2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
19 #include <sys/types.h>
21 #include <sys/socket.h>
41 #include "got_error.h"
42 #include "got_opentemp.h"
44 #include "got_repository.h"
45 #include "got_object.h"
46 #include "got_reference.h"
48 #include "got_lib_delta.h"
49 #include "got_lib_object.h"
50 #include "got_lib_object_cache.h"
51 #include "got_lib_hash.h"
52 #include "got_lib_gitproto.h"
53 #include "got_lib_pack.h"
54 #include "got_lib_repository.h"
61 #include "repo_read.h"
62 #include "repo_write.h"
65 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
68 enum gotd_client_state {
69 GOTD_CLIENT_STATE_NEW,
70 GOTD_CLIENT_STATE_ACCESS_GRANTED,
74 STAILQ_ENTRY(gotd_client) entry;
75 enum gotd_client_state state;
78 struct gotd_imsgev iev;
82 struct gotd_child_proc *repo;
83 struct gotd_child_proc *auth;
84 struct gotd_child_proc *session;
87 STAILQ_HEAD(gotd_clients, gotd_client);
89 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
90 static SIPHASH_KEY clients_hash_key;
91 volatile int client_cnt;
92 static struct timeval auth_timeout = { 5, 0 };
93 static struct gotd gotd;
95 void gotd_sighdlr(int sig, short event, void *arg);
96 static void gotd_shutdown(void);
97 static const struct got_error *start_session_child(struct gotd_client *,
98 struct gotd_repo *, char *, const char *, int, int);
99 static const struct got_error *start_repo_child(struct gotd_client *,
100 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
101 static const struct got_error *start_auth_child(struct gotd_client *, int,
102 struct gotd_repo *, char *, const char *, int, int);
103 static void kill_proc(struct gotd_child_proc *, int);
108 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
113 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
115 struct sockaddr_un sun;
117 mode_t old_umask, mode;
119 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
125 sun.sun_family = AF_UNIX;
126 if (strlcpy(sun.sun_path, unix_socket_path,
127 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
128 log_warnx("%s: name too long", unix_socket_path);
133 if (unlink(unix_socket_path) == -1) {
134 if (errno != ENOENT) {
135 log_warn("unlink %s", unix_socket_path);
141 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
142 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
144 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
145 log_warn("bind: %s", unix_socket_path);
153 if (chmod(unix_socket_path, mode) == -1) {
154 log_warn("chmod %o %s", mode, unix_socket_path);
156 unlink(unix_socket_path);
160 if (chown(unix_socket_path, uid, gid) == -1) {
161 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
163 unlink(unix_socket_path);
167 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
170 unlink(unix_socket_path);
178 client_hash(uint32_t client_id)
180 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
184 add_client(struct gotd_client *client)
186 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
187 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
191 static struct gotd_client *
192 find_client(uint32_t client_id)
195 struct gotd_client *c;
197 slot = client_hash(client_id) % nitems(gotd_clients);
198 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
199 if (c->id == client_id)
206 static struct gotd_client *
207 find_client_by_proc_fd(int fd)
211 for (slot = 0; slot < nitems(gotd_clients); slot++) {
212 struct gotd_client *c;
214 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
215 if (c->repo && c->repo->iev.ibuf.fd == fd)
217 if (c->auth && c->auth->iev.ibuf.fd == fd)
219 if (c->session && c->session->iev.ibuf.fd == fd)
228 client_is_reading(struct gotd_client *client)
230 return (client->required_auth &
231 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
235 client_is_writing(struct gotd_client *client)
237 return (client->required_auth &
238 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
239 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
242 static const struct got_error *
243 ensure_client_is_not_writing(struct gotd_client *client)
245 if (client_is_writing(client)) {
246 return got_error_fmt(GOT_ERR_BAD_PACKET,
247 "uid %d made a read-request but is writing to "
248 "a repository", client->euid);
254 static const struct got_error *
255 ensure_client_is_not_reading(struct gotd_client *client)
257 if (client_is_reading(client)) {
258 return got_error_fmt(GOT_ERR_BAD_PACKET,
259 "uid %d made a write-request but is reading from "
260 "a repository", client->euid);
267 wait_for_child(pid_t child_pid)
272 log_debug("waiting for child PID %ld to terminate",
276 pid = waitpid(child_pid, &status, WNOHANG);
278 if (errno != EINTR && errno != ECHILD)
280 } else if (WIFSIGNALED(status)) {
281 log_warnx("child PID %ld terminated; signal %d",
282 (long)pid, WTERMSIG(status));
284 } while (pid != -1 || (pid == -1 && errno == EINTR));
288 proc_done(struct gotd_child_proc *proc)
290 event_del(&proc->iev.ev);
291 msgbuf_clear(&proc->iev.ibuf.w);
292 close(proc->iev.ibuf.fd);
294 wait_for_child(proc->pid);
299 kill_auth_proc(struct gotd_client *client)
301 struct gotd_child_proc *proc;
303 if (client->auth == NULL)
313 kill_session_proc(struct gotd_client *client)
315 struct gotd_child_proc *proc;
317 if (client->session == NULL)
320 proc = client->session;
321 client->session = NULL;
327 disconnect(struct gotd_client *client)
329 struct gotd_imsg_disconnect idisconnect;
330 struct gotd_child_proc *proc = client->repo;
