1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "ipc/ipc_channel_posix.h"
10 #include <sys/socket.h>
12 #include <sys/types.h>
15 #if defined(OS_OPENBSD)
19 #if !defined(OS_NACL_NONSFI)
26 #include "base/command_line.h"
27 #include "base/files/file_path.h"
28 #include "base/files/file_util.h"
29 #include "base/location.h"
30 #include "base/logging.h"
31 #include "base/memory/scoped_ptr.h"
32 #include "base/memory/singleton.h"
33 #include "base/posix/eintr_wrapper.h"
34 #include "base/posix/global_descriptors.h"
35 #include "base/process/process_handle.h"
36 #include "base/rand_util.h"
37 #include "base/stl_util.h"
38 #include "base/strings/string_util.h"
39 #include "base/synchronization/lock.h"
40 #include "ipc/file_descriptor_set_posix.h"
41 #include "ipc/ipc_descriptors.h"
42 #include "ipc/ipc_listener.h"
43 #include "ipc/ipc_logging.h"
44 #include "ipc/ipc_message_utils.h"
45 #include "ipc/ipc_switches.h"
46 #include "ipc/unix_domain_socket_util.h"
50 // IPC channels on Windows use named pipes (CreateNamedPipe()) with
51 // channel ids as the pipe names. Channels on POSIX use sockets as
52 // pipes These don't quite line up.
54 // When creating a child subprocess we use a socket pair and the parent side of
55 // the fork arranges it such that the initial control channel ends up on the
56 // magic file descriptor kPrimaryIPCChannel in the child. Future
57 // connections (file descriptors) can then be passed via that
58 // connection via sendmsg().
60 // A POSIX IPC channel can also be set up as a server for a bound UNIX domain
61 // socket, and will handle multiple connect and disconnect sequences. Currently
62 // it is limited to one connection at a time.
64 //------------------------------------------------------------------------------
67 // The PipeMap class works around this quirk related to unit tests:
69 // When running as a server, we install the client socket in a
70 // specific file descriptor number (@kPrimaryIPCChannel). However, we
71 // also have to support the case where we are running unittests in the
72 // same process. (We do not support forking without execing.)
74 // Case 1: normal running
75 // The IPC server object will install a mapping in PipeMap from the
76 // name which it was given to the client pipe. When forking the client, the
77 // GetClientFileDescriptorMapping will ensure that the socket is installed in
78 // the magic slot (@kPrimaryIPCChannel). The client will search for the
79 // mapping, but it won't find any since we are in a new process. Thus the
80 // magic fd number is returned. Once the client connects, the server will
81 // close its copy of the client socket and remove the mapping.
83 // Case 2: unittests - client and server in the same process
84 // The IPC server will install a mapping as before. The client will search
85 // for a mapping and find out. It duplicates the file descriptor and
86 // connects. Once the client connects, the server will close the original
87 // copy of the client socket and remove the mapping. Thus, when the client
88 // object closes, it will close the only remaining copy of the client socket
89 // in the fd table and the server will see EOF on its side.
91 // TODO(port): a client process cannot connect to multiple IPC channels with
96 static PipeMap* GetInstance() {
97 return Singleton<PipeMap>::get();
101 // Shouldn't have left over pipes.
102 DCHECK(map_.empty());
105 // Lookup a given channel id. Return -1 if not found.
106 int Lookup(const std::string& channel_id) {
107 base::AutoLock locked(lock_);
109 ChannelToFDMap::const_iterator i = map_.find(channel_id);
115 // Remove the mapping for the given channel id. No error is signaled if the
116 // channel_id doesn't exist
117 void Remove(const std::string& channel_id) {
118 base::AutoLock locked(lock_);
119 map_.erase(channel_id);
122 // Insert a mapping from @channel_id to @fd. It's a fatal error to insert a
123 // mapping if one already exists for the given channel_id
124 void Insert(const std::string& channel_id, int fd) {
125 base::AutoLock locked(lock_);
128 ChannelToFDMap::const_iterator i = map_.find(channel_id);
129 CHECK(i == map_.end()) << "Creating second IPC server (fd " << fd << ") "
130 << "for '" << channel_id << "' while first "
131 << "(fd " << i->second << ") still exists";
132 map_[channel_id] = fd;
137 typedef std::map<std::string, int> ChannelToFDMap;
140 friend struct DefaultSingletonTraits<PipeMap>;
141 #if defined(OS_ANDROID)
142 friend void ::IPC::Channel::NotifyProcessForkedForTesting();
146 //------------------------------------------------------------------------------
148 bool SocketWriteErrorIsRecoverable() {
149 #if defined(OS_MACOSX)
150 // On OS X if sendmsg() is trying to send fds between processes and there
151 // isn't enough room in the output buffer to send the fd structure over
152 // atomically then EMSGSIZE is returned.
