2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
20 #include <sys/types.h>
22 #include <sys/socket.h>
43 #include "got_error.h"
44 #include "got_opentemp.h"
46 #include "got_repository.h"
47 #include "got_object.h"
48 #include "got_reference.h"
50 #include "got_lib_delta.h"
51 #include "got_lib_object.h"
52 #include "got_lib_object_cache.h"
53 #include "got_lib_sha1.h"
54 #include "got_lib_gitproto.h"
55 #include "got_lib_pack.h"
56 #include "got_lib_repository.h"
63 #include "repo_read.h"
64 #include "repo_write.h"
67 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
70 enum gotd_client_state {
71 GOTD_CLIENT_STATE_NEW,
72 GOTD_CLIENT_STATE_ACCESS_GRANTED,
76 STAILQ_ENTRY(gotd_client) entry;
77 enum gotd_client_state state;
80 struct gotd_imsgev iev;
84 struct gotd_child_proc *repo;
85 struct gotd_child_proc *auth;
86 struct gotd_child_proc *session;
89 STAILQ_HEAD(gotd_clients, gotd_client);
91 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
92 static SIPHASH_KEY clients_hash_key;
93 volatile int client_cnt;
94 static struct timeval auth_timeout = { 5, 0 };
95 static struct gotd gotd;
97 void gotd_sighdlr(int sig, short event, void *arg);
98 static void gotd_shutdown(void);
99 static const struct got_error *start_session_child(struct gotd_client *,
100 struct gotd_repo *, char *, const char *, int, int);
101 static const struct got_error *start_repo_child(struct gotd_client *,
102 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
103 static const struct got_error *start_auth_child(struct gotd_client *, int,
104 struct gotd_repo *, char *, const char *, int, int);
105 static void kill_proc(struct gotd_child_proc *, int);
110 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
115 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
117 struct sockaddr_un sun;
119 mode_t old_umask, mode;
121 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
127 sun.sun_family = AF_UNIX;
128 if (strlcpy(sun.sun_path, unix_socket_path,
129 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
130 log_warnx("%s: name too long", unix_socket_path);
135 if (unlink(unix_socket_path) == -1) {
136 if (errno != ENOENT) {
137 log_warn("unlink %s", unix_socket_path);
143 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
144 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
146 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
147 log_warn("bind: %s", unix_socket_path);
155 if (chmod(unix_socket_path, mode) == -1) {
156 log_warn("chmod %o %s", mode, unix_socket_path);
158 unlink(unix_socket_path);
162 if (chown(unix_socket_path, uid, gid) == -1) {
163 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
165 unlink(unix_socket_path);
169 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
172 unlink(unix_socket_path);
180 client_hash(uint32_t client_id)
182 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
186 add_client(struct gotd_client *client)
188 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
189 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
193 static struct gotd_client *
194 find_client(uint32_t client_id)
197 struct gotd_client *c;
199 slot = client_hash(client_id) % nitems(gotd_clients);
200 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
201 if (c->id == client_id)
208 static struct gotd_client *
209 find_client_by_proc_fd(int fd)
213 for (slot = 0; slot < nitems(gotd_clients); slot++) {
214 struct gotd_client *c;
216 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
217 if (c->repo && c->repo->iev.ibuf.fd == fd)
219 if (c->auth && c->auth->iev.ibuf.fd == fd)
221 if (c->session && c->session->iev.ibuf.fd == fd)
230 client_is_reading(struct gotd_client *client)
232 return (client->required_auth &
233 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
237 client_is_writing(struct gotd_client *client)
239 return (client->required_auth &
240 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
241 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
244 static const struct got_error *
245 ensure_client_is_not_writing(struct gotd_client *client)
247 if (client_is_writing(client)) {
248 return got_error_fmt(GOT_ERR_BAD_PACKET,
249 "uid %d made a read-request but is writing to "
250 "a repository", client->euid);
256 static const struct got_error *
257 ensure_client_is_not_reading(struct gotd_client *client)
259 if (client_is_reading(client)) {
260 return got_error_fmt(GOT_ERR_BAD_PACKET,
261 "uid %d made a write-request but is reading from "
262 "a repository", client->euid);
269 wait_for_child(pid_t child_pid)
274 log_debug("waiting for child PID %ld to terminate",
278 pid = waitpid(child_pid, &status, WNOHANG);
280 if (errno != EINTR && errno != ECHILD)
282 } else if (WIFSIGNALED(status)) {
283 log_warnx("child PID %ld terminated; signal %d",
284 (long)pid, WTERMSIG(status));
286 } while (pid != -1 || (pid == -1 && errno == EINTR));
290 proc_done(struct gotd_child_proc *proc)
292 event_del(&proc->iev.ev);
293 msgbuf_clear(&proc->iev.ibuf.w);
294 close(proc->iev.ibuf.fd);
296 wait_for_child(proc->pid);
301 kill_auth_proc(struct gotd_client *client)
303 struct gotd_child_proc *proc;
305 if (client->auth == NULL)
315 kill_session_proc(struct gotd_client *client)
317 struct gotd_child_proc *proc;
319 if (client->session == NULL)
322 proc = client->session;
323 client->session = NULL;
329 disconnect(struct gotd_client *client)
331 struct gotd_imsg_disconnect idisconnect;
332 struct gotd_child_proc *proc = client->repo;
333 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
336 log_debug("uid %d: disconnecting", client->euid);
