Add support for exiting on stdin or stdout EOF

DemiMarie · DemiMarie · commit 5a16b4c281a2 · 2024-05-01T23:13:04.000-04:00
This adds two new boolean service configuration options: - exit-on-stdout-eof: exit when the socket service shuts down its output stream for writing. - exit-on-stdin-eof: exit when the client sends EOF. To avoid compatibility problems, global variables are used to pass this information from the configuration parser to the I/O code. In the future, there should be a better way to pass this information, so global variables are used right now. Fortunately, the configuration parser only runs once in the life of any process right now, so this commit adds assertions to check this. Qubes OS ships with assertions enabled, so any violation of this rule will be detected. The main use of these features is to emulate the old qubes.ConnectTCP and qubes.UpdatesProxy services, which already had this behavior due to the use of socat. These features are only supported for socket-based services, as executable services are more complicated and do not have a use case right now. Currently, if a service exits due to exit-on-stdin-eof, the empty MSG_DATA_STDOUT that indicates EOF is not sent. This is not a problem because qrexec-client-vm interprets MSG_DATA_EXIT_CODE as also indicating EOF on stdout and stderr. Fixes: QubesOS/qubes-issues#9176
diff --git a/libqrexec/exec.c b/libqrexec/exec.c
@@ -311,9 +311,15 @@ static int find_file(
     return rc;
 }
 
+bool exit_on_stdout_eof = false;
+bool exit_on_stdin_eof = false;
+
 static int load_service_config_raw(struct qrexec_parsed_command *cmd,
                                    char **user)
 {
+    static bool called_yet = false;
+    assert(!called_yet);
+    called_yet = true;
     const char *config_path = getenv("QUBES_RPC_CONFIG_PATH");
     if (!config_path)
         config_path = QUBES_RPC_CONFIG_PATH;
@@ -328,7 +334,9 @@ static int load_service_config_raw(struct qrexec_parsed_command *cmd,
     if (ret == -1)
         return 0;
     return qubes_toml_config_parse(config_full_path, &cmd->wait_for_session, user,
-                                   &cmd->send_service_descriptor);
+                                   &cmd->send_service_descriptor,
+                                   &exit_on_stdout_eof,
+                                   &exit_on_stdin_eof);
 }
 
 int load_service_config_v2(struct qrexec_parsed_command *cmd) {
@@ -731,6 +739,16 @@ int find_qrexec_service(
                 path_buffer.data);
             return -2;
         }
+        if (exit_on_stdout_eof) {
+            LOG(ERROR, "Refusing to execute executable service %s with exit_on_stdout_eof=true",
+                path_buffer.data);
+            return -2;
+        }
+        if (exit_on_stdin_eof) {
+            LOG(ERROR, "Refusing to execute executable service %s with exit_on_stdin_eof=true",
+                path_buffer.data);
+            return -2;
+        }
         return 0;
     }
 
diff --git a/libqrexec/private.h b/libqrexec/private.h
@@ -1,2 +1,7 @@
 #include <stdbool.h>
-int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session, char **user, bool *skip_service_descriptor);
+extern bool exit_on_stdout_eof, exit_on_stdin_eof;
+int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session,
+                            char **user,
+                            bool *send_service_descriptor,
+                            bool *exit_on_stdout_eof,
+                            bool *exit_on_stdin_eof);
diff --git a/libqrexec/process_io.c b/libqrexec/process_io.c
@@ -32,6 +32,7 @@
 
 #include "libqrexec-utils.h"
 #include "remote.h"
+#include "private.h"
 
