author | Fabiano Fidêncio <fidencio@redhat.com> | 2017-01-08 23:27:57 +0100 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-01-25 12:33:12 +0100 |
commit | 087162b85e191af51637904702813969b35eaadc (patch) | |
tree | 56d4933d5c8cf9dae7cec107c32866b10ce2d6a3 /src/util | |
parent | 9657c178fb22bcbd3755db6d6fc2ec5f2e114841 (diff) | |
download | sssd-087162b85e191af51637904702813969b35eaadc.tar.gz sssd-087162b85e191af51637904702813969b35eaadc.tar.xz sssd-087162b85e191af51637904702813969b35eaadc.zip |
SERVER: Set the process group during server_setup()
By calling setpgid() in server_setup() we are able to kill the process
in the watchdog by simply doing kill(-getpid(), SIGTERM).
However, in order to have it working properly the SELinux policy for
SSSD has to be updated and unless SSSD is run with SELinux in permissive
mode, each of the responders and the monitor will trigger a similar
message:
Jan 09 14:31:50 client1.ipa.example audit[11630]: AVC avc: denied
{ setpgid } for pid=11630 comm="sssd_pac"
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0
It's important to say that until the SELinux policy is fixed, we might end up
leaking some processes.
Related:
https://fedorahosted.org/sssd/ticket/3266
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/util')
-rw-r--r-- | src/util/server.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/util/server.c b/src/util/server.c index 605fa543d..9c9441840 100644 --- a/src/util/server.c +++ b/src/util/server.c @@ -460,6 +460,17 @@ int server_setup(const char *name, int flags, struct logrotate_ctx *lctx; char *locale; int watchdog_interval; + pid_t my_pid; + + my_pid = getpid(); + ret = setpgid(my_pid, my_pid); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed setting process group: %s[%d]. " + "We might leak processes in case of failure\n", + sss_strerror(ret), ret); + } if (!is_socket_activated()) { ret = chown_debug_file(NULL, uid, gid); |
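Review bot: In the setpgid() block of the server_setup() hunk, `ret = setpgid(my_pid, my_pid); if (ret != EOK)` compares a libc syscall result (0 or -1) against SSSD's errno-style EOK; it works only because EOK happens to be 0, and it stores -1 in `ret` before overwriting it with errno. Suggest checking the syscall the way the rest of the tree treats system calls, e.g. `if (setpgid(my_pid, my_pid) == -1) { ret = errno; ... }`, so the intent is explicit. Also, since the commit message states that every responder and the monitor will hit an AVC denial here whenever SELinux is enforcing with the current policy, logging the failure at SSSDBG_MINOR_FAILURE means the "We might leak processes" condition will be invisible at default debug levels; a higher level (or a one-line note in the commit message about which debug_level exposes it) would make the degraded mode easier to diagnose from logs.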