Boot - don't store pid commands on macOS

samaaron · samaaron · commit d3eca5becf48 · 2021-01-23T02:18:16.000Z
When executing within a hardened runtime on macOS it appears that calling `ps` either directly or via `Sys::ProcTable.ps` is denied causing the Ruby process to be immediately terminated.

We called `ps` in order to get the command name of the pid we were registering to store it alongside and to check with when attempting to clear and kill running processes.

We no longer do this on macOS and therefore avoid the Ruby process from being terminated prematurely.

Eventually we need to look into re-designing the process creation and management system from a suite of Ruby scripts to a reliable running process that we connect to via a TCP connection which when disconnected will cause all registered pids to be terminated.
diff --git a/app/server/ruby/bin/task-clear.rb b/app/server/ruby/bin/task-clear.rb
@@ -48,7 +48,8 @@
   pids = ARGV
 end
 
-log_process_info "\n\nClearing pids: #{pids.inspect}\n"
+log_process_info "\n\task-clear.rb\n\n"
+log_process_info "\nClearing pids: #{pids.inspect}\n"
 
 if pids.empty?
   log_process_info "No pids to clear :-)\n"
@@ -76,17 +77,26 @@
     FileUtils.rm pid_path
   end
 
+    command_line = ""
+
   begin
-    info = Sys::ProcTable.ps(pid: pid)
-    raise unless info
+    if os == :osx
+      # We can't use ProcTable.ps or `ps` from within a hardened runtime
+      # on macOS So don't attempt to extract command line for pid
+    else
+      info = Sys::ProcTable.ps(pid: pid)
+      raise unless info
+      command_line = info.cmdline.strip
+    end
+
   rescue
     log_process_info "  -- unable to get ProcTable info for: #{pid}"
     log_process_info "  -- process: #{pid} not running"
     next
   end
 
   # Don't kill process unless the command line arguments match
-  next unless info.cmdline.strip == orig_cmdline.strip
+  next unless command_line.strip == orig_cmdline.strip
 
   if os == :windows
     # We're on Windows, so go straight for the jugular
diff --git a/app/server/ruby/bin/task-register.rb b/app/server/ruby/bin/task-register.rb
@@ -33,11 +33,34 @@
 
 f = nil
 
+os = case RUBY_PLATFORM
+     when /.*arm.*-linux.*/
+       :raspberry
+     when /.*linux.*/
+       :linux
+     when /.*darwin.*/
+       :osx
+     when /.*mingw.*/
+       :windows
+     else
+       :unknown
+     end
+
+command_line = ""
+
 begin
-  if s = Sys::ProcTable.ps(pid: pid)
+  if os == :osx
+      # We can't use ProcTable.ps or `ps` from within a hardened runtime
+      # on macOS So don't attempt to extract command line for pid
+  else
+    info = Sys::ProcTable.ps(pid: pid)
+    command_line = info.cmdline.strip
+  end
+
+  if command_line
     f = File.open(pid_path, 'w')
-    f.puts s.cmdline
-    log_process_info "Started [#{pid}] [-] #{s.cmdline} [-] #{pid_path}"
+    f.puts command_line
+    log_process_info "Started [#{pid}] [-] #{command_line} [-] #{pid_path}"
   end
 rescue Exception => e
   log_process_info "ERROR: Unable to write information for PID #{pid} to path #{pid_path}!"