338 kill_auth_proc(client);
339 kill_session_proc(client);
341 idisconnect.client_id = client->id;
343 if (gotd_imsg_compose_event(&proc->iev,
344 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
345 &idisconnect, sizeof(idisconnect)) == -1)
346 log_warn("imsg compose DISCONNECT");
348 msgbuf_clear(&proc->iev.ibuf.w);
349 close(proc->iev.ibuf.fd);
351 wait_for_child(proc->pid);
356 if (gotd_imsg_compose_event(&listen_proc->iev,
357 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
358 &idisconnect, sizeof(idisconnect)) == -1)
359 log_warn("imsg compose DISCONNECT");
361 slot = client_hash(client->id) % nitems(gotd_clients);
362 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
363 imsg_clear(&client->iev.ibuf);
364 event_del(&client->iev.ev);
365 evtimer_del(&client->tmo);
366 if (client->fd != -1)
368 else if (client->iev.ibuf.fd != -1)
369 close(client->iev.ibuf.fd);
375 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
379 log_warnx("uid %d: %s", client->euid, err->msg);
380 if (err->code != GOT_ERR_EOF && client->fd != -1) {
381 imsg_init(&ibuf, client->fd);
382 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
388 static const struct got_error *
389 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
391 const struct got_error *err = NULL;
392 struct gotd_imsg_info_repo irepo;
394 memset(&irepo, 0, sizeof(irepo));
396 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
397 >= sizeof(irepo.repo_name))
398 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
399 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
400 >= sizeof(irepo.repo_path))
401 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
403 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
404 &irepo, sizeof(irepo)) == -1) {
405 err = got_error_from_errno("imsg compose INFO_REPO");
413 static const struct got_error *
414 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
416 const struct got_error *err = NULL;
417 struct gotd_imsg_info_client iclient;
418 struct gotd_child_proc *proc;
420 memset(&iclient, 0, sizeof(iclient));
421 iclient.euid = client->euid;
422 iclient.egid = client->egid;
426 if (strlcpy(iclient.repo_name, proc->repo_path,
427 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
428 return got_error_msg(GOT_ERR_NO_SPACE,
429 "repo name too long");
431 if (client_is_writing(client))
432 iclient.is_writing = 1;
434 iclient.repo_child_pid = proc->pid;
438 iclient.session_child_pid = client->session->pid;
440 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
441 &iclient, sizeof(iclient)) == -1) {
442 err = got_error_from_errno("imsg compose INFO_CLIENT");
450 static const struct got_error *
451 send_info(struct gotd_client *client)
453 const struct got_error *err = NULL;
454 struct gotd_imsg_info info;
456 struct gotd_repo *repo;
458 if (client->euid != 0)
459 return got_error_set_errno(EPERM, "info");
462 info.verbosity = gotd.verbosity;
463 info.nrepos = gotd.nrepos;
464 info.nclients = client_cnt - 1;
466 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
467 &info, sizeof(info)) == -1) {
468 err = got_error_from_errno("imsg compose INFO");
473 TAILQ_FOREACH(repo, &gotd.repos, entry) {
474 err = send_repo_info(&client->iev, repo);
479 for (slot = 0; slot < nitems(gotd_clients); slot++) {
480 struct gotd_client *c;
481 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
482 if (c->id == client->id)
484 err = send_client_info(&client->iev, c);
493 static const struct got_error *
494 stop_gotd(struct gotd_client *client)
497 if (client->euid != 0)
498 return got_error_set_errno(EPERM, "stop");
505 static struct gotd_repo *
506 find_repo_by_name(const char *repo_name)
508 struct gotd_repo *repo;
511 TAILQ_FOREACH(repo, &gotd.repos, entry) {
512 namelen = strlen(repo->name);
513 if (strncmp(repo->name, repo_name, namelen) != 0)
515 if (repo_name[namelen] == '\0' ||
516 strcmp(&repo_name[namelen], ".git") == 0)
523 static const struct got_error *
524 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
526 const struct got_error *err;
527 struct gotd_imsg_list_refs ireq;
528 struct gotd_repo *repo = NULL;
531 log_debug("list-refs request from uid %d", client->euid);
533 if (client->state != GOTD_CLIENT_STATE_NEW)
534 return got_error_msg(GOT_ERR_BAD_REQUEST,
535 "unexpected list-refs request received");
537 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
538 if (datalen != sizeof(ireq))
539 return got_error(GOT_ERR_PRIVSEP_LEN);
541 memcpy(&ireq, imsg->data, datalen);
543 if (ireq.client_is_reading) {
544 err = ensure_client_is_not_writing(client);
547 repo = find_repo_by_name(ireq.repo_name);
549 return got_error(GOT_ERR_NOT_GIT_REPO);
550 err = start_auth_child(client, GOTD_AUTH_READ, repo,
551 gotd.argv0, gotd.confpath, gotd.daemonize,
556 err = ensure_client_is_not_reading(client);
559 repo = find_repo_by_name(ireq.repo_name);
561 return got_error(GOT_ERR_NOT_GIT_REPO);
562 err = start_auth_child(client,
563 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
564 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
570 evtimer_add(&client->tmo, &auth_timeout);
572 /* Flow continues upon authentication successs/failure or timeout. */
577 gotd_request(int fd, short events, void *arg)
579 struct gotd_imsgev *iev = arg;
580 struct imsgbuf *ibuf = &iev->ibuf;
581 struct gotd_client *client = iev->handler_arg;
582 const struct got_error *err = NULL;
586 if (events & EV_WRITE) {
587 while (ibuf->w.queued) {
588 n = msgbuf_write(&ibuf->w);
589 if (n == -1 && errno == EPIPE) {
591 * The client has closed its socket.
