2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
20 #include <sys/types.h>
22 #include <sys/socket.h>
44 #include "got_error.h"
45 #include "got_opentemp.h"
47 #include "got_repository.h"
48 #include "got_object.h"
49 #include "got_reference.h"
51 #include "got_lib_delta.h"
52 #include "got_lib_object.h"
53 #include "got_lib_object_cache.h"
54 #include "got_lib_hash.h"
55 #include "got_lib_gitproto.h"
56 #include "got_lib_pack.h"
57 #include "got_lib_repository.h"
64 #include "repo_read.h"
65 #include "repo_write.h"
68 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
71 enum gotd_client_state {
72 GOTD_CLIENT_STATE_NEW,
73 GOTD_CLIENT_STATE_ACCESS_GRANTED,
77 STAILQ_ENTRY(gotd_client) entry;
78 enum gotd_client_state state;
81 struct gotd_imsgev iev;
85 struct gotd_child_proc *repo;
86 struct gotd_child_proc *auth;
87 struct gotd_child_proc *session;
90 STAILQ_HEAD(gotd_clients, gotd_client);
92 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
93 static SIPHASH_KEY clients_hash_key;
94 volatile int client_cnt;
95 static struct timeval auth_timeout = { 5, 0 };
96 static struct gotd gotd;
98 void gotd_sighdlr(int sig, short event, void *arg);
99 static void gotd_shutdown(void);
100 static const struct got_error *start_session_child(struct gotd_client *,
101 struct gotd_repo *, char *, const char *, int, int);
102 static const struct got_error *start_repo_child(struct gotd_client *,
103 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
104 static const struct got_error *start_auth_child(struct gotd_client *, int,
105 struct gotd_repo *, char *, const char *, int, int);
106 static void kill_proc(struct gotd_child_proc *, int);
111 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
116 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
118 struct sockaddr_un sun;
120 mode_t old_umask, mode;
122 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
128 sun.sun_family = AF_UNIX;
129 if (strlcpy(sun.sun_path, unix_socket_path,
130 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
131 log_warnx("%s: name too long", unix_socket_path);
136 if (unlink(unix_socket_path) == -1) {
137 if (errno != ENOENT) {
138 log_warn("unlink %s", unix_socket_path);
144 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
145 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
147 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
148 log_warn("bind: %s", unix_socket_path);
156 if (chmod(unix_socket_path, mode) == -1) {
157 log_warn("chmod %o %s", mode, unix_socket_path);
159 unlink(unix_socket_path);
163 if (chown(unix_socket_path, uid, gid) == -1) {
164 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
166 unlink(unix_socket_path);
170 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
173 unlink(unix_socket_path);
181 client_hash(uint32_t client_id)
183 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
187 add_client(struct gotd_client *client)
189 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
190 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
194 static struct gotd_client *
195 find_client(uint32_t client_id)
198 struct gotd_client *c;
200 slot = client_hash(client_id) % nitems(gotd_clients);
201 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
202 if (c->id == client_id)
209 static struct gotd_client *
210 find_client_by_proc_fd(int fd)
214 for (slot = 0; slot < nitems(gotd_clients); slot++) {
215 struct gotd_client *c;
217 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
218 if (c->repo && c->repo->iev.ibuf.fd == fd)
220 if (c->auth && c->auth->iev.ibuf.fd == fd)
222 if (c->session && c->session->iev.ibuf.fd == fd)
231 client_is_reading(struct gotd_client *client)
233 return (client->required_auth &
234 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
238 client_is_writing(struct gotd_client *client)
240 return (client->required_auth &
241 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
242 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
245 static const struct got_error *
246 ensure_client_is_not_writing(struct gotd_client *client)
248 if (client_is_writing(client)) {
249 return got_error_fmt(GOT_ERR_BAD_PACKET,
250 "uid %d made a read-request but is writing to "
251 "a repository", client->euid);
257 static const struct got_error *
258 ensure_client_is_not_reading(struct gotd_client *client)
260 if (client_is_reading(client)) {
261 return got_error_fmt(GOT_ERR_BAD_PACKET,
262 "uid %d made a write-request but is reading from "
263 "a repository", client->euid);
270 wait_for_child(pid_t child_pid)
275 log_debug("waiting for child PID %ld to terminate",
279 pid = waitpid(child_pid, &status, WNOHANG);
281 if (errno != EINTR && errno != ECHILD)
283 } else if (WIFSIGNALED(status)) {
284 log_warnx("child PID %ld terminated; signal %d",
285 (long)pid, WTERMSIG(status));
287 } while (pid != -1 || (pid == -1 && errno == EINTR));
291 proc_done(struct gotd_child_proc *proc)
293 event_del(&proc->iev.ev);
294 msgbuf_clear(&proc->iev.ibuf.w);
295 close(proc->iev.ibuf.fd);
297 wait_for_child(proc->pid);
302 kill_auth_proc(struct gotd_client *client)
304 struct gotd_child_proc *proc;
306 if (client->auth == NULL)
316 kill_session_proc(struct gotd_client *client)
318 struct gotd_child_proc *proc;
320 if (client->session == NULL)
323 proc = client->session;
324 client->session = NULL;
330 disconnect(struct gotd_client *client)
332 struct gotd_imsg_disconnect idisconnect;
333 struct gotd_child_proc *proc = client->repo;
