2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
19 #include <sys/types.h>
21 #include <sys/socket.h>
41 #include "got_error.h"
42 #include "got_opentemp.h"
44 #include "got_repository.h"
45 #include "got_object.h"
46 #include "got_reference.h"
48 #include "got_lib_delta.h"
49 #include "got_lib_object.h"
50 #include "got_lib_object_cache.h"
51 #include "got_lib_hash.h"
52 #include "got_lib_gitproto.h"
53 #include "got_lib_pack.h"
54 #include "got_lib_repository.h"
61 #include "repo_read.h"
62 #include "repo_write.h"
65 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
68 enum gotd_client_state {
69 GOTD_CLIENT_STATE_NEW,
70 GOTD_CLIENT_STATE_ACCESS_GRANTED,
74 STAILQ_ENTRY(gotd_client) entry;
75 enum gotd_client_state state;
78 struct gotd_imsgev iev;
82 struct gotd_child_proc *repo;
83 struct gotd_child_proc *auth;
84 struct gotd_child_proc *session;
87 STAILQ_HEAD(gotd_clients, gotd_client);
89 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
90 static SIPHASH_KEY clients_hash_key;
91 volatile int client_cnt;
92 static struct timeval auth_timeout = { 5, 0 };
93 static struct gotd gotd;
95 void gotd_sighdlr(int sig, short event, void *arg);
96 static void gotd_shutdown(void);
97 static const struct got_error *start_session_child(struct gotd_client *,
98 struct gotd_repo *, char *, const char *, int, int);
99 static const struct got_error *start_repo_child(struct gotd_client *,
100 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
101 static const struct got_error *start_auth_child(struct gotd_client *, int,
102 struct gotd_repo *, char *, const char *, int, int);
103 static void kill_proc(struct gotd_child_proc *, int);
108 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
113 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
115 struct sockaddr_un sun;
117 mode_t old_umask, mode;
119 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
125 sun.sun_family = AF_UNIX;
126 if (strlcpy(sun.sun_path, unix_socket_path,
127 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
128 log_warnx("%s: name too long", unix_socket_path);
133 if (unlink(unix_socket_path) == -1) {
134 if (errno != ENOENT) {
135 log_warn("unlink %s", unix_socket_path);
141 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
142 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
144 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
145 log_warn("bind: %s", unix_socket_path);
153 if (chmod(unix_socket_path, mode) == -1) {
154 log_warn("chmod %o %s", mode, unix_socket_path);
156 unlink(unix_socket_path);
160 if (chown(unix_socket_path, uid, gid) == -1) {
161 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
163 unlink(unix_socket_path);
167 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
170 unlink(unix_socket_path);
178 client_hash(uint32_t client_id)
180 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
184 add_client(struct gotd_client *client)
186 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
187 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
191 static struct gotd_client *
192 find_client(uint32_t client_id)
195 struct gotd_client *c;
197 slot = client_hash(client_id) % nitems(gotd_clients);
198 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
199 if (c->id == client_id)
206 static struct gotd_client *
207 find_client_by_proc_fd(int fd)
211 for (slot = 0; slot < nitems(gotd_clients); slot++) {
212 struct gotd_client *c;
214 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
215 if (c->repo && c->repo->iev.ibuf.fd == fd)
217 if (c->auth && c->auth->iev.ibuf.fd == fd)
219 if (c->session && c->session->iev.ibuf.fd == fd)
228 client_is_reading(struct gotd_client *client)
230 return (client->required_auth &
231 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
235 client_is_writing(struct gotd_client *client)
237 return (client->required_auth &
238 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
239 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
242 static const struct got_error *
243 ensure_client_is_not_writing(struct gotd_client *client)
245 if (client_is_writing(client)) {
246 return got_error_fmt(GOT_ERR_BAD_PACKET,
247 "uid %d made a read-request but is writing to "
248 "a repository", client->euid);
254 static const struct got_error *
255 ensure_client_is_not_reading(struct gotd_client *client)
257 if (client_is_reading(client)) {
258 return got_error_fmt(GOT_ERR_BAD_PACKET,
259 "uid %d made a write-request but is reading from "
260 "a repository", client->euid);
267 wait_for_child(pid_t child_pid)
272 log_debug("waiting for child PID %ld to terminate",
276 pid = waitpid(child_pid, &status, WNOHANG);
278 if (errno != EINTR && errno != ECHILD)
280 } else if (WIFSIGNALED(status)) {
281 log_warnx("child PID %ld terminated; signal %d",
282 (long)pid, WTERMSIG(status));
284 } while (pid != -1 || (pid == -1 && errno == EINTR));
288 proc_done(struct gotd_child_proc *proc)
290 event_del(&proc->iev.ev);
291 msgbuf_clear(&proc->iev.ibuf.w);
292 close(proc->iev.ibuf.fd);
294 wait_for_child(proc->pid);
299 kill_auth_proc(struct gotd_client *client)
301 struct gotd_child_proc *proc;
303 if (client->auth == NULL)
313 kill_session_proc(struct gotd_client *client)
315 struct gotd_child_proc *proc;
317 if (client->session == NULL)
320 proc = client->session;
321 client->session = NULL;
