11 @@ bool runChild(nsjconf_t* nsjconf, int netfd, int fd_in, int fd_out, int fd_err) rcvChar == kSubprocErrorChar) { LOG_W("Received error message from the child process before it has been executed"); close(parent_fd); - return false; + return -1; } close(parent_fd); - return true; + return pid; } /* diff --git a/subproc.h b/subproc.h index c33991f..5497abd 100644 --- a/subproc.h +++ b/subproc.h @@ -33,7 +33,8 @@ namespace subproc { -bool runChild(nsjconf_t* nsjconf, int listen_fd, int fd_in, int fd_out, int fd_err); +/* 0 - network connection limit reached, -1 - error */ +pid_t runChild(nsjconf_t* nsjconf, int listen_fd, int fd_in, int fd_out, int fd_err); int countProc(nsjconf_t* nsjconf); void displayProc(nsjconf_t* nsjconf); void killAndReapAll(nsjconf_t* nsjconf);