Add support for exiting on client or service EOF

This adds two new boolean service configuration options:

- exit-on-service-eof: exit when the socket service shuts down its
  output stream for writing.

- exit-on-client-eof: exit when the client shuts down its output stream
  for writing.

The information is passed through an extended qrexec_parsed_command
struct.  New functions are added that avoid the executables having to
access members that are private to libqrexec.

The main use of these features is to emulate the old qubes.ConnectTCP
and qubes.UpdatesProxy services, which already had this behavior due to
the use of socat.

These features are only supported for socket-based services, as
executable services are more complicated and do not have a use case
right now.

Currently, if a service exits due to exit-on-stdin-eof, the empty
MSG_DATA_STDOUT that indicates EOF is not sent.  This is not a problem
because qrexec-client-vm interprets MSG_DATA_EXIT_CODE as also
indicating EOF on stdout and stderr.

Fixes: QubesOS/qubes-issues#9176

Author: DemiMarie

agent/qrexec-agent-data.c

@@ -281,7 +281,7 @@ static int handle_new_process_common(
     req.prefix_data.data = NULL;
     req.prefix_data.len = 0;
 
-    exit_code = process_io(&req);
+    exit_code = qrexec_process_io(&req, cmd);
 
     if (type == MSG_EXEC_CMDLINE) {
         if (pid > 0)
@@ -382,7 +382,7 @@ int handle_data_client(
         req.prefix_data.len = 0;
     }
 
-    exit_code = process_io(&req);
+    exit_code = qrexec_process_io(&req, NULL);
     libvchan_close(data_vchan);
     return exit_code;
 }

agent/qrexec-agent.c

@@ -648,9 +648,8 @@ static void handle_server_exec_request_do(int type,
         return;
     }
 
-    /* Fork server does not load configuration, so if sending a service
-     * descriptor is not enabled, do not use it. */
-    if (cmd != NULL && !cmd->nogui && cmd->send_service_descriptor) {
+    /* Ask libqrexec-utils if the fork server is safe to use */
+    if (qrexec_cmd_use_fork_server(cmd)) {
         /* try fork server */
         int child_socket = try_fork_server(type,
                 params->connect_domain, params->connect_port,

agent/qrexec-client-vm.c

@@ -149,7 +149,7 @@ int main(int argc, char **argv)
 
     setup_logging("qrexec-client-vm");
 
-    // TODO: this should be in process_io
+    // TODO: this should be in qrexec_process_io
     signal(SIGPIPE, SIG_IGN);
 
     while (1) {

daemon/qrexec-client.c

@@ -303,6 +303,8 @@ int main(int argc, char **argv)
                     prepare_ret = QREXEC_EXIT_PROBLEM;
                 else {
                     prepare_ret = prepare_local_fds(command, &stdin_buffer);
+                    /* Don't pass this to handshake_and_go() as this is not
+                     * a service call to dom0. */
                     destroy_qrexec_parsed_command(command);
                 }
             } else {
@@ -333,7 +335,7 @@ int main(int argc, char **argv)
                 .replace_chars_stdout = replace_chars_stdout,
                 .replace_chars_stderr = replace_chars_stderr,
             };
-            rc = handshake_and_go(&params);
+            rc = handshake_and_go(&params, NULL);
 cleanup:
             if (kill && domname) {
                 size_t l;

daemon/qrexec-daemon-common.c

@@ -409,7 +409,8 @@ static void handle_failed_exec(libvchan_t *data_vchan, bool is_service, int exit
     }
 }
 
-static int select_loop(struct handshake_params *params)
+static int select_loop(const struct handshake_params *params,
+                       const struct qrexec_parsed_command *cmd)
 {
     struct process_io_request req = { 0 };
     int exit_code;
@@ -429,7 +430,7 @@ static int select_loop(struct handshake_params *params)
     req.prefix_data.data = NULL;
     req.prefix_data.len = 0;
 
-    exit_code = process_io(&req);
+    exit_code = qrexec_process_io(&req, cmd);
     return (params->exit_with_code ? exit_code : 0);
 }
 
