2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
20 #include <sys/types.h>
22 #include <sys/socket.h>
44 #include "got_error.h"
45 #include "got_opentemp.h"
47 #include "got_repository.h"
48 #include "got_object.h"
49 #include "got_reference.h"
51 #include "got_lib_delta.h"
52 #include "got_lib_object.h"
53 #include "got_lib_object_cache.h"
54 #include "got_lib_hash.h"
55 #include "got_lib_gitproto.h"
56 #include "got_lib_pack.h"
57 #include "got_lib_repository.h"
64 #include "repo_read.h"
65 #include "repo_write.h"
68 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
71 enum gotd_client_state {
72 GOTD_CLIENT_STATE_NEW,
73 GOTD_CLIENT_STATE_ACCESS_GRANTED,
76 struct gotd_child_proc {
78 enum gotd_procid type;
79 char repo_name[NAME_MAX];
80 char repo_path[PATH_MAX];
82 struct gotd_imsgev iev;
86 STAILQ_ENTRY(gotd_client) entry;
87 enum gotd_client_state state;
90 struct gotd_imsgev iev;
94 struct gotd_child_proc *repo;
95 struct gotd_child_proc *auth;
96 struct gotd_child_proc *session;
99 STAILQ_HEAD(gotd_clients, gotd_client);
101 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
102 static SIPHASH_KEY clients_hash_key;
103 volatile int client_cnt;
104 static struct timeval auth_timeout = { 5, 0 };
105 static struct gotd gotd;
107 void gotd_sighdlr(int sig, short event, void *arg);
108 static void gotd_shutdown(void);
109 static const struct got_error *start_session_child(struct gotd_client *,
110 struct gotd_repo *, char *, const char *, int, int);
111 static const struct got_error *start_repo_child(struct gotd_client *,
112 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
113 static const struct got_error *start_auth_child(struct gotd_client *, int,
114 struct gotd_repo *, char *, const char *, int, int);
115 static void kill_proc(struct gotd_child_proc *, int);
120 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
125 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
127 struct sockaddr_un sun;
129 mode_t old_umask, mode;
131 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
137 sun.sun_family = AF_UNIX;
138 if (strlcpy(sun.sun_path, unix_socket_path,
139 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
140 log_warnx("%s: name too long", unix_socket_path);
145 if (unlink(unix_socket_path) == -1) {
146 if (errno != ENOENT) {
147 log_warn("unlink %s", unix_socket_path);
153 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
154 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
156 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
157 log_warn("bind: %s", unix_socket_path);
165 if (chmod(unix_socket_path, mode) == -1) {
166 log_warn("chmod %o %s", mode, unix_socket_path);
168 unlink(unix_socket_path);
172 if (chown(unix_socket_path, uid, gid) == -1) {
173 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
175 unlink(unix_socket_path);
179 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
182 unlink(unix_socket_path);
190 client_hash(uint32_t client_id)
192 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
196 add_client(struct gotd_client *client)
198 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
199 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
203 static struct gotd_client *
204 find_client(uint32_t client_id)
207 struct gotd_client *c;
209 slot = client_hash(client_id) % nitems(gotd_clients);
210 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
211 if (c->id == client_id)
218 static struct gotd_client *
219 find_client_by_proc_fd(int fd)
223 for (slot = 0; slot < nitems(gotd_clients); slot++) {
224 struct gotd_client *c;
226 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
227 if (c->repo && c->repo->iev.ibuf.fd == fd)
229 if (c->auth && c->auth->iev.ibuf.fd == fd)
231 if (c->session && c->session->iev.ibuf.fd == fd)
240 client_is_reading(struct gotd_client *client)
242 return (client->required_auth &
243 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
247 client_is_writing(struct gotd_client *client)
249 return (client->required_auth &
250 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
251 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
254 static const struct got_error *
255 ensure_client_is_not_writing(struct gotd_client *client)
257 if (client_is_writing(client)) {
258 return got_error_fmt(GOT_ERR_BAD_PACKET,
259 "uid %d made a read-request but is writing to "
260 "a repository", client->euid);
266 static const struct got_error *
267 ensure_client_is_not_reading(struct gotd_client *client)
269 if (client_is_reading(client)) {
270 return got_error_fmt(GOT_ERR_BAD_PACKET,
271 "uid %d made a write-request but is reading from "
272 "a repository", client->euid);
279 wait_for_child(pid_t child_pid)
284 log_debug("waiting for child PID %ld to terminate",
288 pid = waitpid(child_pid, &status, WNOHANG);
290 if (errno != EINTR && errno != ECHILD)
292 } else if (WIFSIGNALED(status)) {
293 log_warnx("child PID %ld terminated; signal %d",
294 (long)pid, WTERMSIG(status));
296 } while (pid != -1 || (pid == -1 && errno == EINTR));
300 proc_done(struct gotd_child_proc *proc)
302 event_del(&proc->iev.ev);
303 msgbuf_clear(&proc->iev.ibuf.w);
304 close(proc->iev.ibuf.fd);
306 wait_for_child(proc->pid);
311 kill_auth_proc(struct gotd_client *client)
313 struct gotd_child_proc *proc;
315 if (client->auth == NULL)
325 kill_session_proc(struct gotd_client *client)
327 struct gotd_child_proc *proc;
329 if (client->session == NULL)
