Move the SingletonSocket to a temporary directory

chrome/browser/process_singleton_linux.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // On Linux, when the user tries to launch a second copy of chrome, we check
 // for a socket in the user's profile directory.  If the socket file is open we
 // send a message to the first chrome browser process with the current
 // directory and second process command line flags.  The second process then
 // exits.
 //
+// Because many networked filesystem implementations do not support unix domain
+// sockets, we create the socket in a temporary directory and create a symlink
+// in the profile. This temporary directory is no longer bound to the profile,
+// and may disappear across a reboot or login to a separate session. To bind
+// them, we store a unique cookie in the profile directory, which must also be
+// present in the remote directory to connect. The cookie is checked both before
+// and after the connection. /tmp is sticky, and different Chrome sessions use
+// different cookies. Thus, a matching cookie before and after means the
+// connection was to a directory with a valid cookie.
+//
 // We also have a lock file, which is a symlink to a non-existent destination.
 // The destination is a string containing the hostname and process id of
 // chrome's browser process, eg. "SingletonLock -> example.com-9156".  When the
 // first copy of chrome exits it will delete the lock file on shutdown, so that
 // a different instance on a different host may then use the profile directory.
 //
 // If writing to the socket fails, the hostname in the lock is checked to see if
 // another instance is running a different host using a shared filesystem (nfs,
 // etc.) If the hostname differs an error is displayed and the second process
 // exits.  Otherwise the first process (if any) is killed and the second process
@@ skipping 27 matching lines @@
 #include "base/base_paths.h"
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/eintr_wrapper.h"
 #include "base/file_path.h"
 #include "base/logging.h"
 #include "base/message_loop.h"
 #include "base/path_service.h"
 #include "base/platform_thread.h"
 #include "base/process_util.h"
+#include "base/rand_util.h"
 #include "base/safe_strerror_posix.h"
 #include "base/stl_util-inl.h"
 #include "base/string_number_conversions.h"
 #include "base/sys_string_conversions.h"
 #include "base/utf_string_conversions.h"
 #include "base/time.h"
 #include "base/timer.h"
 #include "chrome/browser/browser_init.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chrome_thread.h"
@@ skipping 115 matching lines @@
       // No more data to read.
       return bytes_read;
     } else {
       bytes_read += rv;
     }
   } while (bytes_read < bufsize);
 
   return bytes_read;
 }
 
-// Set up a socket and sockaddr appropriate for messaging.
-void SetupSocket(const std::string& path, int* sock, struct sockaddr_un* addr) {
-  *sock = socket(PF_UNIX, SOCK_STREAM, 0);
-  PCHECK(*sock >= 0) << "socket() failed";
-
-  int rv = SetNonBlocking(*sock);
-  DCHECK_EQ(0, rv) << "Failed to make non-blocking socket.";
-  rv = SetCloseOnExec(*sock);
-  DCHECK_EQ(0, rv) << "Failed to set CLOEXEC on socket.";
-
+// Set up a sockaddr appropriate for messaging.
+void SetupSockAddr(const std::string& path, struct sockaddr_un* addr) {
   addr->sun_family = AF_UNIX;
   CHECK(path.length() < arraysize(addr->sun_path))
       << "Socket path too long: " << path;
   base::strlcpy(addr->sun_path, path.c_str(), arraysize(addr->sun_path));
 }
 
-// Read a symbol link, return empty string if given path is not a symbol link.
+// Set up a socket appropriate for messaging.
+int SetupSocketOnly() {
+  int sock = socket(PF_UNIX, SOCK_STREAM, 0);
+  PCHECK(sock >= 0) << "socket() failed";
+
+  int rv = SetNonBlocking(sock);
+  DCHECK_EQ(0, rv) << "Failed to make non-blocking socket.";
+  rv = SetCloseOnExec(sock);
+  DCHECK_EQ(0, rv) << "Failed to set CLOEXEC on socket.";
+
+  return sock;
+}
+
+// Set up a socket and sockaddr appropriate for messaging.
+void SetupSocket(const std::string& path, int* sock, struct sockaddr_un* addr) {
+  *sock = SetupSocketOnly();
+  SetupSockAddr(path, addr);
+}
+
+// Read a symbolic link, return empty string if given path is not a
+// symbol link. This version does not interpret the errno, leaving
+// the caller to do so.
+bool ReadLinkSilent(const std::string& path, std::string* output) {
+  char buf[PATH_MAX];
+  ssize_t len = readlink(path.c_str(), buf, PATH_MAX);
+  if (len >= 0) {
+    output->assign(buf, len);
+    return true;
+  }
+  output->clear();
+  return false;
+}
+
+// Read a symbolic link, return empty string if given path is not a symbol link.
 std::string ReadLink(const std::string& path) {
-  struct stat statbuf;
-
-  if (lstat(path.c_str(), &statbuf) < 0) {
-    DCHECK_EQ(errno, ENOENT);
-    return std::string();
+  std::string target;
+  if (!ReadLinkSilent(path, &target)) {
+    // The only errno that should occur is ENOENT.
+    if (errno != 0 && errno != ENOENT)
+      PLOG(ERROR) << "readlink(" << path << ") failed";
   }
-
-  if (S_ISLNK(statbuf.st_mode)) {
-    char buf[PATH_MAX + 1];
-    ssize_t len = readlink(path.c_str(), buf, PATH_MAX);
-    if (len > 0) {
-      buf[len] = '\0';
-      return std::string(buf);
-    } else {
-      PLOG(ERROR) << "readlink(" << path << ") failed";
-    }
-  }
-
-  return std::string();
+  return target;
 }
 