331 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
334 log_debug("uid %d: disconnecting", client->euid);
336 kill_auth_proc(client);
337 kill_session_proc(client);
340 event_del(&proc->iev.ev);
341 msgbuf_clear(&proc->iev.ibuf.w);
342 close(proc->iev.ibuf.fd);
344 wait_for_child(proc->pid);
349 idisconnect.client_id = client->id;
350 if (gotd_imsg_compose_event(&listen_proc->iev,
351 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
352 &idisconnect, sizeof(idisconnect)) == -1)
353 log_warn("imsg compose DISCONNECT");
355 slot = client_hash(client->id) % nitems(gotd_clients);
356 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
357 imsg_clear(&client->iev.ibuf);
358 event_del(&client->iev.ev);
359 evtimer_del(&client->tmo);
360 if (client->fd != -1)
362 else if (client->iev.ibuf.fd != -1)
363 close(client->iev.ibuf.fd);
369 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
373 log_warnx("uid %d: %s", client->euid, err->msg);
374 if (err->code != GOT_ERR_EOF && client->fd != -1) {
375 imsg_init(&ibuf, client->fd);
376 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
382 static const struct got_error *
383 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
385 const struct got_error *err = NULL;
386 struct gotd_imsg_info_repo irepo;
388 memset(&irepo, 0, sizeof(irepo));
390 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
391 >= sizeof(irepo.repo_name))
392 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
393 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
394 >= sizeof(irepo.repo_path))
395 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
397 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
398 &irepo, sizeof(irepo)) == -1) {
399 err = got_error_from_errno("imsg compose INFO_REPO");
407 static const struct got_error *
408 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
410 const struct got_error *err = NULL;
411 struct gotd_imsg_info_client iclient;
412 struct gotd_child_proc *proc;
414 memset(&iclient, 0, sizeof(iclient));
415 iclient.euid = client->euid;
416 iclient.egid = client->egid;
420 if (strlcpy(iclient.repo_name, proc->repo_path,
421 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
422 return got_error_msg(GOT_ERR_NO_SPACE,
423 "repo name too long");
425 if (client_is_writing(client))
426 iclient.is_writing = 1;
428 iclient.repo_child_pid = proc->pid;
432 iclient.session_child_pid = client->session->pid;
434 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
435 &iclient, sizeof(iclient)) == -1) {
436 err = got_error_from_errno("imsg compose INFO_CLIENT");
444 static const struct got_error *
445 send_info(struct gotd_client *client)
447 const struct got_error *err = NULL;
448 struct gotd_imsg_info info;
450 struct gotd_repo *repo;
452 if (client->euid != 0)
453 return got_error_set_errno(EPERM, "info");
456 info.verbosity = gotd.verbosity;
457 info.nrepos = gotd.nrepos;
458 info.nclients = client_cnt - 1;
460 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
461 &info, sizeof(info)) == -1) {
462 err = got_error_from_errno("imsg compose INFO");
467 TAILQ_FOREACH(repo, &gotd.repos, entry) {
468 err = send_repo_info(&client->iev, repo);
473 for (slot = 0; slot < nitems(gotd_clients); slot++) {
474 struct gotd_client *c;
475 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
476 if (c->id == client->id)
478 err = send_client_info(&client->iev, c);
487 static const struct got_error *
488 stop_gotd(struct gotd_client *client)
491 if (client->euid != 0)
492 return got_error_set_errno(EPERM, "stop");
499 static struct gotd_repo *
500 find_repo_by_name(const char *repo_name)
502 struct gotd_repo *repo;
505 TAILQ_FOREACH(repo, &gotd.repos, entry) {
506 namelen = strlen(repo->name);
507 if (strncmp(repo->name, repo_name, namelen) != 0)
509 if (repo_name[namelen] == '\0' ||
510 strcmp(&repo_name[namelen], ".git") == 0)
517 static const struct got_error *
518 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
520 const struct got_error *err;
521 struct gotd_imsg_list_refs ireq;
522 struct gotd_repo *repo = NULL;
525 log_debug("list-refs request from uid %d", client->euid);
527 if (client->state != GOTD_CLIENT_STATE_NEW)
528 return got_error_msg(GOT_ERR_BAD_REQUEST,
529 "unexpected list-refs request received");
531 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
532 if (datalen != sizeof(ireq))
533 return got_error(GOT_ERR_PRIVSEP_LEN);
535 memcpy(&ireq, imsg->data, datalen);
537 if (ireq.client_is_reading) {
538 err = ensure_client_is_not_writing(client);
541 repo = find_repo_by_name(ireq.repo_name);
543 return got_error(GOT_ERR_NOT_GIT_REPO);
544 err = start_auth_child(client, GOTD_AUTH_READ, repo,
545 gotd.argv0, gotd.confpath, gotd.daemonize,
550 err = ensure_client_is_not_reading(client);
553 repo = find_repo_by_name(ireq.repo_name);
555 return got_error(GOT_ERR_NOT_GIT_REPO);
556 err = start_auth_child(client,
557 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
558 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
564 evtimer_add(&client->tmo, &auth_timeout);
566 /* Flow continues upon authentication successs/failure or timeout. */
571 gotd_request(int fd, short events, void *arg)
573 struct gotd_imsgev *iev = arg;
574 struct imsgbuf *ibuf = &iev->ibuf;
575 struct gotd_client *client = iev->handler_arg;
576 const struct got_error *err = NULL;
580 if (events & EV_WRITE) {
581 while (ibuf->w.queued) {
582 n = msgbuf_write(&ibuf->w);
583 if (n == -1 && errno == EPIPE) {
585 * The client has closed its socket.