592 * This can happen when Git clients are
593 * done sending pack file data.
595 msgbuf_clear(&ibuf->w);
597 } else if (n == -1 && errno != EAGAIN) {
598 err = got_error_from_errno("imsg_flush");
599 disconnect_on_error(client, err);
603 /* Connection closed. */
604 err = got_error(GOT_ERR_EOF);
605 disconnect_on_error(client, err);
610 /* Disconnect gotctl(8) now that messages have been sent. */
611 if (!client_is_reading(client) && !client_is_writing(client)) {
617 if ((events & EV_READ) == 0)
620 memset(&imsg, 0, sizeof(imsg));
622 while (err == NULL) {
623 err = gotd_imsg_recv(&imsg, ibuf, 0);
625 if (err->code == GOT_ERR_PRIVSEP_READ)
630 evtimer_del(&client->tmo);
632 switch (imsg.hdr.type) {
634 err = send_info(client);
637 err = stop_gotd(client);
639 case GOTD_IMSG_LIST_REFS:
640 err = start_client_authentication(client, &imsg);
643 log_debug("unexpected imsg %d", imsg.hdr.type);
644 err = got_error(GOT_ERR_PRIVSEP_MSG);
652 disconnect_on_error(client, err);
654 gotd_imsg_event_add(&client->iev);
659 gotd_auth_timeout(int fd, short events, void *arg)
661 struct gotd_client *client = arg;
663 log_debug("disconnecting uid %d due to authentication timeout",
668 static const struct got_error *
669 recv_connect(uint32_t *client_id, struct imsg *imsg)
671 const struct got_error *err = NULL;
672 struct gotd_imsg_connect iconnect;
675 struct gotd_client *client = NULL;
679 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
680 if (datalen != sizeof(iconnect))
681 return got_error(GOT_ERR_PRIVSEP_LEN);
682 memcpy(&iconnect, imsg->data, sizeof(iconnect));
686 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
690 if (find_client(iconnect.client_id)) {
691 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
695 client = calloc(1, sizeof(*client));
696 if (client == NULL) {
697 err = got_error_from_errno("calloc");
701 *client_id = iconnect.client_id;
703 client->state = GOTD_CLIENT_STATE_NEW;
704 client->id = iconnect.client_id;
707 /* The auth process will verify UID/GID for us. */
708 client->euid = iconnect.euid;
709 client->egid = iconnect.egid;
711 imsg_init(&client->iev.ibuf, client->fd);
712 client->iev.handler = gotd_request;
713 client->iev.events = EV_READ;
714 client->iev.handler_arg = client;
716 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
718 gotd_imsg_event_add(&client->iev);
720 evtimer_set(&client->tmo, gotd_auth_timeout, client);
723 log_debug("%s: new client uid %d connected on fd %d", __func__,
724 client->euid, client->fd);
727 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
728 struct gotd_imsg_disconnect idisconnect;
730 idisconnect.client_id = client->id;
731 if (gotd_imsg_compose_event(&listen_proc->iev,
732 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
733 &idisconnect, sizeof(idisconnect)) == -1)
734 log_warn("imsg compose DISCONNECT");
743 static const char *gotd_proc_names[PROC_MAX] = {
753 kill_proc(struct gotd_child_proc *proc, int fatal)
756 log_warnx("sending SIGKILL to PID %d", proc->pid);
757 kill(proc->pid, SIGKILL);
759 kill(proc->pid, SIGTERM);
765 struct gotd_child_proc *proc;
768 log_debug("shutting down");
769 for (slot = 0; slot < nitems(gotd_clients); slot++) {
770 struct gotd_client *c, *tmp;
772 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
776 proc = &gotd.listen_proc;
777 msgbuf_clear(&proc->iev.ibuf.w);
778 close(proc->iev.ibuf.fd);
780 wait_for_child(proc->pid);
782 log_info("terminating");
787 gotd_sighdlr(int sig, short event, void *arg)
790 * Normal signal handler rules don't apply because libevent
796 log_info("%s: ignoring SIGHUP", __func__);
799 log_info("%s: ignoring SIGUSR1", __func__);
806 fatalx("unexpected signal");
810 static const struct got_error *
811 ensure_proc_is_reading(struct gotd_client *client,
812 struct gotd_child_proc *proc)
814 if (!client_is_reading(client)) {
816 return got_error_fmt(GOT_ERR_BAD_PACKET,
817 "PID %d handled a read-request for uid %d but this "
818 "user is not reading from a repository", proc->pid,
825 static const struct got_error *
826 ensure_proc_is_writing(struct gotd_client *client,
827 struct gotd_child_proc *proc)
829 if (!client_is_writing(client)) {
831 return got_error_fmt(GOT_ERR_BAD_PACKET,
832 "PID %d handled a write-request for uid %d but this "
833 "user is not writing to a repository", proc->pid,
841 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
844 const struct got_error *err;
847 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
848 if (client->repo == NULL)
849 fatalx("no process found for uid %d", client->euid);
850 if (proc->pid != client->repo->pid) {
852 log_warnx("received message from PID %d for uid %d, "
