svn:author: trociny
svn:date: 2011-03-28T17:41:10.086238Z
svn:log:

MFC r217729, r217730, r217731, r217732, r217737, r217784, r217958, r217961, r217962, r217964, r217965, r217966, r217967, r217969, r218040, r218041, r218042, r218043, r218044, r218045, r218048, r218049, r218119, r218132, r218138, r218139, r218147, r218148, r218158, r218185, r218191, r218192, r218193, r218194, r218201, r218214, r218215, r218217, r218218, r218370, r218373, r218374, r218375, r218376, r218464, r218465, r218474, r219082:

r217729 (pjd):
- On primary worker reload, update hr_exec field.
- Update comment.

r217730 (pjd):
Use int16 for error.

r217731 (pjd):
Use more consistent function name with the others (pjdlogv_prefix_set() instead of pjdlog_prefix_setv()).

r217732 (pjd):
Add nv_assert() which allows to assert that the given name exists.

r217737 (pjd):
Add missing logs.

r217784 (pjd):
Don't open configuration file from worker process. Handle SIGHUP in the master process only and pass changes to the worker processes over control socket. This removes access to global namespace in preparation for capsicum sandboxing.

r217958 (pjd):
Remove __dead2 from pjdlog_verify() prototype, it does return sometimes.

r217961 (pjd):
- Remove obvious NOTREACHED comment after abort() call.
- Remove redundant newline at the end of the file.

r217962 (pjd):
Add LOG_NDELAY flag to openlog(3) - we want descriptor to be immediately open so there are no surprises once we start chrooting or using capsicum.

r217964 (pjd):
Use pjd copyright for 2011 work.

r217965 (pjd):
Add functions to initialize/finalize pjdlog. This allows to open/close log file at will.

r217966 (pjd):
Extend pjdlog_verify() to support the following additional macros:
PJDLOG_RVERIFY() - always check expression and on false log the given message and exit.
PJDLOG_RASSERT() - check expression when NDEBUG is not defined and on false log given message and exit.
PJDLOG_ABORT() - log the given message and exit.
r217967 (pjd):
Close the control socket before exiting, so it will be unlinked.

r217969 (pjd):
Remember created control connection so on fork(2) we can close it in child.

r218040 (pjd):
Initialize all global variables on pjdlog_init().

r218041 (pjd):
Add function to close all unneeded descriptors after fork(2).

r218042 (pjd):
Add comments to places where we treat errors as critical, but it is possible to handle them more gracefully.

r218043 (pjd):
Close all unneeded descriptors after fork(2).

r218044 (pjd):
Add function to assert that the only descriptors we have open are the ones we expect to be open. Also assert that they point at expected type. Because openlog(3) API is unable to tell us descriptor number it is using, we have to close syslog socket, remember assert message in local buffer and if we fail on assertion, reopen syslog socket and log the message.

r218045 (pjd):
Use newly added descriptors_assert() function to ensure only expected descriptors are open.

r218046 (pjd), r218047 (pjd), r218119 (maxim):
Add 'hast' user and 'hast' group that will be used by hastd (and maybe hastctl) to drop privileges.

r218048 (pjd):
Implement function that drops privileges by:
- chrooting to /var/empty (user hast home directory),
- setting groups to 'hast' (user hast primary group),
- setting real group id, effective group id and saved group id to 'hast',
- setting real user id, effective user id and saved user id to 'hast'.
At the end verify that those operations were successful.

r218049 (pjd):
Drop privileges in worker processes. Accepting connections and handshaking in secondary is still done before dropping privileges. It should be implemented by only accepting connections in privileged main process and passing connection descriptors to the worker, but is not implemented yet.

r218132 (pjd):
Rename pjdlog_verify() to pjdlog_abort() as it better describes what the function does and mark it with __dead2.
r218138 (pjd):
- Use pjdlog for assertions and aborts as this will log assert/abort message to syslog if we run in background.
- Asserts in proto.c that method we want to call is implemented and remove dummy methods from protocols implementation that are only there to abort the program with nice message.

r218139 (pjd):
Implement two new functions for sending descriptor and receiving descriptor over UNIX domain sockets and socket pairs. This is in preparation for capsicum.

r218147 (pjd), r218148 (pjd):
Fix build on ia64.

r218158 (pjd):
Do not set socket send and receive buffer. It will be auto-tuned.
Confirmed by: rwatson

r218185 (pjd):
Be prepared that hp_client or hp_server might be NULL now.

r218191 (pjd):
Move protocol allocation and deallocation to separate functions.

r218192 (pjd), r218201 (bz):
Allow to specify connection timeout by the caller.

r218193 (pjd):
Add proto_connect_wait() to wait for connection to finish. If timeout argument to proto_connect() is -1, then the caller needs to use this new function to wait for connection. This change is in preparation for capsicum, where sandboxed worker wants to ask main process to connect on worker's behalf and pass descriptor to the worker. Because we don't want the main process to wait for the connection, it will start async connection and pass descriptor to the worker who will be responsible for waiting for the connection to finish.

r218194 (pjd):
- Rename proto_descriptor_{send,recv}() functions to proto_connection_{send,recv} and change them to return proto_conn structure. We don't operate directly on descriptors, but on proto_conns.
- Add wrap method to wrap descriptor with proto_conn.
- Remove methods to send and receive descriptors and implement this functionality as additional argument to send and receive methods.

r218214 (pjd):
Let the caller log info about successful privilege drop. We don't want to log this in hastctl.
r218215 (pjd):
Drop privileges after connecting to hastd, but before sending or receiving anything.

r218217 (pjd):
Add missing locking after moving keepalive_send() to remote send thread in r214692.

r218218 (pjd):
Set up another socketpair between parent and child, so that primary sandboxed worker can ask the main privileged process to connect on worker's behalf and then we can migrate descriptor using this socketpair to worker. This is not really needed now, but will be needed once we start to use capsicum for sandboxing.

r218370 (pjd):
Close more descriptors that can be open if the worker process for the given resource is already running.
Submitted by: Mikolaj Golub

r218373 (pjd):
Open syslog when logging sysconf(3) failure.
Reported by: Mikolaj Golub

r218374 (pjd):
Treat fstat(2) failure (different than EBADF) as fatal error.
Reported by: Mikolaj Golub

r218375 (pjd):
Add (void) cast before snprintf(3)s for which we are not interested in return values.

r218376 (pjd):
Now that we break the loop on fstat(2) failure we no longer need to satisfy gcc's imperfections.

r218464 (pjd):
Unlink UNIX domain socket file only if:
1. The descriptor is the one we are listening on (not the one when we connect as a client and not the one which is created on accept(2)).
2. Descriptor was created by us (PID matches with the PID stored on bind(2)).
Reported by: Mikolaj Golub

r218465 (pjd):
Explicitly include as suggested by getpid(2) and don't rely on including what's needed.

r218474 (pjd):
When we decide to unlink socket file, sun_path must be set. If it is set, but there is problem unlinking the file, log a warning.

r219082 (pjd):
Recognize 'reload' command, as hastd can be reloaded with the SIGHUP signal.

Approved by: pjd (mentor)
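The descriptor passing over a socketpair that r218139, r218194 and r218218 describe (privileged main process hands a connected descriptor to a sandboxed worker), together with an fstat(2) check that the received descriptor really is the file the worker was promised, in the spirit of the descriptor assertions of r218044 and r218374. This is an added example written for this page, not hastd's own proto_connection_{send,recv}() or descriptors_assert(); the names fd_send, fd_recv, msg_init, fd_passing_check and the union cbuf type are this example's assumptions. It goes one step beyond the commit text: the receiver insists on exactly one SCM_RIGHTS descriptor and closes any descriptors the kernel already installed for a message it rejects, so a misbehaving peer cannot leave stray descriptors open in a worker that is about to be sandboxed.

```c
#include <sys/socket.h>
#include <sys/stat.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>

union cbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* One-byte payload plus a control buffer sized for exactly one descriptor;
 * ancillary data is not delivered on an empty payload on every system. */
static void
msg_init(struct msghdr *msg, struct iovec *iov, union cbuf *cb)
{
	memset(msg, 0, sizeof(*msg));
	memset(cb, 0, sizeof(*cb));
	msg->msg_iov = iov;
	msg->msg_iovlen = 1;
	msg->msg_control = cb->buf;
	msg->msg_controllen = sizeof(cb->buf);
}

/* Pass 'fd' to the peer of UNIX domain socket 'sock'; 0 on success, -1 on error. */
static int
fd_send(int sock, int fd)
{
	char data = 0;
	struct iovec iov = { .iov_base = &data, .iov_len = 1 };
	union cbuf cb;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	msg_init(&msg, &iov, &cb);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return (sendmsg(sock, &msg, 0) == 1 ? 0 : -1);
}

/* Receive exactly one descriptor sent with fd_send(). Plain data, another cmsg
 * type, a truncated message or more than one fd is rejected with EINVAL, and
 * any fds the kernel already installed for such a message are closed so
 * nothing unexpected stays open in the receiver. Returns the fd or -1. */
static int
fd_recv(int sock)
{
	char data;
	struct iovec iov = { .iov_base = &data, .iov_len = 1 };
	union cbuf cb;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	int fd, i, nfds;
	msg_init(&msg, &iov, &cb);
	if (recvmsg(sock, &msg, 0) != 1)
		return (-1);
	cmsg = CMSG_FIRSTHDR(&msg);
	/* Number of descriptors actually carried; 0 if this is not SCM_RIGHTS. */
	nfds = (cmsg != NULL && cmsg->cmsg_level == SOL_SOCKET &&
	    cmsg->cmsg_type == SCM_RIGHTS) ?
	    (int)((cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int)) : 0;
	if (nfds != 1 || (msg.msg_flags & MSG_CTRUNC) != 0) {
		for (i = 0; i < nfds; i++)
			close(((int *)CMSG_DATA(cmsg))[i]);
		errno = EINVAL;	/* plain data, wrong cmsg, or not exactly one fd */
		return (-1);
	}
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return (fd);
}

/* The "main process" end passes the write end of a pipe over a socketpair; the
 * "worker" end checks with fstat(2) that it got the same file (device and inode
 * match) and writes through it; a plain message sent afterwards must be
 * rejected. Returns 1 if both hold, 0 if not, -1 on a system call failure. */
static int
fd_passing_check(void)
{
	int sv[2], pfd[2], rfd, ret = -1;
	struct stat st1, st2;
	char c = 0;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return (-1);
	if (pipe(pfd) == -1) {
		close(sv[0]); close(sv[1]);
		return (-1);
	}
	if (fd_send(sv[0], pfd[1]) == 0 && (rfd = fd_recv(sv[1])) != -1) {
		ret = (fstat(rfd, &st1) == 0 && fstat(pfd[1], &st2) == 0 &&
		    st1.st_dev == st2.st_dev && st1.st_ino == st2.st_ino &&
		    write(rfd, "H", 1) == 1 && read(pfd[0], &c, 1) == 1 && c == 'H');
		close(rfd);
	}
	if (ret == 1)
		ret = (write(sv[0], "x", 1) == 1 && fd_recv(sv[1]) == -1 &&
		    errno == EINVAL);
	close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
	return (ret);
}

int
main(void)
{
	return (fd_passing_check() == 1 ? 0 : 1);
}
```

fd_passing_check() is the whole demonstration: compile with cc, run it, and exit status 0 means the "worker" end received the pipe it was promised and then refused a message that carried no descriptor. In the layout r218218 describes, sv[0] stays in the privileged main process and sv[1] in the worker; the main process calls fd_send() on a socket whose connect it started asynchronously, and the worker, after fd_recv(), waits for that connect to finish as r218193 describes. Verifying the received descriptor with fstat(2) rather than trusting the peer is the same discipline as r218044: check that what is open is what you expect, and treat an fstat(2) failure other than EBADF as fatal.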