327 disconnect(struct gotd_client *client)
329 struct gotd_imsg_disconnect idisconnect;
330 struct gotd_child_proc *proc = client->repo;
331 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
334 log_debug("uid %d: disconnecting", client->euid);
336 kill_auth_proc(client);
337 kill_session_proc(client);
340 event_del(&proc->iev.ev);
341 msgbuf_clear(&proc->iev.ibuf.w);
342 close(proc->iev.ibuf.fd);
344 wait_for_child(proc->pid);
349 idisconnect.client_id = client->id;
350 if (gotd_imsg_compose_event(&listen_proc->iev,
351 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
352 &idisconnect, sizeof(idisconnect)) == -1)
353 log_warn("imsg compose DISCONNECT");
355 slot = client_hash(client->id) % nitems(gotd_clients);
356 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
357 imsg_clear(&client->iev.ibuf);
358 event_del(&client->iev.ev);
359 evtimer_del(&client->tmo);
360 if (client->fd != -1)
362 else if (client->iev.ibuf.fd != -1)
363 close(client->iev.ibuf.fd);
369 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
373 log_warnx("uid %d: %s", client->euid, err->msg);
374 if (err->code != GOT_ERR_EOF && client->fd != -1) {
375 imsg_init(&ibuf, client->fd);
376 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
382 static const struct got_error *
383 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
385 const struct got_error *err = NULL;
386 struct gotd_imsg_info_repo irepo;
388 memset(&irepo, 0, sizeof(irepo));
390 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
391 >= sizeof(irepo.repo_name))
392 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
393 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
394 >= sizeof(irepo.repo_path))
395 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
397 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
398 &irepo, sizeof(irepo)) == -1) {
399 err = got_error_from_errno("imsg compose INFO_REPO");
407 static const struct got_error *
408 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
410 const struct got_error *err = NULL;
411 struct gotd_imsg_info_client iclient;
412 struct gotd_child_proc *proc;
414 memset(&iclient, 0, sizeof(iclient));
415 iclient.euid = client->euid;
416 iclient.egid = client->egid;
420 if (strlcpy(iclient.repo_name, proc->repo_path,
421 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
422 return got_error_msg(GOT_ERR_NO_SPACE,
423 "repo name too long");
425 if (client_is_writing(client))
426 iclient.is_writing = 1;
428 iclient.repo_child_pid = proc->pid;
432 iclient.session_child_pid = client->session->pid;
434 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
435 &iclient, sizeof(iclient)) == -1) {
436 err = got_error_from_errno("imsg compose INFO_CLIENT");
444 static const struct got_error *
445 send_info(struct gotd_client *client)
447 const struct got_error *err = NULL;
448 struct gotd_imsg_info info;
450 struct gotd_repo *repo;
452 if (client->euid != 0)
453 return got_error_set_errno(EPERM, "info");
456 info.verbosity = gotd.verbosity;
457 info.nrepos = gotd.nrepos;
458 info.nclients = client_cnt - 1;
460 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
461 &info, sizeof(info)) == -1) {
462 err = got_error_from_errno("imsg compose INFO");
467 TAILQ_FOREACH(repo, &gotd.repos, entry) {
468 err = send_repo_info(&client->iev, repo);
473 for (slot = 0; slot < nitems(gotd_clients); slot++) {
474 struct gotd_client *c;
475 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
476 if (c->id == client->id)
478 err = send_client_info(&client->iev, c);
487 static const struct got_error *
488 stop_gotd(struct gotd_client *client)
491 if (client->euid != 0)
492 return got_error_set_errno(EPERM, "stop");
499 static const struct got_error *
500 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
502 const struct got_error *err;
503 struct gotd_imsg_list_refs ireq;
504 struct gotd_repo *repo = NULL;
507 log_debug("list-refs request from uid %d", client->euid);
509 if (client->state != GOTD_CLIENT_STATE_NEW)
510 return got_error_msg(GOT_ERR_BAD_REQUEST,
511 "unexpected list-refs request received");
513 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
514 if (datalen != sizeof(ireq))
515 return got_error(GOT_ERR_PRIVSEP_LEN);
517 memcpy(&ireq, imsg->data, datalen);
519 if (ireq.client_is_reading) {
520 err = ensure_client_is_not_writing(client);
523 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
525 return got_error(GOT_ERR_NOT_GIT_REPO);
526 err = start_auth_child(client, GOTD_AUTH_READ, repo,
527 gotd.argv0, gotd.confpath, gotd.daemonize,
532 err = ensure_client_is_not_reading(client);
535 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
537 return got_error(GOT_ERR_NOT_GIT_REPO);
538 err = start_auth_child(client,
539 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
540 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
546 evtimer_add(&client->tmo, &auth_timeout);
548 /* Flow continues upon authentication successs/failure or timeout. */
553 gotd_request(int fd, short events, void *arg)
555 struct gotd_imsgev *iev = arg;
556 struct imsgbuf *ibuf = &iev->ibuf;
557 struct gotd_client *client = iev->handler_arg;
558 const struct got_error *err = NULL;
562 if (events & EV_WRITE) {
563 while (ibuf->w.queued) {
564 n = msgbuf_write(&ibuf->w);
565 if (n == -1 && errno == EPIPE) {
567 * The client has closed its socket.