334 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
337 log_debug("uid %d: disconnecting", client->euid);
339 kill_auth_proc(client);
340 kill_session_proc(client);
343 event_del(&proc->iev.ev);
344 msgbuf_clear(&proc->iev.ibuf.w);
345 close(proc->iev.ibuf.fd);
347 wait_for_child(proc->pid);
352 idisconnect.client_id = client->id;
353 if (gotd_imsg_compose_event(&listen_proc->iev,
354 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
355 &idisconnect, sizeof(idisconnect)) == -1)
356 log_warn("imsg compose DISCONNECT");
358 slot = client_hash(client->id) % nitems(gotd_clients);
359 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
360 imsg_clear(&client->iev.ibuf);
361 event_del(&client->iev.ev);
362 evtimer_del(&client->tmo);
363 if (client->fd != -1)
365 else if (client->iev.ibuf.fd != -1)
366 close(client->iev.ibuf.fd);
372 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
376 log_warnx("uid %d: %s", client->euid, err->msg);
377 if (err->code != GOT_ERR_EOF && client->fd != -1) {
378 imsg_init(&ibuf, client->fd);
379 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
385 static const struct got_error *
386 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
388 const struct got_error *err = NULL;
389 struct gotd_imsg_info_repo irepo;
391 memset(&irepo, 0, sizeof(irepo));
393 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
394 >= sizeof(irepo.repo_name))
395 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
396 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
397 >= sizeof(irepo.repo_path))
398 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
400 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
401 &irepo, sizeof(irepo)) == -1) {
402 err = got_error_from_errno("imsg compose INFO_REPO");
410 static const struct got_error *
411 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
413 const struct got_error *err = NULL;
414 struct gotd_imsg_info_client iclient;
415 struct gotd_child_proc *proc;
417 memset(&iclient, 0, sizeof(iclient));
418 iclient.euid = client->euid;
419 iclient.egid = client->egid;
423 if (strlcpy(iclient.repo_name, proc->repo_path,
424 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
425 return got_error_msg(GOT_ERR_NO_SPACE,
426 "repo name too long");
428 if (client_is_writing(client))
429 iclient.is_writing = 1;
431 iclient.repo_child_pid = proc->pid;
435 iclient.session_child_pid = client->session->pid;
437 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
438 &iclient, sizeof(iclient)) == -1) {
439 err = got_error_from_errno("imsg compose INFO_CLIENT");
447 static const struct got_error *
448 send_info(struct gotd_client *client)
450 const struct got_error *err = NULL;
451 struct gotd_imsg_info info;
453 struct gotd_repo *repo;
455 if (client->euid != 0)
456 return got_error_set_errno(EPERM, "info");
459 info.verbosity = gotd.verbosity;
460 info.nrepos = gotd.nrepos;
461 info.nclients = client_cnt - 1;
463 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
464 &info, sizeof(info)) == -1) {
465 err = got_error_from_errno("imsg compose INFO");
470 TAILQ_FOREACH(repo, &gotd.repos, entry) {
471 err = send_repo_info(&client->iev, repo);
476 for (slot = 0; slot < nitems(gotd_clients); slot++) {
477 struct gotd_client *c;
478 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
479 if (c->id == client->id)
481 err = send_client_info(&client->iev, c);
490 static const struct got_error *
491 stop_gotd(struct gotd_client *client)
494 if (client->euid != 0)
495 return got_error_set_errno(EPERM, "stop");
502 static struct gotd_repo *
503 find_repo_by_name(const char *repo_name)
505 struct gotd_repo *repo;
508 TAILQ_FOREACH(repo, &gotd.repos, entry) {
509 namelen = strlen(repo->name);
510 if (strncmp(repo->name, repo_name, namelen) != 0)
512 if (repo_name[namelen] == '\0' ||
513 strcmp(&repo_name[namelen], ".git") == 0)
520 static const struct got_error *
521 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
523 const struct got_error *err;
524 struct gotd_imsg_list_refs ireq;
525 struct gotd_repo *repo = NULL;
528 log_debug("list-refs request from uid %d", client->euid);
530 if (client->state != GOTD_CLIENT_STATE_NEW)
531 return got_error_msg(GOT_ERR_BAD_REQUEST,
532 "unexpected list-refs request received");
534 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
535 if (datalen != sizeof(ireq))
536 return got_error(GOT_ERR_PRIVSEP_LEN);
538 memcpy(&ireq, imsg->data, datalen);
540 if (ireq.client_is_reading) {
541 err = ensure_client_is_not_writing(client);
544 repo = find_repo_by_name(ireq.repo_name);
546 return got_error(GOT_ERR_NOT_GIT_REPO);
547 err = start_auth_child(client, GOTD_AUTH_READ, repo,
548 gotd.argv0, gotd.confpath, gotd.daemonize,
553 err = ensure_client_is_not_reading(client);
556 repo = find_repo_by_name(ireq.repo_name);
558 return got_error(GOT_ERR_NOT_GIT_REPO);
559 err = start_auth_child(client,
560 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
561 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
567 evtimer_add(&client->tmo, &auth_timeout);
569 /* Flow continues upon authentication successs/failure or timeout. */
574 gotd_request(int fd, short events, void *arg)
576 struct gotd_imsgev *iev = arg;
577 struct imsgbuf *ibuf = &iev->ibuf;
578 struct gotd_client *client = iev->handler_arg;
579 const struct got_error *err = NULL;
583 if (events & EV_WRITE) {
584 while (ibuf->w.queued) {
585 n = msgbuf_write(&ibuf->w);
586 if (n == -1 && errno == EPIPE) {
588 * The client has closed its socket.