332 proc = client->session;
333 client->session = NULL;
339 disconnect(struct gotd_client *client)
341 struct gotd_imsg_disconnect idisconnect;
342 struct gotd_child_proc *proc = client->repo;
343 struct gotd_child_proc *listen_proc = gotd.listen_proc;
346 log_debug("uid %d: disconnecting", client->euid);
348 kill_auth_proc(client);
349 kill_session_proc(client);
352 event_del(&proc->iev.ev);
353 msgbuf_clear(&proc->iev.ibuf.w);
354 close(proc->iev.ibuf.fd);
356 wait_for_child(proc->pid);
361 idisconnect.client_id = client->id;
362 if (gotd_imsg_compose_event(&listen_proc->iev,
363 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
364 &idisconnect, sizeof(idisconnect)) == -1)
365 log_warn("imsg compose DISCONNECT");
367 slot = client_hash(client->id) % nitems(gotd_clients);
368 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
369 imsg_clear(&client->iev.ibuf);
370 event_del(&client->iev.ev);
371 evtimer_del(&client->tmo);
372 if (client->fd != -1)
374 else if (client->iev.ibuf.fd != -1)
375 close(client->iev.ibuf.fd);
381 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
385 log_warnx("uid %d: %s", client->euid, err->msg);
386 if (err->code != GOT_ERR_EOF && client->fd != -1) {
387 imsg_init(&ibuf, client->fd);
388 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
394 static const struct got_error *
395 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
397 const struct got_error *err = NULL;
398 struct gotd_imsg_info_repo irepo;
400 memset(&irepo, 0, sizeof(irepo));
402 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
403 >= sizeof(irepo.repo_name))
404 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
405 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
406 >= sizeof(irepo.repo_path))
407 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
409 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
410 &irepo, sizeof(irepo)) == -1) {
411 err = got_error_from_errno("imsg compose INFO_REPO");
419 static const struct got_error *
420 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
422 const struct got_error *err = NULL;
423 struct gotd_imsg_info_client iclient;
424 struct gotd_child_proc *proc;
426 memset(&iclient, 0, sizeof(iclient));
427 iclient.euid = client->euid;
428 iclient.egid = client->egid;
432 if (strlcpy(iclient.repo_name, proc->repo_path,
433 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
434 return got_error_msg(GOT_ERR_NO_SPACE,
435 "repo name too long");
437 if (client_is_writing(client))
438 iclient.is_writing = 1;
440 iclient.repo_child_pid = proc->pid;
444 iclient.session_child_pid = client->session->pid;
446 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
447 &iclient, sizeof(iclient)) == -1) {
448 err = got_error_from_errno("imsg compose INFO_CLIENT");
456 static const struct got_error *
457 send_info(struct gotd_client *client)
459 const struct got_error *err = NULL;
460 struct gotd_imsg_info info;
462 struct gotd_repo *repo;
464 if (client->euid != 0)
465 return got_error_set_errno(EPERM, "info");
468 info.verbosity = gotd.verbosity;
469 info.nrepos = gotd.nrepos;
470 info.nclients = client_cnt - 1;
472 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
473 &info, sizeof(info)) == -1) {
474 err = got_error_from_errno("imsg compose INFO");
479 TAILQ_FOREACH(repo, &gotd.repos, entry) {
480 err = send_repo_info(&client->iev, repo);
485 for (slot = 0; slot < nitems(gotd_clients); slot++) {
486 struct gotd_client *c;
487 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
488 if (c->id == client->id)
490 err = send_client_info(&client->iev, c);
499 static const struct got_error *
500 stop_gotd(struct gotd_client *client)
503 if (client->euid != 0)
504 return got_error_set_errno(EPERM, "stop");
511 static const struct got_error *
512 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
514 const struct got_error *err;
515 struct gotd_imsg_list_refs ireq;
516 struct gotd_repo *repo = NULL;
519 log_debug("list-refs request from uid %d", client->euid);
521 if (client->state != GOTD_CLIENT_STATE_NEW)
522 return got_error_msg(GOT_ERR_BAD_REQUEST,
523 "unexpected list-refs request received");
525 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
526 if (datalen != sizeof(ireq))
527 return got_error(GOT_ERR_PRIVSEP_LEN);
529 memcpy(&ireq, imsg->data, datalen);
531 if (ireq.client_is_reading) {
532 err = ensure_client_is_not_writing(client);
535 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
537 return got_error(GOT_ERR_NOT_GIT_REPO);
538 err = start_auth_child(client, GOTD_AUTH_READ, repo,
539 gotd.argv0, gotd.confpath, gotd.daemonize,
544 err = ensure_client_is_not_reading(client);
547 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
549 return got_error(GOT_ERR_NOT_GIT_REPO);
550 err = start_auth_child(client,
551 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
552 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
558 evtimer_add(&client->tmo, &auth_timeout);
560 /* Flow continues upon authentication successs/failure or timeout. */
565 gotd_request(int fd, short events, void *arg)
567 struct gotd_imsgev *iev = arg;
568 struct imsgbuf *ibuf = &iev->ibuf;
569 struct gotd_client *client = iev->handler_arg;
570 const struct got_error *err = NULL;
574 if (events & EV_WRITE) {
575 while (ibuf->w.queued) {
576 n = msgbuf_write(&ibuf->w);
577 if (n == -1 && errno == EPIPE) {
579 * The client has closed its socket.