568 * This can happen when Git clients are
569 * done sending pack file data.
571 msgbuf_clear(&ibuf->w);
573 } else if (n == -1 && errno != EAGAIN) {
574 err = got_error_from_errno("imsg_flush");
575 disconnect_on_error(client, err);
579 /* Connection closed. */
580 err = got_error(GOT_ERR_EOF);
581 disconnect_on_error(client, err);
586 /* Disconnect gotctl(8) now that messages have been sent. */
587 if (!client_is_reading(client) && !client_is_writing(client)) {
593 if ((events & EV_READ) == 0)
596 memset(&imsg, 0, sizeof(imsg));
598 while (err == NULL) {
599 err = gotd_imsg_recv(&imsg, ibuf, 0);
601 if (err->code == GOT_ERR_PRIVSEP_READ)
606 evtimer_del(&client->tmo);
608 switch (imsg.hdr.type) {
610 err = send_info(client);
613 err = stop_gotd(client);
615 case GOTD_IMSG_LIST_REFS:
616 err = start_client_authentication(client, &imsg);
619 log_debug("unexpected imsg %d", imsg.hdr.type);
620 err = got_error(GOT_ERR_PRIVSEP_MSG);
628 disconnect_on_error(client, err);
630 gotd_imsg_event_add(&client->iev);
635 gotd_auth_timeout(int fd, short events, void *arg)
637 struct gotd_client *client = arg;
639 log_debug("disconnecting uid %d due to authentication timeout",
644 static const struct got_error *
645 recv_connect(uint32_t *client_id, struct imsg *imsg)
647 const struct got_error *err = NULL;
648 struct gotd_imsg_connect iconnect;
651 struct gotd_client *client = NULL;
655 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
656 if (datalen != sizeof(iconnect))
657 return got_error(GOT_ERR_PRIVSEP_LEN);
658 memcpy(&iconnect, imsg->data, sizeof(iconnect));
662 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
666 if (find_client(iconnect.client_id)) {
667 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
671 client = calloc(1, sizeof(*client));
672 if (client == NULL) {
673 err = got_error_from_errno("calloc");
677 *client_id = iconnect.client_id;
679 client->state = GOTD_CLIENT_STATE_NEW;
680 client->id = iconnect.client_id;
683 /* The auth process will verify UID/GID for us. */
684 client->euid = iconnect.euid;
685 client->egid = iconnect.egid;
687 imsg_init(&client->iev.ibuf, client->fd);
688 client->iev.handler = gotd_request;
689 client->iev.events = EV_READ;
690 client->iev.handler_arg = client;
692 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
694 gotd_imsg_event_add(&client->iev);
696 evtimer_set(&client->tmo, gotd_auth_timeout, client);
699 log_debug("%s: new client uid %d connected on fd %d", __func__,
700 client->euid, client->fd);
703 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
704 struct gotd_imsg_disconnect idisconnect;
706 idisconnect.client_id = client->id;
707 if (gotd_imsg_compose_event(&listen_proc->iev,
708 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
709 &idisconnect, sizeof(idisconnect)) == -1)
710 log_warn("imsg compose DISCONNECT");
719 static const char *gotd_proc_names[PROC_MAX] = {
729 kill_proc(struct gotd_child_proc *proc, int fatal)
732 log_warnx("sending SIGKILL to PID %d", proc->pid);
733 kill(proc->pid, SIGKILL);
735 kill(proc->pid, SIGTERM);
741 struct gotd_child_proc *proc;
744 log_debug("shutting down");
745 for (slot = 0; slot < nitems(gotd_clients); slot++) {
746 struct gotd_client *c, *tmp;
748 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
752 proc = &gotd.listen_proc;
753 msgbuf_clear(&proc->iev.ibuf.w);
754 close(proc->iev.ibuf.fd);
756 wait_for_child(proc->pid);
758 log_info("terminating");
763 gotd_sighdlr(int sig, short event, void *arg)
766 * Normal signal handler rules don't apply because libevent
772 log_info("%s: ignoring SIGHUP", __func__);
775 log_info("%s: ignoring SIGUSR1", __func__);
782 fatalx("unexpected signal");
786 static const struct got_error *
787 ensure_proc_is_reading(struct gotd_client *client,
788 struct gotd_child_proc *proc)
790 if (!client_is_reading(client)) {
792 return got_error_fmt(GOT_ERR_BAD_PACKET,
793 "PID %d handled a read-request for uid %d but this "
794 "user is not reading from a repository", proc->pid,
801 static const struct got_error *
802 ensure_proc_is_writing(struct gotd_client *client,
803 struct gotd_child_proc *proc)
805 if (!client_is_writing(client)) {
807 return got_error_fmt(GOT_ERR_BAD_PACKET,
808 "PID %d handled a write-request for uid %d but this "
809 "user is not writing to a repository", proc->pid,
817 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
820 const struct got_error *err;
823 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
824 if (client->repo == NULL)
825 fatalx("no process found for uid %d", client->euid);
826 if (proc->pid != client->repo->pid) {
828 log_warnx("received message from PID %d for uid %d, "
829 "while PID %d is the process serving this user",