589 * This can happen when Git clients are
590 * done sending pack file data.
592 msgbuf_clear(&ibuf->w);
594 } else if (n == -1 && errno != EAGAIN) {
595 err = got_error_from_errno("imsg_flush");
596 disconnect_on_error(client, err);
600 /* Connection closed. */
601 err = got_error(GOT_ERR_EOF);
602 disconnect_on_error(client, err);
607 /* Disconnect gotctl(8) now that messages have been sent. */
608 if (!client_is_reading(client) && !client_is_writing(client)) {
614 if ((events & EV_READ) == 0)
617 memset(&imsg, 0, sizeof(imsg));
619 while (err == NULL) {
620 err = gotd_imsg_recv(&imsg, ibuf, 0);
622 if (err->code == GOT_ERR_PRIVSEP_READ)
627 evtimer_del(&client->tmo);
629 switch (imsg.hdr.type) {
631 err = send_info(client);
634 err = stop_gotd(client);
636 case GOTD_IMSG_LIST_REFS:
637 err = start_client_authentication(client, &imsg);
640 log_debug("unexpected imsg %d", imsg.hdr.type);
641 err = got_error(GOT_ERR_PRIVSEP_MSG);
649 disconnect_on_error(client, err);
651 gotd_imsg_event_add(&client->iev);
656 gotd_auth_timeout(int fd, short events, void *arg)
658 struct gotd_client *client = arg;
660 log_debug("disconnecting uid %d due to authentication timeout",
665 static const struct got_error *
666 recv_connect(uint32_t *client_id, struct imsg *imsg)
668 const struct got_error *err = NULL;
669 struct gotd_imsg_connect iconnect;
672 struct gotd_client *client = NULL;
676 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
677 if (datalen != sizeof(iconnect))
678 return got_error(GOT_ERR_PRIVSEP_LEN);
679 memcpy(&iconnect, imsg->data, sizeof(iconnect));
683 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
687 if (find_client(iconnect.client_id)) {
688 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
692 client = calloc(1, sizeof(*client));
693 if (client == NULL) {
694 err = got_error_from_errno("calloc");
698 *client_id = iconnect.client_id;
700 client->state = GOTD_CLIENT_STATE_NEW;
701 client->id = iconnect.client_id;
704 /* The auth process will verify UID/GID for us. */
705 client->euid = iconnect.euid;
706 client->egid = iconnect.egid;
708 imsg_init(&client->iev.ibuf, client->fd);
709 client->iev.handler = gotd_request;
710 client->iev.events = EV_READ;
711 client->iev.handler_arg = client;
713 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
715 gotd_imsg_event_add(&client->iev);
717 evtimer_set(&client->tmo, gotd_auth_timeout, client);
720 log_debug("%s: new client uid %d connected on fd %d", __func__,
721 client->euid, client->fd);
724 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
725 struct gotd_imsg_disconnect idisconnect;
727 idisconnect.client_id = client->id;
728 if (gotd_imsg_compose_event(&listen_proc->iev,
729 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
730 &idisconnect, sizeof(idisconnect)) == -1)
731 log_warn("imsg compose DISCONNECT");
740 static const char *gotd_proc_names[PROC_MAX] = {
750 kill_proc(struct gotd_child_proc *proc, int fatal)
753 log_warnx("sending SIGKILL to PID %d", proc->pid);
754 kill(proc->pid, SIGKILL);
756 kill(proc->pid, SIGTERM);
762 struct gotd_child_proc *proc;
765 log_debug("shutting down");
766 for (slot = 0; slot < nitems(gotd_clients); slot++) {
767 struct gotd_client *c, *tmp;
769 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
773 proc = &gotd.listen_proc;
774 msgbuf_clear(&proc->iev.ibuf.w);
775 close(proc->iev.ibuf.fd);
777 wait_for_child(proc->pid);
779 log_info("terminating");
784 gotd_sighdlr(int sig, short event, void *arg)
787 * Normal signal handler rules don't apply because libevent
793 log_info("%s: ignoring SIGHUP", __func__);
796 log_info("%s: ignoring SIGUSR1", __func__);
803 fatalx("unexpected signal");
807 static const struct got_error *
808 ensure_proc_is_reading(struct gotd_client *client,
809 struct gotd_child_proc *proc)
811 if (!client_is_reading(client)) {
813 return got_error_fmt(GOT_ERR_BAD_PACKET,
814 "PID %d handled a read-request for uid %d but this "
815 "user is not reading from a repository", proc->pid,
822 static const struct got_error *
823 ensure_proc_is_writing(struct gotd_client *client,
824 struct gotd_child_proc *proc)
826 if (!client_is_writing(client)) {
828 return got_error_fmt(GOT_ERR_BAD_PACKET,
829 "PID %d handled a write-request for uid %d but this "
830 "user is not writing to a repository", proc->pid,
838 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
841 const struct got_error *err;
844 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
845 if (client->repo == NULL)
846 fatalx("no process found for uid %d", client->euid);
847 if (proc->pid != client->repo->pid) {
849 log_warnx("received message from PID %d for uid %d, "