853 "while PID %d is the process serving this user",
854 proc->pid, client->euid, client->repo->pid);
858 if (proc->type == PROC_SESSION) {
859 if (client->session == NULL) {
860 log_warnx("no session found for uid %d", client->euid);
863 if (proc->pid != client->session->pid) {
865 log_warnx("received message from PID %d for uid %d, "
866 "while PID %d is the process serving this user",
867 proc->pid, client->euid, client->session->pid);
872 switch (imsg->hdr.type) {
873 case GOTD_IMSG_ERROR:
876 case GOTD_IMSG_CONNECT:
877 if (proc->type != PROC_LISTEN) {
878 err = got_error_fmt(GOT_ERR_BAD_PACKET,
879 "new connection for uid %d from PID %d "
880 "which is not the listen process",
881 proc->pid, client->euid);
885 case GOTD_IMSG_ACCESS_GRANTED:
886 if (proc->type != PROC_AUTH) {
887 err = got_error_fmt(GOT_ERR_BAD_PACKET,
888 "authentication of uid %d from PID %d "
889 "which is not the auth process",
890 proc->pid, client->euid);
894 case GOTD_IMSG_CLIENT_SESSION_READY:
895 if (proc->type != PROC_SESSION) {
896 err = got_error_fmt(GOT_ERR_BAD_PACKET,
897 "unexpected \"ready\" signal from PID %d",
902 case GOTD_IMSG_REPO_CHILD_READY:
903 if (proc->type != PROC_REPO_READ &&
904 proc->type != PROC_REPO_WRITE) {
905 err = got_error_fmt(GOT_ERR_BAD_PACKET,
906 "unexpected \"ready\" signal from PID %d",
911 case GOTD_IMSG_PACKFILE_DONE:
912 err = ensure_proc_is_reading(client, proc);
914 log_warnx("uid %d: %s", client->euid, err->msg);
918 case GOTD_IMSG_PACKFILE_INSTALL:
919 case GOTD_IMSG_REF_UPDATES_START:
920 case GOTD_IMSG_REF_UPDATE:
921 err = ensure_proc_is_writing(client, proc);
923 log_warnx("uid %d: %s", client->euid, err->msg);
928 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
935 static const struct got_error *
936 connect_repo_child(struct gotd_client *client,
937 struct gotd_child_proc *repo_proc)
939 static const struct got_error *err;
940 struct gotd_imsgev *session_iev = &client->session->iev;
941 struct gotd_imsg_connect_repo_child ireq;
944 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
945 return got_error_msg(GOT_ERR_BAD_REQUEST,
946 "unexpected repo child ready signal received");
948 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
949 PF_UNSPEC, pipe) == -1)
952 memset(&ireq, 0, sizeof(ireq));
953 ireq.client_id = client->id;
954 ireq.proc_id = repo_proc->type;
956 /* Pass repo child pipe to session child process. */
957 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
958 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
959 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
965 /* Pass session child pipe to repo child process. */
966 if (gotd_imsg_compose_event(&repo_proc->iev,
967 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
968 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
977 gotd_dispatch_listener(int fd, short event, void *arg)
979 struct gotd_imsgev *iev = arg;
980 struct imsgbuf *ibuf = &iev->ibuf;
981 struct gotd_child_proc *proc = &gotd.listen_proc;
986 if (proc->iev.ibuf.fd != fd)
987 fatalx("%s: unexpected fd %d", __func__, fd);
989 if (event & EV_READ) {
990 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
991 fatal("imsg_read error");
993 /* Connection closed. */
999 if (event & EV_WRITE) {
1000 n = msgbuf_write(&ibuf->w);
1001 if (n == -1 && errno != EAGAIN)
1002 fatal("msgbuf_write");
1004 /* Connection closed. */
1011 const struct got_error *err = NULL;
1012 struct gotd_client *client = NULL;
1013 uint32_t client_id = 0;
1014 int do_disconnect = 0;
1016 if ((n = imsg_get(ibuf, &imsg)) == -1)
1017 fatal("%s: imsg_get error", __func__);
1018 if (n == 0) /* No more messages. */
1021 switch (imsg.hdr.type) {
1022 case GOTD_IMSG_ERROR:
1024 err = gotd_imsg_recv_error(&client_id, &imsg);
1026 case GOTD_IMSG_CONNECT:
1027 err = recv_connect(&client_id, &imsg);
1030 log_debug("unexpected imsg %d", imsg.hdr.type);
1034 client = find_client(client_id);
1035 if (client == NULL) {
1036 log_warnx("%s: client not found", __func__);
1042 log_warnx("uid %d: %s", client->euid, err->msg);
1044 if (do_disconnect) {
1046 disconnect_on_error(client, err);
1055 gotd_imsg_event_add(iev);
1057 /* This pipe is dead. Remove its event handler */
1058 event_del(&iev->ev);
1059 event_loopexit(NULL);
1064 gotd_dispatch_auth_child(int fd, short event, void *arg)
1066 const struct got_error *err = NULL;
1067 struct gotd_imsgev *iev = arg;
1068 struct imsgbuf *ibuf = &iev->ibuf;
1069 struct gotd_client *client;
1070 struct gotd_repo *repo = NULL;
1074 uint32_t client_id = 0;
1075 int do_disconnect = 0;
1077 client = find_client_by_proc_fd(fd);
1079 fatalx("cannot find client for fd %d", fd);