830 proc->pid, client->euid, client->repo->pid);
834 if (proc->type == PROC_SESSION) {
835 if (client->session == NULL) {
836 log_warnx("no session found for uid %d", client->euid);
839 if (proc->pid != client->session->pid) {
841 log_warnx("received message from PID %d for uid %d, "
842 "while PID %d is the process serving this user",
843 proc->pid, client->euid, client->session->pid);
848 switch (imsg->hdr.type) {
849 case GOTD_IMSG_ERROR:
852 case GOTD_IMSG_CONNECT:
853 if (proc->type != PROC_LISTEN) {
854 err = got_error_fmt(GOT_ERR_BAD_PACKET,
855 "new connection for uid %d from PID %d "
856 "which is not the listen process",
857 proc->pid, client->euid);
861 case GOTD_IMSG_ACCESS_GRANTED:
862 if (proc->type != PROC_AUTH) {
863 err = got_error_fmt(GOT_ERR_BAD_PACKET,
864 "authentication of uid %d from PID %d "
865 "which is not the auth process",
866 proc->pid, client->euid);
870 case GOTD_IMSG_CLIENT_SESSION_READY:
871 if (proc->type != PROC_SESSION) {
872 err = got_error_fmt(GOT_ERR_BAD_PACKET,
873 "unexpected \"ready\" signal from PID %d",
878 case GOTD_IMSG_REPO_CHILD_READY:
879 if (proc->type != PROC_REPO_READ &&
880 proc->type != PROC_REPO_WRITE) {
881 err = got_error_fmt(GOT_ERR_BAD_PACKET,
882 "unexpected \"ready\" signal from PID %d",
887 case GOTD_IMSG_PACKFILE_DONE:
888 err = ensure_proc_is_reading(client, proc);
890 log_warnx("uid %d: %s", client->euid, err->msg);
894 case GOTD_IMSG_PACKFILE_INSTALL:
895 case GOTD_IMSG_REF_UPDATES_START:
896 case GOTD_IMSG_REF_UPDATE:
897 err = ensure_proc_is_writing(client, proc);
899 log_warnx("uid %d: %s", client->euid, err->msg);
904 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
911 static const struct got_error *
912 connect_repo_child(struct gotd_client *client,
913 struct gotd_child_proc *repo_proc)
915 static const struct got_error *err;
916 struct gotd_imsgev *session_iev = &client->session->iev;
917 struct gotd_imsg_connect_repo_child ireq;
920 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
921 return got_error_msg(GOT_ERR_BAD_REQUEST,
922 "unexpected repo child ready signal received");
924 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
925 PF_UNSPEC, pipe) == -1)
928 memset(&ireq, 0, sizeof(ireq));
929 ireq.client_id = client->id;
930 ireq.proc_id = repo_proc->type;
932 /* Pass repo child pipe to session child process. */
933 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
934 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
935 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
941 /* Pass session child pipe to repo child process. */
942 if (gotd_imsg_compose_event(&repo_proc->iev,
943 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
944 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
953 gotd_dispatch_listener(int fd, short event, void *arg)
955 struct gotd_imsgev *iev = arg;
956 struct imsgbuf *ibuf = &iev->ibuf;
957 struct gotd_child_proc *proc = &gotd.listen_proc;
962 if (proc->iev.ibuf.fd != fd)
963 fatalx("%s: unexpected fd %d", __func__, fd);
965 if (event & EV_READ) {
966 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
967 fatal("imsg_read error");
969 /* Connection closed. */
975 if (event & EV_WRITE) {
976 n = msgbuf_write(&ibuf->w);
977 if (n == -1 && errno != EAGAIN)
978 fatal("msgbuf_write");
980 /* Connection closed. */
987 const struct got_error *err = NULL;
988 struct gotd_client *client = NULL;
989 uint32_t client_id = 0;
990 int do_disconnect = 0;
992 if ((n = imsg_get(ibuf, &imsg)) == -1)
993 fatal("%s: imsg_get error", __func__);
994 if (n == 0) /* No more messages. */
997 switch (imsg.hdr.type) {
998 case GOTD_IMSG_ERROR:
1000 err = gotd_imsg_recv_error(&client_id, &imsg);
1002 case GOTD_IMSG_CONNECT:
1003 err = recv_connect(&client_id, &imsg);
1006 log_debug("unexpected imsg %d", imsg.hdr.type);
1010 client = find_client(client_id);
1011 if (client == NULL) {
1012 log_warnx("%s: client not found", __func__);
1018 log_warnx("uid %d: %s", client->euid, err->msg);
1020 if (do_disconnect) {
1022 disconnect_on_error(client, err);
1031 gotd_imsg_event_add(iev);
1033 /* This pipe is dead. Remove its event handler */
1034 event_del(&iev->ev);
1035 event_loopexit(NULL);
1040 gotd_dispatch_auth_child(int fd, short event, void *arg)
1042 const struct got_error *err = NULL;
1043 struct gotd_imsgev *iev = arg;
1044 struct imsgbuf *ibuf = &iev->ibuf;
1045 struct gotd_client *client;
1046 struct gotd_repo *repo = NULL;
1050 uint32_t client_id = 0;
1051 int do_disconnect = 0;
1053 client = find_client_by_proc_fd(fd);
1054 if (client == NULL) {
1055 /* Can happen during process teardown. */
1056 warnx("cannot find client for fd %d", fd);
1061 if (client->auth == NULL)
1062 fatalx("cannot find auth child process for fd %d", fd);