580 * This can happen when Git clients are
581 * done sending pack file data.
583 msgbuf_clear(&ibuf->w);
585 } else if (n == -1 && errno != EAGAIN) {
586 err = got_error_from_errno("imsg_flush");
587 disconnect_on_error(client, err);
591 /* Connection closed. */
592 err = got_error(GOT_ERR_EOF);
593 disconnect_on_error(client, err);
598 /* Disconnect gotctl(8) now that messages have been sent. */
599 if (!client_is_reading(client) && !client_is_writing(client)) {
605 if ((events & EV_READ) == 0)
608 memset(&imsg, 0, sizeof(imsg));
610 while (err == NULL) {
611 err = gotd_imsg_recv(&imsg, ibuf, 0);
613 if (err->code == GOT_ERR_PRIVSEP_READ)
618 evtimer_del(&client->tmo);
620 switch (imsg.hdr.type) {
622 err = send_info(client);
625 err = stop_gotd(client);
627 case GOTD_IMSG_LIST_REFS:
628 err = start_client_authentication(client, &imsg);
631 log_debug("unexpected imsg %d", imsg.hdr.type);
632 err = got_error(GOT_ERR_PRIVSEP_MSG);
640 disconnect_on_error(client, err);
642 gotd_imsg_event_add(&client->iev);
647 gotd_auth_timeout(int fd, short events, void *arg)
649 struct gotd_client *client = arg;
651 log_debug("disconnecting uid %d due to authentication timeout",
656 static const struct got_error *
657 recv_connect(uint32_t *client_id, struct imsg *imsg)
659 const struct got_error *err = NULL;
660 struct gotd_imsg_connect iconnect;
663 struct gotd_client *client = NULL;
667 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
668 if (datalen != sizeof(iconnect))
669 return got_error(GOT_ERR_PRIVSEP_LEN);
670 memcpy(&iconnect, imsg->data, sizeof(iconnect));
674 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
678 if (find_client(iconnect.client_id)) {
679 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
683 client = calloc(1, sizeof(*client));
684 if (client == NULL) {
685 err = got_error_from_errno("calloc");
689 *client_id = iconnect.client_id;
691 client->state = GOTD_CLIENT_STATE_NEW;
692 client->id = iconnect.client_id;
695 /* The auth process will verify UID/GID for us. */
696 client->euid = iconnect.euid;
697 client->egid = iconnect.egid;
699 imsg_init(&client->iev.ibuf, client->fd);
700 client->iev.handler = gotd_request;
701 client->iev.events = EV_READ;
702 client->iev.handler_arg = client;
704 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
706 gotd_imsg_event_add(&client->iev);
708 evtimer_set(&client->tmo, gotd_auth_timeout, client);
711 log_debug("%s: new client uid %d connected on fd %d", __func__,
712 client->euid, client->fd);
715 struct gotd_child_proc *listen_proc = gotd.listen_proc;
716 struct gotd_imsg_disconnect idisconnect;
718 idisconnect.client_id = client->id;
719 if (gotd_imsg_compose_event(&listen_proc->iev,
720 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
721 &idisconnect, sizeof(idisconnect)) == -1)
722 log_warn("imsg compose DISCONNECT");
731 static const char *gotd_proc_names[PROC_MAX] = {
742 kill_proc(struct gotd_child_proc *proc, int fatal)
745 log_warnx("sending SIGKILL to PID %d", proc->pid);
746 kill(proc->pid, SIGKILL);
748 kill(proc->pid, SIGTERM);
754 struct gotd_child_proc *proc;
757 log_debug("shutting down");
758 for (slot = 0; slot < nitems(gotd_clients); slot++) {
759 struct gotd_client *c, *tmp;
761 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
765 proc = gotd.listen_proc;
766 msgbuf_clear(&proc->iev.ibuf.w);
767 close(proc->iev.ibuf.fd);
769 wait_for_child(proc->pid);
772 log_info("terminating");
777 gotd_sighdlr(int sig, short event, void *arg)
780 * Normal signal handler rules don't apply because libevent
786 log_info("%s: ignoring SIGHUP", __func__);
789 log_info("%s: ignoring SIGUSR1", __func__);
796 fatalx("unexpected signal");
800 static const struct got_error *
801 ensure_proc_is_reading(struct gotd_client *client,
802 struct gotd_child_proc *proc)
804 if (!client_is_reading(client)) {
806 return got_error_fmt(GOT_ERR_BAD_PACKET,
807 "PID %d handled a read-request for uid %d but this "
808 "user is not reading from a repository", proc->pid,
815 static const struct got_error *
816 ensure_proc_is_writing(struct gotd_client *client,
817 struct gotd_child_proc *proc)
819 if (!client_is_writing(client)) {
821 return got_error_fmt(GOT_ERR_BAD_PACKET,
822 "PID %d handled a write-request for uid %d but this "
823 "user is not writing to a repository", proc->pid,
831 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
834 const struct got_error *err;
837 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
838 if (client->repo == NULL)
839 fatalx("no process found for uid %d", client->euid);
840 if (proc->pid != client->repo->pid) {
842 log_warnx("received message from PID %d for uid %d, "
843 "while PID %d is the process serving this user",
844 proc->pid, client->euid, client->repo->pid);
848 if (proc->type == PROC_SESSION_READ ||
849 proc->type == PROC_SESSION_WRITE) {