 // Unlink a path. Return true on success.
 bool UnlinkPath(const std::string& path) {
   int rv = unlink(path.c_str());
   if (rv < 0 && errno != ENOENT)
     PLOG(ERROR) << "Failed to unlink " << path;
 
   return rv == 0;
 }
 
+// Create a symlink. Returns true on success.
+bool SymlinkPath(const std::string& target, const std::string& path) {
+  if (symlink(target.c_str(), path.c_str()) < 0) {
+    // Double check the value in case symlink suceeded but we got an incorrect
+    // failure due to NFS packet loss & retry.
+    int saved_errno = errno;
+    if (ReadLink(path) != target) {
+      // If we failed to create the lock, most likely another instance won the
+      // startup race.
+      errno = saved_errno;
+      PLOG(ERROR) << "Failed to create " << path;
+      return false;
+    }
+  }
+  return true;
+}
+
 // Extract the hostname and pid from the lock symlink.
 // Returns true if the lock existed.
 bool ParseLockPath(const std::string& path,
                    std::string* hostname,
                    int* pid) {
   std::string real_path = ReadLink(path);
   if (real_path.empty())
     return false;
 
-  std::string::size_type pos = real_path.rfind('-');
+  std::string::size_type pos = real_path.rfind(kLockDelimiter);
 
   // If the path is not a symbolic link, or doesn't contain what we expect,
   // bail.
   if (pos == std::string::npos) {
     *hostname = "";
     *pid = -1;
     return true;
   }
 
   *hostname = real_path.substr(0, pos);
@@ skipping 68 matching lines @@
     // progress of shutting down and finishes before we try to kill it).
     DCHECK(rv == 0 || errno == ESRCH) << "Error killing process: "
                                       << safe_strerror(errno);
     return true;
   }
 
   LOG(ERROR) << "Failed to extract pid from path: " << path;
   return true;
 }
 
-// A helper class to close a socket automatically.
-class SocketCloser {
+// A helper class to hold onto a socket.
+class ScopedSocket {
  public:
-  explicit SocketCloser(int fd) : fd_(fd) { }
-  ~SocketCloser() { CloseSocket(fd_); }
+  ScopedSocket() : fd_(-1) { Reset(); }
+  ~ScopedSocket() { Close(); }
+  int fd() { return fd_; }
+  void Reset() {
+    Close();
+    fd_ = SetupSocketOnly();
+  }
+  void Close() {
+    if (fd_ >= 0)
+      CloseSocket(fd_);
+    fd_ = -1;
+  }
  private:
   int fd_;
 };
 
+// Returns a random string for uniquifying profile connections.
+std::string GenerateCookie() {
+  return base::Uint64ToString(base::RandUint64());
+}
+
+bool CheckCookie(const FilePath& path, const std::string& cookie) {
+  return (cookie == ReadLink(path.value()));
+}
+
+bool ConnectSocket(ScopedSocket* socket,
+                   const FilePath& socket_path,
+                   const FilePath& cookie_path) {
+  std::string socket_target;
+  if (ReadLinkSilent(socket_path.value(), &socket_target)) {
+    // It's a symlink. Read the cookie.
+    std::string cookie = ReadLink(cookie_path.value());
+    if (cookie.empty())
+      return false;
+    FilePath remote_cookie = FilePath(socket_target).DirName().
+        Append(chrome::kSingletonCookieFilename);
+    // Verify the cookie before connecting.
+    if (!CheckCookie(remote_cookie, cookie))
+      return false;
+    // Now we know the directory was (at that point) created by the profile
+    // owner. Try to connect.
+    sockaddr_un addr;
+    SetupSockAddr(socket_path.value(), &addr);
+    int ret = HANDLE_EINTR(connect(socket->fd(),
+                                   reinterpret_cast<sockaddr*>(&addr),
+                                   sizeof(addr)));
+    if (ret != 0)
+      return false;
+    // Check the cookie again. We only link in /tmp, which is sticky, so, if the
+    // directory is still correct, it must have been correct in-between when we
+    // connected. POSIX, sadly, lacks a connectat().
+    if (!CheckCookie(remote_cookie, cookie)) {
+      socket->Reset();
+      return false;
+    }
+    // Success!
+    return true;
+  } else if (errno == EINVAL) {
+    // It exists, but is not a symlink (or some other error we detect
+    // later). Just connect to it directly; this is an older version of Chrome.
+    sockaddr_un addr;
+    SetupSockAddr(socket_path.value(), &addr);
+    int ret = HANDLE_EINTR(connect(socket->fd(),
+                                   reinterpret_cast<sockaddr*>(&addr),
+                                   sizeof(addr)));
+    return (ret == 0);
+  } else {
+    // File is missing, or other error.
+    if (errno != ENOENT)
+      PLOG(ERROR) << "readlink failed";
+    return false;
+  }
+}
+
 }  // namespace
 