1064 if (event & EV_READ) {
1065 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1066 fatal("imsg_read error");
1068 /* Connection closed. */
1074 if (event & EV_WRITE) {
1075 n = msgbuf_write(&ibuf->w);
1076 if (n == -1 && errno != EAGAIN)
1077 fatal("msgbuf_write");
1079 /* Connection closed. */
1085 if (client->auth->iev.ibuf.fd != fd)
1086 fatalx("%s: unexpected fd %d", __func__, fd);
1088 if ((n = imsg_get(ibuf, &imsg)) == -1)
1089 fatal("%s: imsg_get error", __func__);
1090 if (n == 0) /* No more messages. */
1093 evtimer_del(&client->tmo);
1095 switch (imsg.hdr.type) {
1096 case GOTD_IMSG_ERROR:
1098 err = gotd_imsg_recv_error(&client_id, &imsg);
1100 case GOTD_IMSG_ACCESS_GRANTED:
1101 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1105 log_debug("unexpected imsg %d", imsg.hdr.type);
1109 if (!verify_imsg_src(client, client->auth, &imsg)) {
1111 log_debug("dropping imsg type %d from PID %d",
1112 imsg.hdr.type, client->auth->pid);
1116 if (do_disconnect) {
1118 disconnect_on_error(client, err);
1124 repo = gotd_find_repo_by_name(client->auth->repo_name, &gotd);
1126 err = got_error(GOT_ERR_NOT_GIT_REPO);
1129 kill_auth_proc(client);
1131 log_info("authenticated uid %d for repository %s",
1132 client->euid, repo->name);
1134 err = start_session_child(client, repo, gotd.argv0,
1135 gotd.confpath, gotd.daemonize, gotd.verbosity);
1140 log_warnx("uid %d: %s", client->euid, err->msg);
1142 /* We might have killed the auth process by now. */
1143 if (client->auth != NULL) {
1145 gotd_imsg_event_add(iev);
1147 /* This pipe is dead. Remove its event handler */
1148 event_del(&iev->ev);
1153 static const struct got_error *
1154 connect_session(struct gotd_client *client)
1156 const struct got_error *err = NULL;
1157 struct gotd_imsg_connect iconnect;
1160 memset(&iconnect, 0, sizeof(iconnect));
1162 s = dup(client->fd);
1164 return got_error_from_errno("dup");
1166 iconnect.client_id = client->id;
1167 iconnect.euid = client->euid;
1168 iconnect.egid = client->egid;
1170 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1171 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1172 err = got_error_from_errno("imsg compose CONNECT");
1178 * We are no longer interested in messages from this client.
1179 * Further client requests will be handled by the session process.
1181 msgbuf_clear(&client->iev.ibuf.w);
1182 imsg_clear(&client->iev.ibuf);
1183 event_del(&client->iev.ev);
1184 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1190 gotd_dispatch_client_session(int fd, short event, void *arg)
1192 struct gotd_imsgev *iev = arg;
1193 struct imsgbuf *ibuf = &iev->ibuf;
1194 struct gotd_child_proc *proc = NULL;
1195 struct gotd_client *client = NULL;
1200 client = find_client_by_proc_fd(fd);
1201 if (client == NULL) {
1202 /* Can happen during process teardown. */
1203 warnx("cannot find client for fd %d", fd);
1208 if (event & EV_READ) {
1209 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1210 fatal("imsg_read error");
1212 /* Connection closed. */
1218 if (event & EV_WRITE) {
1219 n = msgbuf_write(&ibuf->w);
1220 if (n == -1 && errno != EAGAIN)
1221 fatal("msgbuf_write");
1223 /* Connection closed. */
1229 proc = client->session;
1231 fatalx("cannot find session child process for fd %d", fd);
1234 const struct got_error *err = NULL;
1235 uint32_t client_id = 0;
1236 int do_disconnect = 0, do_start_repo_child = 0;
1238 if ((n = imsg_get(ibuf, &imsg)) == -1)
1239 fatal("%s: imsg_get error", __func__);
1240 if (n == 0) /* No more messages. */
1243 switch (imsg.hdr.type) {
1244 case GOTD_IMSG_ERROR:
1246 err = gotd_imsg_recv_error(&client_id, &imsg);
1248 case GOTD_IMSG_CLIENT_SESSION_READY:
1249 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1250 err = got_error(GOT_ERR_PRIVSEP_MSG);
1253 do_start_repo_child = 1;
1255 case GOTD_IMSG_DISCONNECT:
1259 log_debug("unexpected imsg %d", imsg.hdr.type);
1263 if (!verify_imsg_src(client, proc, &imsg)) {
1264 log_debug("dropping imsg type %d from PID %d",
1265 imsg.hdr.type, proc->pid);
1270 log_warnx("uid %d: %s", client->euid, err->msg);
1272 if (do_start_repo_child) {
1273 struct gotd_repo *repo;
1274 const char *name = client->session->repo_name;
1276 repo = gotd_find_repo_by_name(name, &gotd);
1278 enum gotd_procid proc_type;
1280 if (client->required_auth & GOTD_AUTH_WRITE)
1281 proc_type = PROC_REPO_WRITE;
1283 proc_type = PROC_REPO_READ;
1285 err = start_repo_child(client, proc_type, repo,
1286 gotd.argv0, gotd.confpath, gotd.daemonize,
1289 err = got_error(GOT_ERR_NOT_GIT_REPO);
1292 log_warnx("uid %d: %s", client->euid, err->msg);
1297 if (do_disconnect) {
1299 disconnect_on_error(client, err);
1308 gotd_imsg_event_add(iev);
1310 /* This pipe is dead. Remove its event handler */
