1 /* Copyright (c) 2008 The Board of Trustees of The Leland Stanford
4 * We are making the OpenFlow specification and associated documentation
5 * (Software) available for public use and benefit with the expectation
6 * that others will use, modify and enhance the Software and contribute
7 * those enhancements back to the community. However, since we would
8 * like to make the Software available for broadest use, with as few
9 * restrictions as possible permission is hereby granted, free of
10 * charge, to any person obtaining a copy of this Software to deal in
11 * the Software under the copyrights without restriction, including
12 * without limitation the rights to use, copy, modify, merge, publish,
13 * distribute, sublicense, and/or sell copies of the Software, and to
14 * permit persons to whom the Software is furnished to do so, subject to
15 * the following conditions:
17 * The above copyright notice and this permission notice shall be
18 * included in all copies or substantial portions of the Software.
20 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
21 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
23 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
24 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
25 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
26 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
29 * The name and trademarks of copyright holder(s) may NOT be used in
30 * advertising or publicity pertaining to the Software or any
31 * derivatives without specific, written prior permission.
46 #include "dynamic-string.h"
47 #include "fatal-signal.h"
48 #include "nicira-ext.h"
51 #include "poll-loop.h"
54 #include "socket-util.h"
58 #define THIS_MODULE VLM_executer
61 #define MAX_CHILDREN 8
64 /* Information about child process. */
65 char *name; /* argv[0] passed to child. */
66 pid_t pid; /* Child's process ID. */
68 /* For sending a reply to the controller when the child dies. */
70 uint32_t xid; /* Transaction ID used by controller. */
72 /* We read up to MAX_OUTPUT bytes of output and send them back to the
73 * controller when the child dies. */
74 #define MAX_OUTPUT 4096
75 int output_fd; /* FD from which to read child's output. */
76 uint8_t *output; /* Output data. */
77 size_t output_size; /* Number of bytes of output data so far. */
81 const struct settings *s;
84 struct child children[MAX_CHILDREN];
87 /* File descriptors. */
88 int wait_fd; /* Pipe FD for wakeup when on SIGCHLD. */
89 int null_fd; /* FD for /dev/null. */
92 /* Returns true if 'cmd' is allowed by 'acl', which is a command-separated
93 * access control list in the format described for --command-acl in
96 executer_is_permitted(const char *acl_, const char *cmd)
98 char *acl, *save_ptr, *pattern;
101 /* Verify that 'cmd' consists only of alphanumerics plus _ or -. */
102 if (cmd[strspn(cmd, "abcdefghijklmnopqrstuvwxyz"
103 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")] != '\0') {
104 VLOG_WARN("rejecting command name \"%s\" that contain forbidden "
109 /* Check 'cmd' against 'acl'. */
112 allowed = denied = false;
113 while ((pattern = strsep(&save_ptr, ",")) != NULL && !denied) {
114 if (pattern[0] != '!' && !fnmatch(pattern, cmd, 0)) {
116 } else if (pattern[0] == '!' && !fnmatch(pattern + 1, cmd, 0)) {
122 /* Check the command white/blacklisted state. */
123 if (allowed && !denied) {
124 VLOG_WARN("permitting command execution: \"%s\" is whitelisted", cmd);
125 } else if (allowed && denied) {
126 VLOG_WARN("denying command execution: \"%s\" is both blacklisted "
127 "and whitelisted", cmd);
128 } else if (!allowed) {
129 VLOG_WARN("denying command execution: \"%s\" is not whitelisted", cmd);
131 VLOG_WARN("denying command execution: \"%s\" is blacklisted", cmd);
133 return allowed && !denied;
137 executer_remote_packet_cb(struct relay *r, void *e_)
139 struct executer *e = e_;
140 struct ofpbuf *msg = r->halves[HALF_REMOTE].rxbuf;
141 struct nicira_header *request;
144 char *exec_file = NULL;
153 /* Check for NXT_COMMAND_REQUEST vendor extension. */
154 if (msg->size < sizeof(struct nicira_header)) {
158 if (request->header.type != OFPT_VENDOR
159 || request->vendor != htonl(NX_VENDOR_ID)
160 || request->subtype != htonl(NXT_COMMAND_REQUEST)) {
164 /* Verify limit on children not exceeded.