 ///////////////////////////////////////////////////////////////////////////////
 // ProcessSingleton::LinuxWatcher
 // A helper class for a Linux specific implementation of the process singleton.
 // This class sets up a listener on the singleton socket and handles parsing
 // messages that come in on the singleton socket.
 class ProcessSingleton::LinuxWatcher
     : public MessageLoopForIO::Watcher,
       public MessageLoop::DestructionObserver,
@@ skipping 288 matching lines @@
 
 ///////////////////////////////////////////////////////////////////////////////
 // ProcessSingleton
 //
 ProcessSingleton::ProcessSingleton(const FilePath& user_data_dir)
     : locked_(false),
       foreground_window_(NULL),
       ALLOW_THIS_IN_INITIALIZER_LIST(watcher_(new LinuxWatcher(this))) {
   socket_path_ = user_data_dir.Append(chrome::kSingletonSocketFilename);
   lock_path_ = user_data_dir.Append(chrome::kSingletonLockFilename);
+  cookie_path_ = user_data_dir.Append(chrome::kSingletonCookieFilename);
 }
 
 ProcessSingleton::~ProcessSingleton() {
 }
 
 ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcess() {
   return NotifyOtherProcessWithTimeout(*CommandLine::ForCurrentProcess(),
                                        kTimeoutInSeconds,
                                        true);
 }
 
 ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcessWithTimeout(
     const CommandLine& cmd_line,
     int timeout_seconds,
     bool kill_unresponsive) {
   DCHECK_GE(timeout_seconds, 0);
 
-  int socket;
-  sockaddr_un addr;
-  SetupSocket(socket_path_.value(), &socket, &addr);
-
-  // It'll close the socket automatically when exiting this method.
-  SocketCloser socket_closer(socket);
-
+  ScopedSocket socket;
   for (int retries = 0; retries <= timeout_seconds; ++retries) {
-    // Connecting to the socket
-    int ret = HANDLE_EINTR(connect(socket,
-                                   reinterpret_cast<sockaddr*>(&addr),
-                                   sizeof(addr)));
-    if (ret == 0)
+    // Try to connect to the socket.
+    if (ConnectSocket(&socket, socket_path_, cookie_path_))
       break;
 
     // If we're in a race with another process, they may be in Create() and have
     // created the lock but not attached to the socket.  So we check if the
     // process with the pid from the lockfile is currently running and is a
     // chrome browser.  If so, we loop and try again for |timeout_seconds|.
 
     std::string hostname;
     int pid;
     if (!ParseLockPath(lock_path_.value(), &hostname, &pid)) {
@@ skipping 30 matching lines @@
       // Retries failed.  Kill the unresponsive chrome process and continue.
       if (!kill_unresponsive || !KillProcessByLockPath(lock_path_.value()))
         return PROFILE_IN_USE;
       return PROCESS_NONE;
     }
 
     PlatformThread::Sleep(1000 /* ms */);
   }
 
   timeval timeout = {timeout_seconds, 0};
-  setsockopt(socket, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout));
+  setsockopt(socket.fd(), SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout));
 
   // Found another process, prepare our command line
   // format is "START\0<current dir>\0<argv[0]>\0...\0<argv[n]>".
   std::string to_send(kStartToken);
   to_send.push_back(kTokenDelimiter);
 
   FilePath current_dir;
   if (!PathService::Get(base::DIR_CURRENT, &current_dir))
     return PROCESS_NONE;
   to_send.append(current_dir.value());
 
   const std::vector<std::string>& argv = cmd_line.argv();
   for (std::vector<std::string>::const_iterator it = argv.begin();
       it != argv.end(); ++it) {
     to_send.push_back(kTokenDelimiter);
     to_send.append(*it);
   }
 