850 "while PID %d is the process serving this user",
851 proc->pid, client->euid, client->repo->pid);
855 if (proc->type == PROC_SESSION) {
856 if (client->session == NULL) {
857 log_warnx("no session found for uid %d", client->euid);
860 if (proc->pid != client->session->pid) {
862 log_warnx("received message from PID %d for uid %d, "
863 "while PID %d is the process serving this user",
864 proc->pid, client->euid, client->session->pid);
869 switch (imsg->hdr.type) {
870 case GOTD_IMSG_ERROR:
873 case GOTD_IMSG_CONNECT:
874 if (proc->type != PROC_LISTEN) {
875 err = got_error_fmt(GOT_ERR_BAD_PACKET,
876 "new connection for uid %d from PID %d "
877 "which is not the listen process",
878 proc->pid, client->euid);
882 case GOTD_IMSG_ACCESS_GRANTED:
883 if (proc->type != PROC_AUTH) {
884 err = got_error_fmt(GOT_ERR_BAD_PACKET,
885 "authentication of uid %d from PID %d "
886 "which is not the auth process",
887 proc->pid, client->euid);
891 case GOTD_IMSG_CLIENT_SESSION_READY:
892 if (proc->type != PROC_SESSION) {
893 err = got_error_fmt(GOT_ERR_BAD_PACKET,
894 "unexpected \"ready\" signal from PID %d",
899 case GOTD_IMSG_REPO_CHILD_READY:
900 if (proc->type != PROC_REPO_READ &&
901 proc->type != PROC_REPO_WRITE) {
902 err = got_error_fmt(GOT_ERR_BAD_PACKET,
903 "unexpected \"ready\" signal from PID %d",
908 case GOTD_IMSG_PACKFILE_DONE:
909 err = ensure_proc_is_reading(client, proc);
911 log_warnx("uid %d: %s", client->euid, err->msg);
915 case GOTD_IMSG_PACKFILE_INSTALL:
916 case GOTD_IMSG_REF_UPDATES_START:
917 case GOTD_IMSG_REF_UPDATE:
918 err = ensure_proc_is_writing(client, proc);
920 log_warnx("uid %d: %s", client->euid, err->msg);
925 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
932 static const struct got_error *
933 connect_repo_child(struct gotd_client *client,
934 struct gotd_child_proc *repo_proc)
936 static const struct got_error *err;
937 struct gotd_imsgev *session_iev = &client->session->iev;
938 struct gotd_imsg_connect_repo_child ireq;
941 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
942 return got_error_msg(GOT_ERR_BAD_REQUEST,
943 "unexpected repo child ready signal received");
945 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
946 PF_UNSPEC, pipe) == -1)
949 memset(&ireq, 0, sizeof(ireq));
950 ireq.client_id = client->id;
951 ireq.proc_id = repo_proc->type;
953 /* Pass repo child pipe to session child process. */
954 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
955 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
956 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
962 /* Pass session child pipe to repo child process. */
963 if (gotd_imsg_compose_event(&repo_proc->iev,
964 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
965 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
974 gotd_dispatch_listener(int fd, short event, void *arg)
976 struct gotd_imsgev *iev = arg;
977 struct imsgbuf *ibuf = &iev->ibuf;
978 struct gotd_child_proc *proc = &gotd.listen_proc;
983 if (proc->iev.ibuf.fd != fd)
984 fatalx("%s: unexpected fd %d", __func__, fd);
986 if (event & EV_READ) {
987 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
988 fatal("imsg_read error");
990 /* Connection closed. */
996 if (event & EV_WRITE) {
997 n = msgbuf_write(&ibuf->w);
998 if (n == -1 && errno != EAGAIN)
999 fatal("msgbuf_write");
1001 /* Connection closed. */
1008 const struct got_error *err = NULL;
1009 struct gotd_client *client = NULL;
1010 uint32_t client_id = 0;
1011 int do_disconnect = 0;
1013 if ((n = imsg_get(ibuf, &imsg)) == -1)
1014 fatal("%s: imsg_get error", __func__);
1015 if (n == 0) /* No more messages. */
1018 switch (imsg.hdr.type) {
1019 case GOTD_IMSG_ERROR:
1021 err = gotd_imsg_recv_error(&client_id, &imsg);
1023 case GOTD_IMSG_CONNECT:
1024 err = recv_connect(&client_id, &imsg);
1027 log_debug("unexpected imsg %d", imsg.hdr.type);
1031 client = find_client(client_id);
1032 if (client == NULL) {
1033 log_warnx("%s: client not found", __func__);
1039 log_warnx("uid %d: %s", client->euid, err->msg);
1041 if (do_disconnect) {
1043 disconnect_on_error(client, err);
1052 gotd_imsg_event_add(iev);
1054 /* This pipe is dead. Remove its event handler */
1055 event_del(&iev->ev);
1056 event_loopexit(NULL);
1061 gotd_dispatch_auth_child(int fd, short event, void *arg)
1063 const struct got_error *err = NULL;
1064 struct gotd_imsgev *iev = arg;
1065 struct imsgbuf *ibuf = &iev->ibuf;
1066 struct gotd_client *client;
1067 struct gotd_repo *repo = NULL;
1071 uint32_t client_id = 0;
1072 int do_disconnect = 0;
1074 client = find_client_by_proc_fd(fd);
1075 if (client == NULL) {
1076 /* Can happen during process teardown. */
1077 warnx("cannot find client for fd %d", fd);