586 * This can happen when Git clients are
587 * done sending pack file data.
589 msgbuf_clear(&ibuf->w);
591 } else if (n == -1 && errno != EAGAIN) {
592 err = got_error_from_errno("imsg_flush");
593 disconnect_on_error(client, err);
597 /* Connection closed. */
598 err = got_error(GOT_ERR_EOF);
599 disconnect_on_error(client, err);
604 /* Disconnect gotctl(8) now that messages have been sent. */
605 if (!client_is_reading(client) && !client_is_writing(client)) {
611 if ((events & EV_READ) == 0)
614 memset(&imsg, 0, sizeof(imsg));
616 while (err == NULL) {
617 err = gotd_imsg_recv(&imsg, ibuf, 0);
619 if (err->code == GOT_ERR_PRIVSEP_READ)
624 evtimer_del(&client->tmo);
626 switch (imsg.hdr.type) {
628 err = send_info(client);
631 err = stop_gotd(client);
633 case GOTD_IMSG_LIST_REFS:
634 err = start_client_authentication(client, &imsg);
637 log_debug("unexpected imsg %d", imsg.hdr.type);
638 err = got_error(GOT_ERR_PRIVSEP_MSG);
646 disconnect_on_error(client, err);
648 gotd_imsg_event_add(&client->iev);
653 gotd_auth_timeout(int fd, short events, void *arg)
655 struct gotd_client *client = arg;
657 log_debug("disconnecting uid %d due to authentication timeout",
662 static const struct got_error *
663 recv_connect(uint32_t *client_id, struct imsg *imsg)
665 const struct got_error *err = NULL;
666 struct gotd_imsg_connect iconnect;
669 struct gotd_client *client = NULL;
673 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
674 if (datalen != sizeof(iconnect))
675 return got_error(GOT_ERR_PRIVSEP_LEN);
676 memcpy(&iconnect, imsg->data, sizeof(iconnect));
680 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
684 if (find_client(iconnect.client_id)) {
685 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
689 client = calloc(1, sizeof(*client));
690 if (client == NULL) {
691 err = got_error_from_errno("calloc");
695 *client_id = iconnect.client_id;
697 client->state = GOTD_CLIENT_STATE_NEW;
698 client->id = iconnect.client_id;
701 /* The auth process will verify UID/GID for us. */
702 client->euid = iconnect.euid;
703 client->egid = iconnect.egid;
705 imsg_init(&client->iev.ibuf, client->fd);
706 client->iev.handler = gotd_request;
707 client->iev.events = EV_READ;
708 client->iev.handler_arg = client;
710 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
712 gotd_imsg_event_add(&client->iev);
714 evtimer_set(&client->tmo, gotd_auth_timeout, client);
717 log_debug("%s: new client uid %d connected on fd %d", __func__,
718 client->euid, client->fd);
721 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
722 struct gotd_imsg_disconnect idisconnect;
724 idisconnect.client_id = client->id;
725 if (gotd_imsg_compose_event(&listen_proc->iev,
726 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
727 &idisconnect, sizeof(idisconnect)) == -1)
728 log_warn("imsg compose DISCONNECT");
737 static const char *gotd_proc_names[PROC_MAX] = {
747 kill_proc(struct gotd_child_proc *proc, int fatal)
750 log_warnx("sending SIGKILL to PID %d", proc->pid);
751 kill(proc->pid, SIGKILL);
753 kill(proc->pid, SIGTERM);
759 struct gotd_child_proc *proc;
762 log_debug("shutting down");
763 for (slot = 0; slot < nitems(gotd_clients); slot++) {
764 struct gotd_client *c, *tmp;
766 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
770 proc = &gotd.listen_proc;
771 msgbuf_clear(&proc->iev.ibuf.w);
772 close(proc->iev.ibuf.fd);
774 wait_for_child(proc->pid);
776 log_info("terminating");
781 gotd_sighdlr(int sig, short event, void *arg)
784 * Normal signal handler rules don't apply because libevent
790 log_info("%s: ignoring SIGHUP", __func__);
793 log_info("%s: ignoring SIGUSR1", __func__);
800 fatalx("unexpected signal");
804 static const struct got_error *
805 ensure_proc_is_reading(struct gotd_client *client,
806 struct gotd_child_proc *proc)
808 if (!client_is_reading(client)) {
810 return got_error_fmt(GOT_ERR_BAD_PACKET,
811 "PID %d handled a read-request for uid %d but this "
812 "user is not reading from a repository", proc->pid,
819 static const struct got_error *
820 ensure_proc_is_writing(struct gotd_client *client,
821 struct gotd_child_proc *proc)
823 if (!client_is_writing(client)) {
825 return got_error_fmt(GOT_ERR_BAD_PACKET,
826 "PID %d handled a write-request for uid %d but this "
827 "user is not writing to a repository", proc->pid,
835 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
838 const struct got_error *err;
841 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
842 if (client->repo == NULL)
843 fatalx("no process found for uid %d", client->euid);
844 if (proc->pid != client->repo->pid) {
846 log_warnx("received message from PID %d for uid %d, "