   // Send the message
-  if (!WriteToSocket(socket, to_send.data(), to_send.length())) {
+  if (!WriteToSocket(socket.fd(), to_send.data(), to_send.length())) {
     // Try to kill the other process, because it might have been dead.
     if (!kill_unresponsive || !KillProcessByLockPath(lock_path_.value()))
       return PROFILE_IN_USE;
     return PROCESS_NONE;
   }
 
-  if (shutdown(socket, SHUT_WR) < 0)
+  if (shutdown(socket.fd(), SHUT_WR) < 0)
     PLOG(ERROR) << "shutdown() failed";
 
   // Read ACK message from the other process. It might be blocked for a certain
   // timeout, to make sure the other process has enough time to return ACK.
   char buf[kMaxACKMessageLength + 1];
   ssize_t len =
-      ReadFromSocket(socket, buf, kMaxACKMessageLength, timeout_seconds);
+      ReadFromSocket(socket.fd(), buf, kMaxACKMessageLength, timeout_seconds);
 
   // Failed to read ACK, the other process might have been frozen.
   if (len <= 0) {
     if (!kill_unresponsive || !KillProcessByLockPath(lock_path_.value()))
       return PROFILE_IN_USE;
     return PROCESS_NONE;
   }
 
   buf[len] = '\0';
   if (strncmp(buf, kShutdownToken, arraysize(kShutdownToken) - 1) == 0) {
@@ skipping 46 matching lines @@
   // The symlink lock is pointed to the hostname and process id, so other
   // processes can find it out.
   std::string symlink_content = StringPrintf(
       "%s%c%u",
       net::GetHostName().c_str(),
       kLockDelimiter,
       base::GetCurrentProcId());
 
   // Create symbol link before binding the socket, to ensure only one instance
   // can have the socket open.
-  if (symlink(symlink_content.c_str(), lock_path_.value().c_str()) < 0) {
-    // Double check the value in case symlink suceeded but we got an incorrect
-    // failure due to NFS packet loss & retry.
-    int saved_errno = errno;
-    if (ReadLink(lock_path_.value()) != symlink_content) {
+  if (!SymlinkPath(symlink_content, lock_path_.value())) {
       // If we failed to create the lock, most likely another instance won the
       // startup race.
-      errno = saved_errno;
-      PLOG(ERROR) << "Failed to create " << lock_path_.value();
       return false;
-    }
   }
 
-  SetupSocket(socket_path_.value(), &sock, &addr);
+  // Create the socket file somewhere in /tmp which is usually mounted as a
+  // normal filesystem. Some network filesystems (notably AFS) are screwy and
+  // do not support Unix domain sockets.
+  if (!socket_dir_.CreateUniqueTempDir()) {
+    LOG(ERROR) << "Failed to create socket directory.";
+    return false;
+  }
+  // Setup the socket symlink and the two cookies.
+  FilePath socket_target_path =
+      socket_dir_.path().Append(chrome::kSingletonSocketFilename);
+  std::string cookie = GenerateCookie();
+  FilePath remote_cookie_path =
+      socket_dir_.path().Append(chrome::kSingletonCookieFilename);
+  UnlinkPath(socket_path_.value());
+  UnlinkPath(cookie_path_.value());
+  if (!SymlinkPath(socket_target_path.value(), socket_path_.value()) ||
+      !SymlinkPath(cookie, cookie_path_.value()) ||
+      !SymlinkPath(cookie, remote_cookie_path.value())) {
+    // We've already locked things, so we can't have lost the startup race,
+    // but something doesn't like us.
+    LOG(ERROR) << "Failed to create symlinks.";
+    socket_dir_.Delete();
+    return false;
+  }
 
-  UnlinkPath(socket_path_.value());
+  SetupSocket(socket_target_path.value(), &sock, &addr);
 
   if (bind(sock, reinterpret_cast<sockaddr*>(&addr), sizeof(addr)) < 0) {
-    PLOG(ERROR) << "Failed to bind() " << socket_path_.value();
+    PLOG(ERROR) << "Failed to bind() " << socket_target_path.value();
     CloseSocket(sock);
     return false;
   }
 
   if (listen(sock, 5) < 0)
     NOTREACHED() << "listen failed: " << safe_strerror(errno);
 
   // Normally we would use ChromeThread, but the IO thread hasn't started yet.
   // Using g_browser_process, we start the thread so we can listen on the
   // socket.
   MessageLoop* ml = g_browser_process->io_thread()->message_loop();
   DCHECK(ml);
   ml->PostTask(FROM_HERE, NewRunnableMethod(
     watcher_.get(),
     &ProcessSingleton::LinuxWatcher::StartListening,
     sock));
 
   return true;
 }
 
 void ProcessSingleton::Cleanup() {
+  UnlinkPath(socket_path_.value());
+  UnlinkPath(cookie_path_.value());
   UnlinkPath(lock_path_.value());
 }