850 if (client->session == NULL) {
851 log_warnx("no session found for uid %d", client->euid);
854 if (proc->pid != client->session->pid) {
856 log_warnx("received message from PID %d for uid %d, "
857 "while PID %d is the process serving this user",
858 proc->pid, client->euid, client->session->pid);
863 switch (imsg->hdr.type) {
864 case GOTD_IMSG_ERROR:
867 case GOTD_IMSG_CONNECT:
868 if (proc->type != PROC_LISTEN) {
869 err = got_error_fmt(GOT_ERR_BAD_PACKET,
870 "new connection for uid %d from PID %d "
871 "which is not the listen process",
872 proc->pid, client->euid);
876 case GOTD_IMSG_ACCESS_GRANTED:
877 if (proc->type != PROC_AUTH) {
878 err = got_error_fmt(GOT_ERR_BAD_PACKET,
879 "authentication of uid %d from PID %d "
880 "which is not the auth process",
881 proc->pid, client->euid);
885 case GOTD_IMSG_CLIENT_SESSION_READY:
886 if (proc->type != PROC_SESSION_READ &&
887 proc->type != PROC_SESSION_WRITE) {
888 err = got_error_fmt(GOT_ERR_BAD_PACKET,
889 "unexpected \"ready\" signal from PID %d",
894 case GOTD_IMSG_REPO_CHILD_READY:
895 if (proc->type != PROC_REPO_READ &&
896 proc->type != PROC_REPO_WRITE) {
897 err = got_error_fmt(GOT_ERR_BAD_PACKET,
898 "unexpected \"ready\" signal from PID %d",
903 case GOTD_IMSG_PACKFILE_DONE:
904 err = ensure_proc_is_reading(client, proc);
906 log_warnx("uid %d: %s", client->euid, err->msg);
910 case GOTD_IMSG_PACKFILE_INSTALL:
911 case GOTD_IMSG_REF_UPDATES_START:
912 case GOTD_IMSG_REF_UPDATE:
913 err = ensure_proc_is_writing(client, proc);
915 log_warnx("uid %d: %s", client->euid, err->msg);
920 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
927 static const struct got_error *
928 connect_repo_child(struct gotd_client *client,
929 struct gotd_child_proc *repo_proc)
931 static const struct got_error *err;
932 struct gotd_imsgev *session_iev = &client->session->iev;
933 struct gotd_imsg_connect_repo_child ireq;
936 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
937 return got_error_msg(GOT_ERR_BAD_REQUEST,
938 "unexpected repo child ready signal received");
940 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
941 PF_UNSPEC, pipe) == -1)
944 memset(&ireq, 0, sizeof(ireq));
945 ireq.client_id = client->id;
946 ireq.proc_id = repo_proc->type;
948 /* Pass repo child pipe to session child process. */
949 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
950 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
951 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
957 /* Pass session child pipe to repo child process. */
958 if (gotd_imsg_compose_event(&repo_proc->iev,
959 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
960 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
969 gotd_dispatch_listener(int fd, short event, void *arg)
971 struct gotd_imsgev *iev = arg;
972 struct imsgbuf *ibuf = &iev->ibuf;
973 struct gotd_child_proc *proc = gotd.listen_proc;
978 if (proc->iev.ibuf.fd != fd)
979 fatalx("%s: unexpected fd %d", __func__, fd);
981 if (event & EV_READ) {
982 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
983 fatal("imsg_read error");
985 /* Connection closed. */
991 if (event & EV_WRITE) {
992 n = msgbuf_write(&ibuf->w);
993 if (n == -1 && errno != EAGAIN)
994 fatal("msgbuf_write");
996 /* Connection closed. */
1003 const struct got_error *err = NULL;
1004 struct gotd_client *client = NULL;
1005 uint32_t client_id = 0;
1006 int do_disconnect = 0;
1008 if ((n = imsg_get(ibuf, &imsg)) == -1)
1009 fatal("%s: imsg_get error", __func__);
1010 if (n == 0) /* No more messages. */
1013 switch (imsg.hdr.type) {
1014 case GOTD_IMSG_ERROR:
1016 err = gotd_imsg_recv_error(&client_id, &imsg);
1018 case GOTD_IMSG_CONNECT:
1019 err = recv_connect(&client_id, &imsg);
1022 log_debug("unexpected imsg %d", imsg.hdr.type);
1026 client = find_client(client_id);
1027 if (client == NULL) {
1028 log_warnx("%s: client not found", __func__);
1034 log_warnx("uid %d: %s", client->euid, err->msg);
1036 if (do_disconnect) {
1038 disconnect_on_error(client, err);
1047 gotd_imsg_event_add(iev);
1049 /* This pipe is dead. Remove its event handler */
1050 event_del(&iev->ev);
1051 event_loopexit(NULL);
1056 gotd_dispatch_auth_child(int fd, short event, void *arg)
1058 const struct got_error *err = NULL;
1059 struct gotd_imsgev *iev = arg;
1060 struct imsgbuf *ibuf = &iev->ibuf;
1061 struct gotd_client *client;
1062 struct gotd_repo *repo = NULL;
1066 uint32_t client_id = 0;
1067 int do_disconnect = 0;
1069 client = find_client_by_proc_fd(fd);
1070 if (client == NULL) {
1071 /* Can happen during process teardown. */
1072 warnx("cannot find client for fd %d", fd);
1077 if (client->auth == NULL)
1078 fatalx("cannot find auth child process for fd %d", fd);
1080 if (event & EV_READ) {
1081 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1082 fatal("imsg_read error");
