[thirdparty/cups.git] / scheduler / process.c

/*
 * "$Id$"
 *
 * Process management routines for the CUPS scheduler.
 *
 * Copyright 2007-2014 by Apple Inc.
 * Copyright 1997-2007 by Easy Software Products, all rights reserved.
 *
 * These coded instructions, statements, and computer programs are the
 * property of Apple Inc. and are protected by Federal copyright
 * law.  Distribution and use rights are outlined in the file "LICENSE.txt"
 * which should have been included with this file.  If this file is
 * file is missing or damaged, see the license at "http://www.cups.org/".
 */

/*
 * Include necessary headers...
 */

#include "cupsd.h"
#include <grp.h>
#ifdef __APPLE__
#  include <libgen.h>
#endif /* __APPLE__ */


/*
 * Process structure...
 */

typedef struct
{
  int	pid,				/* Process ID */
	job_id;				/* Job associated with process */
  char	name[1];			/* Name of process */
} cupsd_proc_t;


/*
 * Local globals...
 */

static cups_array_t	*process_array = NULL;


/*
 * Local functions...
 */

static int	compare_procs(cupsd_proc_t *a, cupsd_proc_t *b);
#ifdef HAVE_SANDBOX_H
static char	*cupsd_requote(char *dst, const char *src, size_t dstsize);
#endif /* HAVE_SANDBOX_H */


/*
 * 'cupsdCreateProfile()' - Create an execution profile for a subprocess.
 */

void *					/* O - Profile or NULL on error */
cupsdCreateProfile(int job_id)		/* I - Job ID or 0 for none */
{
#ifdef HAVE_SANDBOX_H
  cups_file_t	*fp;			/* File pointer */
  char		profile[1024],		/* File containing the profile */
		cache[1024],		/* Quoted CacheDir */
		request[1024],		/* Quoted RequestRoot */
		root[1024],		/* Quoted ServerRoot */
		temp[1024];		/* Quoted TempDir */
  const char	*nodebug;		/* " (with no-log)" for no debug */


  if (!UseProfiles)
  {
   /*
    * Only use sandbox profiles as root...
    */

    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
                    job_id);

    return (NULL);
  }

  if ((fp = cupsTempFile2(profile, sizeof(profile))) == NULL)
  {
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
                    job_id);
    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create security profile: %s",
                    strerror(errno));
    return (NULL);
  }

  fchown(cupsFileNumber(fp), RunUser, Group);
  fchmod(cupsFileNumber(fp), 0640);

  cupsd_requote(cache, CacheDir, sizeof(cache));
  cupsd_requote(request, RequestRoot, sizeof(request));
  cupsd_requote(root, ServerRoot, sizeof(root));
  cupsd_requote(temp, TempDir, sizeof(temp));

  nodebug = LogLevel < CUPSD_LOG_DEBUG ? " (with no-log)" : "";

  cupsFilePuts(fp, "(version 1)\n");
  cupsFilePuts(fp, "(allow default)\n");
  cupsFilePrintf(fp,
                 "(deny file-write* file-read-data file-read-metadata\n"
                 "  (regex"
		 " #\"^%s$\""		/* RequestRoot */
		 " #\"^%s/\""		/* RequestRoot/... */
		 ")%s)\n",
		 request, request, nodebug);
  if (!RunUser)
    cupsFilePrintf(fp,
		   "(deny file-write* file-read-data file-read-metadata\n"
		   "  (regex"
		   " #\"^/Users$\""
		   " #\"^/Users/\""
		   ")%s)\n", nodebug);
  cupsFilePrintf(fp,
                 "(deny file-write*\n"
                 "  (regex"
		 " #\"^%s$\""		/* ServerRoot */
		 " #\"^%s/\""		/* ServerRoot/... */
		 " #\"^/private/etc$\""
		 " #\"^/private/etc/\""
		 " #\"^/usr/local/etc$\""
		 " #\"^/usr/local/etc/\""
		 " #\"^/Library$\""
		 " #\"^/Library/\""
		 " #\"^/System$\""
		 " #\"^/System/\""
		 ")%s)\n",
		 root, root, nodebug);
  /* Specifically allow applications to stat RequestRoot */
  cupsFilePrintf(fp,
                 "(allow file-read-metadata\n"
                 "  (regex"
		 " #\"^%s$\""		/* RequestRoot */
		 "))\n",
		 request);
  cupsFilePrintf(fp,
                 "(allow file-write* file-read-data file-read-metadata\n"
                 "  (regex"
		 " #\"^%s$\""		/* TempDir */
		 " #\"^%s/\""		/* TempDir/... */
		 " #\"^%s$\""		/* CacheDir */
		 " #\"^%s/\""		/* CacheDir/... */
		 " #\"^%s/Library$\""	/* RequestRoot/Library */
		 " #\"^%s/Library/\""	/* RequestRoot/Library/... */
		 " #\"^/Library/Application Support/\""
		 " #\"^/Library/Caches/\""
		 " #\"^/Library/Preferences/\""
		 " #\"^/Library/Printers/.*/\""
		 " #\"^/Users/Shared/\""
		 "))\n",
		 temp, temp, cache, cache, request, request);
  cupsFilePrintf(fp,
		 "(deny file-write*\n"
		 "  (regex"
		 " #\"^/Library/Printers/PPDs$\""
		 " #\"^/Library/Printers/PPDs/\""
		 " #\"^/Library/Printers/PPD Plugins$\""
		 " #\"^/Library/Printers/PPD Plugins/\""
		 ")%s)\n", nodebug);
  if (job_id)
  {
   /*
    * Allow job filters to read the spool file(s)...
    */