154 // EMSGSIZE presents a problem since the system APIs can only call us when
155 // there's room in the socket buffer and not when there is "enough" room.
157 // The current behavior is to return to the event loop when EMSGSIZE is
158 // received and hopefull service another FD. This is however still
159 // technically a busy wait since the event loop will call us right back until
160 // the receiver has read enough data to allow passing the FD over atomically.
161 return errno == EAGAIN || errno == EMSGSIZE;
163 return errno == EAGAIN;
169 #if defined(OS_ANDROID)
170 // When we fork for simple tests on Android, we can't 'exec', so we need to
171 // reset these entries manually to get the expected testing behavior.
172 void Channel::NotifyProcessForkedForTesting() {
173 PipeMap::GetInstance()->map_.clear();
177 //------------------------------------------------------------------------------
179 #if defined(OS_LINUX)
180 int ChannelPosix::global_pid_ = 0;
183 ChannelPosix::ChannelPosix(const IPC::ChannelHandle& channel_handle,
184 Mode mode, Listener* listener)
185 : ChannelReader(listener),
187 peer_pid_(base::kNullProcessId),
188 is_blocked_on_write_(false),
189 waiting_connect_(true),
190 message_send_bytes_written_(0),
191 pipe_name_(channel_handle.name),
192 must_unlink_(false) {
193 memset(input_cmsg_buf_, 0, sizeof(input_cmsg_buf_));
194 if (!CreatePipe(channel_handle)) {
195 // The pipe may have been closed already.
196 const char *modestr = (mode_ & MODE_SERVER_FLAG) ? "server" : "client";
197 LOG(WARNING) << "Unable to create pipe named \"" << channel_handle.name
198 << "\" in " << modestr << " mode";
202 ChannelPosix::~ChannelPosix() {
206 bool SocketPair(int* fd1, int* fd2) {
208 if (socketpair(AF_UNIX, SOCK_STREAM, 0, pipe_fds) != 0) {
209 PLOG(ERROR) << "socketpair()";
213 // Set both ends to be non-blocking.
214 if (fcntl(pipe_fds[0], F_SETFL, O_NONBLOCK) == -1 ||
215 fcntl(pipe_fds[1], F_SETFL, O_NONBLOCK) == -1) {
216 PLOG(ERROR) << "fcntl(O_NONBLOCK)";
217 if (IGNORE_EINTR(close(pipe_fds[0])) < 0)
218 PLOG(ERROR) << "close";
219 if (IGNORE_EINTR(close(pipe_fds[1])) < 0)
220 PLOG(ERROR) << "close";
230 bool ChannelPosix::CreatePipe(
231 const IPC::ChannelHandle& channel_handle) {
232 DCHECK(!server_listen_pipe_.is_valid() && !pipe_.is_valid());
234 // Four possible cases:
235 // 1) It's a channel wrapping a pipe that is given to us.
236 // 2) It's for a named channel, so we create it.
237 // 3) It's for a client that we implement ourself. This is used
238 // in single-process unittesting.
239 // 4) It's the initial IPC channel:
240 // 4a) Client side: Pull the pipe out of the GlobalDescriptors set.
241 // 4b) Server side: create the pipe.
243 base::ScopedFD local_pipe;
244 if (channel_handle.socket.fd != -1) {
245 // Case 1 from comment above.
246 local_pipe.reset(channel_handle.socket.fd);
247 #if defined(IPC_USES_READWRITE)
248 // Test the socket passed into us to make sure it is nonblocking.
249 // We don't want to call read/write on a blocking socket.
250 int value = fcntl(local_pipe.get(), F_GETFL);
252 PLOG(ERROR) << "fcntl(F_GETFL) " << pipe_name_;
255 if (!(value & O_NONBLOCK)) {
256 LOG(ERROR) << "Socket " << pipe_name_ << " must be O_NONBLOCK";
259 #endif // IPC_USES_READWRITE
260 } else if (mode_ & MODE_NAMED_FLAG) {
261 #if defined(OS_NACL_NONSFI)
263 << "IPC channels in nacl_helper_nonsfi should not be in NAMED mode.";
265 // Case 2 from comment above.