1082 if (client->auth == NULL)
1083 fatalx("cannot find auth child process for fd %d", fd);
1085 if (event & EV_READ) {
1086 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1087 fatal("imsg_read error");
1089 /* Connection closed. */
1095 if (event & EV_WRITE) {
1096 n = msgbuf_write(&ibuf->w);
1097 if (n == -1 && errno != EAGAIN)
1098 fatal("msgbuf_write");
1100 /* Connection closed. */
1106 if (client->auth->iev.ibuf.fd != fd)
1107 fatalx("%s: unexpected fd %d", __func__, fd);
1109 if ((n = imsg_get(ibuf, &imsg)) == -1)
1110 fatal("%s: imsg_get error", __func__);
1111 if (n == 0) /* No more messages. */
1114 evtimer_del(&client->tmo);
1116 switch (imsg.hdr.type) {
1117 case GOTD_IMSG_ERROR:
1119 err = gotd_imsg_recv_error(&client_id, &imsg);
1121 case GOTD_IMSG_ACCESS_GRANTED:
1122 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1126 log_debug("unexpected imsg %d", imsg.hdr.type);
1130 if (!verify_imsg_src(client, client->auth, &imsg)) {
1132 log_debug("dropping imsg type %d from PID %d",
1133 imsg.hdr.type, client->auth->pid);
1137 if (do_disconnect) {
1139 disconnect_on_error(client, err);
1145 repo = find_repo_by_name(client->auth->repo_name);
1147 err = got_error(GOT_ERR_NOT_GIT_REPO);
1150 kill_auth_proc(client);
1152 log_info("authenticated uid %d for repository %s",
1153 client->euid, repo->name);
1155 err = start_session_child(client, repo, gotd.argv0,
1156 gotd.confpath, gotd.daemonize, gotd.verbosity);
1161 log_warnx("uid %d: %s", client->euid, err->msg);
1163 /* We might have killed the auth process by now. */
1164 if (client->auth != NULL) {
1166 gotd_imsg_event_add(iev);
1168 /* This pipe is dead. Remove its event handler */
1169 event_del(&iev->ev);
1174 static const struct got_error *
1175 connect_session(struct gotd_client *client)
1177 const struct got_error *err = NULL;
1178 struct gotd_imsg_connect iconnect;
1181 memset(&iconnect, 0, sizeof(iconnect));
1183 s = dup(client->fd);
1185 return got_error_from_errno("dup");
1187 iconnect.client_id = client->id;
1188 iconnect.euid = client->euid;
1189 iconnect.egid = client->egid;
1191 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1192 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1193 err = got_error_from_errno("imsg compose CONNECT");
1199 * We are no longer interested in messages from this client.
1200 * Further client requests will be handled by the session process.
1202 msgbuf_clear(&client->iev.ibuf.w);
1203 imsg_clear(&client->iev.ibuf);
1204 event_del(&client->iev.ev);
1205 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1211 gotd_dispatch_client_session(int fd, short event, void *arg)
1213 struct gotd_imsgev *iev = arg;
1214 struct imsgbuf *ibuf = &iev->ibuf;
1215 struct gotd_child_proc *proc = NULL;
1216 struct gotd_client *client = NULL;
1221 client = find_client_by_proc_fd(fd);
1222 if (client == NULL) {
1223 /* Can happen during process teardown. */
1224 warnx("cannot find client for fd %d", fd);
1229 if (event & EV_READ) {
1230 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1231 fatal("imsg_read error");
1233 /* Connection closed. */
1239 if (event & EV_WRITE) {
1240 n = msgbuf_write(&ibuf->w);
1241 if (n == -1 && errno != EAGAIN)
1242 fatal("msgbuf_write");
1244 /* Connection closed. */
1250 proc = client->session;
1252 fatalx("cannot find session child process for fd %d", fd);
1255 const struct got_error *err = NULL;
1256 uint32_t client_id = 0;
1257 int do_disconnect = 0, do_start_repo_child = 0;
1259 if ((n = imsg_get(ibuf, &imsg)) == -1)
1260 fatal("%s: imsg_get error", __func__);
1261 if (n == 0) /* No more messages. */
1264 switch (imsg.hdr.type) {
1265 case GOTD_IMSG_ERROR:
1267 err = gotd_imsg_recv_error(&client_id, &imsg);
1269 case GOTD_IMSG_CLIENT_SESSION_READY:
1270 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1271 err = got_error(GOT_ERR_PRIVSEP_MSG);
1274 do_start_repo_child = 1;
1276 case GOTD_IMSG_DISCONNECT:
1280 log_debug("unexpected imsg %d", imsg.hdr.type);
1284 if (!verify_imsg_src(client, proc, &imsg)) {
1285 log_debug("dropping imsg type %d from PID %d",
1286 imsg.hdr.type, proc->pid);
1291 log_warnx("uid %d: %s", client->euid, err->msg);
1293 if (do_start_repo_child) {
1294 struct gotd_repo *repo;
1296 repo = find_repo_by_name(client->session->repo_name);
1298 enum gotd_procid proc_type;
1300 if (client->required_auth & GOTD_AUTH_WRITE)
1301 proc_type = PROC_REPO_WRITE;
1303 proc_type = PROC_REPO_READ;
1305 err = start_repo_child(client, proc_type, repo,
1306 gotd.argv0, gotd.confpath, gotd.daemonize,
1309 err = got_error(GOT_ERR_NOT_GIT_REPO);
1312 log_warnx("uid %d: %s", client->euid, err->msg);
1317 if (do_disconnect) {