    cupsFilePrintf(fp,
                   "(allow file-read-data file-read-metadata\n"
                   "  (regex #\"^%s/([ac]%05d|d%05d-[0-9][0-9][0-9])$\"))\n",
		   request, job_id, job_id);
  }
  else
  {
   /*
    * Allow email notifications from notifiers...
    */

    cupsFilePuts(fp,
		 "(allow process-exec\n"
		 "  (literal \"/usr/sbin/sendmail\")\n"
		 "  (with no-sandbox)\n"
		 ")\n");
  }

  cupsFileClose(fp);

  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = \"%s\"",
                  job_id, profile);
  return ((void *)strdup(profile));

#else
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
                  job_id);

  return (NULL);
#endif /* HAVE_SANDBOX_H */
}


/*
 * 'cupsdDestroyProfile()' - Delete an execution profile.
 */

void
cupsdDestroyProfile(void *profile)	/* I - Profile */
{
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteProfile(profile=\"%s\")",
		  profile ? (char *)profile : "(null)");

#ifdef HAVE_SANDBOX_H
  if (profile)
  {
    unlink((char *)profile);
    free(profile);
  }
#endif /* HAVE_SANDBOX_H */
}


/*
 * 'cupsdEndProcess()' - End a process.
 */

int					/* O - 0 on success, -1 on failure */
cupsdEndProcess(int pid,		/* I - Process ID */
                int force)		/* I - Force child to die */
{
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdEndProcess(pid=%d, force=%d)", pid,
                  force);

  if (!pid)
    return (0);

  if (!RunUser)
  {
   /*
    * When running as root, cupsd puts child processes in their own process
    * group.  Using "-pid" sends a signal to all processes in the group.
    */

    pid = -pid;
  }

  if (force)
    return (kill(pid, SIGKILL));
  else
    return (kill(pid, SIGTERM));
}


/*
 * 'cupsdFinishProcess()' - Finish a process and get its name.
 */

const char *				/* O - Process name */
cupsdFinishProcess(int  pid,		/* I - Process ID */
                   char *name,		/* I - Name buffer */
		   int  namelen,	/* I - Size of name buffer */
		   int  *job_id)	/* O - Job ID pointer or NULL */
{
  cupsd_proc_t	key,			/* Search key */
		*proc;			/* Matching process */


  key.pid = pid;

  if ((proc = (cupsd_proc_t *)cupsArrayFind(process_array, &key)) != NULL)
  {
    if (job_id)
      *job_id = proc->job_id;

    strlcpy(name, proc->name, namelen);
    cupsArrayRemove(process_array, proc);
    free(proc);
  }
  else
  {
    if (job_id)
      *job_id = 0;

    strlcpy(name, "unknown", namelen);
  }

  cupsdLogMessage(CUPSD_LOG_DEBUG2,
		  "cupsdFinishProcess(pid=%d, name=%p, namelen=%d, "
		  "job_id=%p(%d)) = \"%s\"", pid, name, namelen, job_id,
		  job_id ? *job_id : 0, name);

  return (name);
}


/*
 * 'cupsdStartProcess()' - Start a process.
 */

int					/* O - Process ID or 0 */
cupsdStartProcess(
    const char  *command,		/* I - Full path to command */
    char        *argv[],		/* I - Command-line arguments */
    char        *envp[],		/* I - Environment */
    int         infd,			/* I - Standard input file descriptor */
    int         outfd,			/* I - Standard output file descriptor */
    int         errfd,			/* I - Standard error file descriptor */
    int         backfd,			/* I - Backchannel file descriptor */
    int         sidefd,			/* I - Sidechannel file descriptor */
    int         root,			/* I - Run as root? */
    void        *profile,		/* I - Security profile to use */
    cupsd_job_t *job,			/* I - Job associated with process */
    int         *pid)			/* O - Process ID */
{
  int		i;			/* Looping var */
  const char	*exec_path = command;	/* Command to be exec'd */
  char		*real_argv[103],	/* Real command-line arguments */
		cups_exec[1024];	/* Path to "cups-exec" program */
  uid_t		user;			/* Command UID */
  cupsd_proc_t	*proc;			/* New process record */
#if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
  struct sigaction action;		/* POSIX signal handler */
#endif /* HAVE_SIGACTION && !HAVE_SIGSET */
#if defined(__APPLE__)
  char		processPath[1024],	/* CFProcessPath environment variable */
		linkpath[1024];		/* Link path for symlinks... */
  int		linkbytes;		/* Bytes for link path */
#endif /* __APPLE__ */


  *pid = 0;

 /*
  * Figure out the UID for the child process...
  */

  if (RunUser)
    user = RunUser;
  else if (root)
    user = 0;
  else
    user = User;