 static _Noreturn void handle_vchan_error(const char *op)
 {
@@ -91,6 +92,8 @@ int process_io(const struct process_io_request *old_req) {
         .is_service = old_req->is_service,
         .replace_chars_stdout = old_req->replace_chars_stdout,
         .replace_chars_stderr = old_req->replace_chars_stderr,
+        .exit_on_stdout_eof = exit_on_stdout_eof,
+        .exit_on_stdin_eof = exit_on_stdin_eof,
         .data_protocol_version = (uint16_t)old_req->data_protocol_version,
         .size = sizeof(new_req),
         .null_fd = -1,
@@ -144,19 +147,41 @@ int qubes_qrexec_process_io(const struct qrexec_process_io_request *req) {
     set_nonblock(stdin_fd);
     if (stdout_fd != stdin_fd)
         set_nonblock(stdout_fd);
+    if (is_service && local_pid == 0) {
+        assert(stdin_fd == stdout_fd);
+        assert(stderr_fd == -1);
+    }
     if (stderr_fd >= 0) {
         assert(is_service); // if this is a client, stderr_fd is *always* -1
         set_nonblock(stderr_fd);
     }
+    if (req->exit_on_stdout_eof || req->exit_on_stdin_eof) {
+        assert(is_service); // only valid for socket services
+        assert(local_pid == 0); // ditto
+    }
 
     /* Convenience macros that eliminate a ton of error-prone boilerplate */
-#define close_stdin() do {                      \
-    close_stdio(stdin_fd, stdout_fd, SHUT_WR);  \
-    stdin_fd = -1;                              \
+#define close_stdin() do {                          \
+    if (req->exit_on_stdin_eof) {                   \
+        /* Set stdin_fd and stdout_fd to -1.        \
+         * No need to close them as the process     \
+         * will soon exit. */                       \
+        stdin_fd = stdout_fd = -1;                  \
+    } else {                                        \
+        close_stdio(stdin_fd, stdout_fd, SHUT_WR);  \
+        stdin_fd = -1;                              \
+    }                                               \
 } while (0)
-#define close_stdout() do {                     \
-    close_stdio(stdout_fd, stdin_fd, SHUT_RD);  \
-    stdout_fd = -1;                             \
+#define close_stdout() do {                         \
+    if (req->exit_on_stdout_eof) {                  \
+        /* Set stdin_fd and stdout_fd to -1.        \
+         * No need to close them as the process     \
+         * will soon exit. */                       \
+        stdin_fd = stdout_fd = -1;                  \
+    } else {                                        \
+        close_stdio(stdout_fd, stdin_fd, SHUT_RD);  \
+        stdout_fd = -1;                             \
+    }                                               \
 } while (0)
 #pragma GCC poison close_stdio
 
diff --git a/libqrexec/toml.c b/libqrexec/toml.c
@@ -171,7 +171,8 @@ static void toml_value_free(union toml_data *value, enum toml_type ty) {
     }
 }
 
-int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session, char **user, bool *send_service_descriptor)
+int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session, char **user, bool *send_service_descriptor,
+                            bool *exit_on_stdout_eof, bool *exit_on_stdin_eof)
 {
     int result = -1; /* assume problem */
     FILE *config_file = fopen(config_full_path, "re");
@@ -187,6 +188,8 @@ int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session
     bool seen_wait_for_session = false;
     bool seen_user = false;
     bool seen_skip_service_descriptor = false;
+    bool seen_exit_on_stdin_eof = false;
+    bool seen_exit_on_stdout_eof = false;
     *wait_for_session = 0;
     *send_service_descriptor = true;
 #define CHECK_DUP_KEY(v) do {                                               \
@@ -290,6 +293,14 @@ int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session
                 CHECK_TYPE(TOML_TYPE_BOOL, "wait-for-session");
                 *wait_for_session = value.boolean;
             }
+        } else if (strcmp(current_line, "exit-on-stdin-eof") == 0) {
+            CHECK_DUP_KEY(seen_exit_on_stdin_eof);
+            CHECK_TYPE(TOML_TYPE_BOOL, "exit-on-stdin-eof");
+            *exit_on_stdin_eof = value.boolean;
+        } else if (strcmp(current_line, "exit-on-stdout-eof") == 0) {
+            CHECK_DUP_KEY(seen_exit_on_stdout_eof);
+            CHECK_TYPE(TOML_TYPE_BOOL, "exit-on-stdout-eof");
+            *exit_on_stdout_eof = value.boolean;
         } else if (strcmp(current_line, "skip-service-descriptor") == 0) {
             CHECK_DUP_KEY(seen_skip_service_descriptor);
             CHECK_TYPE(TOML_TYPE_BOOL, "skip-service-descriptor");
diff --git a/qrexec/tests/socket/agent.py b/qrexec/tests/socket/agent.py
@@ -584,6 +584,14 @@ def test_exec_service_with_invalid_config_7(self):
         # skip-service-descriptor not allowed with executable service
         self.exec_service_with_invalid_config("skip-service-descriptor = true\n")
 