847 "while PID %d is the process serving this user",
848 proc->pid, client->euid, client->repo->pid);
852 if (proc->type == PROC_SESSION) {
853 if (client->session == NULL) {
854 log_warnx("no session found for uid %d", client->euid);
857 if (proc->pid != client->session->pid) {
859 log_warnx("received message from PID %d for uid %d, "
860 "while PID %d is the process serving this user",
861 proc->pid, client->euid, client->session->pid);
866 switch (imsg->hdr.type) {
867 case GOTD_IMSG_ERROR:
870 case GOTD_IMSG_CONNECT:
871 if (proc->type != PROC_LISTEN) {
872 err = got_error_fmt(GOT_ERR_BAD_PACKET,
873 "new connection for uid %d from PID %d "
874 "which is not the listen process",
875 proc->pid, client->euid);
879 case GOTD_IMSG_ACCESS_GRANTED:
880 if (proc->type != PROC_AUTH) {
881 err = got_error_fmt(GOT_ERR_BAD_PACKET,
882 "authentication of uid %d from PID %d "
883 "which is not the auth process",
884 proc->pid, client->euid);
888 case GOTD_IMSG_CLIENT_SESSION_READY:
889 if (proc->type != PROC_SESSION) {
890 err = got_error_fmt(GOT_ERR_BAD_PACKET,
891 "unexpected \"ready\" signal from PID %d",
896 case GOTD_IMSG_REPO_CHILD_READY:
897 if (proc->type != PROC_REPO_READ &&
898 proc->type != PROC_REPO_WRITE) {
899 err = got_error_fmt(GOT_ERR_BAD_PACKET,
900 "unexpected \"ready\" signal from PID %d",
905 case GOTD_IMSG_PACKFILE_DONE:
906 err = ensure_proc_is_reading(client, proc);
908 log_warnx("uid %d: %s", client->euid, err->msg);
912 case GOTD_IMSG_PACKFILE_INSTALL:
913 case GOTD_IMSG_REF_UPDATES_START:
914 case GOTD_IMSG_REF_UPDATE:
915 err = ensure_proc_is_writing(client, proc);
917 log_warnx("uid %d: %s", client->euid, err->msg);
922 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
929 static const struct got_error *
930 connect_repo_child(struct gotd_client *client,
931 struct gotd_child_proc *repo_proc)
933 static const struct got_error *err;
934 struct gotd_imsgev *session_iev = &client->session->iev;
935 struct gotd_imsg_connect_repo_child ireq;
938 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
939 return got_error_msg(GOT_ERR_BAD_REQUEST,
940 "unexpected repo child ready signal received");
942 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
943 PF_UNSPEC, pipe) == -1)
946 memset(&ireq, 0, sizeof(ireq));
947 ireq.client_id = client->id;
948 ireq.proc_id = repo_proc->type;
950 /* Pass repo child pipe to session child process. */
951 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
952 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
953 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
959 /* Pass session child pipe to repo child process. */
960 if (gotd_imsg_compose_event(&repo_proc->iev,
961 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
962 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
971 gotd_dispatch_listener(int fd, short event, void *arg)
973 struct gotd_imsgev *iev = arg;
974 struct imsgbuf *ibuf = &iev->ibuf;
975 struct gotd_child_proc *proc = &gotd.listen_proc;
980 if (proc->iev.ibuf.fd != fd)
981 fatalx("%s: unexpected fd %d", __func__, fd);
983 if (event & EV_READ) {
984 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
985 fatal("imsg_read error");
987 /* Connection closed. */
993 if (event & EV_WRITE) {
994 n = msgbuf_write(&ibuf->w);
995 if (n == -1 && errno != EAGAIN)
996 fatal("msgbuf_write");
998 /* Connection closed. */
1005 const struct got_error *err = NULL;
1006 struct gotd_client *client = NULL;
1007 uint32_t client_id = 0;
1008 int do_disconnect = 0;
1010 if ((n = imsg_get(ibuf, &imsg)) == -1)
1011 fatal("%s: imsg_get error", __func__);
1012 if (n == 0) /* No more messages. */
1015 switch (imsg.hdr.type) {
1016 case GOTD_IMSG_ERROR:
1018 err = gotd_imsg_recv_error(&client_id, &imsg);
1020 case GOTD_IMSG_CONNECT:
1021 err = recv_connect(&client_id, &imsg);
1024 log_debug("unexpected imsg %d", imsg.hdr.type);
1028 client = find_client(client_id);
1029 if (client == NULL) {
1030 log_warnx("%s: client not found", __func__);
1036 log_warnx("uid %d: %s", client->euid, err->msg);
1038 if (do_disconnect) {
1040 disconnect_on_error(client, err);
1049 gotd_imsg_event_add(iev);
1051 /* This pipe is dead. Remove its event handler */
1052 event_del(&iev->ev);
1053 event_loopexit(NULL);
1058 gotd_dispatch_auth_child(int fd, short event, void *arg)
1060 const struct got_error *err = NULL;
1061 struct gotd_imsgev *iev = arg;
1062 struct imsgbuf *ibuf = &iev->ibuf;
1063 struct gotd_client *client;
1064 struct gotd_repo *repo = NULL;
1068 uint32_t client_id = 0;
1069 int do_disconnect = 0;
1071 client = find_client_by_proc_fd(fd);
1072 if (client == NULL) {
1073 /* Can happen during process teardown. */
1074 warnx("cannot find client for fd %d", fd);