 /*
  * Check the permissions of the command we are running...
  */

  if (_cupsFileCheck(command, _CUPS_FILE_CHECK_PROGRAM, !RunUser,
                     cupsdLogFCMessage, job ? job->printer : NULL))
    return (0);

#if defined(__APPLE__)
  if (envp)
  {
   /*
    * Add special voodoo magic for OS X - this allows OS X programs to access
    * their bundle resources properly...
    */

    if ((linkbytes = readlink(command, linkpath, sizeof(linkpath) - 1)) > 0)
    {
     /*
      * Yes, this is a symlink to the actual program, nul-terminate and
      * use it...
      */

      linkpath[linkbytes] = '\0';

      if (linkpath[0] == '/')
	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s",
		 linkpath);
      else
	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s/%s",
		 dirname((char *)command), linkpath);
    }
    else
      snprintf(processPath, sizeof(processPath), "CFProcessPath=%s", command);

    envp[0] = processPath;		/* Replace <CFProcessPath> string */
  }
#endif	/* __APPLE__ */

 /*
  * Use helper program when we have a sandbox profile...
  */

  if (profile)
  {
    snprintf(cups_exec, sizeof(cups_exec), "%s/daemon/cups-exec", ServerBin);

    real_argv[0] = cups_exec;
    real_argv[1] = profile;
    real_argv[2] = (char *)command;

    for (i = 0;
         i < (int)(sizeof(real_argv) / sizeof(real_argv[0]) - 4) && argv[i];
	 i ++)
      real_argv[i + 3] = argv[i];

    real_argv[i + 3] = NULL;

    argv      = real_argv;
    exec_path = cups_exec;
  }

 /*
  * Block signals before forking...
  */

  cupsdHoldSignals();

  if ((*pid = fork()) == 0)
  {
   /*
    * Child process goes here; update stderr as needed...
    */

    if (errfd != 2)
    {
      if (errfd < 0)
        errfd = open("/dev/null", O_WRONLY);

      if (errfd != 2)
      {
        dup2(errfd, 2);
	close(errfd);
      }
    }

   /*
    * Put this process in its own process group so that we can kill any child
    * processes it creates.
    */

#ifdef HAVE_SETPGID
    if (!RunUser && setpgid(0, 0))
      exit(errno + 100);
#else
    if (!RunUser && setpgrp())
      exit(errno + 100);
#endif /* HAVE_SETPGID */

   /*
    * Update the remaining file descriptors as needed...
    */

    if (infd != 0)
    {
      if (infd < 0)
        infd = open("/dev/null", O_RDONLY);

      if (infd != 0)
      {
        dup2(infd, 0);
	close(infd);
      }
    }

    if (outfd != 1)
    {
      if (outfd < 0)
        outfd = open("/dev/null", O_WRONLY);

      if (outfd != 1)
      {
        dup2(outfd, 1);
	close(outfd);
      }
    }

    if (backfd != 3 && backfd >= 0)
    {
      dup2(backfd, 3);
      close(backfd);
      fcntl(3, F_SETFL, O_NDELAY);
    }

    if (sidefd != 4 && sidefd >= 0)
    {
      dup2(sidefd, 4);
      close(sidefd);
      fcntl(4, F_SETFL, O_NDELAY);
    }

   /*
    * Change the priority of the process based on the FilterNice setting.
    * (this is not done for root processes...)
    */

    if (!root)
      nice(FilterNice);

   /*
    * Reset group membership to just the main one we belong to.
    */

    if (!RunUser && setgid(Group))
      exit(errno + 100);

    if (!RunUser && setgroups(1, &Group))
      exit(errno + 100);

   /*
    * Change user to something "safe"...
    */

    if (!RunUser && user && setuid(user))
      exit(errno + 100);

   /*
    * Change umask to restrict permissions on created files...
    */

    umask(077);

   /*
    * Unblock signals before doing the exec...
    */

#ifdef HAVE_SIGSET
    sigset(SIGTERM, SIG_DFL);
    sigset(SIGCHLD, SIG_DFL);
    sigset(SIGPIPE, SIG_DFL);
#elif defined(HAVE_SIGACTION)
    memset(&action, 0, sizeof(action));

    sigemptyset(&action.sa_mask);
    action.sa_handler = SIG_DFL;

    sigaction(SIGTERM, &action, NULL);
    sigaction(SIGCHLD, &action, NULL);
    sigaction(SIGPIPE, &action, NULL);
#else
    signal(SIGTERM, SIG_DFL);
    signal(SIGCHLD, SIG_DFL);
    signal(SIGPIPE, SIG_DFL);
#endif /* HAVE_SIGSET */

    cupsdReleaseSignals();

   /*
    * Execute the command; if for some reason this doesn't work, log an error
    * exit with a non-zero value...
    */

    if (envp)
      execve(exec_path, argv, envp);
    else
      execv(exec_path, argv);

    exit(errno + 100);
  }
  else if (*pid < 0)
  {
   /*
    * Error - couldn't fork a new process!
    */

    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to fork %s - %s.", command,
                    strerror(errno));