1319 disconnect_on_error(client, err);
1328 gotd_imsg_event_add(iev);
1330 /* This pipe is dead. Remove its event handler */
1331 event_del(&iev->ev);
1337 gotd_dispatch_repo_child(int fd, short event, void *arg)
1339 struct gotd_imsgev *iev = arg;
1340 struct imsgbuf *ibuf = &iev->ibuf;
1341 struct gotd_child_proc *proc = NULL;
1342 struct gotd_client *client;
1347 client = find_client_by_proc_fd(fd);
1348 if (client == NULL) {
1349 /* Can happen during process teardown. */
1350 warnx("cannot find client for fd %d", fd);
1355 if (event & EV_READ) {
1356 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1357 fatal("imsg_read error");
1359 /* Connection closed. */
1365 if (event & EV_WRITE) {
1366 n = msgbuf_write(&ibuf->w);
1367 if (n == -1 && errno != EAGAIN)
1368 fatal("msgbuf_write");
1370 /* Connection closed. */
1376 proc = client->repo;
1378 fatalx("cannot find child process for fd %d", fd);
1381 const struct got_error *err = NULL;
1382 uint32_t client_id = 0;
1383 int do_disconnect = 0;
1385 if ((n = imsg_get(ibuf, &imsg)) == -1)
1386 fatal("%s: imsg_get error", __func__);
1387 if (n == 0) /* No more messages. */
1390 switch (imsg.hdr.type) {
1391 case GOTD_IMSG_ERROR:
1393 err = gotd_imsg_recv_error(&client_id, &imsg);
1395 case GOTD_IMSG_REPO_CHILD_READY:
1396 err = connect_session(client);
1399 err = connect_repo_child(client, proc);
1402 log_debug("unexpected imsg %d", imsg.hdr.type);
1406 if (!verify_imsg_src(client, proc, &imsg)) {
1407 log_debug("dropping imsg type %d from PID %d",
1408 imsg.hdr.type, proc->pid);
1413 log_warnx("uid %d: %s", client->euid, err->msg);
1415 if (do_disconnect) {
1417 disconnect_on_error(client, err);
1426 gotd_imsg_event_add(iev);
1428 /* This pipe is dead. Remove its event handler */
1429 event_del(&iev->ev);
1435 start_child(enum gotd_procid proc_id, const char *repo_path,
1436 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1442 switch (pid = fork()) {
1444 fatal("cannot fork");
1452 if (fd != GOTD_FILENO_MSG_PIPE) {
1453 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1454 fatal("cannot setup imsg fd");
1455 } else if (fcntl(fd, F_SETFD, 0) == -1)
1456 fatal("cannot setup imsg fd");
1458 argv[argc++] = argv0;
1461 argv[argc++] = (char *)"-L";
1464 argv[argc++] = (char *)"-A";
1467 argv[argc++] = (char *)"-S";
1469 case PROC_REPO_READ:
1470 argv[argc++] = (char *)"-R";
1472 case PROC_REPO_WRITE:
1473 argv[argc++] = (char *)"-W";
1476 fatalx("invalid process id %d", proc_id);
1479 argv[argc++] = (char *)"-f";
1480 argv[argc++] = (char *)confpath;
1483 argv[argc++] = (char *)"-P";
1484 argv[argc++] = (char *)repo_path;
1488 argv[argc++] = (char *)"-d";
1490 argv[argc++] = (char *)"-v";
1492 argv[argc++] = (char *)"-v";
1493 argv[argc++] = NULL;
1495 execvp(argv0, argv);
1500 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1502 struct gotd_child_proc *proc = &gotd.listen_proc;
1504 proc->type = PROC_LISTEN;
1506 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1507 PF_UNSPEC, proc->pipe) == -1)
1508 fatal("socketpair");
1510 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1511 proc->pipe[1], daemonize, verbosity);
1512 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1513 proc->iev.handler = gotd_dispatch_listener;
1514 proc->iev.events = EV_READ;
1515 proc->iev.handler_arg = NULL;
1518 static const struct got_error *
1519 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1520 char *argv0, const char *confpath, int daemonize, int verbosity)
1522 struct gotd_child_proc *proc;
1524 proc = calloc(1, sizeof(*proc));
1526 return got_error_from_errno("calloc");
1528 proc->type = PROC_SESSION;
1529 if (strlcpy(proc->repo_name, repo->name,
1530 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1531 fatalx("repository name too long: %s", repo->name);
1532 log_debug("starting client uid %d session for repository %s",
1533 client->euid, repo->name);
1534 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1535 sizeof(proc->repo_path))
1536 fatalx("repository path too long: %s", repo->path);
1537 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1538 PF_UNSPEC, proc->pipe) == -1)
1539 fatal("socketpair");
1540 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1541 confpath, proc->pipe[1], daemonize, verbosity);
1542 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1543 log_debug("proc %s %s is on fd %d",
1544 gotd_proc_names[proc->type], proc->repo_path,
1546 proc->iev.handler = gotd_dispatch_client_session;
1547 proc->iev.events = EV_READ;
1548 proc->iev.handler_arg = NULL;
1549 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1550 gotd_dispatch_client_session, &proc->iev);
1551 gotd_imsg_event_add(&proc->iev);