1079 if (client->auth == NULL)
1080 fatalx("cannot find auth child process for fd %d", fd);
1082 if (event & EV_READ) {
1083 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1084 fatal("imsg_read error");
1086 /* Connection closed. */
1092 if (event & EV_WRITE) {
1093 n = msgbuf_write(&ibuf->w);
1094 if (n == -1 && errno != EAGAIN)
1095 fatal("msgbuf_write");
1097 /* Connection closed. */
1103 if (client->auth->iev.ibuf.fd != fd)
1104 fatalx("%s: unexpected fd %d", __func__, fd);
1106 if ((n = imsg_get(ibuf, &imsg)) == -1)
1107 fatal("%s: imsg_get error", __func__);
1108 if (n == 0) /* No more messages. */
1111 evtimer_del(&client->tmo);
1113 switch (imsg.hdr.type) {
1114 case GOTD_IMSG_ERROR:
1116 err = gotd_imsg_recv_error(&client_id, &imsg);
1118 case GOTD_IMSG_ACCESS_GRANTED:
1119 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1123 log_debug("unexpected imsg %d", imsg.hdr.type);
1127 if (!verify_imsg_src(client, client->auth, &imsg)) {
1129 log_debug("dropping imsg type %d from PID %d",
1130 imsg.hdr.type, client->auth->pid);
1134 if (do_disconnect) {
1136 disconnect_on_error(client, err);
1142 repo = find_repo_by_name(client->auth->repo_name);
1144 err = got_error(GOT_ERR_NOT_GIT_REPO);
1147 kill_auth_proc(client);
1149 log_info("authenticated uid %d for repository %s",
1150 client->euid, repo->name);
1152 err = start_session_child(client, repo, gotd.argv0,
1153 gotd.confpath, gotd.daemonize, gotd.verbosity);
1158 log_warnx("uid %d: %s", client->euid, err->msg);
1160 /* We might have killed the auth process by now. */
1161 if (client->auth != NULL) {
1163 gotd_imsg_event_add(iev);
1165 /* This pipe is dead. Remove its event handler */
1166 event_del(&iev->ev);
1171 static const struct got_error *
1172 connect_session(struct gotd_client *client)
1174 const struct got_error *err = NULL;
1175 struct gotd_imsg_connect iconnect;
1178 memset(&iconnect, 0, sizeof(iconnect));
1180 s = dup(client->fd);
1182 return got_error_from_errno("dup");
1184 iconnect.client_id = client->id;
1185 iconnect.euid = client->euid;
1186 iconnect.egid = client->egid;
1188 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1189 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1190 err = got_error_from_errno("imsg compose CONNECT");
1196 * We are no longer interested in messages from this client.
1197 * Further client requests will be handled by the session process.
1199 msgbuf_clear(&client->iev.ibuf.w);
1200 imsg_clear(&client->iev.ibuf);
1201 event_del(&client->iev.ev);
1202 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1208 gotd_dispatch_client_session(int fd, short event, void *arg)
1210 struct gotd_imsgev *iev = arg;
1211 struct imsgbuf *ibuf = &iev->ibuf;
1212 struct gotd_child_proc *proc = NULL;
1213 struct gotd_client *client = NULL;
1218 client = find_client_by_proc_fd(fd);
1219 if (client == NULL) {
1220 /* Can happen during process teardown. */
1221 warnx("cannot find client for fd %d", fd);
1226 if (event & EV_READ) {
1227 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1228 fatal("imsg_read error");
1230 /* Connection closed. */
1236 if (event & EV_WRITE) {
1237 n = msgbuf_write(&ibuf->w);
1238 if (n == -1 && errno != EAGAIN)
1239 fatal("msgbuf_write");
1241 /* Connection closed. */
1247 proc = client->session;
1249 fatalx("cannot find session child process for fd %d", fd);
1252 const struct got_error *err = NULL;
1253 uint32_t client_id = 0;
1254 int do_disconnect = 0, do_start_repo_child = 0;
1256 if ((n = imsg_get(ibuf, &imsg)) == -1)
1257 fatal("%s: imsg_get error", __func__);
1258 if (n == 0) /* No more messages. */
1261 switch (imsg.hdr.type) {
1262 case GOTD_IMSG_ERROR:
1264 err = gotd_imsg_recv_error(&client_id, &imsg);
1266 case GOTD_IMSG_CLIENT_SESSION_READY:
1267 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1268 err = got_error(GOT_ERR_PRIVSEP_MSG);
1271 do_start_repo_child = 1;
1273 case GOTD_IMSG_DISCONNECT:
1277 log_debug("unexpected imsg %d", imsg.hdr.type);
1281 if (!verify_imsg_src(client, proc, &imsg)) {
1282 log_debug("dropping imsg type %d from PID %d",
1283 imsg.hdr.type, proc->pid);
1288 log_warnx("uid %d: %s", client->euid, err->msg);
1290 if (do_start_repo_child) {
1291 struct gotd_repo *repo;
1293 repo = find_repo_by_name(client->session->repo_name);
1295 enum gotd_procid proc_type;
1297 if (client->required_auth & GOTD_AUTH_WRITE)
1298 proc_type = PROC_REPO_WRITE;
1300 proc_type = PROC_REPO_READ;
1302 err = start_repo_child(client, proc_type, repo,
1303 gotd.argv0, gotd.confpath, gotd.daemonize,
1306 err = got_error(GOT_ERR_NOT_GIT_REPO);
1309 log_warnx("uid %d: %s", client->euid, err->msg);
1314 if (do_disconnect) {