    *pid = 0;
  }
  else
  {
    if (!process_array)
      process_array = cupsArrayNew((cups_array_func_t)compare_procs, NULL);

    if (process_array)
    {
      if ((proc = calloc(1, sizeof(cupsd_proc_t) + strlen(command))) != NULL)
      {
        proc->pid    = *pid;
	proc->job_id = job ? job->id : 0;
	_cups_strcpy(proc->name, command);

	cupsArrayAdd(process_array, proc);
      }
    }
  }

  cupsdReleaseSignals();

  cupsdLogMessage(CUPSD_LOG_DEBUG2,
		  "cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
		  "infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
		  "profile=%p, job=%p(%d), pid=%p) = %d",
		  command, argv, envp, infd, outfd, errfd, backfd, sidefd,
		  root, profile, job, job ? job->id : 0, pid, *pid);

  return (*pid);
}


/*
 * 'compare_procs()' - Compare two processes.
 */

static int				/* O - Result of comparison */
compare_procs(cupsd_proc_t *a,		/* I - First process */
              cupsd_proc_t *b)		/* I - Second process */
{
  return (a->pid - b->pid);
}


#ifdef HAVE_SANDBOX_H
/*
 * 'cupsd_requote()' - Make a regular-expression version of a string.
 */

static char *				/* O - Quoted string */
cupsd_requote(char       *dst,		/* I - Destination buffer */
              const char *src,		/* I - Source string */
	      size_t     dstsize)	/* I - Size of destination buffer */
{
  int	ch;				/* Current character */
  char	*dstptr,			/* Current position in buffer */
	*dstend;			/* End of destination buffer */


  dstptr = dst;
  dstend = dst + dstsize - 2;

  while (*src && dstptr < dstend)
  {
    ch = *src++;

    if (ch == '/' && !*src)
      break;				/* Don't add trailing slash */

    if (strchr(".?*()[]^$\\", ch))
      *dstptr++ = '\\';

    *dstptr++ = (char)ch;
  }

  *dstptr = '\0';