1084 /* Connection closed. */
1090 if (event & EV_WRITE) {
1091 n = msgbuf_write(&ibuf->w);
1092 if (n == -1 && errno != EAGAIN)
1093 fatal("msgbuf_write");
1095 /* Connection closed. */
1101 if (client->auth->iev.ibuf.fd != fd)
1102 fatalx("%s: unexpected fd %d", __func__, fd);
1104 if ((n = imsg_get(ibuf, &imsg)) == -1)
1105 fatal("%s: imsg_get error", __func__);
1106 if (n == 0) /* No more messages. */
1109 evtimer_del(&client->tmo);
1111 switch (imsg.hdr.type) {
1112 case GOTD_IMSG_ERROR:
1114 err = gotd_imsg_recv_error(&client_id, &imsg);
1116 case GOTD_IMSG_ACCESS_GRANTED:
1117 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1121 log_debug("unexpected imsg %d", imsg.hdr.type);
1125 if (!verify_imsg_src(client, client->auth, &imsg)) {
1127 log_debug("dropping imsg type %d from PID %d",
1128 imsg.hdr.type, client->auth->pid);
1132 if (do_disconnect) {
1134 disconnect_on_error(client, err);
1140 repo = gotd_find_repo_by_name(client->auth->repo_name, &gotd);
1142 err = got_error(GOT_ERR_NOT_GIT_REPO);
1145 kill_auth_proc(client);
1147 log_info("authenticated uid %d for repository %s",
1148 client->euid, repo->name);
1150 err = start_session_child(client, repo, gotd.argv0,
1151 gotd.confpath, gotd.daemonize, gotd.verbosity);
1156 log_warnx("uid %d: %s", client->euid, err->msg);
1158 /* We might have killed the auth process by now. */
1159 if (client->auth != NULL) {
1161 gotd_imsg_event_add(iev);
1163 /* This pipe is dead. Remove its event handler */
1164 event_del(&iev->ev);
1169 static const struct got_error *
1170 connect_session(struct gotd_client *client)
1172 const struct got_error *err = NULL;
1173 struct gotd_imsg_connect iconnect;
1176 memset(&iconnect, 0, sizeof(iconnect));
1178 s = dup(client->fd);
1180 return got_error_from_errno("dup");
1182 iconnect.client_id = client->id;
1183 iconnect.euid = client->euid;
1184 iconnect.egid = client->egid;
1186 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1187 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1188 err = got_error_from_errno("imsg compose CONNECT");
1194 * We are no longer interested in messages from this client.
1195 * Further client requests will be handled by the session process.
1197 msgbuf_clear(&client->iev.ibuf.w);
1198 imsg_clear(&client->iev.ibuf);
1199 event_del(&client->iev.ev);
1200 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1206 gotd_dispatch_client_session(int fd, short event, void *arg)
1208 struct gotd_imsgev *iev = arg;
1209 struct imsgbuf *ibuf = &iev->ibuf;
1210 struct gotd_child_proc *proc = NULL;
1211 struct gotd_client *client = NULL;
1216 client = find_client_by_proc_fd(fd);
1217 if (client == NULL) {
1218 /* Can happen during process teardown. */
1219 warnx("cannot find client for fd %d", fd);
1224 if (event & EV_READ) {
1225 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1226 fatal("imsg_read error");
1228 /* Connection closed. */
1234 if (event & EV_WRITE) {
1235 n = msgbuf_write(&ibuf->w);
1236 if (n == -1 && errno != EAGAIN)
1237 fatal("msgbuf_write");
1239 /* Connection closed. */
1245 proc = client->session;
1247 fatalx("cannot find session child process for fd %d", fd);
1250 const struct got_error *err = NULL;
1251 uint32_t client_id = 0;
1252 int do_disconnect = 0, do_start_repo_child = 0;
1254 if ((n = imsg_get(ibuf, &imsg)) == -1)
1255 fatal("%s: imsg_get error", __func__);
1256 if (n == 0) /* No more messages. */
1259 switch (imsg.hdr.type) {
1260 case GOTD_IMSG_ERROR:
1262 err = gotd_imsg_recv_error(&client_id, &imsg);
1264 case GOTD_IMSG_CLIENT_SESSION_READY:
1265 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1266 err = got_error(GOT_ERR_PRIVSEP_MSG);
1269 do_start_repo_child = 1;
1271 case GOTD_IMSG_DISCONNECT:
1275 log_debug("unexpected imsg %d", imsg.hdr.type);
1279 if (!verify_imsg_src(client, proc, &imsg)) {
1280 log_debug("dropping imsg type %d from PID %d",
1281 imsg.hdr.type, proc->pid);
1286 log_warnx("uid %d: %s", client->euid, err->msg);
1288 if (do_start_repo_child) {
1289 struct gotd_repo *repo;
1290 const char *name = client->session->repo_name;
1292 repo = gotd_find_repo_by_name(name, &gotd);
1294 enum gotd_procid proc_type;
1296 if (client->required_auth & GOTD_AUTH_WRITE)
1297 proc_type = PROC_REPO_WRITE;
1299 proc_type = PROC_REPO_READ;
1301 err = start_repo_child(client, proc_type, repo,
1302 gotd.argv0, gotd.confpath, gotd.daemonize,
1305 err = got_error(GOT_ERR_NOT_GIT_REPO);
1308 log_warnx("uid %d: %s", client->euid, err->msg);
1313 if (do_disconnect) {
1315 disconnect_on_error(client, err);
1324 gotd_imsg_event_add(iev);
1326 /* This pipe is dead. Remove its event handler */
1327 event_del(&iev->ev);
1333 gotd_dispatch_repo_child(int fd, short event, void *arg)
1335 struct gotd_imsgev *iev = arg;
1336 struct imsgbuf *ibuf = &iev->ibuf;
1337 struct gotd_child_proc *proc = NULL;
1338 struct gotd_client *client;