266 int local_pipe_fd = -1;
268 if (mode_ & MODE_SERVER_FLAG) {
269 if (!CreateServerUnixDomainSocket(base::FilePath(pipe_name_),
275 } else if (mode_ & MODE_CLIENT_FLAG) {
276 if (!CreateClientUnixDomainSocket(base::FilePath(pipe_name_),
281 LOG(ERROR) << "Bad mode: " << mode_;
285 local_pipe.reset(local_pipe_fd);
286 #endif // !defined(OS_NACL_NONSFI)
288 local_pipe.reset(PipeMap::GetInstance()->Lookup(pipe_name_));
289 if (mode_ & MODE_CLIENT_FLAG) {
290 if (local_pipe.is_valid()) {
291 // Case 3 from comment above.
292 // We only allow one connection.
293 local_pipe.reset(HANDLE_EINTR(dup(local_pipe.release())));
294 PipeMap::GetInstance()->Remove(pipe_name_);
296 // Case 4a from comment above.
297 // Guard against inappropriate reuse of the initial IPC channel. If
298 // an IPC channel closes and someone attempts to reuse it by name, the
299 // initial channel must not be recycled here. http://crbug.com/26754.
300 static bool used_initial_channel = false;
301 if (used_initial_channel) {
302 LOG(FATAL) << "Denying attempt to reuse initial IPC channel for "
306 used_initial_channel = true;
309 base::GlobalDescriptors::GetInstance()->Get(kPrimaryIPCChannel));
311 } else if (mode_ & MODE_SERVER_FLAG) {
312 // Case 4b from comment above.
313 if (local_pipe.is_valid()) {
314 LOG(ERROR) << "Server already exists for " << pipe_name_;
315 // This is a client side pipe registered by other server and
316 // shouldn't be closed.
317 ignore_result(local_pipe.release());
320 base::AutoLock lock(client_pipe_lock_);
321 int local_pipe_fd = -1, client_pipe_fd = -1;
322 if (!SocketPair(&local_pipe_fd, &client_pipe_fd))
324 local_pipe.reset(local_pipe_fd);
325 client_pipe_.reset(client_pipe_fd);
326 PipeMap::GetInstance()->Insert(pipe_name_, client_pipe_fd);
328 LOG(ERROR) << "Bad mode: " << mode_;
333 #if defined(IPC_USES_READWRITE)
334 // Create a dedicated socketpair() for exchanging file descriptors.
335 // See comments for IPC_USES_READWRITE for details.
336 if (mode_ & MODE_CLIENT_FLAG) {
337 int fd_pipe_fd = 1, remote_fd_pipe_fd = -1;
338 if (!SocketPair(&fd_pipe_fd, &remote_fd_pipe_fd)) {
342 fd_pipe_.reset(fd_pipe_fd);
343 remote_fd_pipe_.reset(remote_fd_pipe_fd);
345 #endif // IPC_USES_READWRITE
347 if ((mode_ & MODE_SERVER_FLAG) && (mode_ & MODE_NAMED_FLAG)) {
348 #if defined(OS_NACL_NONSFI)
349 LOG(FATAL) << "IPC channels in nacl_helper_nonsfi "
350 << "should not be in NAMED or SERVER mode.";
352 server_listen_pipe_.reset(local_pipe.release());
355 pipe_.reset(local_pipe.release());
360 bool ChannelPosix::Connect() {
361 if (!server_listen_pipe_.is_valid() && !pipe_.is_valid()) {
362 DLOG(WARNING) << "Channel creation failed: " << pipe_name_;
366 bool did_connect = true;
367 if (server_listen_pipe_.is_valid()) {
368 #if defined(OS_NACL_NONSFI)
369 LOG(FATAL) << "IPC channels in nacl_helper_nonsfi "
370 << "should always be in client mode.";
372 // Watch the pipe for connections, and turn any connections into
374 base::MessageLoopForIO::current()->WatchFileDescriptor(
375 server_listen_pipe_.get(),
377 base::MessageLoopForIO::WATCH_READ,
378 &server_listen_connection_watcher_,
382 did_connect = AcceptConnection();
387 void ChannelPosix::CloseFileDescriptors(Message* msg) {
388 #if defined(OS_MACOSX)
389 // There is a bug on OSX which makes it dangerous to close
390 // a file descriptor while it is in transit. So instead we
391 // store the file descriptor in a set and send a message to
392 // the recipient, which is queued AFTER the message that
393 // sent the FD. The recipient will reply to the message,
394 // letting us know that it is now safe to close the file
395 // descriptor. For more information, see:
396 // http://crbug.com/298276
397 std::vector<int> to_close;
398 msg->file_descriptor_set()->ReleaseFDsToClose(&to_close);
399 for (size_t i = 0; i < to_close.size(); i++) {
400 fds_to_close_.insert(to_close[i]);
401 QueueCloseFDMessage(to_close[i], 2);
404 msg->file_descriptor_set()->CommitAll();
408 bool ChannelPosix::ProcessOutgoingMessages() {
409 DCHECK(!waiting_connect_); // Why are we trying to send messages if there's
411 if (output_queue_.empty())
414 if (!pipe_.is_valid())
417 // Write out all the messages we can till the write blocks or there are no
418 // more outgoing messages.