1081 if (client->auth == NULL)
1082 fatalx("cannot find auth child process for fd %d", fd);
1084 if (event & EV_READ) {
1085 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1086 fatal("imsg_read error");
1088 /* Connection closed. */
1094 if (event & EV_WRITE) {
1095 n = msgbuf_write(&ibuf->w);
1096 if (n == -1 && errno != EAGAIN)
1097 fatal("msgbuf_write");
1099 /* Connection closed. */
1105 if (client->auth->iev.ibuf.fd != fd)
1106 fatalx("%s: unexpected fd %d", __func__, fd);
1108 if ((n = imsg_get(ibuf, &imsg)) == -1)
1109 fatal("%s: imsg_get error", __func__);
1110 if (n == 0) /* No more messages. */
1113 evtimer_del(&client->tmo);
1115 switch (imsg.hdr.type) {
1116 case GOTD_IMSG_ERROR:
1118 err = gotd_imsg_recv_error(&client_id, &imsg);
1120 case GOTD_IMSG_ACCESS_GRANTED:
1121 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1125 log_debug("unexpected imsg %d", imsg.hdr.type);
1129 if (!verify_imsg_src(client, client->auth, &imsg)) {
1131 log_debug("dropping imsg type %d from PID %d",
1132 imsg.hdr.type, client->auth->pid);
1136 if (do_disconnect) {
1138 disconnect_on_error(client, err);
1144 repo = find_repo_by_name(client->auth->repo_name);
1146 err = got_error(GOT_ERR_NOT_GIT_REPO);
1149 kill_auth_proc(client);
1151 log_info("authenticated uid %d for repository %s",
1152 client->euid, repo->name);
1154 err = start_session_child(client, repo, gotd.argv0,
1155 gotd.confpath, gotd.daemonize, gotd.verbosity);
1160 log_warnx("uid %d: %s", client->euid, err->msg);
1162 /* We might have killed the auth process by now. */
1163 if (client->auth != NULL) {
1165 gotd_imsg_event_add(iev);
1167 /* This pipe is dead. Remove its event handler */
1168 event_del(&iev->ev);
1173 static const struct got_error *
1174 connect_session(struct gotd_client *client)
1176 const struct got_error *err = NULL;
1177 struct gotd_imsg_connect iconnect;
1180 memset(&iconnect, 0, sizeof(iconnect));
1182 s = dup(client->fd);
1184 return got_error_from_errno("dup");
1186 iconnect.client_id = client->id;
1187 iconnect.euid = client->euid;
1188 iconnect.egid = client->egid;
1190 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1191 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1192 err = got_error_from_errno("imsg compose CONNECT");
1198 * We are no longer interested in messages from this client.
1199 * Further client requests will be handled by the session process.
1201 msgbuf_clear(&client->iev.ibuf.w);
1202 imsg_clear(&client->iev.ibuf);
1203 event_del(&client->iev.ev);
1204 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1210 gotd_dispatch_client_session(int fd, short event, void *arg)
1212 struct gotd_imsgev *iev = arg;
1213 struct imsgbuf *ibuf = &iev->ibuf;
1214 struct gotd_child_proc *proc = NULL;
1215 struct gotd_client *client = NULL;
1220 client = find_client_by_proc_fd(fd);
1222 fatalx("cannot find client for fd %d", fd);
1224 if (event & EV_READ) {
1225 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1226 fatal("imsg_read error");
1228 /* Connection closed. */
1234 if (event & EV_WRITE) {
1235 n = msgbuf_write(&ibuf->w);
1236 if (n == -1 && errno != EAGAIN)
1237 fatal("msgbuf_write");
1239 /* Connection closed. */
1245 proc = client->session;
1247 fatalx("cannot find session child process for fd %d", fd);
1250 const struct got_error *err = NULL;
1251 uint32_t client_id = 0;
1252 int do_disconnect = 0, do_start_repo_child = 0;
1254 if ((n = imsg_get(ibuf, &imsg)) == -1)
1255 fatal("%s: imsg_get error", __func__);
1256 if (n == 0) /* No more messages. */
1259 switch (imsg.hdr.type) {
1260 case GOTD_IMSG_ERROR:
1262 err = gotd_imsg_recv_error(&client_id, &imsg);
1264 case GOTD_IMSG_CLIENT_SESSION_READY:
1265 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1266 err = got_error(GOT_ERR_PRIVSEP_MSG);
1269 do_start_repo_child = 1;
1271 case GOTD_IMSG_DISCONNECT:
1275 log_debug("unexpected imsg %d", imsg.hdr.type);
1279 if (!verify_imsg_src(client, proc, &imsg)) {
1280 log_debug("dropping imsg type %d from PID %d",
1281 imsg.hdr.type, proc->pid);
1286 log_warnx("uid %d: %s", client->euid, err->msg);
1288 if (do_start_repo_child) {
1289 struct gotd_repo *repo;
1291 repo = find_repo_by_name(client->session->repo_name);
1293 enum gotd_procid proc_type;
1295 if (client->required_auth & GOTD_AUTH_WRITE)
1296 proc_type = PROC_REPO_WRITE;
1298 proc_type = PROC_REPO_READ;
1300 err = start_repo_child(client, proc_type, repo,
1301 gotd.argv0, gotd.confpath, gotd.daemonize,
1304 err = got_error(GOT_ERR_NOT_GIT_REPO);
1307 log_warnx("uid %d: %s", client->euid, err->msg);
1312 if (do_disconnect) {
1314 disconnect_on_error(client, err);