1343 client = find_client_by_proc_fd(fd);
1344 if (client == NULL) {
1345 /* Can happen during process teardown. */
1346 warnx("cannot find client for fd %d", fd);
1351 if (event & EV_READ) {
1352 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1353 fatal("imsg_read error");
1355 /* Connection closed. */
1361 if (event & EV_WRITE) {
1362 n = msgbuf_write(&ibuf->w);
1363 if (n == -1 && errno != EAGAIN)
1364 fatal("msgbuf_write");
1366 /* Connection closed. */
1372 proc = client->repo;
1374 fatalx("cannot find child process for fd %d", fd);
1377 const struct got_error *err = NULL;
1378 uint32_t client_id = 0;
1379 int do_disconnect = 0;
1381 if ((n = imsg_get(ibuf, &imsg)) == -1)
1382 fatal("%s: imsg_get error", __func__);
1383 if (n == 0) /* No more messages. */
1386 switch (imsg.hdr.type) {
1387 case GOTD_IMSG_ERROR:
1389 err = gotd_imsg_recv_error(&client_id, &imsg);
1391 case GOTD_IMSG_REPO_CHILD_READY:
1392 err = connect_session(client);
1395 err = connect_repo_child(client, proc);
1398 log_debug("unexpected imsg %d", imsg.hdr.type);
1402 if (!verify_imsg_src(client, proc, &imsg)) {
1403 log_debug("dropping imsg type %d from PID %d",
1404 imsg.hdr.type, proc->pid);
1409 log_warnx("uid %d: %s", client->euid, err->msg);
1411 if (do_disconnect) {
1413 disconnect_on_error(client, err);
1422 gotd_imsg_event_add(iev);
1424 /* This pipe is dead. Remove its event handler */
1425 event_del(&iev->ev);
1431 start_child(enum gotd_procid proc_id, const char *repo_path,
1432 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1438 switch (pid = fork()) {
1440 fatal("cannot fork");
1448 if (fd != GOTD_FILENO_MSG_PIPE) {
1449 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1450 fatal("cannot setup imsg fd");
1451 } else if (fcntl(fd, F_SETFD, 0) == -1)
1452 fatal("cannot setup imsg fd");
1454 argv[argc++] = argv0;
1457 argv[argc++] = (char *)"-L";
1460 argv[argc++] = (char *)"-A";
1462 case PROC_SESSION_READ:
1463 argv[argc++] = (char *)"-s";
1465 case PROC_SESSION_WRITE:
1466 argv[argc++] = (char *)"-S";
1468 case PROC_REPO_READ:
1469 argv[argc++] = (char *)"-R";
1471 case PROC_REPO_WRITE:
1472 argv[argc++] = (char *)"-W";
1475 fatalx("invalid process id %d", proc_id);
1478 argv[argc++] = (char *)"-f";
1479 argv[argc++] = (char *)confpath;
1482 argv[argc++] = (char *)"-P";
1483 argv[argc++] = (char *)repo_path;
1487 argv[argc++] = (char *)"-d";
1489 argv[argc++] = (char *)"-v";
1491 argv[argc++] = (char *)"-v";
1492 argv[argc++] = NULL;
1494 execvp(argv0, argv);
1499 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1501 struct gotd_child_proc *proc;
1503 proc = calloc(1, sizeof(*proc));
1507 proc->type = PROC_LISTEN;
1509 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1510 PF_UNSPEC, proc->pipe) == -1)
1511 fatal("socketpair");
1513 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1514 proc->pipe[1], daemonize, verbosity);
1515 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1516 proc->iev.handler = gotd_dispatch_listener;
1517 proc->iev.events = EV_READ;
1518 proc->iev.handler_arg = NULL;
1520 gotd.listen_proc = proc;
1523 static const struct got_error *
1524 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1525 char *argv0, const char *confpath, int daemonize, int verbosity)
1527 struct gotd_child_proc *proc;
1529 proc = calloc(1, sizeof(*proc));
1531 return got_error_from_errno("calloc");
1533 if (client_is_reading(client))
1534 proc->type = PROC_SESSION_READ;
1536 proc->type = PROC_SESSION_WRITE;
1537 if (strlcpy(proc->repo_name, repo->name,
1538 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1539 fatalx("repository name too long: %s", repo->name);
1540 log_debug("starting client uid %d session for repository %s",
1541 client->euid, repo->name);
1542 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1543 sizeof(proc->repo_path))
1544 fatalx("repository path too long: %s", repo->path);
1545 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1546 PF_UNSPEC, proc->pipe) == -1)
1547 fatal("socketpair");
1548 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1549 confpath, proc->pipe[1], daemonize, verbosity);
1550 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1551 log_debug("proc %s %s is on fd %d",
1552 gotd_proc_names[proc->type], proc->repo_path,
1554 proc->iev.handler = gotd_dispatch_client_session;
1555 proc->iev.events = EV_READ;
1556 proc->iev.handler_arg = NULL;
1557 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1558 gotd_dispatch_client_session, &proc->iev);
1559 gotd_imsg_event_add(&proc->iev);
1561 client->session = proc;
1565 static const struct got_error *
1566 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1567 struct gotd_repo *repo, char *argv0, const char *confpath,
1568 int daemonize, int verbosity)
1570 struct gotd_child_proc *proc;