+    def test_exec_service_with_invalid_config_8(self):
+        # exit-on-stdout-eof not allowed with executable service
+        self.exec_service_with_invalid_config("exit-on-stdout-eof = true\n")
+
+    def test_exec_service_with_invalid_config_9(self):
+        # exit-on-stdin-eof not allowed with executable service
+        self.exec_service_with_invalid_config("exit-on-stdin-eof = true\n")
+
     def test_exec_service_with_arg(self):
         self.make_executable_service(
             "local-rpc",
@@ -714,6 +722,76 @@ def test_connect_socket_no_metadata_user(self):
         )
         self.check_dom0(dom0)
 
+    def test_connect_socket_exit_on_stdin_eof(self):
+        socket_path = os.path.join(
+            self.tempdir, "rpc", "qubes.SocketService+arg2"
+        )
+        with open(
+            os.path.join(self.tempdir, "rpc-config", "qubes.SocketService+arg2"), "w"
+        ) as f:
+            f.write("""\
+skip-service-descriptor = true
+exit-on-stdin-eof = true
+""")
+        server = qrexec.socket_server(socket_path)
+        self.addCleanup(server.close)
+
+        target, dom0 = self.execute_qubesrpc("qubes.SocketService+arg2", "domX")
+
+        server.accept()
+
+        message = b"stdin data"
+        target.send_message(qrexec.MSG_DATA_STDIN, message)
+        target.send_message(qrexec.MSG_DATA_STDIN, b"")
+        # Check for EOF on stdin
+        self.assertEqual(server.recvall(len(message) + 1), message)
+        messages = target.recv_all_messages()
+        # No stderr
+        self.assertListEqual(
+            util.sort_messages(messages),
+            [
+                (qrexec.MSG_DATA_EXIT_CODE, b"\0\0\0\0"),
+            ],
+        )
+        self.check_dom0(dom0)
+        server.close()
+
+    def test_connect_socket_exit_on_stdout_eof(self):
+        socket_path = os.path.join(
+            self.tempdir, "rpc", "qubes.SocketService+arg2"
+        )
+        with open(
+            os.path.join(self.tempdir, "rpc-config", "qubes.SocketService+arg2"), "w"
+        ) as f:
+            f.write("""\
+skip-service-descriptor = true
+exit-on-stdout-eof = true
+""")
+        server = qrexec.socket_server(socket_path)
+        self.addCleanup(server.close)
+
+        target, dom0 = self.execute_qubesrpc("qubes.SocketService+arg2", "domX")
+
+        server.accept()
+
+        message = b"stdin data"
+        target.send_message(qrexec.MSG_DATA_STDIN, message)
+        self.assertEqual(server.recvall(len(message)), message)
+        # Trigger EOF on stdout
+        server.shutdown(socket.SHUT_WR)
+        # Server should exit
+        messages = target.recv_all_messages()
+        # No stderr
+        self.assertListEqual(
+            util.sort_messages(messages),
+            [
+                (qrexec.MSG_DATA_STDOUT, b""),
+                (qrexec.MSG_DATA_EXIT_CODE, b"\0\0\0\0"),
+            ],
+        )
+        self.check_dom0(dom0)
+        server.close()
+
     def test_connect_socket_no_metadata(self):
         socket_path = os.path.join(
             self.tempdir, "rpc", "qubes.SocketService+arg2"
diff --git a/qrexec/tests/socket/qrexec.py b/qrexec/tests/socket/qrexec.py
@@ -117,6 +117,8 @@ def accept(self):
         self.server_conn.close()
         self.server_conn = None
 
+    def shutdown(self, arg):
+        self.conn.shutdown(arg)
 
 def vchan_client(socket_dir, domain, remote_domain, port):
     vchan_socket_path = os.path.join(