1316 disconnect_on_error(client, err);
1325 gotd_imsg_event_add(iev);
1327 /* This pipe is dead. Remove its event handler */
1328 event_del(&iev->ev);
1334 gotd_dispatch_repo_child(int fd, short event, void *arg)
1336 struct gotd_imsgev *iev = arg;
1337 struct imsgbuf *ibuf = &iev->ibuf;
1338 struct gotd_child_proc *proc = NULL;
1339 struct gotd_client *client;
1344 client = find_client_by_proc_fd(fd);
1345 if (client == NULL) {
1346 /* Can happen during process teardown. */
1347 warnx("cannot find client for fd %d", fd);
1352 if (event & EV_READ) {
1353 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1354 fatal("imsg_read error");
1356 /* Connection closed. */
1362 if (event & EV_WRITE) {
1363 n = msgbuf_write(&ibuf->w);
1364 if (n == -1 && errno != EAGAIN)
1365 fatal("msgbuf_write");
1367 /* Connection closed. */
1373 proc = client->repo;
1375 fatalx("cannot find child process for fd %d", fd);
1378 const struct got_error *err = NULL;
1379 uint32_t client_id = 0;
1380 int do_disconnect = 0;
1382 if ((n = imsg_get(ibuf, &imsg)) == -1)
1383 fatal("%s: imsg_get error", __func__);
1384 if (n == 0) /* No more messages. */
1387 switch (imsg.hdr.type) {
1388 case GOTD_IMSG_ERROR:
1390 err = gotd_imsg_recv_error(&client_id, &imsg);
1392 case GOTD_IMSG_REPO_CHILD_READY:
1393 err = connect_session(client);
1396 err = connect_repo_child(client, proc);
1399 log_debug("unexpected imsg %d", imsg.hdr.type);
1403 if (!verify_imsg_src(client, proc, &imsg)) {
1404 log_debug("dropping imsg type %d from PID %d",
1405 imsg.hdr.type, proc->pid);
1410 log_warnx("uid %d: %s", client->euid, err->msg);
1412 if (do_disconnect) {
1414 disconnect_on_error(client, err);
1423 gotd_imsg_event_add(iev);
1425 /* This pipe is dead. Remove its event handler */
1426 event_del(&iev->ev);
1432 start_child(enum gotd_procid proc_id, const char *repo_path,
1433 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1439 switch (pid = fork()) {
1441 fatal("cannot fork");
1449 if (fd != GOTD_FILENO_MSG_PIPE) {
1450 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1451 fatal("cannot setup imsg fd");
1452 } else if (fcntl(fd, F_SETFD, 0) == -1)
1453 fatal("cannot setup imsg fd");
1455 argv[argc++] = argv0;
1458 argv[argc++] = (char *)"-L";
1461 argv[argc++] = (char *)"-A";
1464 argv[argc++] = (char *)"-S";
1466 case PROC_REPO_READ:
1467 argv[argc++] = (char *)"-R";
1469 case PROC_REPO_WRITE:
1470 argv[argc++] = (char *)"-W";
1473 fatalx("invalid process id %d", proc_id);
1476 argv[argc++] = (char *)"-f";
1477 argv[argc++] = (char *)confpath;
1480 argv[argc++] = (char *)"-P";
1481 argv[argc++] = (char *)repo_path;
1485 argv[argc++] = (char *)"-d";
1487 argv[argc++] = (char *)"-v";
1489 argv[argc++] = (char *)"-v";
1490 argv[argc++] = NULL;
1492 execvp(argv0, argv);
1497 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1499 struct gotd_child_proc *proc = &gotd.listen_proc;
1501 proc->type = PROC_LISTEN;
1503 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1504 PF_UNSPEC, proc->pipe) == -1)
1505 fatal("socketpair");
1507 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1508 proc->pipe[1], daemonize, verbosity);
1509 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1510 proc->iev.handler = gotd_dispatch_listener;
1511 proc->iev.events = EV_READ;
1512 proc->iev.handler_arg = NULL;
1515 static const struct got_error *
1516 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1517 char *argv0, const char *confpath, int daemonize, int verbosity)
1519 struct gotd_child_proc *proc;
1521 proc = calloc(1, sizeof(*proc));
1523 return got_error_from_errno("calloc");
1525 proc->type = PROC_SESSION;
1526 if (strlcpy(proc->repo_name, repo->name,
1527 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1528 fatalx("repository name too long: %s", repo->name);
1529 log_debug("starting client uid %d session for repository %s",
1530 client->euid, repo->name);
1531 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1532 sizeof(proc->repo_path))
1533 fatalx("repository path too long: %s", repo->path);
1534 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1535 PF_UNSPEC, proc->pipe) == -1)
1536 fatal("socketpair");
1537 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1538 confpath, proc->pipe[1], daemonize, verbosity);
1539 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1540 log_debug("proc %s %s is on fd %d",
1541 gotd_proc_names[proc->type], proc->repo_path,
1543 proc->iev.handler = gotd_dispatch_client_session;
1544 proc->iev.events = EV_READ;
1545 proc->iev.handler_arg = NULL;
1546 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1547 gotd_dispatch_client_session, &proc->iev);
1548 gotd_imsg_event_add(&proc->iev);