@@ -493,10 +494,11 @@ int run_qrexec_to_dom0(const struct service_params *svc_params,
         .replace_chars_stdout = false, // stdout is _from_ dom0
         .replace_chars_stderr = false, // stderr is _from_ dom0
     };
-    return handshake_and_go(&params);
+    return handshake_and_go(&params, command);
 }
 
-int handshake_and_go(struct handshake_params *params)
+int handshake_and_go(struct handshake_params *params,
+                     const struct qrexec_parsed_command *cmd)
 {
     int rc = QREXEC_EXIT_PROBLEM;
     if (params->data_vchan == NULL || !libvchan_is_open(params->data_vchan)) {
@@ -507,11 +509,12 @@ int handshake_and_go(struct handshake_params *params)
                                                        params->remote_send_first);
     if (data_protocol_version >= 0) {
         if (params->prepare_ret != 0) {
-            rc = params->prepare_ret == -1 ? QREXEC_EXIT_SERVICE_NOT_FOUND : QREXEC_EXIT_PROBLEM;
+            rc = params->prepare_ret == -1 ? QREXEC_EXIT_SERVICE_NOT_FOUND : rc;
             handle_failed_exec(params->data_vchan, params->remote_send_first, rc);
         } else {
+            assert((cmd != NULL) == params->remote_send_first);
             params->data_protocol_version = data_protocol_version;
-            rc = select_loop(params);
+            rc = select_loop(params, cmd);
         }
     }
 cleanup:

daemon/qrexec-daemon-common.h

@@ -33,7 +33,8 @@ struct handshake_params {
     bool replace_chars_stderr;
 };
 __attribute__((warn_unused_result))
-int handshake_and_go(struct handshake_params *params);
+int handshake_and_go(struct handshake_params *params,
+                     const struct qrexec_parsed_command *cmd);
 __attribute__((warn_unused_result))
 int handle_agent_handshake(libvchan_t *vchan, bool remote_send_first);
 __attribute__((warn_unused_result))

libqrexec/exec.c

@@ -328,7 +328,16 @@ static int load_service_config_raw(struct qrexec_parsed_command *cmd,
     if (ret == -1)
         return 0;
     return qubes_toml_config_parse(config_full_path, &cmd->wait_for_session, user,
-                                   &cmd->send_service_descriptor);
+                                   &cmd->send_service_descriptor,
+                                   &cmd->exit_on_stdout_eof,
+                                   &cmd->exit_on_stdin_eof);
+}
+
+bool qrexec_cmd_use_fork_server(const struct qrexec_parsed_command *cmd) {
+    if (cmd == NULL)
+        return false;
+    return !cmd->nogui && cmd->send_service_descriptor && !cmd->exit_on_stdin_eof &&
+           !cmd->exit_on_stdout_eof;
 }
 
 int load_service_config_v2(struct qrexec_parsed_command *cmd) {
@@ -341,6 +350,16 @@ int load_service_config_v2(struct qrexec_parsed_command *cmd) {
                 "skip-service-descriptor=true", cmd->service_descriptor);
             return -1;
         }
+        if (cmd->exit_on_stdin_eof) {
+            LOG(ERROR, "service %s: Cannot set explicit username if "
+                "exit-on-client-eof=true", cmd->service_descriptor);
+            return -1;
+        }
+        if (cmd->exit_on_stdout_eof) {
+            LOG(ERROR, "service %s: Cannot set explicit username if "
+                "exit-on-service-eof=true", cmd->service_descriptor);
+            return -1;
+        }
         free(cmd->username);
         cmd->username = tmp_user;
     }
@@ -731,6 +750,18 @@ int find_qrexec_service(
                 path_buffer.data);
             return -2;
         }
+        if (cmd->exit_on_stdout_eof) {
+            LOG(ERROR, "Refusing to execute executable service %s with "
+                       "exit-on-service-eof=true",
+                path_buffer.data);
+            return -2;
+        }
+        if (cmd->exit_on_stdin_eof) {
+            LOG(ERROR, "Refusing to execute executable service %s with "
+                       "exit-on-client-eof=true",
+                path_buffer.data);
+            return -2;
+        }
         return 0;
     }
 

libqrexec/libqrexec-utils.h

@@ -89,6 +89,14 @@ struct qrexec_parsed_command {
     /* Remaining fields are private to libqrexec-utils.  Do not access them
      * directly - they may change in any update. */
 