1553 client->session = proc;
1557 static const struct got_error *
1558 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1559 struct gotd_repo *repo, char *argv0, const char *confpath,
1560 int daemonize, int verbosity)
1562 struct gotd_child_proc *proc;
1564 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1565 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1567 proc = calloc(1, sizeof(*proc));
1569 return got_error_from_errno("calloc");
1571 proc->type = proc_type;
1572 if (strlcpy(proc->repo_name, repo->name,
1573 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1574 fatalx("repository name too long: %s", repo->name);
1575 log_debug("starting %s for repository %s",
1576 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1577 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1578 sizeof(proc->repo_path))
1579 fatalx("repository path too long: %s", repo->path);
1580 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1581 PF_UNSPEC, proc->pipe) == -1)
1582 fatal("socketpair");
1583 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1584 confpath, proc->pipe[1], daemonize, verbosity);
1585 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1586 log_debug("proc %s %s is on fd %d",
1587 gotd_proc_names[proc->type], proc->repo_path,
1589 proc->iev.handler = gotd_dispatch_repo_child;
1590 proc->iev.events = EV_READ;
1591 proc->iev.handler_arg = NULL;
1592 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1593 gotd_dispatch_repo_child, &proc->iev);
1594 gotd_imsg_event_add(&proc->iev);
1596 client->repo = proc;
1600 static const struct got_error *
1601 start_auth_child(struct gotd_client *client, int required_auth,
1602 struct gotd_repo *repo, char *argv0, const char *confpath,
1603 int daemonize, int verbosity)
1605 const struct got_error *err = NULL;
1606 struct gotd_child_proc *proc;
1607 struct gotd_imsg_auth iauth;
1610 memset(&iauth, 0, sizeof(iauth));
1612 fd = dup(client->fd);
1614 return got_error_from_errno("dup");
1616 proc = calloc(1, sizeof(*proc));
1618 err = got_error_from_errno("calloc");
1623 proc->type = PROC_AUTH;
1624 if (strlcpy(proc->repo_name, repo->name,
1625 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1626 fatalx("repository name too long: %s", repo->name);
1627 log_debug("starting auth for uid %d repository %s",
1628 client->euid, repo->name);
1629 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1630 sizeof(proc->repo_path))
1631 fatalx("repository path too long: %s", repo->path);
1632 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1633 PF_UNSPEC, proc->pipe) == -1)
1634 fatal("socketpair");
1635 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1636 confpath, proc->pipe[1], daemonize, verbosity);
1637 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1638 log_debug("proc %s %s is on fd %d",
1639 gotd_proc_names[proc->type], proc->repo_path,
1641 proc->iev.handler = gotd_dispatch_auth_child;
1642 proc->iev.events = EV_READ;
1643 proc->iev.handler_arg = NULL;
1644 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1645 gotd_dispatch_auth_child, &proc->iev);
1646 gotd_imsg_event_add(&proc->iev);
1648 iauth.euid = client->euid;
1649 iauth.egid = client->egid;
1650 iauth.required_auth = required_auth;
1651 iauth.client_id = client->id;
1652 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1653 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1654 log_warn("imsg compose AUTHENTICATE");
1656 /* Let the auth_timeout handler tidy up. */
1659 client->auth = proc;
1660 client->required_auth = required_auth;
1665 apply_unveil_repo_readonly(const char *repo_path)
1667 if (unveil(repo_path, "r") == -1)
1668 fatal("unveil %s", repo_path);
1670 if (unveil(NULL, NULL) == -1)
1675 apply_unveil_repo_readwrite(const char *repo_path)
1677 if (unveil(repo_path, "rwc") == -1)
1678 fatal("unveil %s", repo_path);
1680 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1681 fatal("unveil %s", GOT_TMPDIR_STR);
1683 if (unveil(NULL, NULL) == -1)
1688 apply_unveil_none(void)
1690 if (unveil("/", "") == -1)
1693 if (unveil(NULL, NULL) == -1)
1698 apply_unveil_selfexec(void)
1700 if (unveil(gotd.argv0, "x") == -1)
1701 fatal("unveil %s", gotd.argv0);
1703 if (unveil(NULL, NULL) == -1)
1708 main(int argc, char **argv)
1710 const struct got_error *error = NULL;
1711 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1712 const char *confpath = GOTD_CONF_PATH;
1713 char *argv0 = argv[0];
1715 struct passwd *pw = NULL;
1716 char *repo_path = NULL;
1717 enum gotd_procid proc_id = PROC_GOTD;
1718 struct event evsigint, evsigterm, evsighup, evsigusr1;
1719 int *pack_fds = NULL, *temp_fds = NULL;