1550 client->session = proc;
1554 static const struct got_error *
1555 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1556 struct gotd_repo *repo, char *argv0, const char *confpath,
1557 int daemonize, int verbosity)
1559 struct gotd_child_proc *proc;
1561 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1562 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1564 proc = calloc(1, sizeof(*proc));
1566 return got_error_from_errno("calloc");
1568 proc->type = proc_type;
1569 if (strlcpy(proc->repo_name, repo->name,
1570 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1571 fatalx("repository name too long: %s", repo->name);
1572 log_debug("starting %s for repository %s",
1573 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1574 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1575 sizeof(proc->repo_path))
1576 fatalx("repository path too long: %s", repo->path);
1577 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1578 PF_UNSPEC, proc->pipe) == -1)
1579 fatal("socketpair");
1580 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1581 confpath, proc->pipe[1], daemonize, verbosity);
1582 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1583 log_debug("proc %s %s is on fd %d",
1584 gotd_proc_names[proc->type], proc->repo_path,
1586 proc->iev.handler = gotd_dispatch_repo_child;
1587 proc->iev.events = EV_READ;
1588 proc->iev.handler_arg = NULL;
1589 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1590 gotd_dispatch_repo_child, &proc->iev);
1591 gotd_imsg_event_add(&proc->iev);
1593 client->repo = proc;
1597 static const struct got_error *
1598 start_auth_child(struct gotd_client *client, int required_auth,
1599 struct gotd_repo *repo, char *argv0, const char *confpath,
1600 int daemonize, int verbosity)
1602 const struct got_error *err = NULL;
1603 struct gotd_child_proc *proc;
1604 struct gotd_imsg_auth iauth;
1607 memset(&iauth, 0, sizeof(iauth));
1609 fd = dup(client->fd);
1611 return got_error_from_errno("dup");
1613 proc = calloc(1, sizeof(*proc));
1615 err = got_error_from_errno("calloc");
1620 proc->type = PROC_AUTH;
1621 if (strlcpy(proc->repo_name, repo->name,
1622 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1623 fatalx("repository name too long: %s", repo->name);
1624 log_debug("starting auth for uid %d repository %s",
1625 client->euid, repo->name);
1626 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1627 sizeof(proc->repo_path))
1628 fatalx("repository path too long: %s", repo->path);
1629 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1630 PF_UNSPEC, proc->pipe) == -1)
1631 fatal("socketpair");
1632 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1633 confpath, proc->pipe[1], daemonize, verbosity);
1634 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1635 log_debug("proc %s %s is on fd %d",
1636 gotd_proc_names[proc->type], proc->repo_path,
1638 proc->iev.handler = gotd_dispatch_auth_child;
1639 proc->iev.events = EV_READ;
1640 proc->iev.handler_arg = NULL;
1641 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1642 gotd_dispatch_auth_child, &proc->iev);
1643 gotd_imsg_event_add(&proc->iev);
1645 iauth.euid = client->euid;
1646 iauth.egid = client->egid;
1647 iauth.required_auth = required_auth;
1648 iauth.client_id = client->id;
1649 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1650 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1651 log_warn("imsg compose AUTHENTICATE");
1653 /* Let the auth_timeout handler tidy up. */
1656 client->auth = proc;
1657 client->required_auth = required_auth;
1662 apply_unveil_repo_readonly(const char *repo_path)
1664 if (unveil(repo_path, "r") == -1)
1665 fatal("unveil %s", repo_path);
1667 if (unveil(NULL, NULL) == -1)
1672 apply_unveil_repo_readwrite(const char *repo_path)
1674 if (unveil(repo_path, "rwc") == -1)
1675 fatal("unveil %s", repo_path);
1677 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1678 fatal("unveil %s", GOT_TMPDIR_STR);
1680 if (unveil(NULL, NULL) == -1)
1685 apply_unveil_none(void)
1687 if (unveil("/", "") == -1)
1690 if (unveil(NULL, NULL) == -1)
1695 apply_unveil_selfexec(void)
1697 if (unveil(gotd.argv0, "x") == -1)
1698 fatal("unveil %s", gotd.argv0);
1700 if (unveil(NULL, NULL) == -1)
1705 main(int argc, char **argv)
1707 const struct got_error *error = NULL;
1708 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1709 const char *confpath = GOTD_CONF_PATH;
1710 char *argv0 = argv[0];
1712 struct passwd *pw = NULL;
1713 char *repo_path = NULL;
1714 enum gotd_procid proc_id = PROC_GOTD;
1715 struct event evsigint, evsigterm, evsighup, evsigusr1;
1716 int *pack_fds = NULL, *temp_fds = NULL;
