git: a6bc861c2090 - stable/13 - rc.subr: use _pidcmd to determine pid for protect

From: Mateusz Piotrowski <0mp_at_FreeBSD.org>
Date: Thu, 07 Jul 2022 18:13:53 UTC
The branch stable/13 has been updated by 0mp (doc, ports committer):

URL: https://cgit.FreeBSD.org/src/commit/?id=a6bc861c2090e6f1b52c930d27df340efd1f0a74

commit a6bc861c2090e6f1b52c930d27df340efd1f0a74
Author:     Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2021-06-24 18:14:31 +0000
Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2022-07-07 18:12:09 +0000

    rc.subr: use _pidcmd to determine pid for protect
    
    This is a more reliable method that accounts for existing pidfiles,
    procname and interpreter settings.
    
    Current method of obtaining the pid for oomprotect="YES"|"ALL" processes
    in certain cases fails to find a unique pid.
    
    One such case are rc.d scripts defining command as:
    command="daemon"
    
    which results in all processes started via daemon being selected and
    passed to protect(1) which fails and prints usage:
    
    $ /etc/rc.d/exampled restart
    Stopping exampled.
    Starting exampled.
    usage: protect [-i] command
       protect [-cdi] -g pgrp | -p pid
    
    Running the same with -x reveals what happens:
    
    + pid='3051 4268 4390 4421 4427 4470 4588 4733 4740 4870 4949 4954 4979
    5835 5866 55487 55583 56525 57643 57789 57882 58072 58167 99419'
    + /usr/bin/protect -p 3051 4268 4390 4421 4427 4470 4588 4733 4740 4870
    4949 4954 4979 5835 5866 55487 55583 56525 57643 57789 57882 58072 58167
    99419
    usage: protect [-i] command
       protect [-cdi] -g pgrp | -p pid
    
    We have a more reliable way of obtaining pid already defined in rc.subr
    and available when protect(1) needs it. We can simply `eval $_pidcmd`
    which also invokes `check_process` but properly accounts for existing
    pidfile, procname and interpreter settings.
    
    With the change the pidfile is properly obtained.
    
    Submitted by:   Adam Wolk <a.wolk at fudosecurity.com>
    Sponsored by:   Fudo Security
    Differential Revision:  https://reviews.freebsd.org/D30367
    
    Approved by:    oshogbo
    
    (cherry picked from commit 6ba108e52d175b6833437c8627ae5d0546a4e102)
---
 libexec/rc/rc.subr | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr
index e859ae06962f..b027fa5facf4 100644
--- a/libexec/rc/rc.subr
+++ b/libexec/rc/rc.subr
@@ -1272,13 +1272,13 @@ $command $rc_flags $command_args"
 			# We cannot use protect(1) inside jails.
 			if [ -n "$_oomprotect" ] && [ -f "${PROTECT}" ] &&
 			    [ "$(sysctl -n security.jail.jailed)" -eq 0 ]; then
-				pid=$(check_process $command)
+				[ -z "${rc_pid}" ] && eval $_pidcmd
 				case $_oomprotect in
 				[Aa][Ll][Ll])
-					${PROTECT} -i -p ${pid}
+					${PROTECT} -i -p ${rc_pid}
 					;;
 				[Yy][Ee][Ss])
-					${PROTECT} -p ${pid}
+					${PROTECT} -p ${rc_pid}
 					;;
 				esac
 			fi