1323 gotd_imsg_event_add(iev);
1325 /* This pipe is dead. Remove its event handler */
1326 event_del(&iev->ev);
1332 gotd_dispatch_repo_child(int fd, short event, void *arg)
1334 struct gotd_imsgev *iev = arg;
1335 struct imsgbuf *ibuf = &iev->ibuf;
1336 struct gotd_child_proc *proc = NULL;
1337 struct gotd_client *client;
1342 client = find_client_by_proc_fd(fd);
1344 fatalx("cannot find client for fd %d", fd);
1346 if (event & EV_READ) {
1347 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1348 fatal("imsg_read error");
1350 /* Connection closed. */
1356 if (event & EV_WRITE) {
1357 n = msgbuf_write(&ibuf->w);
1358 if (n == -1 && errno != EAGAIN)
1359 fatal("msgbuf_write");
1361 /* Connection closed. */
1367 proc = client->repo;
1369 fatalx("cannot find child process for fd %d", fd);
1372 const struct got_error *err = NULL;
1373 uint32_t client_id = 0;
1374 int do_disconnect = 0;
1376 if ((n = imsg_get(ibuf, &imsg)) == -1)
1377 fatal("%s: imsg_get error", __func__);
1378 if (n == 0) /* No more messages. */
1381 switch (imsg.hdr.type) {
1382 case GOTD_IMSG_ERROR:
1384 err = gotd_imsg_recv_error(&client_id, &imsg);
1386 case GOTD_IMSG_REPO_CHILD_READY:
1387 err = connect_session(client);
1390 err = connect_repo_child(client, proc);
1393 log_debug("unexpected imsg %d", imsg.hdr.type);
1397 if (!verify_imsg_src(client, proc, &imsg)) {
1398 log_debug("dropping imsg type %d from PID %d",
1399 imsg.hdr.type, proc->pid);
1404 log_warnx("uid %d: %s", client->euid, err->msg);
1406 if (do_disconnect) {
1408 disconnect_on_error(client, err);
1417 gotd_imsg_event_add(iev);
1419 /* This pipe is dead. Remove its event handler */
1420 event_del(&iev->ev);
1426 start_child(enum gotd_procid proc_id, const char *repo_path,
1427 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1433 switch (pid = fork()) {
1435 fatal("cannot fork");
1443 if (fd != GOTD_FILENO_MSG_PIPE) {
1444 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1445 fatal("cannot setup imsg fd");
1446 } else if (fcntl(fd, F_SETFD, 0) == -1)
1447 fatal("cannot setup imsg fd");
1449 argv[argc++] = argv0;
1452 argv[argc++] = (char *)"-L";
1455 argv[argc++] = (char *)"-A";
1458 argv[argc++] = (char *)"-S";
1460 case PROC_REPO_READ:
1461 argv[argc++] = (char *)"-R";
1463 case PROC_REPO_WRITE:
1464 argv[argc++] = (char *)"-W";
1467 fatalx("invalid process id %d", proc_id);
1470 argv[argc++] = (char *)"-f";
1471 argv[argc++] = (char *)confpath;
1474 argv[argc++] = (char *)"-P";
1475 argv[argc++] = (char *)repo_path;
1479 argv[argc++] = (char *)"-d";
1481 argv[argc++] = (char *)"-v";
1483 argv[argc++] = (char *)"-v";
1484 argv[argc++] = NULL;
1486 execvp(argv0, argv);
1491 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1493 struct gotd_child_proc *proc = &gotd.listen_proc;
1495 proc->type = PROC_LISTEN;
1497 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1498 PF_UNSPEC, proc->pipe) == -1)
1499 fatal("socketpair");
1501 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1502 proc->pipe[1], daemonize, verbosity);
1503 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1504 proc->iev.handler = gotd_dispatch_listener;
1505 proc->iev.events = EV_READ;
1506 proc->iev.handler_arg = NULL;
1509 static const struct got_error *
1510 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1511 char *argv0, const char *confpath, int daemonize, int verbosity)
1513 struct gotd_child_proc *proc;
1515 proc = calloc(1, sizeof(*proc));
1517 return got_error_from_errno("calloc");
1519 proc->type = PROC_SESSION;
1520 if (strlcpy(proc->repo_name, repo->name,
1521 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1522 fatalx("repository name too long: %s", repo->name);
1523 log_debug("starting client uid %d session for repository %s",
1524 client->euid, repo->name);
1525 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1526 sizeof(proc->repo_path))
1527 fatalx("repository path too long: %s", repo->path);
1528 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1529 PF_UNSPEC, proc->pipe) == -1)
1530 fatal("socketpair");
1531 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1532 confpath, proc->pipe[1], daemonize, verbosity);
1533 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1534 log_debug("proc %s %s is on fd %d",
1535 gotd_proc_names[proc->type], proc->repo_path,
1537 proc->iev.handler = gotd_dispatch_client_session;
1538 proc->iev.events = EV_READ;
1539 proc->iev.handler_arg = NULL;
1540 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1541 gotd_dispatch_client_session, &proc->iev);
1542 gotd_imsg_event_add(&proc->iev);
1544 client->session = proc;
1548 static const struct got_error *