419 while (!output_queue_.empty()) {
420 Message* msg = output_queue_.front();
422 size_t amt_to_write = msg->size() - message_send_bytes_written_;
423 DCHECK_NE(0U, amt_to_write);
424 const char* out_bytes = reinterpret_cast<const char*>(msg->data()) +
425 message_send_bytes_written_;
427 struct msghdr msgh = {0};
428 struct iovec iov = {const_cast<char*>(out_bytes), amt_to_write};
432 sizeof(int) * FileDescriptorSet::kMaxDescriptorsPerMessage)];
434 ssize_t bytes_written = 1;
437 if (message_send_bytes_written_ == 0 &&
438 !msg->file_descriptor_set()->empty()) {
439 // This is the first chunk of a message which has descriptors to send
440 struct cmsghdr *cmsg;
441 const unsigned num_fds = msg->file_descriptor_set()->size();
443 DCHECK(num_fds <= FileDescriptorSet::kMaxDescriptorsPerMessage);
444 if (msg->file_descriptor_set()->ContainsDirectoryDescriptor()) {
445 LOG(FATAL) << "Panic: attempting to transport directory descriptor over"
446 " IPC. Aborting to maintain sandbox isolation.";
447 // If you have hit this then something tried to send a file descriptor
448 // to a directory over an IPC channel. Since IPC channels span
449 // sandboxes this is very bad: the receiving process can use openat
450 // with ".." elements in the path in order to reach the real
454 msgh.msg_control = buf;
455 msgh.msg_controllen = CMSG_SPACE(sizeof(int) * num_fds);
456 cmsg = CMSG_FIRSTHDR(&msgh);
457 cmsg->cmsg_level = SOL_SOCKET;
458 cmsg->cmsg_type = SCM_RIGHTS;
459 cmsg->cmsg_len = CMSG_LEN(sizeof(int) * num_fds);
460 msg->file_descriptor_set()->PeekDescriptors(
461 reinterpret_cast<int*>(CMSG_DATA(cmsg)));
462 msgh.msg_controllen = cmsg->cmsg_len;
464 // DCHECK_LE above already checks that
465 // num_fds < kMaxDescriptorsPerMessage so no danger of overflow.
466 msg->header()->num_fds = static_cast<uint16>(num_fds);
468 #if defined(IPC_USES_READWRITE)
469 if (!IsHelloMessage(*msg)) {
470 // Only the Hello message sends the file descriptor with the message.
471 // Subsequently, we can send file descriptors on the dedicated
472 // fd_pipe_ which makes Seccomp sandbox operation more efficient.
473 struct iovec fd_pipe_iov = { const_cast<char *>(""), 1 };
474 msgh.msg_iov = &fd_pipe_iov;
475 fd_written = fd_pipe_.get();
477 HANDLE_EINTR(sendmsg(fd_pipe_.get(), &msgh, MSG_DONTWAIT));
479 msgh.msg_controllen = 0;
480 if (bytes_written > 0) {
481 CloseFileDescriptors(msg);
484 #endif // IPC_USES_READWRITE
487 if (bytes_written == 1) {
488 fd_written = pipe_.get();
489 #if defined(IPC_USES_READWRITE)
490 if ((mode_ & MODE_CLIENT_FLAG) && IsHelloMessage(*msg)) {
491 DCHECK_EQ(msg->file_descriptor_set()->size(), 1U);
493 if (!msgh.msg_controllen) {
495 HANDLE_EINTR(write(pipe_.get(), out_bytes, amt_to_write));
497 #endif // IPC_USES_READWRITE
499 bytes_written = HANDLE_EINTR(sendmsg(pipe_.get(), &msgh, MSG_DONTWAIT));
502 if (bytes_written > 0)
503 CloseFileDescriptors(msg);
505 if (bytes_written < 0 && !SocketWriteErrorIsRecoverable()) {
506 // We can't close the pipe here, because calling OnChannelError
507 // may destroy this object, and that would be bad if we are
508 // called from Send(). Instead, we return false and hope the
509 // caller will close the pipe. If they do not, the pipe will
510 // still be closed next time OnFileCanReadWithoutBlocking is
512 #if defined(OS_MACOSX)
513 // On OSX writing to a pipe with no listener returns EPERM.