1718 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1720 while ((ch = getopt(argc, argv, "Adf:LnP:RSvW")) != -1) {
1723 proc_id = PROC_AUTH;
1732 proc_id = PROC_LISTEN;
1738 repo_path = realpath(optarg, NULL);
1739 if (repo_path == NULL)
1740 fatal("realpath '%s'", optarg);
1743 proc_id = PROC_REPO_READ;
1746 proc_id = PROC_SESSION;
1753 proc_id = PROC_REPO_WRITE;
1766 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1767 fatalx("need root privileges");
1769 if (parse_config(confpath, proc_id, &gotd) != 0)
1772 pw = getpwnam(gotd.user_name);
1774 fatalx("user %s not found", gotd.user_name);
1776 if (pw->pw_uid == 0)
1777 fatalx("cannot run %s as the superuser", getprogname());
1780 fprintf(stderr, "configuration OK\n");
1785 gotd.daemonize = daemonize;
1786 gotd.verbosity = verbosity;
1787 gotd.confpath = confpath;
1789 /* Require an absolute path in argv[0] for reliable re-exec. */
1790 if (!got_path_is_absolute(argv0))
1791 fatalx("bad path \"%s\": must be an absolute path", argv0);
1793 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1794 log_setverbose(verbosity);
1796 if (proc_id == PROC_GOTD) {
1797 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1798 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1799 if (daemonize && daemon(1, 0) == -1)
1801 gotd.pid = getpid();
1802 start_listener(argv0, confpath, daemonize, verbosity);
1803 } else if (proc_id == PROC_LISTEN) {
1804 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1806 log_info("socket: %s", gotd.unix_socket_path);
1807 log_info("user: %s", pw->pw_name);
1810 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1813 fatal("cannot listen on unix socket %s",
1814 gotd.unix_socket_path);
1816 } else if (proc_id == PROC_AUTH) {
1817 snprintf(title, sizeof(title), "%s %s",
1818 gotd_proc_names[proc_id], repo_path);
1819 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1820 proc_id == PROC_SESSION) {
1821 error = got_repo_pack_fds_open(&pack_fds);
1823 fatalx("cannot open pack tempfiles: %s", error->msg);
1824 error = got_repo_temp_fds_open(&temp_fds);
1826 fatalx("cannot open pack tempfiles: %s", error->msg);
1827 if (repo_path == NULL)
1828 fatalx("repository path not specified");
1829 snprintf(title, sizeof(title), "%s %s",
1830 gotd_proc_names[proc_id], repo_path);
1832 fatal("invalid process id %d", proc_id);
1834 setproctitle("%s", title);
1835 log_procinit(title);
1837 /* Drop root privileges. */
1838 if (setgid(pw->pw_gid) == -1)
1839 fatal("setgid %d failed", pw->pw_gid);
1840 if (setuid(pw->pw_uid) == -1)
1841 fatal("setuid %d failed", pw->pw_uid);
1848 /* "exec" promise will be limited to argv[0] via unveil(2). */
1849 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1855 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1859 * Ensure that AF_UNIX bind(2) cannot be used with any other
1860 * sockets by revoking all filesystem access via unveil(2).
1862 apply_unveil_none();
1864 listen_main(title, fd, gotd.connection_limits,
1865 gotd.nconnection_limits);
1870 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
1874 * We need the "unix" pledge promise for getpeername(2) only.
1875 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
1876 * filesystem access via unveil(2). Access to password database
1877 * files will still work since "getpw" bypasses unveil(2).
1879 apply_unveil_none();
1881 auth_main(title, &gotd.repos, repo_path);
1887 * The "recvfd" promise is only needed during setup and
1888 * will be removed in a later pledge(2) call.
1890 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
1891 "unveil", NULL) == -1)
1894 apply_unveil_repo_readwrite(repo_path);
1895 session_main(title, repo_path, pack_fds, temp_fds,
1896 &gotd.request_timeout);
1899 case PROC_REPO_READ:
1901 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1904 apply_unveil_repo_readonly(repo_path);
1905 repo_read_main(title, repo_path, pack_fds, temp_fds);
1908 case PROC_REPO_WRITE:
1910 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1913 apply_unveil_repo_readonly(repo_path);
1914 repo_write_main(title, repo_path, pack_fds, temp_fds);
1918 fatal("invalid process id %d", proc_id);
1921 if (proc_id != PROC_GOTD)
1922 fatal("invalid process id %d", proc_id);
1924 apply_unveil_selfexec();
1926 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
1927 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
1928 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
1929 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
1930 signal(SIGPIPE, SIG_IGN);
1932 signal_add(&evsigint, NULL);
1933 signal_add(&evsigterm, NULL);
1934 signal_add(&evsighup, NULL);
1935 signal_add(&evsigusr1, NULL);
1937 gotd_imsg_event_add(&gotd.listen_proc.iev);