  return (dst);
}
#endif /* HAVE_SANDBOX_H */


/*
 * End of "$Id$".
 */
Commit	Line	Data
ef416fc2	1	/*
f2d18633	2	* "$Id$"
ef416fc2	3	*
7e86f2f6	4	* Process management routines for the CUPS scheduler.
ef416fc2	5	*
7e86f2f6 MS	6	* Copyright 2007-2014 by Apple Inc.
7e86f2f6 MS	7	* Copyright 1997-2007 by Easy Software Products, all rights reserved.
ef416fc2	8	*
7e86f2f6 MS	9	* These coded instructions, statements, and computer programs are the
	10	* property of Apple Inc. and are protected by Federal copyright
	11	* law. Distribution and use rights are outlined in the file "LICENSE.txt"
	12	* which should have been included with this file. If this file is
	13	* file is missing or damaged, see the license at "http://www.cups.org/".
ef416fc2	14	*/
	15
	16	/*
	17	* Include necessary headers...
	18	*/
	19
	20	#include "cupsd.h"
	21	#include <grp.h>
a4924f6c	22	#ifdef __APPLE__
4400e98d	23	# include <libgen.h>
6d2f911b	24	#endif /* __APPLE__ */
ef416fc2	25
ef416fc2	26
e00b005a	27	/*
	28	* Process structure...
	29	*/
	30
	31	typedef struct
	32	{
b9faaae1 MS	33	int pid, /* Process ID */
b9faaae1 MS	34	job_id; /* Job associated with process */
e00b005a	35	char name[1]; /* Name of process */
	36	} cupsd_proc_t;
	37
	38
	39	/*
	40	* Local globals...
	41	*/
	42
	43	static cups_array_t *process_array = NULL;
	44
	45
	46	/*
	47	* Local functions...
	48	*/
	49
	50	static int compare_procs(cupsd_proc_t a, cupsd_proc_t b);
a4924f6c MS	51	#ifdef HAVE_SANDBOX_H
	52	static char cupsd_requote(char dst, const char *src, size_t dstsize);
	53	#endif /* HAVE_SANDBOX_H */
	54
	55
	56	/*
	57	* 'cupsdCreateProfile()' - Create an execution profile for a subprocess.
	58	*/
	59
	60	void * /* O - Profile or NULL on error */
	61	cupsdCreateProfile(int job_id) /* I - Job ID or 0 for none */
	62	{
	63	#ifdef HAVE_SANDBOX_H
	64	cups_file_t fp; / File pointer */
	65	char profile[1024], /* File containing the profile */
	66	cache[1024], /* Quoted CacheDir */
	67	request[1024], /* Quoted RequestRoot */
	68	root[1024], /* Quoted ServerRoot */
	69	temp[1024]; /* Quoted TempDir */
88f9aafc	70	const char nodebug; / " (with no-log)" for no debug */
a4924f6c MS	71
a4924f6c MS	72
0268488e	73	if (!UseProfiles)
b9faaae1 MS	74	{
	75	/*
	76	* Only use sandbox profiles as root...
	77	*/
	78
	79	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
	80	job_id);
	81
	82	return (NULL);
	83	}
	84
a4924f6c MS	85	if ((fp = cupsTempFile2(profile, sizeof(profile))) == NULL)
a4924f6c MS	86	{
b9faaae1 MS	87	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
b9faaae1 MS	88	job_id);
a4924f6c MS	89	cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create security profile: %s",
	90	strerror(errno));
	91	return (NULL);
	92	}
	93
0268488e MS	94	fchown(cupsFileNumber(fp), RunUser, Group);
	95	fchmod(cupsFileNumber(fp), 0640);
	96
a4924f6c MS	97	cupsd_requote(cache, CacheDir, sizeof(cache));
	98	cupsd_requote(request, RequestRoot, sizeof(request));
	99	cupsd_requote(root, ServerRoot, sizeof(root));
	100	cupsd_requote(temp, TempDir, sizeof(temp));
	101
88f9aafc MS	102	nodebug = LogLevel < CUPSD_LOG_DEBUG ? " (with no-log)" : "";
88f9aafc MS	103
a4924f6c	104	cupsFilePuts(fp, "(version 1)\n");
a4924f6c MS	105	cupsFilePuts(fp, "(allow default)\n");
	106	cupsFilePrintf(fp,
	107	"(deny file-write* file-read-data file-read-metadata\n"
5a6b583a MS	108	" (regex"
	109	" #\"^%s$\"" /* RequestRoot */
	110	" #\"^%s/\"" /* RequestRoot/... */
88f9aafc MS	111	")%s)\n",
88f9aafc MS	112	request, request, nodebug);
0268488e	113	if (!RunUser)
88f9aafc MS	114	cupsFilePrintf(fp,
	115	"(deny file-write* file-read-data file-read-metadata\n"
	116	" (regex"
	117	" #\"^/Users$\""
	118	" #\"^/Users/\""
	119	")%s)\n", nodebug);
a4924f6c MS	120	cupsFilePrintf(fp,
a4924f6c MS	121	"(deny file-write*\n"
5a6b583a MS	122	" (regex"
	123	" #\"^%s$\"" /* ServerRoot */
	124	" #\"^%s/\"" /* ServerRoot/... */
	125	" #\"^/private/etc$\""
	126	" #\"^/private/etc/\""
	127	" #\"^/usr/local/etc$\""
	128	" #\"^/usr/local/etc/\""
	129	" #\"^/Library$\""
	130	" #\"^/Library/\""
	131	" #\"^/System$\""
	132	" #\"^/System/\""
88f9aafc MS	133	")%s)\n",
88f9aafc MS	134	root, root, nodebug);
7cf5915e MS	135	/* Specifically allow applications to stat RequestRoot */
	136	cupsFilePrintf(fp,
	137	"(allow file-read-metadata\n"
	138	" (regex"
	139	" #\"^%s$\"" /* RequestRoot */
	140	"))\n",
	141	request);
a4924f6c MS	142	cupsFilePrintf(fp,
a4924f6c MS	143	"(allow file-write* file-read-data file-read-metadata\n"
5a6b583a MS	144	" (regex"
	145	" #\"^%s$\"" /* TempDir */
	146	" #\"^%s/\"" /* TempDir/... */
