/*
- * "$Id: process.c 12034 2014-07-16 19:37:34Z msweet $"
+ * "$Id: process.c 12522 2015-02-17 20:01:33Z msweet $"
*
* Process management routines for the CUPS scheduler.
*
- * Copyright 2007-2014 by Apple Inc.
+ * Copyright 2007-2015 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* These coded instructions, statements, and computer programs are the
# include <spawn.h>
extern char **environ;
#endif /* HAVE_POSIX_SPAWN */
+#ifdef HAVE_POSIX_SPAWN
+# if !defined(__OpenBSD__) || OpenBSD >= 201505
+# define USE_POSIX_SPAWN 1
+# else
+# define USE_POSIX_SPAWN 0
+# endif /* !__OpenBSD__ || */
+#else
+# define USE_POSIX_SPAWN 0
+#endif /* HAVE_POSIX_SPAWN */
/*
" #\"^/private/var/mysql$\""
" #\"^/private/var/run$\""
" #\"^/private/var/spool$\""
+ " #\"^/private/var/tmp$\""
+ " #\"^/private/var/tmp/\""
" #\"^/usr/bin$\"" /* /usr/bin */
" #\"^/usr/bin/\"" /* /usr/bin/... */
" #\"^/usr/libexec/cups$\"" /* /usr/libexec/cups */
" #\"^/usr/libexec/fax/\"" /* /usr/libexec/fax/... */
" #\"^/usr/sbin$\"" /* /usr/sbin */
" #\"^/usr/sbin/\"" /* /usr/sbin/... */
- " #\"^/Library/Application Support$\""
- " #\"^/Library/Application Support/\""
- " #\"^/Library/Caches$\""
- " #\"^/Library/ColorSync$\""
- " #\"^/Library/ColorSync/Profiles$\""
- " #\"^/Library/ColorSync/Profiles/\""
- " #\"^/Library/Fonts$\""
- " #\"^/Library/Fonts/\""
- " #\"^/Library/Frameworks$\""
- " #\"^/Library/Frameworks/\""
- " #\"^/Library/Keychains$\""
- " #\"^/Library/Keychains/\""
- " #\"^/Library/Logs$\""
- " #\"^/Library/Printers$\""
- " #\"^/Library/Printers/\""
- " #\"^/Library/Security$\""
- " #\"^/Library/Security/\""
- " #\"^/Library/WebServer$\""
- " #\"^/System/Library/ColorSync$\""
- " #\"^/System/Library/ColorSync/Profiles$\""
- " #\"^/System/Library/ColorSync/Profiles/\""
+ " #\"^/Library$\"" /* /Library */
+ " #\"^/Library/\"" /* /Library/... */
+ " #\"^/System$\"" /* /System */
+ " #\"^/System/\"" /* /System/... */
" #\"^%s/Library$\"" /* RequestRoot/Library */
" #\"^%s/Library/\"" /* RequestRoot/Library/... */
" #\"^%s$\"" /* ServerBin */
" #\"^%s/\"" /* CUPS_TESTROOT/... */
"))\n",
testroot);
+ cupsFilePrintf(fp, "(allow sysctl*)\n");
}
if (job_id)
{
cupsFilePuts(fp, "(allow distributed-notification-post)\n");
/* Allow outbound networking to local services */
cupsFilePuts(fp, "(allow network-outbound"
- "\n (regex #\"^/private/var/run/\" #\"^/private/tmp/\")");
+ "\n (regex #\"^/private/var/run/\" #\"^/private/tmp/\" #\"^/private/var/tmp/\")");
for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners);
lis;
lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
/* Also allow access to device files... */
cupsFilePuts(fp, "(allow file-write* file-read-data file-read-metadata file-ioctl\n"
" (regex #\"^/dev/\"))\n");
+
+ /* And allow kernel extensions to be loaded, e.g., SMB */
+ cupsFilePuts(fp, "(allow system-kext-load)\n");
}
else
{
int i; /* Looping var */
const char *exec_path = command; /* Command to be exec'd */
char *real_argv[110], /* Real command-line arguments */
- cups_exec[1024]; /* Path to "cups-exec" program */
+ cups_exec[1024], /* Path to "cups-exec" program */
+ user_str[16], /* User string */
+ group_str[16], /* Group string */
+ nice_str[16]; /* FilterNice string */
uid_t user; /* Command UID */
cupsd_proc_t *proc; /* New process record */
-#ifdef HAVE_POSIX_SPAWN
+#if USE_POSIX_SPAWN
posix_spawn_file_actions_t actions; /* Spawn file actions */
posix_spawnattr_t attrs; /* Spawn attributes */
- char user_str[16], /* User string */
- group_str[16], /* Group string */
- nice_str[16]; /* FilterNice string */
+ sigset_t defsignals; /* Default signals */
#elif defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
struct sigaction action; /* POSIX signal handler */
-#endif /* HAVE_POSIX_SPAWN */
+#endif /* USE_POSIX_SPAWN */
#if defined(__APPLE__)
char processPath[1024], /* CFProcessPath environment variable */
linkpath[1024]; /* Link path for symlinks... */
* Use helper program when we have a sandbox profile...
*/
-#ifndef HAVE_POSIX_SPAWN
+#if !USE_POSIX_SPAWN
if (profile)
-#endif /* !HAVE_POSIX_SPAWN */
+#endif /* !USE_POSIX_SPAWN */
{
snprintf(cups_exec, sizeof(cups_exec), "%s/daemon/cups-exec", ServerBin);
snprintf(user_str, sizeof(user_str), "%d", user);
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartProcess: argv[%d] = \"%s\"", i, argv[i]);
}
-#ifdef HAVE_POSIX_SPAWN
+#if USE_POSIX_SPAWN
/*
* Setup attributes and file actions for the spawn...
*/
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartProcess: Setting spawn attributes.");
+ sigemptyset(&defsignals);
+ sigaddset(&defsignals, SIGTERM);
+ sigaddset(&defsignals, SIGCHLD);
+ sigaddset(&defsignals, SIGPIPE);
+
posix_spawnattr_init(&attrs);
posix_spawnattr_setflags(&attrs, POSIX_SPAWN_SETPGROUP | POSIX_SPAWN_SETSIGDEF);
+ posix_spawnattr_setpgroup(&attrs, 0);
+ posix_spawnattr_setsigdefault(&attrs, &defsignals);
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartProcess: Setting file actions.");
posix_spawn_file_actions_init(&actions);
if (infd != 0)
{
if (infd < 0)
- posix_spawn_file_actions_addopen(&actions, 0, "/dev/null", O_WRONLY, 0);
+ posix_spawn_file_actions_addopen(&actions, 0, "/dev/null", O_RDONLY, 0);
else
posix_spawn_file_actions_adddup2(&actions, infd, 0);
}
}
cupsdReleaseSignals();
-#endif /* HAVE_POSIX_SPAWN */
+#endif /* USE_POSIX_SPAWN */
if (*pid)
{
/*
- * End of "$Id: process.c 12034 2014-07-16 19:37:34Z msweet $".
+ * End of "$Id: process.c 12522 2015-02-17 20:01:33Z msweet $".
*/