From 7e0a61d1c10f30e694f5f536b374c72f774b50a1 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>

Date: Sun, 8 Jan 2017 23:27:57 +0100

Subject: [PATCH 158/160] SERVER: Set the process group during server_setup()

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

By calling setpgid() in server_setup() we are able to kill the process

in the watchdog by simply doing kill(-getpid(), SIGTERM).

However, in order to have it working properly the SELinux policy for

SSSD has to be updated and unless SSSD is ran with SELinux on permissive

mode, each of the responders and the monitor will trigger a similar

message:

    Jan 09 14:31:50 client1.ipa.example audit[11630]: AVC avc:  denied

    { setpgid } for  pid=11630 comm="sssd_pac"

    scontext=system_u:system_r:sssd_t:s0

    tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

It's important to say that till SELinux policy is fixed, we might end up

leaking some processes.

Related:

https://fedorahosted.org/sssd/ticket/3266

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

(cherry picked from commit 087162b85e191af51637904702813969b35eaadc)

(cherry picked from commit 442985a7af2262fab57f56c7a8cd40af10081610)

---

 src/monitor/monitor.c |  6 +++---

 src/util/server.c     | 11 +++++++++++

 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c

index 0f01580e01b6a0a9ab507a54183e5813133be5a9..17e980dbf165634491a05012399945f2d21c2056 100644

--- a/src/monitor/monitor.c

+++ b/src/monitor/monitor.c

@@ -1606,7 +1606,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)

               "Terminating [%s][%d]\n", svc->name, svc->pid);

         do {

             errno = 0;

-            kret = kill(svc->pid, SIGTERM);

+            kret = kill(-svc->pid, SIGTERM);

             if (kret < 0) {

                 error = errno;

                 DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't kill [%s][%d]: [%s]\n",

@@ -1627,7 +1627,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)

                               "[%d][%s] while waiting for [%s]\n",

                                   error, strerror(error), svc->name);

                         /* Forcibly kill this child */

-                        kill(svc->pid, SIGKILL);

+                        kill(-svc->pid, SIGKILL);

                         break;

                     }

                 } else if (pid != 0) {

@@ -1642,7 +1642,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)

                         DEBUG(SSSDBG_FATAL_FAILURE,

                               "Child [%s] did not exit cleanly\n", svc->name);

                         /* Forcibly kill this child */

-                        kill(svc->pid, SIGKILL);

+                        kill(-svc->pid, SIGKILL);

                     }

                     killed = true;

                 }

diff --git a/src/util/server.c b/src/util/server.c

index 013e572e6284b16534910088f7801219251896d8..d333c3c3c771c38005183831fc7a4b004a59a6c3 100644

--- a/src/util/server.c

+++ b/src/util/server.c

@@ -460,6 +460,17 @@ int server_setup(const char *name, int flags,

     struct logrotate_ctx *lctx;

     char *locale;

     int watchdog_interval;

+    pid_t my_pid;

+

+    my_pid = getpid();

+    ret = setpgid(my_pid, my_pid);

+    if (ret != EOK) {

+        ret = errno;

+        DEBUG(SSSDBG_MINOR_FAILURE,

+              "Failed setting process group: %s[%d]. "

+              "We might leak processes in case of failure\n",

+              sss_strerror(ret), ret);

+    }

     ret = chown_debug_file(NULL, uid, gid);

     if (ret != EOK) {

-- 

2.9.3