SERVER: Set the process group during server_setup()

By calling setpgid() in server_setup() we are able to kill the process in the watchdog by simply doing kill(-getpid(), SIGTERM). However, in order to have it working properly the SELinux policy for SSSD has to be updated and unless SSSD is ran with SELinux on permissive mode, each of the responders and the monitor will trigger a similar message: Jan 09 14:31:50 client1.ipa.example audit[11630]: AVC avc: denied { setpgid } for pid=11630 comm="sssd_pac" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0 It's important to say that till SELinux policy is fixed, we might end up leaking some processes. Related: https://fedorahosted.org/sssd/ticket/3266 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SSSD · Jan 25, 2017 · 087162b · 087162b
1 parent 9657c17
commit 087162b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
@@ -1468,7 +1468,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
               "Terminating [%s][%d]\n", svc->name, svc->pid);
         do {
             errno = 0;
-            kret = kill(svc->pid, SIGTERM);
+            kret = kill(-svc->pid, SIGTERM);
             if (kret < 0) {
                 error = errno;
                 DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't kill [%s][%d]: [%s]\n",
@@ -1489,7 +1489,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
                               "[%d][%s] while waiting for [%s]\n",
                                   error, strerror(error), svc->name);
                         /* Forcibly kill this child */
-                        kill(svc->pid, SIGKILL);
+                        kill(-svc->pid, SIGKILL);
                         break;
                     }
                 } else if (pid != 0) {
@@ -1504,7 +1504,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
                         DEBUG(SSSDBG_FATAL_FAILURE,
                               "Child [%s] did not exit cleanly\n", svc->name);
                         /* Forcibly kill this child */
-                        kill(svc->pid, SIGKILL);
+                        kill(-svc->pid, SIGKILL);
                     }
                     killed = true;
                 }

diff --git a/src/util/server.c b/src/util/server.c
@@ -460,6 +460,17 @@ int server_setup(const char *name, int flags,
     struct logrotate_ctx *lctx;
     char *locale;
     int watchdog_interval;
+    pid_t my_pid;
+
+    my_pid = getpid();
+    ret = setpgid(my_pid, my_pid);
+    if (ret != EOK) {
+        ret = errno;
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "Failed setting process group: %s[%d]. "
+              "We might leak processes in case of failure\n",
+              sss_strerror(ret), ret);
+    }
 
     if (!is_socket_activated()) {
         ret = chown_debug_file(NULL, uid, gid);