1549 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1550 struct gotd_repo *repo, char *argv0, const char *confpath,
1551 int daemonize, int verbosity)
1553 struct gotd_child_proc *proc;
1555 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1556 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1558 proc = calloc(1, sizeof(*proc));
1560 return got_error_from_errno("calloc");
1562 proc->type = proc_type;
1563 if (strlcpy(proc->repo_name, repo->name,
1564 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1565 fatalx("repository name too long: %s", repo->name);
1566 log_debug("starting %s for repository %s",
1567 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1568 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1569 sizeof(proc->repo_path))
1570 fatalx("repository path too long: %s", repo->path);
1571 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1572 PF_UNSPEC, proc->pipe) == -1)
1573 fatal("socketpair");
1574 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1575 confpath, proc->pipe[1], daemonize, verbosity);
1576 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1577 log_debug("proc %s %s is on fd %d",
1578 gotd_proc_names[proc->type], proc->repo_path,
1580 proc->iev.handler = gotd_dispatch_repo_child;
1581 proc->iev.events = EV_READ;
1582 proc->iev.handler_arg = NULL;
1583 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1584 gotd_dispatch_repo_child, &proc->iev);
1585 gotd_imsg_event_add(&proc->iev);
1587 client->repo = proc;
1591 static const struct got_error *
1592 start_auth_child(struct gotd_client *client, int required_auth,
1593 struct gotd_repo *repo, char *argv0, const char *confpath,
1594 int daemonize, int verbosity)
1596 const struct got_error *err = NULL;
1597 struct gotd_child_proc *proc;
1598 struct gotd_imsg_auth iauth;
1601 memset(&iauth, 0, sizeof(iauth));
1603 fd = dup(client->fd);
1605 return got_error_from_errno("dup");
1607 proc = calloc(1, sizeof(*proc));
1609 err = got_error_from_errno("calloc");
1614 proc->type = PROC_AUTH;
1615 if (strlcpy(proc->repo_name, repo->name,
1616 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1617 fatalx("repository name too long: %s", repo->name);
1618 log_debug("starting auth for uid %d repository %s",
1619 client->euid, repo->name);
1620 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1621 sizeof(proc->repo_path))
1622 fatalx("repository path too long: %s", repo->path);
1623 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1624 PF_UNSPEC, proc->pipe) == -1)
1625 fatal("socketpair");
1626 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1627 confpath, proc->pipe[1], daemonize, verbosity);
1628 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1629 log_debug("proc %s %s is on fd %d",
1630 gotd_proc_names[proc->type], proc->repo_path,
1632 proc->iev.handler = gotd_dispatch_auth_child;
1633 proc->iev.events = EV_READ;
1634 proc->iev.handler_arg = NULL;
1635 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1636 gotd_dispatch_auth_child, &proc->iev);
1637 gotd_imsg_event_add(&proc->iev);
1639 iauth.euid = client->euid;
1640 iauth.egid = client->egid;
1641 iauth.required_auth = required_auth;
1642 iauth.client_id = client->id;
1643 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1644 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1645 log_warn("imsg compose AUTHENTICATE");
1647 /* Let the auth_timeout handler tidy up. */
1650 client->auth = proc;
1651 client->required_auth = required_auth;
1656 apply_unveil_repo_readonly(const char *repo_path)
1658 if (unveil(repo_path, "r") == -1)
1659 fatal("unveil %s", repo_path);
1661 if (unveil(NULL, NULL) == -1)
1666 apply_unveil_repo_readwrite(const char *repo_path)
1668 if (unveil(repo_path, "rwc") == -1)
1669 fatal("unveil %s", repo_path);
1671 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1672 fatal("unveil %s", GOT_TMPDIR_STR);
1674 if (unveil(NULL, NULL) == -1)
1679 apply_unveil_none(void)
1681 if (unveil("/", "") == -1)
1684 if (unveil(NULL, NULL) == -1)
1689 apply_unveil_selfexec(void)
1691 if (unveil(gotd.argv0, "x") == -1)
1692 fatal("unveil %s", gotd.argv0);
1694 if (unveil(NULL, NULL) == -1)
1699 main(int argc, char **argv)
1701 const struct got_error *error = NULL;
1702 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1703 const char *confpath = GOTD_CONF_PATH;
1704 char *argv0 = argv[0];
1706 struct passwd *pw = NULL;
1707 char *repo_path = NULL;
1708 enum gotd_procid proc_id = PROC_GOTD;
1709 struct event evsigint, evsigterm, evsighup, evsigusr1;
1710 int *pack_fds = NULL, *temp_fds = NULL;
1712 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1714 while ((ch = getopt(argc, argv, "Adf:LnP:RSvW")) != -1) {
