Add binary checksum to starter applications.
Signed-off-by: Tyler Chatow <tchatow@gmail.com>
Change-Id: I43ef575584deeb59d437fd0576e160bb8f75b8ab
diff --git a/aos/starter/BUILD b/aos/starter/BUILD
index e6dad81..6e6afe4 100644
--- a/aos/starter/BUILD
+++ b/aos/starter/BUILD
@@ -33,6 +33,7 @@
"//aos/events:event_loop",
"//aos/events:shm_event_loop",
"//aos/util:scoped_pipe",
+ "@boringssl//:crypto",
"@com_github_google_glog//:glog",
],
)
diff --git a/aos/starter/starter.fbs b/aos/starter/starter.fbs
index 4b66833..1fd990e 100644
--- a/aos/starter/starter.fbs
+++ b/aos/starter/starter.fbs
@@ -45,7 +45,10 @@
EXECV_ERR,
// Failed to change to the requested group
- SET_GRP_ERR
+ SET_GRP_ERR,
+
+ // Failed to either find the binary or open it for reading.
+ RESOLVE_ERR,
}
table Status {
@@ -73,6 +76,12 @@
// Indicates the reason the application is not running. Only valid if
// application is STOPPED.
last_stop_reason: LastStopReason (id: 6);
+
+ binary_sha256: string (id: 7);
+
+ // Resolved path to the binary executed. May be absolute or relative to the
+ // working directory of starter.
+ full_path: string (id: 8);
}
root_type Status;
diff --git a/aos/starter/subprocess.cc b/aos/starter/subprocess.cc
index c1eb618..76a22f2 100644
--- a/aos/starter/subprocess.cc
+++ b/aos/starter/subprocess.cc
@@ -6,7 +6,9 @@
#include <sys/types.h>
#include <sys/wait.h>
+#include "absl/strings/str_split.h"
#include "glog/logging.h"
+#include "openssl/sha.h"
namespace aos::starter {
@@ -92,6 +94,12 @@
start_timer_->Disable();
restart_timer_->Disable();
+ if (!UpdatePathAndChecksum()) {
+ stop_reason_ = aos::starter::LastStopReason::RESOLVE_ERR;
+ MaybeQueueRestart();
+ return;
+ }
+
status_pipes_ = util::ScopedPipe::MakePipe();
if (capture_stdout_) {
@@ -198,15 +206,15 @@
}
// argv[0] should be the program name
- args_.insert(args_.begin(), path_);
+ args_.insert(args_.begin(), full_path_);
std::vector<char *> cargs = CArgs();
- execvp(path_.c_str(), cargs.data());
+ execv(full_path_.c_str(), cargs.data());
// If we got here, something went wrong
status_pipes_.write->Write(
static_cast<uint32_t>(aos::starter::LastStopReason::EXECV_ERR));
- PLOG(WARNING) << "Could not execute " << name_ << " (" << path_ << ')';
+ PLOG(WARNING) << "Could not execute " << name_ << " (" << full_path_ << ')';
_exit(EXIT_FAILURE);
}
@@ -296,6 +304,15 @@
on_change_();
}
+void Application::MaybeQueueRestart() {
+ if (autorestart()) {
+ QueueStart();
+ } else {
+ status_ = aos::starter::State::STOPPED;
+ on_change_();
+ }
+}
+
std::vector<char *> Application::CArgs() {
std::vector<char *> cargs;
std::transform(args_.begin(), args_.end(), std::back_inserter(cargs),
@@ -345,10 +362,70 @@
}
}
+bool Application::UpdatePathAndChecksum() {
+ int fin = -1;
+ std::string test_path;
+ if (path_.find('/') != std::string::npos) {
+ test_path = path_;
+ fin = open(path_.c_str(), O_RDONLY);
+ } else {
+ char *path = secure_getenv("PATH");
+ for (std::string_view path_cmp : absl::StrSplit(path, ':')) {
+ test_path = absl::StrCat(path_cmp, "/", path_);
+ fin = open(test_path.c_str(), O_RDONLY);
+ if (fin != -1) break;
+ }
+ }
+ if (fin == -1) {
+ PLOG(WARNING) << "Failed to open binary '" << path_ << "' as file";
+ return false;
+ }
+
+ full_path_ = std::move(test_path);
+
+ // Hash iteratively to avoid reading the entire binary into memory
+ constexpr std::size_t kReadSize = 1024 * 16;
+
+ SHA256_CTX ctx;
+ CHECK_EQ(SHA256_Init(&ctx), 1);
+
+ std::array<uint8_t, kReadSize> buf;
+
+ while (true) {
+ const ssize_t result = read(fin, buf.data(), kReadSize);
+ PCHECK(result != -1);
+ if (result == 0) {
+ break;
+ } else {
+ CHECK_EQ(SHA256_Update(&ctx, buf.data(), result), 1);
+ }
+ }
+ PCHECK(close(fin) == 0);
+
+ std::array<uint8_t, SHA256_DIGEST_LENGTH> hash_buf;