1721 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1723 while ((ch = getopt(argc, argv, "Adf:LnP:RSvW")) != -1) {
1726 proc_id = PROC_AUTH;
1735 proc_id = PROC_LISTEN;
1741 repo_path = realpath(optarg, NULL);
1742 if (repo_path == NULL)
1743 fatal("realpath '%s'", optarg);
1746 proc_id = PROC_REPO_READ;
1749 proc_id = PROC_SESSION;
1756 proc_id = PROC_REPO_WRITE;
1769 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1770 fatalx("need root privileges");
1772 if (parse_config(confpath, proc_id, &gotd) != 0)
1775 pw = getpwnam(gotd.user_name);
1777 fatalx("user %s not found", gotd.user_name);
1779 if (pw->pw_uid == 0)
1780 fatalx("cannot run %s as the superuser", getprogname());
1783 fprintf(stderr, "configuration OK\n");
1788 gotd.daemonize = daemonize;
1789 gotd.verbosity = verbosity;
1790 gotd.confpath = confpath;
1792 /* Require an absolute path in argv[0] for reliable re-exec. */
1793 if (!got_path_is_absolute(argv0))
1794 fatalx("bad path \"%s\": must be an absolute path", argv0);
1796 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1797 log_setverbose(verbosity);
1799 if (proc_id == PROC_GOTD) {
1800 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1801 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1802 if (daemonize && daemon(1, 0) == -1)
1804 gotd.pid = getpid();
1805 start_listener(argv0, confpath, daemonize, verbosity);
1806 } else if (proc_id == PROC_LISTEN) {
1807 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1809 log_info("socket: %s", gotd.unix_socket_path);
1810 log_info("user: %s", pw->pw_name);
1813 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1816 fatal("cannot listen on unix socket %s",
1817 gotd.unix_socket_path);
1819 } else if (proc_id == PROC_AUTH) {
1820 snprintf(title, sizeof(title), "%s %s",
1821 gotd_proc_names[proc_id], repo_path);
1822 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1823 proc_id == PROC_SESSION) {
1824 error = got_repo_pack_fds_open(&pack_fds);
1826 fatalx("cannot open pack tempfiles: %s", error->msg);
1827 error = got_repo_temp_fds_open(&temp_fds);
1829 fatalx("cannot open pack tempfiles: %s", error->msg);
1830 if (repo_path == NULL)
1831 fatalx("repository path not specified");
1832 snprintf(title, sizeof(title), "%s %s",
1833 gotd_proc_names[proc_id], repo_path);
1835 fatal("invalid process id %d", proc_id);
1837 setproctitle("%s", title);
1838 log_procinit(title);
1840 /* Drop root privileges. */
1841 if (setgid(pw->pw_gid) == -1)
1842 fatal("setgid %d failed", pw->pw_gid);
1843 if (setuid(pw->pw_uid) == -1)
1844 fatal("setuid %d failed", pw->pw_uid);
1851 /* "exec" promise will be limited to argv[0] via unveil(2). */
1852 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1858 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1862 * Ensure that AF_UNIX bind(2) cannot be used with any other
1863 * sockets by revoking all filesystem access via unveil(2).
1865 apply_unveil_none();
1867 listen_main(title, fd, gotd.connection_limits,
1868 gotd.nconnection_limits);
1873 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
1877 * We need the "unix" pledge promise for getpeername(2) only.
1878 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
1879 * filesystem access via unveil(2). Access to password database
1880 * files will still work since "getpw" bypasses unveil(2).
1882 apply_unveil_none();
1884 auth_main(title, &gotd.repos, repo_path);
1890 * The "recvfd" promise is only needed during setup and
1891 * will be removed in a later pledge(2) call.
1893 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
1894 "unveil", NULL) == -1)
1897 apply_unveil_repo_readwrite(repo_path);
1898 session_main(title, repo_path, pack_fds, temp_fds,
1899 &gotd.request_timeout);
1902 case PROC_REPO_READ:
1904 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1907 apply_unveil_repo_readonly(repo_path);
1908 repo_read_main(title, repo_path, pack_fds, temp_fds);
1911 case PROC_REPO_WRITE:
1913 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1916 apply_unveil_repo_readonly(repo_path);
1917 repo_write_main(title, repo_path, pack_fds, temp_fds);
1921 fatal("invalid process id %d", proc_id);
1924 if (proc_id != PROC_GOTD)
1925 fatal("invalid process id %d", proc_id);
1927 apply_unveil_selfexec();
1929 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
1930 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
1931 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
1932 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
1933 signal(SIGPIPE, SIG_IGN);
1935 signal_add(&evsigint, NULL);
1936 signal_add(&evsigterm, NULL);
1937 signal_add(&evsighup, NULL);
1938 signal_add(&evsigusr1, NULL);
1940 gotd_imsg_event_add(&gotd.listen_proc.iev);