1311 event_del(&iev->ev);
1317 gotd_dispatch_repo_child(int fd, short event, void *arg)
1319 struct gotd_imsgev *iev = arg;
1320 struct imsgbuf *ibuf = &iev->ibuf;
1321 struct gotd_child_proc *proc = NULL;
1322 struct gotd_client *client;
1327 client = find_client_by_proc_fd(fd);
1328 if (client == NULL) {
1329 /* Can happen during process teardown. */
1330 warnx("cannot find client for fd %d", fd);
1335 if (event & EV_READ) {
1336 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1337 fatal("imsg_read error");
1339 /* Connection closed. */
1345 if (event & EV_WRITE) {
1346 n = msgbuf_write(&ibuf->w);
1347 if (n == -1 && errno != EAGAIN)
1348 fatal("msgbuf_write");
1350 /* Connection closed. */
1356 proc = client->repo;
1358 fatalx("cannot find child process for fd %d", fd);
1361 const struct got_error *err = NULL;
1362 uint32_t client_id = 0;
1363 int do_disconnect = 0;
1365 if ((n = imsg_get(ibuf, &imsg)) == -1)
1366 fatal("%s: imsg_get error", __func__);
1367 if (n == 0) /* No more messages. */
1370 switch (imsg.hdr.type) {
1371 case GOTD_IMSG_ERROR:
1373 err = gotd_imsg_recv_error(&client_id, &imsg);
1375 case GOTD_IMSG_REPO_CHILD_READY:
1376 err = connect_session(client);
1379 err = connect_repo_child(client, proc);
1382 log_debug("unexpected imsg %d", imsg.hdr.type);
1386 if (!verify_imsg_src(client, proc, &imsg)) {
1387 log_debug("dropping imsg type %d from PID %d",
1388 imsg.hdr.type, proc->pid);
1393 log_warnx("uid %d: %s", client->euid, err->msg);
1395 if (do_disconnect) {
1397 disconnect_on_error(client, err);
1406 gotd_imsg_event_add(iev);
1408 /* This pipe is dead. Remove its event handler */
1409 event_del(&iev->ev);
1415 start_child(enum gotd_procid proc_id, const char *repo_path,
1416 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1422 switch (pid = fork()) {
1424 fatal("cannot fork");
1432 if (fd != GOTD_FILENO_MSG_PIPE) {
1433 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1434 fatal("cannot setup imsg fd");
1435 } else if (fcntl(fd, F_SETFD, 0) == -1)
1436 fatal("cannot setup imsg fd");
1438 argv[argc++] = argv0;
1441 argv[argc++] = (char *)"-L";
1444 argv[argc++] = (char *)"-A";
1447 argv[argc++] = (char *)"-S";
1449 case PROC_REPO_READ:
1450 argv[argc++] = (char *)"-R";
1452 case PROC_REPO_WRITE:
1453 argv[argc++] = (char *)"-W";
1456 fatalx("invalid process id %d", proc_id);
1459 argv[argc++] = (char *)"-f";
1460 argv[argc++] = (char *)confpath;
1463 argv[argc++] = (char *)"-P";
1464 argv[argc++] = (char *)repo_path;
1468 argv[argc++] = (char *)"-d";
1470 argv[argc++] = (char *)"-v";
1472 argv[argc++] = (char *)"-v";
1473 argv[argc++] = NULL;
1475 execvp(argv0, argv);
1480 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1482 struct gotd_child_proc *proc = &gotd.listen_proc;
1484 proc->type = PROC_LISTEN;
1486 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1487 PF_UNSPEC, proc->pipe) == -1)
1488 fatal("socketpair");
1490 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1491 proc->pipe[1], daemonize, verbosity);
1492 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1493 proc->iev.handler = gotd_dispatch_listener;
1494 proc->iev.events = EV_READ;
1495 proc->iev.handler_arg = NULL;
1498 static const struct got_error *
1499 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1500 char *argv0, const char *confpath, int daemonize, int verbosity)
1502 struct gotd_child_proc *proc;
1504 proc = calloc(1, sizeof(*proc));
1506 return got_error_from_errno("calloc");
1508 proc->type = PROC_SESSION;
1509 if (strlcpy(proc->repo_name, repo->name,
1510 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1511 fatalx("repository name too long: %s", repo->name);
1512 log_debug("starting client uid %d session for repository %s",
1513 client->euid, repo->name);
1514 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1515 sizeof(proc->repo_path))
1516 fatalx("repository path too long: %s", repo->path);
1517 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1518 PF_UNSPEC, proc->pipe) == -1)
1519 fatal("socketpair");
1520 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1521 confpath, proc->pipe[1], daemonize, verbosity);
1522 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1523 log_debug("proc %s %s is on fd %d",
1524 gotd_proc_names[proc->type], proc->repo_path,
1526 proc->iev.handler = gotd_dispatch_client_session;
1527 proc->iev.events = EV_READ;
1528 proc->iev.handler_arg = NULL;
1529 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1530 gotd_dispatch_client_session, &proc->iev);
1531 gotd_imsg_event_add(&proc->iev);
1533 client->session = proc;
1537 static const struct got_error *
1538 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1539 struct gotd_repo *repo, char *argv0, const char *confpath,