+ CHECK_EQ(SHA256_Final(hash_buf.data(), &ctx), 1);
+
+ static constexpr std::string_view kHexTable = "0123456789abcdef";
+
+ static_assert(hash_buf.size() * 2 == kSha256HexStrSize);
+ for (std::size_t i = 0; i < hash_buf.size(); ++i) {
+ checksum_[i * 2] = kHexTable[(hash_buf[i] & 0xF0U) >> 4U];
+ checksum_[i * 2 + 1] = kHexTable[hash_buf[i] & 0x0FU];
+ }
+
+ return true;
+}
+
flatbuffers::Offset<aos::starter::ApplicationStatus>
Application::PopulateStatus(flatbuffers::FlatBufferBuilder *builder) {
CHECK_NOTNULL(builder);
auto name_fbs = builder->CreateString(name_);
+ auto full_path_fbs = builder->CreateString(full_path_);
+ flatbuffers::Offset<flatbuffers::String> binary_sha256_fbs;
+ if (pid_ != -1) {
+ binary_sha256_fbs =
+ builder->CreateString(checksum_.data(), checksum_.size());
+ }
aos::starter::ApplicationStatus::Builder status_builder(*builder);
status_builder.add_name(name_fbs);
@@ -360,6 +437,8 @@
if (pid_ != -1) {
status_builder.add_pid(pid_);
status_builder.add_id(id_);
+ status_builder.add_binary_sha256(binary_sha256_fbs);
+ status_builder.add_full_path(full_path_fbs);
}
status_builder.add_last_start_time(start_time_.time_since_epoch().count());
return status_builder.Finish();
@@ -441,12 +520,7 @@
LOG(WARNING) << "Failed to start '" << name_ << "' on pid " << pid_
<< " : Exited with status " << exit_code_.value();
}
- if (autorestart()) {
- QueueStart();
- } else {
- status_ = aos::starter::State::STOPPED;
- on_change_();
- }
+ MaybeQueueRestart();
break;
}
case aos::starter::State::RUNNING: {
@@ -458,12 +532,7 @@
<< " exited unexpectedly with status "
<< exit_code_.value();
}
- if (autorestart()) {
- QueueStart();
- } else {
- status_ = aos::starter::State::STOPPED;
- on_change_();
- }
+ MaybeQueueRestart();
break;
}
case aos::starter::State::STOPPING: {
diff --git a/aos/starter/subprocess.h b/aos/starter/subprocess.h
index 9ee9e31..ed4d0dd 100644
--- a/aos/starter/subprocess.h
+++ b/aos/starter/subprocess.h
@@ -75,6 +75,8 @@
bool autorestart() const { return autorestart_; }
+ std::string_view full_path() const { return full_path_; }
+
const std::string &GetStdout();
const std::string &GetStderr();
std::optional<int> exit_code() const { return exit_code_; }
@@ -91,6 +93,9 @@
void QueueStart();
+ // Queues start if autorestart set, otherwise moves state to stopped.
+ void MaybeQueueRestart();
+
// Copy flatbuffer vector of strings to vector of std::string.
static std::vector<std::string> FbsVectorToVector(
const flatbuffers::Vector<flatbuffers::Offset<flatbuffers::String>> &v);
@@ -106,11 +111,21 @@
// call).
std::vector<char *> CArgs();
+ // Resolves the path to the binary from the PATH environment variable. On
+ // success, updates full_path_ to the absolute path to the binary and the
+ // checksum_ to the hex-encoded sha256 hash of the file; returns true. On
+ // failure, returns false.
+ bool UpdatePathAndChecksum();
+
// Next unique id for all applications
static inline uint64_t next_id_ = 0;
+ static constexpr size_t kSha256HexStrSize = 256 / CHAR_BIT * 2;
+
std::string name_;
std::string path_;
+ std::string full_path_;
+ std::array<char, kSha256HexStrSize> checksum_{"DEADBEEF"};
std::vector<std::string> args_;
std::string user_name_;
std::optional<uid_t> user_;
diff --git a/aos/starter/subprocess_test.cc b/aos/starter/subprocess_test.cc
index 93fbf6a..ede39f8 100644
--- a/aos/starter/subprocess_test.cc
+++ b/aos/starter/subprocess_test.cc
@@ -49,6 +49,9 @@
event_loop.Run();
+ EXPECT_TRUE(echo_stdout.full_path() == "/bin/echo" ||
+ echo_stdout.full_path() == "/usr/bin/echo")
+ << echo_stdout.full_path();
ASSERT_EQ("abcdef\n", echo_stdout.GetStdout());
ASSERT_TRUE(echo_stdout.GetStderr().empty());
EXPECT_TRUE(observed_stopped);