	147	" #\"^%s$\"" /* CacheDir */
	148	" #\"^%s/\"" /* CacheDir/... */
	149	" #\"^%s/Library$\"" /* RequestRoot/Library */
	150	" #\"^%s/Library/\"" /* RequestRoot/Library/... */
ed6e7faf MS	151	" #\"^/Library/Application Support/\""
	152	" #\"^/Library/Caches/\""
	153	" #\"^/Library/Preferences/\""
5a6b583a MS	154	" #\"^/Library/Printers/.*/\""
5a6b583a MS	155	" #\"^/Users/Shared/\""
ed6e7faf	156	"))\n",
5a6b583a	157	temp, temp, cache, cache, request, request);
88f9aafc MS	158	cupsFilePrintf(fp,
	159	"(deny file-write*\n"
	160	" (regex"
	161	" #\"^/Library/Printers/PPDs$\""
	162	" #\"^/Library/Printers/PPDs/\""
	163	" #\"^/Library/Printers/PPD Plugins$\""
	164	" #\"^/Library/Printers/PPD Plugins/\""
	165	")%s)\n", nodebug);
a4924f6c	166	if (job_id)
e60ec91f MS	167	{
	168	/*
	169	* Allow job filters to read the spool file(s)...
	170	*/
	171
a4924f6c MS	172	cupsFilePrintf(fp,
	173	"(allow file-read-data file-read-metadata\n"
	174	" (regex #\"^%s/([ac]%05d\|d%05d-[0-9][0-9][0-9])$\"))\n",
5bd77a73	175	request, job_id, job_id);
e60ec91f MS	176	}
	177	else
	178	{
	179	/*
	180	* Allow email notifications from notifiers...
	181	*/
	182
	183	cupsFilePuts(fp,
	184	"(allow process-exec\n"
	185	" (literal \"/usr/sbin/sendmail\")\n"
	186	" (with no-sandbox)\n"
	187	")\n");
	188	}
a4924f6c MS	189
	190	cupsFileClose(fp);
	191
5bd77a73 MS	192	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = \"%s\"",
5bd77a73 MS	193	job_id, profile);
a4924f6c	194	return ((void *)strdup(profile));
b9faaae1	195
a4924f6c	196	#else
b9faaae1 MS	197	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
b9faaae1 MS	198	job_id);
a4924f6c MS	199
	200	return (NULL);
	201	#endif /* HAVE_SANDBOX_H */
	202	}
	203
	204
	205	/*
	206	* 'cupsdDestroyProfile()' - Delete an execution profile.
	207	*/
	208
	209	void
	210	cupsdDestroyProfile(void profile) / I - Profile */
	211	{
b9faaae1 MS	212	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteProfile(profile=\"%s\")",
	213	profile ? (char *)profile : "(null)");
	214
a4924f6c MS	215	#ifdef HAVE_SANDBOX_H
	216	if (profile)
	217	{
	218	unlink((char *)profile);
	219	free(profile);
	220	}
	221	#endif /* HAVE_SANDBOX_H */
	222	}
e00b005a	223
e00b005a	224
ef416fc2	225	/*
	226	* 'cupsdEndProcess()' - End a process.
	227	*/
	228
	229	int /* O - 0 on success, -1 on failure */
	230	cupsdEndProcess(int pid, /* I - Process ID */
	231	int force) /* I - Force child to die */
	232	{
b9faaae1 MS	233	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdEndProcess(pid=%d, force=%d)", pid,
	234	force);
	235
ef55b745 MS	236	if (!pid)
ef55b745 MS	237	return (0);
88f9aafc MS	238
	239	if (!RunUser)
	240	{
	241	/*
	242	* When running as root, cupsd puts child processes in their own process
	243	* group. Using "-pid" sends a signal to all processes in the group.
	244	*/
	245
	246	pid = -pid;
	247	}
	248
	249	if (force)
ef416fc2	250	return (kill(pid, SIGKILL));
	251	else
	252	return (kill(pid, SIGTERM));
	253	}
	254
	255
e00b005a	256	/*
	257	* 'cupsdFinishProcess()' - Finish a process and get its name.
	258	*/
	259
	260	const char * /* O - Process name */
	261	cupsdFinishProcess(int pid, /* I - Process ID */
	262	char name, / I - Name buffer */
b9faaae1 MS	263	int namelen, /* I - Size of name buffer */
b9faaae1 MS	264	int job_id) / O - Job ID pointer or NULL */
e00b005a	265	{
	266	cupsd_proc_t key, /* Search key */
	267	proc; / Matching process */
	268
	269
	270	key.pid = pid;
	271
	272	if ((proc = (cupsd_proc_t *)cupsArrayFind(process_array, &key)) != NULL)
	273	{
b9faaae1 MS	274	if (job_id)
	275	*job_id = proc->job_id;
	276
e00b005a	277	strlcpy(name, proc->name, namelen);
	278	cupsArrayRemove(process_array, proc);
	279	free(proc);
e00b005a	280	}
e00b005a	281	else
b9faaae1 MS	282	{
	283	if (job_id)
	284	*job_id = 0;
	285
	286	strlcpy(name, "unknown", namelen);
	287	}
	288
	289	cupsdLogMessage(CUPSD_LOG_DEBUG2,
	290	"cupsdFinishProcess(pid=%d, name=%p, namelen=%d, "
	291	"job_id=%p(%d)) = \"%s\"", pid, name, namelen, job_id,
	292	job_id ? *job_id : 0, name);
	293
	294	return (name);
e00b005a	295	}
	296
	297
ef416fc2	298	/*
	299	* 'cupsdStartProcess()' - Start a process.
	300	*/
	301
	302	int /* O - Process ID or 0 */
	303	cupsdStartProcess(
b9faaae1 MS	304	const char command, / I - Full path to command */
	305	char argv[], / I - Command-line arguments */
	306	char envp[], / I - Environment */
	307	int infd, /* I - Standard input file descriptor */
	308	int outfd, /* I - Standard output file descriptor */
	309	int errfd, /* I - Standard error file descriptor */