514 if (errno == EPERM) {
518 if (errno == EPIPE) {
521 PLOG(ERROR) << "pipe error on "
523 << " Currently writing message of size: "
528 if (static_cast<size_t>(bytes_written) != amt_to_write) {
529 if (bytes_written > 0) {
530 // If write() fails with EAGAIN then bytes_written will be -1.
531 message_send_bytes_written_ += bytes_written;
534 // Tell libevent to call us back once things are unblocked.
535 is_blocked_on_write_ = true;
536 base::MessageLoopForIO::current()->WatchFileDescriptor(
539 base::MessageLoopForIO::WATCH_WRITE,
544 message_send_bytes_written_ = 0;
547 DVLOG(2) << "sent message @" << msg << " on channel @" << this
548 << " with type " << msg->type() << " on fd " << pipe_.get();
549 delete output_queue_.front();
556 bool ChannelPosix::Send(Message* message) {
557 DVLOG(2) << "sending message @" << message << " on channel @" << this
558 << " with type " << message->type()
559 << " (" << output_queue_.size() << " in queue)";
561 #ifdef IPC_MESSAGE_LOG_ENABLED
562 Logging::GetInstance()->OnSendMessage(message, "");
563 #endif // IPC_MESSAGE_LOG_ENABLED
565 message->TraceMessageBegin();
566 output_queue_.push(message);
567 if (!is_blocked_on_write_ && !waiting_connect_) {
568 return ProcessOutgoingMessages();
574 int ChannelPosix::GetClientFileDescriptor() const {
575 base::AutoLock lock(client_pipe_lock_);
576 return client_pipe_.get();
579 base::ScopedFD ChannelPosix::TakeClientFileDescriptor() {
580 base::AutoLock lock(client_pipe_lock_);
581 if (!client_pipe_.is_valid())
582 return base::ScopedFD();
583 PipeMap::GetInstance()->Remove(pipe_name_);
584 return client_pipe_.Pass();
587 void ChannelPosix::CloseClientFileDescriptor() {
588 base::AutoLock lock(client_pipe_lock_);
589 if (!client_pipe_.is_valid())
591 PipeMap::GetInstance()->Remove(pipe_name_);
592 client_pipe_.reset();
595 bool ChannelPosix::AcceptsConnections() const {
596 return server_listen_pipe_.is_valid();
599 bool ChannelPosix::HasAcceptedConnection() const {
600 return AcceptsConnections() && pipe_.is_valid();
603 #if !defined(OS_NACL_NONSFI)
604 // GetPeerEuid is not supported in nacl_helper_nonsfi.
605 bool ChannelPosix::GetPeerEuid(uid_t* peer_euid) const {
606 DCHECK(!(mode_ & MODE_SERVER) || HasAcceptedConnection());
607 return IPC::GetPeerEuid(pipe_.get(), peer_euid);
611 void ChannelPosix::ResetToAcceptingConnectionState() {
612 // Unregister libevent for the unix domain socket and close it.
613 read_watcher_.StopWatchingFileDescriptor();
614 write_watcher_.StopWatchingFileDescriptor();
616 #if defined(IPC_USES_READWRITE)
618 remote_fd_pipe_.reset();
619 #endif // IPC_USES_READWRITE
621 while (!output_queue_.empty()) {
622 Message* m = output_queue_.front();
627 // Close any outstanding, received file descriptors.
630 #if defined(OS_MACOSX)
631 // Clear any outstanding, sent file descriptors.
632 for (std::set<int>::iterator i = fds_to_close_.begin();
633 i != fds_to_close_.end();
635 if (IGNORE_EINTR(close(*i)) < 0)
636 PLOG(ERROR) << "close";
638 fds_to_close_.clear();
643 bool ChannelPosix::IsNamedServerInitialized(
644 const std::string& channel_id) {
645 return base::PathExists(base::FilePath(channel_id));
648 #if defined(OS_LINUX)
650 void ChannelPosix::SetGlobalPid(int pid) {
655 // Called by libevent when we can read from the pipe without blocking.