1572 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1573 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1575 proc = calloc(1, sizeof(*proc));
1577 return got_error_from_errno("calloc");
1579 proc->type = proc_type;
1580 if (strlcpy(proc->repo_name, repo->name,
1581 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1582 fatalx("repository name too long: %s", repo->name);
1583 log_debug("starting %s for repository %s",
1584 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1585 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1586 sizeof(proc->repo_path))
1587 fatalx("repository path too long: %s", repo->path);
1588 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1589 PF_UNSPEC, proc->pipe) == -1)
1590 fatal("socketpair");
1591 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1592 confpath, proc->pipe[1], daemonize, verbosity);
1593 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1594 log_debug("proc %s %s is on fd %d",
1595 gotd_proc_names[proc->type], proc->repo_path,
1597 proc->iev.handler = gotd_dispatch_repo_child;
1598 proc->iev.events = EV_READ;
1599 proc->iev.handler_arg = NULL;
1600 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1601 gotd_dispatch_repo_child, &proc->iev);
1602 gotd_imsg_event_add(&proc->iev);
1604 client->repo = proc;
1608 static const struct got_error *
1609 start_auth_child(struct gotd_client *client, int required_auth,
1610 struct gotd_repo *repo, char *argv0, const char *confpath,
1611 int daemonize, int verbosity)
1613 const struct got_error *err = NULL;
1614 struct gotd_child_proc *proc;
1615 struct gotd_imsg_auth iauth;
1618 memset(&iauth, 0, sizeof(iauth));
1620 fd = dup(client->fd);
1622 return got_error_from_errno("dup");
1624 proc = calloc(1, sizeof(*proc));
1626 err = got_error_from_errno("calloc");
1631 proc->type = PROC_AUTH;
1632 if (strlcpy(proc->repo_name, repo->name,
1633 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1634 fatalx("repository name too long: %s", repo->name);
1635 log_debug("starting auth for uid %d repository %s",
1636 client->euid, repo->name);
1637 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1638 sizeof(proc->repo_path))
1639 fatalx("repository path too long: %s", repo->path);
1640 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1641 PF_UNSPEC, proc->pipe) == -1)
1642 fatal("socketpair");
1643 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1644 confpath, proc->pipe[1], daemonize, verbosity);
1645 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1646 log_debug("proc %s %s is on fd %d",
1647 gotd_proc_names[proc->type], proc->repo_path,
1649 proc->iev.handler = gotd_dispatch_auth_child;
1650 proc->iev.events = EV_READ;
1651 proc->iev.handler_arg = NULL;
1652 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1653 gotd_dispatch_auth_child, &proc->iev);
1654 gotd_imsg_event_add(&proc->iev);
1656 iauth.euid = client->euid;
1657 iauth.egid = client->egid;
1658 iauth.required_auth = required_auth;
1659 iauth.client_id = client->id;
1660 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1661 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1662 log_warn("imsg compose AUTHENTICATE");
1664 /* Let the auth_timeout handler tidy up. */
1667 client->auth = proc;
1668 client->required_auth = required_auth;
1673 apply_unveil_repo_readonly(const char *repo_path, int need_tmpdir)
1676 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1677 fatal("unveil %s", GOT_TMPDIR_STR);
1680 if (unveil(repo_path, "r") == -1)
1681 fatal("unveil %s", repo_path);
1683 if (unveil(NULL, NULL) == -1)
1688 apply_unveil_repo_readwrite(const char *repo_path)
1690 if (unveil(repo_path, "rwc") == -1)
1691 fatal("unveil %s", repo_path);
1693 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1694 fatal("unveil %s", GOT_TMPDIR_STR);
1696 if (unveil(NULL, NULL) == -1)
1701 apply_unveil_none(void)
1703 if (unveil("/", "") == -1)
1706 if (unveil(NULL, NULL) == -1)
1711 apply_unveil_selfexec(void)
1713 if (unveil(gotd.argv0, "x") == -1)
1714 fatal("unveil %s", gotd.argv0);
1716 if (unveil(NULL, NULL) == -1)
1721 main(int argc, char **argv)
1723 const struct got_error *error = NULL;
1724 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1725 const char *confpath = GOTD_CONF_PATH;
1726 char *argv0 = argv[0];
1728 struct passwd *pw = NULL;
1729 char *repo_path = NULL;
1730 enum gotd_procid proc_id = PROC_GOTD;
1731 struct event evsigint, evsigterm, evsighup, evsigusr1;
1732 int *pack_fds = NULL, *temp_fds = NULL;
1733 struct gotd_repo *repo = NULL;
1735 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1737 while ((ch = getopt(argc, argv, "Adf:LnP:RsSvW")) != -1) {
1740 proc_id = PROC_AUTH;
1749 proc_id = PROC_LISTEN;
1755 repo_path = realpath(optarg, NULL);
1756 if (repo_path == NULL)
1757 fatal("realpath '%s'", optarg);
1760 proc_id = PROC_REPO_READ;
1763 proc_id = PROC_SESSION_READ;