1540 int daemonize, int verbosity)
1542 struct gotd_child_proc *proc;
1544 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1545 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1547 proc = calloc(1, sizeof(*proc));
1549 return got_error_from_errno("calloc");
1551 proc->type = proc_type;
1552 if (strlcpy(proc->repo_name, repo->name,
1553 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1554 fatalx("repository name too long: %s", repo->name);
1555 log_debug("starting %s for repository %s",
1556 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1557 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1558 sizeof(proc->repo_path))
1559 fatalx("repository path too long: %s", repo->path);
1560 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1561 PF_UNSPEC, proc->pipe) == -1)
1562 fatal("socketpair");
1563 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1564 confpath, proc->pipe[1], daemonize, verbosity);
1565 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1566 log_debug("proc %s %s is on fd %d",
1567 gotd_proc_names[proc->type], proc->repo_path,
1569 proc->iev.handler = gotd_dispatch_repo_child;
1570 proc->iev.events = EV_READ;
1571 proc->iev.handler_arg = NULL;
1572 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1573 gotd_dispatch_repo_child, &proc->iev);
1574 gotd_imsg_event_add(&proc->iev);
1576 client->repo = proc;
1580 static const struct got_error *
1581 start_auth_child(struct gotd_client *client, int required_auth,
1582 struct gotd_repo *repo, char *argv0, const char *confpath,
1583 int daemonize, int verbosity)
1585 const struct got_error *err = NULL;
1586 struct gotd_child_proc *proc;
1587 struct gotd_imsg_auth iauth;
1590 memset(&iauth, 0, sizeof(iauth));
1592 fd = dup(client->fd);
1594 return got_error_from_errno("dup");
1596 proc = calloc(1, sizeof(*proc));
1598 err = got_error_from_errno("calloc");
1603 proc->type = PROC_AUTH;
1604 if (strlcpy(proc->repo_name, repo->name,
1605 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1606 fatalx("repository name too long: %s", repo->name);
1607 log_debug("starting auth for uid %d repository %s",
1608 client->euid, repo->name);
1609 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1610 sizeof(proc->repo_path))
1611 fatalx("repository path too long: %s", repo->path);
1612 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1613 PF_UNSPEC, proc->pipe) == -1)
1614 fatal("socketpair");
1615 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1616 confpath, proc->pipe[1], daemonize, verbosity);
1617 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1618 log_debug("proc %s %s is on fd %d",
1619 gotd_proc_names[proc->type], proc->repo_path,
1621 proc->iev.handler = gotd_dispatch_auth_child;
1622 proc->iev.events = EV_READ;
1623 proc->iev.handler_arg = NULL;
1624 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1625 gotd_dispatch_auth_child, &proc->iev);
1626 gotd_imsg_event_add(&proc->iev);
1628 iauth.euid = client->euid;
1629 iauth.egid = client->egid;
1630 iauth.required_auth = required_auth;
1631 iauth.client_id = client->id;
1632 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1633 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1634 log_warn("imsg compose AUTHENTICATE");
1636 /* Let the auth_timeout handler tidy up. */
1639 client->auth = proc;
1640 client->required_auth = required_auth;
1645 apply_unveil_repo_readonly(const char *repo_path)
1647 if (unveil(repo_path, "r") == -1)
1648 fatal("unveil %s", repo_path);
1650 if (unveil(NULL, NULL) == -1)
1655 apply_unveil_repo_readwrite(const char *repo_path)
1657 if (unveil(repo_path, "rwc") == -1)
1658 fatal("unveil %s", repo_path);
1660 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1661 fatal("unveil %s", GOT_TMPDIR_STR);
1663 if (unveil(NULL, NULL) == -1)
1668 apply_unveil_none(void)
1670 if (unveil("/", "") == -1)
1673 if (unveil(NULL, NULL) == -1)
1678 apply_unveil_selfexec(void)
1680 if (unveil(gotd.argv0, "x") == -1)
1681 fatal("unveil %s", gotd.argv0);
1683 if (unveil(NULL, NULL) == -1)
1688 main(int argc, char **argv)
1690 const struct got_error *error = NULL;
1691 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1692 const char *confpath = GOTD_CONF_PATH;
1693 char *argv0 = argv[0];
1695 struct passwd *pw = NULL;
1696 char *repo_path = NULL;
1697 enum gotd_procid proc_id = PROC_GOTD;
1698 struct event evsigint, evsigterm, evsighup, evsigusr1;
1699 int *pack_fds = NULL, *temp_fds = NULL;
1700 struct gotd_repo *repo = NULL;
1702 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1704 while ((ch = getopt(argc, argv, "Adf:LnP:RSvW")) != -1) {
1707 proc_id = PROC_AUTH;
1716 proc_id = PROC_LISTEN;
1722 repo_path = realpath(optarg, NULL);