656 void ChannelPosix::OnFileCanReadWithoutBlocking(int fd) {
657 if (fd == server_listen_pipe_.get()) {
658 #if defined(OS_NACL_NONSFI)
660 << "IPC channels in nacl_helper_nonsfi should not be SERVER mode.";
663 if (!ServerAcceptConnection(server_listen_pipe_.get(), &new_pipe) ||
666 listener()->OnChannelListenError();
669 if (pipe_.is_valid()) {
670 // We already have a connection. We only handle one at a time.
671 // close our new descriptor.
672 if (HANDLE_EINTR(shutdown(new_pipe, SHUT_RDWR)) < 0)
673 DPLOG(ERROR) << "shutdown " << pipe_name_;
674 if (IGNORE_EINTR(close(new_pipe)) < 0)
675 DPLOG(ERROR) << "close " << pipe_name_;
676 listener()->OnChannelDenied();
679 pipe_.reset(new_pipe);
681 if ((mode_ & MODE_OPEN_ACCESS_FLAG) == 0) {
682 // Verify that the IPC channel peer is running as the same user.
684 if (!GetPeerEuid(&client_euid)) {
685 DLOG(ERROR) << "Unable to query client euid";
686 ResetToAcceptingConnectionState();
689 if (client_euid != geteuid()) {
690 DLOG(WARNING) << "Client euid is not authorised";
691 ResetToAcceptingConnectionState();
696 if (!AcceptConnection()) {
697 NOTREACHED() << "AcceptConnection should not fail on server";
699 waiting_connect_ = false;
701 } else if (fd == pipe_) {
702 if (waiting_connect_ && (mode_ & MODE_SERVER_FLAG)) {
703 waiting_connect_ = false;
705 if (!ProcessIncomingMessages()) {
706 // ClosePipeOnError may delete this object, so we mustn't call
707 // ProcessOutgoingMessages.
712 NOTREACHED() << "Unknown pipe " << fd;
715 // If we're a server and handshaking, then we want to make sure that we
716 // only send our handshake message after we've processed the client's.
717 // This gives us a chance to kill the client if the incoming handshake
718 // is invalid. This also flushes any closefd messages.
719 if (!is_blocked_on_write_) {
720 if (!ProcessOutgoingMessages()) {
726 // Called by libevent when we can write to the pipe without blocking.
727 void ChannelPosix::OnFileCanWriteWithoutBlocking(int fd) {
728 DCHECK_EQ(pipe_.get(), fd);
729 is_blocked_on_write_ = false;
730 if (!ProcessOutgoingMessages()) {
735 bool ChannelPosix::AcceptConnection() {
736 base::MessageLoopForIO::current()->WatchFileDescriptor(
739 base::MessageLoopForIO::WATCH_READ,
744 if (mode_ & MODE_CLIENT_FLAG) {
745 // If we are a client we want to send a hello message out immediately.
746 // In server mode we will send a hello message when we receive one from a
748 waiting_connect_ = false;
749 return ProcessOutgoingMessages();
750 } else if (mode_ & MODE_SERVER_FLAG) {
751 waiting_connect_ = true;
759 void ChannelPosix::ClosePipeOnError() {
760 if (HasAcceptedConnection()) {
761 ResetToAcceptingConnectionState();
762 listener()->OnChannelError();
765 if (AcceptsConnections()) {
766 listener()->OnChannelListenError();
768 listener()->OnChannelError();
773 int ChannelPosix::GetHelloMessageProcId() const {
774 int pid = base::GetCurrentProcId();
775 #if defined(OS_LINUX)
776 // Our process may be in a sandbox with a separate PID namespace.
784 void ChannelPosix::QueueHelloMessage() {
785 // Create the Hello message
786 scoped_ptr<Message> msg(new Message(MSG_ROUTING_NONE,
788 IPC::Message::PRIORITY_NORMAL));
789 if (!msg->WriteInt(GetHelloMessageProcId())) {
790 NOTREACHED() << "Unable to pickle hello message proc id";
792 #if defined(IPC_USES_READWRITE)
793 scoped_ptr<Message> hello;
794 if (remote_fd_pipe_.is_valid()) {
795 if (!msg->WriteBorrowingFile(remote_fd_pipe_.get())) {
796 NOTREACHED() << "Unable to pickle hello message file descriptors";
798 DCHECK_EQ(msg->file_descriptor_set()->size(), 1U);
800 #endif // IPC_USES_READWRITE
801 output_queue_.push(msg.release());
804 ChannelPosix::ReadState ChannelPosix::ReadData(
808 if (!pipe_.is_valid())
811 struct msghdr msg = {0};
813 struct iovec iov = {buffer, static_cast<size_t>(buffer_len)};
817 msg.msg_control = input_cmsg_buf_;
819 // recvmsg() returns 0 if the connection has closed or EAGAIN if no data
820 // is waiting on the pipe.