165 * XXX should probably kill children when the connection drops? */
166 if (e->n_children >= MAX_CHILDREN) {
167 VLOG_WARN("limit of %d child processes reached, dropping request",
172 /* Copy argument buffer, adding a null terminator at the end. Now every
173 * argument is null-terminated, instead of being merely null-delimited. */
174 args_size = msg->size - sizeof *request;
175 args = xmemdup0((const void *) (request + 1), args_size);
177 /* Count arguments. */
179 for (i = 0; i <= args_size; i++) {
180 argc += args[i] == '\0';
183 /* Set argv[*] to point to each argument. */
184 argv = xmalloc((argc + 1) * sizeof *argv);
186 for (i = 1; i < argc; i++) {
187 argv[i] = strchr(argv[i - 1], '\0') + 1;
191 /* Check permissions. */
192 if (!executer_is_permitted(e->s->command_acl, argv[0])) {
196 /* Find the executable. */
197 exec_file = xasprintf("%s/%s", e->s->command_dir, argv[0]);
198 if (stat(exec_file, &s)) {
199 VLOG_WARN("failed to stat \"%s\": %s", exec_file, strerror(errno));
202 if (!S_ISREG(s.st_mode)) {
203 VLOG_WARN("\"%s\" is not a regular file", exec_file);
208 /* Arrange to capture output. */
209 if (pipe(output_fds)) {
210 VLOG_WARN("pipe failed: %s", strerror(errno));
217 * XXX should run in new process group so that we can signal all
218 * subprocesses at once? Would also want to catch fatal signals and
219 * kill them at the same time though. */
222 dup2(output_fds[1], 1);
224 max_fds = get_max_fds();
225 for (i = 3; i < max_fds; i++) {
228 if (chdir(e->s->command_dir)) {
229 printf("could not change directory to \"%s\": %s",
230 e->s->command_dir, strerror(errno));
233 execv(argv[0], argv);
234 printf("failed to start \"%s\": %s\n", argv[0], strerror(errno));
236 } else if (pid > 0) {
237 /* Running in parent. */
240 VLOG_WARN("started \"%s\" subprocess", argv[0]);
241 child = &e->children[e->n_children++];
242 child->name = xstrdup(argv[0]);
245 child->xid = request->header.xid;
246 child->output_fd = output_fds[0];
247 child->output = xmalloc(MAX_OUTPUT);
248 child->output_size = 0;
249 set_nonblocking(output_fds[0]);
250 close(output_fds[1]);
252 VLOG_WARN("fork failed: %s", strerror(errno));
253 close(output_fds[0]);
254 close(output_fds[1]);
264 /* 'child' died with 'status' as its return code. Deal with it. */
266 child_terminated(struct child *child, int status)
268 /* Log how it terminated. */
269 struct ds ds = DS_EMPTY_INITIALIZER;
270 if (WIFEXITED(status)) {
271 ds_put_format(&ds, "normally with status %d", WEXITSTATUS(status));
272 } else if (WIFSIGNALED(status)) {
273 #ifdef HAVE_STRSIGNAL
274 ds_put_format(&ds, "by signal %s", strsignal(WTERMSIG(status)));
276 ds_put_format(&ds, "by signal %d", WTERMSIG(status));
279 if (WCOREDUMP(status)) {
280 ds_put_cstr(&ds, " (core dumped)");
282 VLOG_WARN("child process \"%s\" with pid %ld terminated %s",
283 child->name, (long int) child->pid, ds_cstr(&ds));
286 /* Send a status message back to the controller that requested the
289 struct nx_command_reply *r;
290 struct ofpbuf *buffer;
292 r = make_openflow_xid(sizeof *r, OFPT_VENDOR, child->xid, &buffer);
293 r->nxh.vendor = htonl(NX_VENDOR_ID);
294 r->nxh.subtype = htonl(NXT_COMMAND_REPLY);
295 if (WIFEXITED(status)) {
296 r->status = htonl(WEXITSTATUS(status) | NXT_STATUS_EXITED);
297 } else if (WIFSIGNALED(status)) {
298 r->status = htonl(WTERMSIG(status) | NXT_STATUS_SIGNALED);