+    /* For socket-based services: Should the event loop exit on EOF from
+     * the client? */
+    bool exit_on_stdin_eof;
+
+    /* For socket-based services: Should the event loop exit on EOF from
+     * the service? */
+    bool exit_on_stdout_eof;
+
     /* Pointer to the argument, or NULL if there is no argument.
      * Same buffer as "service_descriptor". */
     char *arg;
@@ -307,10 +315,24 @@ struct process_io_request {
  * process_io_request.
  *
  * Returns intended exit code (local or remote), but calls exit() on errors.
+ *
+ * Deprecated, use qrexec_process_io() instead.
  */
-__attribute__((visibility("default")))
+__attribute__((visibility("default"), warn_unused_result))
 int process_io(const struct process_io_request *req);
 
+/*
+ * Pass IO between vchan and local FDs. See the comments for
+ * process_io_request.
+ *
+ * Returns intended exit code (local or remote), but calls exit() on errors.
+ *
+ * cmd may be NULL to use the default behavior.
+ */
+__attribute__((visibility("default"), warn_unused_result))
+int qrexec_process_io(const struct process_io_request *req,
+                      const struct qrexec_parsed_command *cmd);
+
 // Logging
 
 #define DEBUG    1
@@ -388,4 +410,15 @@ bool qubes_sendmsg_all(struct msghdr *msg, int sock);
 __attribute__((visibility("default")))
 int qubes_wait_for_vchan_connection_with_timeout(
         libvchan_t *conn, int wait_fd, bool is_server, time_t timeout);
+
+/**
+ * Determine if the fork server should be used, even though the fork server
+ * does not load service configuration.
+ *
+ * \param cmd The command to check.
+ * \return true if the command should be executed using the fork server,
+ *         false otherwise.
+ */
+__attribute__((visibility("default")))
+bool qrexec_cmd_use_fork_server(const struct qrexec_parsed_command *cmd);
 #endif /* LIBQREXEC_UTILS_H */

libqrexec/private.h

@@ -1,2 +1,7 @@
+#pragma once
 #include <stdbool.h>
-int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session, char **user, bool *skip_service_descriptor);
+int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session,
+                            char **user,
+                            bool *send_service_descriptor,
+                            bool *exit_on_stdout_eof,
+                            bool *exit_on_stdin_eof);

libqrexec/process_io.c

@@ -32,6 +32,7 @@
 
 #include "libqrexec-utils.h"
 #include "remote.h"
+#include "private.h"
 
 static _Noreturn void handle_vchan_error(const char *op)
 {
@@ -79,15 +80,23 @@ enum {
 };
 
 int process_io(const struct process_io_request *req) {
+    return qrexec_process_io(req, NULL);
+}
+
+int qrexec_process_io(const struct process_io_request *req,
+                      const struct qrexec_parsed_command *cmd) {
     libvchan_t *vchan = req->vchan;
     int stdin_fd = req->stdin_fd;
     int stdout_fd = req->stdout_fd;
     int stderr_fd = req->stderr_fd;
     struct buffer *stdin_buf = req->stdin_buf;
 