821 #if defined(IPC_USES_READWRITE)
822 if (fd_pipe_.is_valid()) {
823 *bytes_read = HANDLE_EINTR(read(pipe_.get(), buffer, buffer_len));
824 msg.msg_controllen = 0;
826 #endif // IPC_USES_READWRITE
828 msg.msg_controllen = sizeof(input_cmsg_buf_);
829 *bytes_read = HANDLE_EINTR(recvmsg(pipe_.get(), &msg, MSG_DONTWAIT));
831 if (*bytes_read < 0) {
832 if (errno == EAGAIN) {
834 #if defined(OS_MACOSX)
835 } else if (errno == EPERM) {
836 // On OSX, reading from a pipe with no listener returns EPERM
837 // treat this as a special case to prevent spurious error messages
841 } else if (errno == ECONNRESET || errno == EPIPE) {
844 PLOG(ERROR) << "pipe error (" << pipe_.get() << ")";
847 } else if (*bytes_read == 0) {
848 // The pipe has closed...
853 CloseClientFileDescriptor();
855 // Read any file descriptors from the message.
856 if (!ExtractFileDescriptorsFromMsghdr(&msg))
858 return READ_SUCCEEDED;
861 #if defined(IPC_USES_READWRITE)
862 bool ChannelPosix::ReadFileDescriptorsFromFDPipe() {
864 struct iovec fd_pipe_iov = { &dummy, 1 };
866 struct msghdr msg = { 0 };
867 msg.msg_iov = &fd_pipe_iov;
869 msg.msg_control = input_cmsg_buf_;
870 msg.msg_controllen = sizeof(input_cmsg_buf_);
871 ssize_t bytes_received =
872 HANDLE_EINTR(recvmsg(fd_pipe_.get(), &msg, MSG_DONTWAIT));
874 if (bytes_received != 1)
875 return true; // No message waiting.
877 if (!ExtractFileDescriptorsFromMsghdr(&msg))
883 // On Posix, we need to fix up the file descriptors before the input message
886 // This will read from the input_fds_ (READWRITE mode only) and read more
887 // handles from the FD pipe if necessary.
888 bool ChannelPosix::WillDispatchInputMessage(Message* msg) {
889 uint16 header_fds = msg->header()->num_fds;
891 return true; // Nothing to do.
893 // The message has file descriptors.
894 const char* error = NULL;
895 if (header_fds > input_fds_.size()) {
896 // The message has been completely received, but we didn't get
897 // enough file descriptors.
898 #if defined(IPC_USES_READWRITE)
899 if (!ReadFileDescriptorsFromFDPipe())
901 if (header_fds > input_fds_.size())
902 #endif // IPC_USES_READWRITE
903 error = "Message needs unreceived descriptors";
906 if (header_fds > FileDescriptorSet::kMaxDescriptorsPerMessage)
907 error = "Message requires an excessive number of descriptors";
910 LOG(WARNING) << error
911 << " channel:" << this
912 << " message-type:" << msg->type()
913 << " header()->num_fds:" << header_fds;
914 // Abort the connection.
919 // The shenaniganery below with &foo.front() requires input_fds_ to have
920 // contiguous underlying storage (such as a simple array or a std::vector).
921 // This is why the header warns not to make input_fds_ a deque<>.
922 msg->file_descriptor_set()->AddDescriptorsToOwn(&input_fds_.front(),
924 input_fds_.erase(input_fds_.begin(), input_fds_.begin() + header_fds);
928 bool ChannelPosix::DidEmptyInputBuffers() {
929 // When the input data buffer is empty, the fds should be too. If this is
930 // not the case, we probably have a rogue renderer which is trying to fill
931 // our descriptor table.
932 return input_fds_.empty();
935 bool ChannelPosix::ExtractFileDescriptorsFromMsghdr(msghdr* msg) {
936 // Check that there are any control messages. On OSX, CMSG_FIRSTHDR will
937 // return an invalid non-NULL pointer in the case that controllen == 0.