	310	int backfd, /* I - Backchannel file descriptor */
	311	int sidefd, /* I - Sidechannel file descriptor */
	312	int root, /* I - Run as root? */
	313	void profile, / I - Security profile to use */
38e73f87	314	cupsd_job_t job, / I - Job associated with process */
b9faaae1	315	int pid) / O - Process ID */
ef416fc2	316	{
0268488e	317	int i; /* Looping var */
e60ec91f	318	const char exec_path = command; / Command to be exec'd */
0268488e MS	319	char real_argv[103], / Real command-line arguments */
0268488e MS	320	cups_exec[1024]; /* Path to "cups-exec" program */
7e86f2f6	321	uid_t user; /* Command UID */
e00b005a	322	cupsd_proc_t proc; / New process record */
ef416fc2	323	#if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
e00b005a	324	struct sigaction action; /* POSIX signal handler */
ef416fc2	325	#endif /* HAVE_SIGACTION && !HAVE_SIGSET */
e53920b9	326	#if defined(__APPLE__)
e00b005a	327	char processPath[1024], /* CFProcessPath environment variable */
	328	linkpath[1024]; /* Link path for symlinks... */
	329	int linkbytes; /* Bytes for link path */
e53920b9	330	#endif /* __APPLE__ */
ef416fc2	331
ef416fc2	332
22c9029b MS	333	*pid = 0;
22c9029b MS	334
0268488e MS	335	/*
	336	* Figure out the UID for the child process...
	337	*/
	338
bf3816c7 MS	339	if (RunUser)
	340	user = RunUser;
	341	else if (root)
	342	user = 0;
	343	else
	344	user = User;
	345
0268488e MS	346	/*
	347	* Check the permissions of the command we are running...
	348	*/
	349
22c9029b MS	350	if (_cupsFileCheck(command, _CUPS_FILE_CHECK_PROGRAM, !RunUser,
22c9029b MS	351	cupsdLogFCMessage, job ? job->printer : NULL))
bf3816c7	352	return (0);
76cd9e37	353
e53920b9	354	#if defined(__APPLE__)
e53920b9	355	if (envp)
e00b005a	356	{
e00b005a	357	/*
f3c17241 MS	358	* Add special voodoo magic for OS X - this allows OS X programs to access
f3c17241 MS	359	* their bundle resources properly...
e00b005a	360	*/
e00b005a	361
e53920b9	362	if ((linkbytes = readlink(command, linkpath, sizeof(linkpath) - 1)) > 0)
	363	{
	364	/*
	365	* Yes, this is a symlink to the actual program, nul-terminate and
	366	* use it...
	367	*/
	368
	369	linkpath[linkbytes] = '\0';
e00b005a	370
e53920b9	371	if (linkpath[0] == '/')
	372	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s",
	373	linkpath);
	374	else
	375	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s/%s",
f7deaa1a	376	dirname((char *)command), linkpath);
e53920b9	377	}
e00b005a	378	else
e53920b9	379	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s", command);
bd7854cb	380
e53920b9	381	envp[0] = processPath; /* Replace <CFProcessPath> string */
	382	}
	383	#endif /* __APPLE__ */
e00b005a	384
0268488e MS	385	/*
	386	* Use helper program when we have a sandbox profile...
	387	*/
	388
	389	if (profile)
	390	{
	391	snprintf(cups_exec, sizeof(cups_exec), "%s/daemon/cups-exec", ServerBin);
	392
	393	real_argv[0] = cups_exec;
	394	real_argv[1] = profile;
	395	real_argv[2] = (char *)command;
	396
	397	for (i = 0;
	398	i < (int)(sizeof(real_argv) / sizeof(real_argv[0]) - 4) && argv[i];
	399	i ++)
	400	real_argv[i + 3] = argv[i];
	401
	402	real_argv[i + 3] = NULL;
	403
e60ec91f MS	404	argv = real_argv;
e60ec91f MS	405	exec_path = cups_exec;
0268488e MS	406	}
0268488e MS	407
ef416fc2	408	/*
	409	* Block signals before forking...
	410	*/
	411
	412	cupsdHoldSignals();
	413
	414	if ((*pid = fork()) == 0)
	415	{
	416	/*
88f9aafc MS	417	* Child process goes here; update stderr as needed...
	418	*/
	419
	420	if (errfd != 2)
	421	{
	422	if (errfd < 0)
	423	errfd = open("/dev/null", O_WRONLY);
	424
	425	if (errfd != 2)
	426	{
	427	dup2(errfd, 2);
	428	close(errfd);
	429	}
	430	}
	431
	432	/*
	433	* Put this process in its own process group so that we can kill any child
	434	* processes it creates.
	435	*/
	436
	437	#ifdef HAVE_SETPGID
	438	if (!RunUser && setpgid(0, 0))
	439	exit(errno + 100);
	440	#else
	441	if (!RunUser && setpgrp())
	442	exit(errno + 100);
	443	#endif /* HAVE_SETPGID */
	444
	445	/*
	446	* Update the remaining file descriptors as needed...
ef416fc2	447	*/
	448
	449	if (infd != 0)
	450	{
68b10830 MS	451	if (infd < 0)
	452	infd = open("/dev/null", O_RDONLY);
	453
	454	if (infd != 0)
	455	{
	456	dup2(infd, 0);
	457	close(infd);
	458	}
ef416fc2	459	}
68b10830	460
ef416fc2	461	if (outfd != 1)
ef416fc2	462	{
68b10830 MS	463	if (outfd < 0)
	464	outfd = open("/dev/null", O_WRONLY);
	465
	466	if (outfd != 1)
	467	{
	468	dup2(outfd, 1);
	469	close(outfd);
	470	}
ef416fc2	471	}
68b10830	472
68b10830	473	if (backfd != 3 && backfd >= 0)
ef416fc2	474	{
68b10830 MS	475	dup2(backfd, 3);