1766 proc_id = PROC_SESSION_WRITE;
1773 proc_id = PROC_REPO_WRITE;
1786 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1787 fatalx("need root privileges");
1789 if (parse_config(confpath, proc_id, &gotd, 1) != 0)
1792 pw = getpwnam(gotd.user_name);
1794 fatalx("user %s not found", gotd.user_name);
1796 if (pw->pw_uid == 0)
1797 fatalx("cannot run %s as the superuser", getprogname());
1800 fprintf(stderr, "configuration OK\n");
1805 gotd.daemonize = daemonize;
1806 gotd.verbosity = verbosity;
1807 gotd.confpath = confpath;
1809 /* Require an absolute path in argv[0] for reliable re-exec. */
1810 if (!got_path_is_absolute(argv0))
1811 fatalx("bad path \"%s\": must be an absolute path", argv0);
1813 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1814 log_setverbose(verbosity);
1816 if (proc_id == PROC_GOTD) {
1817 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1818 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1819 if (daemonize && daemon(1, 0) == -1)
1821 gotd.pid = getpid();
1822 start_listener(argv0, confpath, daemonize, verbosity);
1823 } else if (proc_id == PROC_LISTEN) {
1824 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1826 log_info("socket: %s", gotd.unix_socket_path);
1827 log_info("user: %s", pw->pw_name);
1830 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1833 fatal("cannot listen on unix socket %s",
1834 gotd.unix_socket_path);
1836 } else if (proc_id == PROC_AUTH) {
1837 snprintf(title, sizeof(title), "%s %s",
1838 gotd_proc_names[proc_id], repo_path);
1839 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1840 proc_id == PROC_SESSION_READ || proc_id == PROC_SESSION_WRITE) {
1841 error = got_repo_pack_fds_open(&pack_fds);
1843 fatalx("cannot open pack tempfiles: %s", error->msg);
1844 error = got_repo_temp_fds_open(&temp_fds);
1846 fatalx("cannot open pack tempfiles: %s", error->msg);
1847 if (repo_path == NULL)
1848 fatalx("repository path not specified");
1849 snprintf(title, sizeof(title), "%s %s",
1850 gotd_proc_names[proc_id], repo_path);
1852 fatal("invalid process id %d", proc_id);
1854 setproctitle("%s", title);
1855 log_procinit(title);
1857 /* Drop root privileges. */
1858 if (setgid(pw->pw_gid) == -1)
1859 fatal("setgid %d failed", pw->pw_gid);
1860 if (setuid(pw->pw_uid) == -1)
1861 fatal("setuid %d failed", pw->pw_uid);
1868 /* "exec" promise will be limited to argv[0] via unveil(2). */
1869 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1875 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1879 * Ensure that AF_UNIX bind(2) cannot be used with any other
1880 * sockets by revoking all filesystem access via unveil(2).
1882 apply_unveil_none();
1884 listen_main(title, fd, gotd.connection_limits,
1885 gotd.nconnection_limits);
1890 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
1894 * We need the "unix" pledge promise for getpeername(2) only.
1895 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
1896 * filesystem access via unveil(2). Access to password database
1897 * files will still work since "getpw" bypasses unveil(2).
1899 apply_unveil_none();
1901 auth_main(title, &gotd.repos, repo_path);
1904 case PROC_SESSION_READ:
1905 case PROC_SESSION_WRITE:
1908 * The "recvfd" promise is only needed during setup and
1909 * will be removed in a later pledge(2) call.
1911 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
1912 "unveil", NULL) == -1)
1915 if (proc_id == PROC_SESSION_READ)
1916 apply_unveil_repo_readonly(repo_path, 1);
1918 apply_unveil_repo_readwrite(repo_path);
1919 session_main(title, repo_path, pack_fds, temp_fds,
1920 &gotd.request_timeout, proc_id);
1923 case PROC_REPO_READ:
1925 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1928 apply_unveil_repo_readonly(repo_path, 0);
1929 repo_read_main(title, repo_path, pack_fds, temp_fds);
1932 case PROC_REPO_WRITE:
1934 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1937 apply_unveil_repo_readonly(repo_path, 0);
1938 repo = gotd_find_repo_by_path(repo_path, &gotd);
1940 fatalx("no repository for path %s", repo_path);
1941 repo_write_main(title, repo_path, pack_fds, temp_fds,
1942 &repo->protected_tag_namespaces,
1943 &repo->protected_branch_namespaces,
1944 &repo->protected_branches);
1948 fatal("invalid process id %d", proc_id);
1951 if (proc_id != PROC_GOTD)
1952 fatal("invalid process id %d", proc_id);
1954 apply_unveil_selfexec();
1956 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
1957 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
1958 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
1959 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
1960 signal(SIGPIPE, SIG_IGN);
1962 signal_add(&evsigint, NULL);
1963 signal_add(&evsigterm, NULL);
1964 signal_add(&evsighup, NULL);
1965 signal_add(&evsigusr1, NULL);
1967 gotd_imsg_event_add(&gotd.listen_proc->iev);