938 if (msg->msg_controllen == 0)
941 for (cmsghdr* cmsg = CMSG_FIRSTHDR(msg);
943 cmsg = CMSG_NXTHDR(msg, cmsg)) {
944 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
945 unsigned payload_len = cmsg->cmsg_len - CMSG_LEN(0);
946 DCHECK_EQ(0U, payload_len % sizeof(int));
947 const int* file_descriptors = reinterpret_cast<int*>(CMSG_DATA(cmsg));
948 unsigned num_file_descriptors = payload_len / 4;
949 input_fds_.insert(input_fds_.end(),
951 file_descriptors + num_file_descriptors);
953 // Check this after adding the FDs so we don't leak them.
954 if (msg->msg_flags & MSG_CTRUNC) {
963 // No file descriptors found, but that's OK.
967 void ChannelPosix::ClearInputFDs() {
968 for (size_t i = 0; i < input_fds_.size(); ++i) {
969 if (IGNORE_EINTR(close(input_fds_[i])) < 0)
970 PLOG(ERROR) << "close ";
975 void ChannelPosix::QueueCloseFDMessage(int fd, int hops) {
979 // Create the message
980 scoped_ptr<Message> msg(new Message(MSG_ROUTING_NONE,
981 CLOSE_FD_MESSAGE_TYPE,
982 IPC::Message::PRIORITY_NORMAL));
983 if (!msg->WriteInt(hops - 1) || !msg->WriteInt(fd)) {
984 NOTREACHED() << "Unable to pickle close fd.";
986 // Send(msg.release());
987 output_queue_.push(msg.release());
997 void ChannelPosix::HandleInternalMessage(const Message& msg) {
998 // The Hello message contains only the process id.
999 PickleIterator iter(msg);
1001 switch (msg.type()) {
1006 case Channel::HELLO_MESSAGE_TYPE:
1008 if (!msg.ReadInt(&iter, &pid))
1011 #if defined(IPC_USES_READWRITE)
1012 if (mode_ & MODE_SERVER_FLAG) {
1013 // With IPC_USES_READWRITE, the Hello message from the client to the
1014 // server also contains the fd_pipe_, which will be used for all
1015 // subsequent file descriptor passing.
1016 DCHECK_EQ(msg.file_descriptor_set()->size(), 1U);
1017 base::ScopedFD descriptor;
1018 if (!msg.ReadFile(&iter, &descriptor)) {
1021 fd_pipe_.reset(descriptor.release());
1023 #endif // IPC_USES_READWRITE
1025 listener()->OnChannelConnected(pid);
1028 #if defined(OS_MACOSX)
1029 case Channel::CLOSE_FD_MESSAGE_TYPE:
1031 if (!msg.ReadInt(&iter, &hops))
1033 if (!msg.ReadInt(&iter, &fd))
1036 if (fds_to_close_.erase(fd) > 0) {
1037 if (IGNORE_EINTR(close(fd)) < 0)
1038 PLOG(ERROR) << "close";
1043 QueueCloseFDMessage(fd, hops);
1050 void ChannelPosix::Close() {
1051 // Close can be called multiple time, so we need to make sure we're
1054 ResetToAcceptingConnectionState();
1057 unlink(pipe_name_.c_str());
1058 must_unlink_ = false;
1061 if (server_listen_pipe_.is_valid()) {
1062 #if defined(OS_NACL_NONSFI)
1064 << "IPC channels in nacl_helper_nonsfi should not be SERVER mode.";
1066 server_listen_pipe_.reset();
1067 // Unregister libevent for the listening socket and close it.
1068 server_listen_connection_watcher_.StopWatchingFileDescriptor();
1072 CloseClientFileDescriptor();
1075 base::ProcessId ChannelPosix::GetPeerPID() const {
1079 base::ProcessId ChannelPosix::GetSelfPID() const {
1080 return GetHelloMessageProcId();
1083 //------------------------------------------------------------------------------
1084 // Channel's methods
1087 scoped_ptr<Channel> Channel::Create(
1088 const IPC::ChannelHandle &channel_handle, Mode mode, Listener* listener) {
1089 return make_scoped_ptr(new ChannelPosix(channel_handle, mode, listener));
1093 std::string Channel::GenerateVerifiedChannelID(const std::string& prefix) {
1094 // A random name is sufficient validation on posix systems, so we don't need
1095 // an additional shared secret.
1097 std::string id = prefix;
1101 return id.append(GenerateUniqueRandomChannelID());
1105 bool Channel::IsNamedServerInitialized(
1106 const std::string& channel_id) {
1107 return ChannelPosix::IsNamedServerInitialized(channel_id);
1110 #if defined(OS_LINUX)
1112 void Channel::SetGlobalPid(int pid) {
1113 ChannelPosix::SetGlobalPid(pid);