68b10830 MS	476	close(backfd);
ef416fc2	477	fcntl(3, F_SETFL, O_NDELAY);
ef416fc2	478	}
68b10830 MS	479
68b10830 MS	480	if (sidefd != 4 && sidefd >= 0)
f7deaa1a	481	{
68b10830 MS	482	dup2(sidefd, 4);
68b10830 MS	483	close(sidefd);
f7deaa1a	484	fcntl(4, F_SETFL, O_NDELAY);
f7deaa1a	485	}
ef416fc2	486
	487	/*
	488	* Change the priority of the process based on the FilterNice setting.
5bd77a73	489	* (this is not done for root processes...)
ef416fc2	490	*/
	491
	492	if (!root)
	493	nice(FilterNice);
	494
	495	/*
88f9aafc	496	* Reset group membership to just the main one we belong to.
ef416fc2	497	*/
ef416fc2	498
88f9aafc MS	499	if (!RunUser && setgid(Group))
88f9aafc MS	500	exit(errno + 100);
ef416fc2	501
88f9aafc MS	502	if (!RunUser && setgroups(1, &Group))
88f9aafc MS	503	exit(errno + 100);
ef416fc2	504
88f9aafc MS	505	/*
	506	* Change user to something "safe"...
	507	*/
41681883	508
88f9aafc MS	509	if (!RunUser && user && setuid(user))
88f9aafc MS	510	exit(errno + 100);
ef416fc2	511
	512	/*
	513	* Change umask to restrict permissions on created files...
	514	*/
	515
	516	umask(077);
	517
	518	/*
	519	* Unblock signals before doing the exec...
	520	*/
	521
	522	#ifdef HAVE_SIGSET
	523	sigset(SIGTERM, SIG_DFL);
	524	sigset(SIGCHLD, SIG_DFL);
ef55b745	525	sigset(SIGPIPE, SIG_DFL);
ef416fc2	526	#elif defined(HAVE_SIGACTION)
	527	memset(&action, 0, sizeof(action));
	528
	529	sigemptyset(&action.sa_mask);
	530	action.sa_handler = SIG_DFL;
	531
	532	sigaction(SIGTERM, &action, NULL);
	533	sigaction(SIGCHLD, &action, NULL);
ef55b745	534	sigaction(SIGPIPE, &action, NULL);
ef416fc2	535	#else
	536	signal(SIGTERM, SIG_DFL);
	537	signal(SIGCHLD, SIG_DFL);
ef55b745	538	signal(SIGPIPE, SIG_DFL);
ef416fc2	539	#endif /* HAVE_SIGSET */
	540
	541	cupsdReleaseSignals();
	542
	543	/*
0268488e MS	544	* Execute the command; if for some reason this doesn't work, log an error
0268488e MS	545	* exit with a non-zero value...
ef416fc2	546	*/
	547
	548	if (envp)
e60ec91f	549	execve(exec_path, argv, envp);
ef416fc2	550	else
e60ec91f	551	execv(exec_path, argv);
ef416fc2	552
88f9aafc	553	exit(errno + 100);
ef416fc2	554	}
	555	else if (*pid < 0)
	556	{
	557	/*
	558	* Error - couldn't fork a new process!
	559	*/
	560
	561	cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to fork %s - %s.", command,
	562	strerror(errno));
	563
	564	*pid = 0;
	565	}
e00b005a	566	else
	567	{
	568	if (!process_array)
	569	process_array = cupsArrayNew((cups_array_func_t)compare_procs, NULL);
f3c17241	570
e00b005a	571	if (process_array)
	572	{
	573	if ((proc = calloc(1, sizeof(cupsd_proc_t) + strlen(command))) != NULL)
	574	{
b9faaae1	575	proc->pid = *pid;
38e73f87	576	proc->job_id = job ? job->id : 0;
e60ec91f	577	_cups_strcpy(proc->name, command);
e00b005a	578
	579	cupsArrayAdd(process_array, proc);
	580	}
	581	}
	582	}
ef416fc2	583
	584	cupsdReleaseSignals();
	585
b9faaae1 MS	586	cupsdLogMessage(CUPSD_LOG_DEBUG2,
	587	"cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
	588	"infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
38e73f87	589	"profile=%p, job=%p(%d), pid=%p) = %d",
b9faaae1	590	command, argv, envp, infd, outfd, errfd, backfd, sidefd,
38e73f87	591	root, profile, job, job ? job->id : 0, pid, *pid);
b9faaae1	592
ef416fc2	593	return (*pid);
	594	}
	595
	596
	597	/*
e00b005a	598	* 'compare_procs()' - Compare two processes.
	599	*/
	600
	601	static int /* O - Result of comparison */
	602	compare_procs(cupsd_proc_t a, / I - First process */
	603	cupsd_proc_t b) / I - Second process */
	604	{
	605	return (a->pid - b->pid);
	606	}
	607
	608
a4924f6c MS	609	#ifdef HAVE_SANDBOX_H
	610	/*
	611	* 'cupsd_requote()' - Make a regular-expression version of a string.
	612	*/
	613
	614	static char * /* O - Quoted string */
	615	cupsd_requote(char dst, / I - Destination buffer */
	616	const char src, / I - Source string */
	617	size_t dstsize) /* I - Size of destination buffer */
	618	{
	619	int ch; /* Current character */
	620	char dstptr, / Current position in buffer */
	621	dstend; / End of destination buffer */
	622
	623
	624	dstptr = dst;
	625	dstend = dst + dstsize - 2;
	626
	627	while (*src && dstptr < dstend)
	628	{
	629	ch = *src++;
	630
cb7f98ee MS	631	if (ch == '/' && !*src)
	632	break; /* Don't add trailing slash */
	633
a4924f6c MS	634	if (strchr(".?*()[]^$\\", ch))
	635	*dstptr++ = '\\';
	636
7e86f2f6	637	*dstptr++ = (char)ch;
a4924f6c MS	638	}
	639
	640	*dstptr = '\0';
	641
	642	return (dst);
	643	}
	644	#endif /* HAVE_SANDBOX_H */
	645
	646
e00b005a	647	/*
f2d18633	648	* End of "$Id$".
ef416fc2	649	*/