300 r->status = htonl(NXT_STATUS_UNKNOWN);
302 if (WCOREDUMP(status)) {
303 r->status |= htonl(NXT_STATUS_COREDUMP);
305 ofpbuf_put(buffer, child->output, child->output_size);
306 update_openflow_length(buffer);
307 if (rconn_send(child->relay->halves[HALF_REMOTE].rconn, buffer,
309 ofpbuf_delete(buffer);
314 /* Read output from 'child' and append it to its output buffer. */
316 poll_child(struct child *child)
320 if (child->output_fd < 0) {
325 n = read(child->output_fd, child->output + child->output_size,
326 MAX_OUTPUT - child->output_size);
327 } while (n < 0 && errno == EINTR);
329 child->output_size += n;
330 if (child->output_size < MAX_OUTPUT) {
333 } else if (n < 0 && errno == EAGAIN) {
336 close(child->output_fd);
337 child->output_fd = -1;
341 executer_periodic_cb(void *e_)
343 struct executer *e = e_;
344 char buffer[MAX_CHILDREN];
347 if (!e->n_children) {
351 /* Read output from children. */
352 for (i = 0; i < e->n_children; i++) {
353 struct child *child = &e->children[i];
357 /* If SIGCHLD was received, reap dead children. */
358 if (read(e->wait_fd, buffer, sizeof buffer) <= 0) {
365 /* Get dead child in 'pid' and its return code in 'status'. */
366 pid = waitpid(WAIT_ANY, &status, WNOHANG);
367 if (pid < 0 && errno == EINTR) {
369 } else if (pid <= 0) {
373 /* Find child with given 'pid' and drop it from the list. */
374 for (i = 0; i < e->n_children; i++) {
375 struct child *child = &e->children[i];
376 if (child->pid == pid) {
378 child_terminated(child, status);
381 *child = e->children[--e->n_children];
385 VLOG_WARN("child with unknown pid %ld terminated", (long int) pid);
392 executer_wait_cb(void *e_)
394 struct executer *e = e_;
398 /* Wake up on SIGCHLD. */
399 poll_fd_wait(e->wait_fd, POLLIN);
401 /* Wake up when we get output from a child. */
402 for (i = 0; i < e->n_children; i++) {
403 struct child *child = &e->children[i];
404 if (child->output_fd >= 0) {
405 poll_fd_wait(e->wait_fd, POLLIN);
412 executer_closing_cb(struct relay *r, void *e_)
414 struct executer *e = e_;
417 /* If any of our children was connected to 'r', then disconnect it so we
418 * don't try to reference a dead connection when the process terminates
420 * XXX kill the children started by 'r'? */
421 for (i = 0; i < e->n_children; i++) {
422 if (e->children[i].relay == r) {
423 e->children[i].relay = NULL;
431 sigchld_handler(int signr UNUSED)
433 write(child_fd, "", 1);
436 static struct hook_class executer_hook_class = {
437 NULL, /* local_packet_cb */
438 executer_remote_packet_cb, /* remote_packet_cb */
439 executer_periodic_cb, /* periodic_cb */
440 executer_wait_cb, /* wait_cb */
441 executer_closing_cb, /* closing_cb */
445 executer_start(struct secchan *secchan, const struct settings *settings)
451 /* Create pipe for notifying us that SIGCHLD was invoked. */
453 ofp_fatal(errno, "pipe failed");
455 set_nonblocking(fds[0]);
456 set_nonblocking(fds[1]);
459 /* Open /dev/null. */
460 null_fd = open("/dev/null", O_RDWR);
462 ofp_fatal(errno, "could not open /dev/null");
465 /* Set up signal handler. */
466 memset(&sa, 0, sizeof sa);
467 sa.sa_handler = sigchld_handler;
468 sigemptyset(&sa.sa_mask);
469 sa.sa_flags = SA_NOCLDSTOP | SA_RESTART;
470 if (sigaction(SIGCHLD, &sa, NULL)) {
471 ofp_fatal(errno, "sigaction(SIGCHLD) faile");
475 e = xcalloc(1, sizeof *e);
479 e->null_fd = null_fd;
480 add_hook(secchan, &executer_hook_class, e);