-    bool is_service = req->is_service;
+    bool const is_service = req->is_service;
+    assert(is_service == (cmd != NULL));
     bool replace_chars_stdout = req->replace_chars_stdout;
     bool replace_chars_stderr = req->replace_chars_stderr;
+    bool const exit_on_stdin_eof = cmd != NULL && cmd->exit_on_stdin_eof;
+    bool const exit_on_stdout_eof = cmd != NULL && cmd->exit_on_stdout_eof;
     const int data_protocol_version = req->data_protocol_version;
     const size_t max_chunk_size = max_data_chunk_size(data_protocol_version);
     pid_t local_pid = req->local_pid;
@@ -119,19 +128,41 @@ int process_io(const struct process_io_request *req) {
     set_nonblock(stdin_fd);
     if (stdout_fd != stdin_fd)
         set_nonblock(stdout_fd);
+    if (is_service && local_pid == 0) {
+        assert(stdin_fd == stdout_fd);
+        assert(stderr_fd == -1);
+    }
     if (stderr_fd >= 0) {
         assert(is_service); // if this is a client, stderr_fd is *always* -1
         set_nonblock(stderr_fd);
     }
+    if (exit_on_stdin_eof || exit_on_stdout_eof) {
+        assert(is_service); // only valid for socket services
+        assert(local_pid == 0); // ditto
+    }
 
     /* Convenience macros that eliminate a ton of error-prone boilerplate */
-#define close_stdin() do {                      \
-    close_stdio(stdin_fd, stdout_fd, SHUT_WR);  \
-    stdin_fd = -1;                              \
+#define close_stdin() do {                          \
+    if (exit_on_stdin_eof) {                        \
+        /* Set stdin_fd and stdout_fd to -1.        \
+         * No need to close them as the process     \
+         * will soon exit. */                       \
+        stdin_fd = stdout_fd = -1;                  \
+    } else {                                        \
+        close_stdio(stdin_fd, stdout_fd, SHUT_WR);  \
+        stdin_fd = -1;                              \
+    }                                               \
 } while (0)
-#define close_stdout() do {                     \
-    close_stdio(stdout_fd, stdin_fd, SHUT_RD);  \
-    stdout_fd = -1;                             \
+#define close_stdout() do {                         \
+    if (exit_on_stdout_eof) {                       \
+        /* Set stdin_fd and stdout_fd to -1.        \
+         * No need to close them as the process     \
+         * will soon exit. */                       \
+        stdin_fd = stdout_fd = -1;                  \
+    } else {                                        \
+        close_stdio(stdout_fd, stdin_fd, SHUT_RD);  \
+        stdout_fd = -1;                             \
+    }                                               \
 } while (0)
 #pragma GCC poison close_stdio
 

libqrexec/toml.c

@@ -171,7 +171,8 @@ static void toml_value_free(union toml_data *value, enum toml_type ty) {
     }
 }
 
-int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session, char **user, bool *send_service_descriptor)
+int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session, char **user, bool *send_service_descriptor,
+                            bool *exit_on_service_eof, bool *exit_on_client_eof)
 {
     int result = -1; /* assume problem */
     FILE *config_file = fopen(config_full_path, "re");
@@ -187,6 +188,8 @@ int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session
     bool seen_wait_for_session = false;
     bool seen_user = false;
     bool seen_skip_service_descriptor = false;
+    bool seen_exit_on_client_eof = false;
+    bool seen_exit_on_service_eof = false;
     *wait_for_session = 0;
     *send_service_descriptor = true;
 #define CHECK_DUP_KEY(v) do {                                               \
@@ -290,6 +293,14 @@ int qubes_toml_config_parse(const char *config_full_path, bool *wait_for_session
                 CHECK_TYPE(TOML_TYPE_BOOL, "wait-for-session");
                 *wait_for_session = value.boolean;
             }
+        } else if (strcmp(current_line, "exit-on-client-eof") == 0) {
+            CHECK_DUP_KEY(seen_exit_on_client_eof);
+            CHECK_TYPE(TOML_TYPE_BOOL, "exit-on-client-eof");
+            *exit_on_client_eof = value.boolean;
+        } else if (strcmp(current_line, "exit-on-service-eof") == 0) {
+            CHECK_DUP_KEY(seen_exit_on_service_eof);
+            CHECK_TYPE(TOML_TYPE_BOOL, "exit-on-service-eof");
+            *exit_on_service_eof = value.boolean;
         } else if (strcmp(current_line, "skip-service-descriptor") == 0) {
             CHECK_DUP_KEY(seen_skip_service_descriptor);
             CHECK_TYPE(TOML_TYPE_BOOL, "skip-service-descriptor");