1717 proc_id = PROC_AUTH;
1726 proc_id = PROC_LISTEN;
1732 repo_path = realpath(optarg, NULL);
1733 if (repo_path == NULL)
1734 fatal("realpath '%s'", optarg);
1737 proc_id = PROC_REPO_READ;
1740 proc_id = PROC_SESSION;
1747 proc_id = PROC_REPO_WRITE;
1760 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1761 fatalx("need root privileges");
1763 if (parse_config(confpath, proc_id, &gotd) != 0)
1766 pw = getpwnam(gotd.user_name);
1768 fatalx("user %s not found", gotd.user_name);
1770 if (pw->pw_uid == 0)
1771 fatalx("cannot run %s as the superuser", getprogname());
1774 fprintf(stderr, "configuration OK\n");
1779 gotd.daemonize = daemonize;
1780 gotd.verbosity = verbosity;
1781 gotd.confpath = confpath;
1783 /* Require an absolute path in argv[0] for reliable re-exec. */
1784 if (!got_path_is_absolute(argv0))
1785 fatalx("bad path \"%s\": must be an absolute path", argv0);
1787 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1788 log_setverbose(verbosity);
1790 if (proc_id == PROC_GOTD) {
1791 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1792 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1793 if (daemonize && daemon(1, 0) == -1)
1795 gotd.pid = getpid();
1796 start_listener(argv0, confpath, daemonize, verbosity);
1797 } else if (proc_id == PROC_LISTEN) {
1798 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1800 log_info("socket: %s", gotd.unix_socket_path);
1801 log_info("user: %s", pw->pw_name);
1804 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1807 fatal("cannot listen on unix socket %s",
1808 gotd.unix_socket_path);
1810 } else if (proc_id == PROC_AUTH) {
1811 snprintf(title, sizeof(title), "%s %s",
1812 gotd_proc_names[proc_id], repo_path);
1813 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1814 proc_id == PROC_SESSION) {
1815 error = got_repo_pack_fds_open(&pack_fds);
1817 fatalx("cannot open pack tempfiles: %s", error->msg);
1818 error = got_repo_temp_fds_open(&temp_fds);
1820 fatalx("cannot open pack tempfiles: %s", error->msg);
1821 if (repo_path == NULL)
1822 fatalx("repository path not specified");
1823 snprintf(title, sizeof(title), "%s %s",
1824 gotd_proc_names[proc_id], repo_path);
1826 fatal("invalid process id %d", proc_id);
1828 setproctitle("%s", title);
1829 log_procinit(title);
1831 /* Drop root privileges. */
1832 if (setgid(pw->pw_gid) == -1)
1833 fatal("setgid %d failed", pw->pw_gid);
1834 if (setuid(pw->pw_uid) == -1)
1835 fatal("setuid %d failed", pw->pw_uid);
1842 /* "exec" promise will be limited to argv[0] via unveil(2). */
1843 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1849 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1853 * Ensure that AF_UNIX bind(2) cannot be used with any other
1854 * sockets by revoking all filesystem access via unveil(2).
1856 apply_unveil_none();
1858 listen_main(title, fd, gotd.connection_limits,
1859 gotd.nconnection_limits);
1864 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
1868 * We need the "unix" pledge promise for getpeername(2) only.
1869 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
1870 * filesystem access via unveil(2). Access to password database
1871 * files will still work since "getpw" bypasses unveil(2).
1873 apply_unveil_none();
1875 auth_main(title, &gotd.repos, repo_path);
1881 * The "recvfd" promise is only needed during setup and
1882 * will be removed in a later pledge(2) call.
1884 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
1885 "unveil", NULL) == -1)
1888 apply_unveil_repo_readwrite(repo_path);
1889 session_main(title, repo_path, pack_fds, temp_fds,
1890 &gotd.request_timeout);
1893 case PROC_REPO_READ:
1895 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1898 apply_unveil_repo_readonly(repo_path);
1899 repo_read_main(title, repo_path, pack_fds, temp_fds);
1902 case PROC_REPO_WRITE:
1904 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1907 apply_unveil_repo_readonly(repo_path);
1908 repo_write_main(title, repo_path, pack_fds, temp_fds);
1912 fatal("invalid process id %d", proc_id);
1915 if (proc_id != PROC_GOTD)
1916 fatal("invalid process id %d", proc_id);
1918 apply_unveil_selfexec();
1920 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
1921 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
1922 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
1923 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
1924 signal(SIGPIPE, SIG_IGN);
1926 signal_add(&evsigint, NULL);
1927 signal_add(&evsigterm, NULL);
1928 signal_add(&evsighup, NULL);
1929 signal_add(&evsigusr1, NULL);
1931 gotd_imsg_event_add(&gotd.listen_proc.iev);