1723 if (repo_path == NULL)
1724 fatal("realpath '%s'", optarg);
1727 proc_id = PROC_REPO_READ;
1730 proc_id = PROC_SESSION;
1737 proc_id = PROC_REPO_WRITE;
1750 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1751 fatalx("need root privileges");
1753 if (parse_config(confpath, proc_id, &gotd, 1) != 0)
1756 pw = getpwnam(gotd.user_name);
1758 fatalx("user %s not found", gotd.user_name);
1760 if (pw->pw_uid == 0)
1761 fatalx("cannot run %s as the superuser", getprogname());
1764 fprintf(stderr, "configuration OK\n");
1769 gotd.daemonize = daemonize;
1770 gotd.verbosity = verbosity;
1771 gotd.confpath = confpath;
1773 /* Require an absolute path in argv[0] for reliable re-exec. */
1774 if (!got_path_is_absolute(argv0))
1775 fatalx("bad path \"%s\": must be an absolute path", argv0);
1777 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1778 log_setverbose(verbosity);
1780 if (proc_id == PROC_GOTD) {
1781 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1782 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1783 if (daemonize && daemon(1, 0) == -1)
1785 gotd.pid = getpid();
1786 start_listener(argv0, confpath, daemonize, verbosity);
1787 } else if (proc_id == PROC_LISTEN) {
1788 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1790 log_info("socket: %s", gotd.unix_socket_path);
1791 log_info("user: %s", pw->pw_name);
1794 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1797 fatal("cannot listen on unix socket %s",
1798 gotd.unix_socket_path);
1800 } else if (proc_id == PROC_AUTH) {
1801 snprintf(title, sizeof(title), "%s %s",
1802 gotd_proc_names[proc_id], repo_path);
1803 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1804 proc_id == PROC_SESSION) {
1805 error = got_repo_pack_fds_open(&pack_fds);
1807 fatalx("cannot open pack tempfiles: %s", error->msg);
1808 error = got_repo_temp_fds_open(&temp_fds);
1810 fatalx("cannot open pack tempfiles: %s", error->msg);
1811 if (repo_path == NULL)
1812 fatalx("repository path not specified");
1813 snprintf(title, sizeof(title), "%s %s",
1814 gotd_proc_names[proc_id], repo_path);
1816 fatal("invalid process id %d", proc_id);
1818 setproctitle("%s", title);
1819 log_procinit(title);
1821 /* Drop root privileges. */
1822 if (setgid(pw->pw_gid) == -1)
1823 fatal("setgid %d failed", pw->pw_gid);
1824 if (setuid(pw->pw_uid) == -1)
1825 fatal("setuid %d failed", pw->pw_uid);
1832 /* "exec" promise will be limited to argv[0] via unveil(2). */
1833 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1839 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1843 * Ensure that AF_UNIX bind(2) cannot be used with any other
1844 * sockets by revoking all filesystem access via unveil(2).
1846 apply_unveil_none();
1848 listen_main(title, fd, gotd.connection_limits,
1849 gotd.nconnection_limits);
1854 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
1858 * We need the "unix" pledge promise for getpeername(2) only.
1859 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
1860 * filesystem access via unveil(2). Access to password database
1861 * files will still work since "getpw" bypasses unveil(2).
1863 apply_unveil_none();
1865 auth_main(title, &gotd.repos, repo_path);
1871 * The "recvfd" promise is only needed during setup and
1872 * will be removed in a later pledge(2) call.
1874 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
1875 "unveil", NULL) == -1)
1878 apply_unveil_repo_readwrite(repo_path);
1879 session_main(title, repo_path, pack_fds, temp_fds,
1880 &gotd.request_timeout);
1883 case PROC_REPO_READ:
1885 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1888 apply_unveil_repo_readonly(repo_path);
1889 repo_read_main(title, repo_path, pack_fds, temp_fds);
1892 case PROC_REPO_WRITE:
1894 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1897 apply_unveil_repo_readonly(repo_path);
1898 repo = gotd_find_repo_by_path(repo_path, &gotd);
1900 fatalx("no repository for path %s", repo_path);
1901 repo_write_main(title, repo_path, pack_fds, temp_fds,
1902 &repo->protected_tag_namespaces,
1903 &repo->protected_branch_namespaces,
1904 &repo->protected_branches);
1908 fatal("invalid process id %d", proc_id);
1911 if (proc_id != PROC_GOTD)
1912 fatal("invalid process id %d", proc_id);
1914 apply_unveil_selfexec();
1916 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
1917 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
1918 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
1919 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
1920 signal(SIGPIPE, SIG_IGN);
1922 signal_add(&evsigint, NULL);
1923 signal_add(&evsigterm, NULL);
1924 signal_add(&evsighup, NULL);
1925 signal_add(&evsigusr1, NULL);
1927 gotd_imsg_event_add(&gotd.listen_proc.iev);