lws_spawn: add cgroup support if on linux

Author: lws-team

READMEs/README.lws_spawn.md

@@ -0,0 +1,90 @@
+# Spawning and Managing Child Processes with `lws_spawn`
+
+The `lws_spawn` API provides a robust, platform-agnostic way to create and manage child processes directly from your C application, fully integrated with the libwebsockets event loop.
+
+## Overview
+
+The `lws_spawn` API is designed to securely run external executables as child processes. Its key features include:
+
+*   **Event-Loop Integration**: The child process lifecycle is managed without blocking the main lws event loop.
+*   **Standard I/O Redirection**: The child's `stdin`, `stdout`, and `stderr` are automatically redirected to pipes. These pipes are represented as standard `struct lws` connection instances (`wsi`), allowing you to interact with the child process using familiar lws protocol callbacks.
+*   **Automatic Lifecycle Management**: Lws handles waiting for and "reaping" the terminated child process, providing a callback with its exit status and resource accounting information.
+*   **Security**: Provides options for setting a `chroot()` jail and the working directory for the child process.
+*   **Timeout Management**: An optional timeout can be specified to automatically kill a child process that runs for too long.
+*   **Linux Cgroup Containment**: On Linux, spawned processes can be automatically placed into a new, dedicated cgroup for resource control and isolation. The cgroup is automatically removed when the process is reaped.
+
+## Core API Usage
+
+The primary entrypoint for this API is `lws_spawn_piped()`. It takes a single argument: a pointer to a `struct lws_spawn_piped_info` which you populate to describe the child process you want to create.
+
+Key members of `struct lws_spawn_piped_info`:
+
+-   `exec_array`: A `NULL`-terminated array of strings for the executable path and its arguments (equivalent to `argv`).
+-   `env_array`: A `NULL`-terminated array of strings for the child's environment variables (e.g., `{"VAR1=VALUE1", "VAR2=VALUE2", NULL}`).
+-   `vh`: The `lws_vhost` the new stdio `wsi` should be associated with.
+-   `protocol_name`: The name of the lws protocol that will handle events for the stdio `wsi`. This is **mandatory** for proper cleanup.
+-   `reap_cb`: A **mandatory** callback function of type `lsp_cb_t` that lws will call after the child process has terminated and been reaped.
+-   `opaque`: A user pointer that will be passed to your `reap_cb` and will also be available on the stdio `wsi` via `lws_get_opaque_user_data()`.
+-   `timeout_us`: Optional timeout in microseconds. If the process runs longer than this, it will be sent a `SIGTERM`.
+
+### Lifecycle and Cleanup
+
+Proper cleanup is essential. When the child process exits, its stdio pipes are closed by the operating system. This generates a `LWS_CALLBACK_RAW_FILE_CLOSE` event on each of the three stdio `wsi`.
+
+Your protocol handler **must** implement a case for this reason and call `lws_spawn_stdwsi_closed()`:
+
+```c
+static int my_spawn_protocol_cb(struct lws *wsi, enum lws_callback_reasons reason, ...)
+{
+    struct my_spawn_state *st = (struct my_spawn_state *)
+                                lws_get_opaque_user_data(wsi);
+
+    switch (reason) {
+    case LWS_CALLBACK_RAW_FILE_CLOSE:
+        if (st && st->lsp)
+            lws_spawn_stdwsi_closed(st->lsp, wsi);
+        break;
+    /* ... other cases ... */
+    }
+    return 0;
+}
+```
+
+When lws has been notified that all three stdio `wsi` have closed, it will proceed to reap the child process and invoke your `reap_cb`.
+
+## Linux Cgroup Support
+
+On Linux, `lws_spawn` can automatically create a transient cgroup v2 for each spawned process, providing resource isolation. The cgroup is automatically removed when the process is reaped.
+
+### Permissions and One-Time Setup
+
+By default, creating new cgroups in `/sys/fs/cgroup/` requires `root` privileges. A non-root user will get a "Permission Denied" error.
+
+The recommended solution is to have an administrator (or a CI setup script) perform a **one-time setup** to delegate control of a subdirectory to the user running the lws application:
+
+```sh
+# Run these commands as root once
+sudo mkdir -p /sys/fs/cgroup/lws
+sudo chown myuser:mygroup /sys/fs/cgroup/lws
+echo "+cpu +memory +pids +io" | sudo tee /sys/fs/cgroup/lws/cgroup.subtree_control
+```
+
+For applications that start as `root` and then drop privileges, lws provides a helper function to perform this setup programmatically: `int lws_spawn_cgroup_admin_init(const char *toplevel_name, const char *owner_or_NULL, const char *group_or_NULL);`. Call this function once at startup while your process still has root privileges.  The cgroup directory will take on the ownership and group given in the args, NULL means to skip the change.  If `toplevel_name` is NULL, it defaults to the builtin one "lws" as the toplevel token.  It returns success (0) if the toplevel entry already existed as well as if successfully created.
+
+Typically it will called by a daemon during init while it is still root, and configured to prepare the cgroup dir ownership for the less-privileged user / group it subsequently runs under.
+
+### API Usage
+
+To enable cgroup containment for a spawned process, set the following members in your `struct lws_spawn_piped_info`:
+
+-   `cgroup_name_suffix`: A string that will be used to name the cgroup directory. For example, a suffix of `"lws/my-task"` will create a cgroup at `/sys/fs/cgroup/lws/my-task`. This must be unique for concurrent spawns.
+
+-   `p_cgroup_ret`: An optional pointer to an `int`. If provided, lws will write `0` to this integer on successful cgroup creation, and `1` on failure.
+
+If cgroup creation fails (e.g., due to permissions), `lws_spawn_piped()` will **not** fail. It will log a warning and proceed to spawn the process without cgroup containment. Use `p_cgroup_ret` to confirm the outcome.
+
+## Example
+
+For a complete, working example that demonstrates these concepts, including cgroup setup and verification, please refer to the API test located at:
+
+`minimal-examples-lowlevel/api-tests/api-test-lws_spawn/`

include/libwebsockets/lws-misc.h

@@ -1053,6 +1053,8 @@ typedef void (*lsp_cb_t)(void *opaque, lws_usec_t *accounting, siginfo_t *si,
  * \p timeout: optional us-resolution timeout, or zero
  * \p reap_cb: callback when child process has been reaped and the lsp destroyed
  * \p tsi: tsi to bind stdwsi to... from opt_parent if given
+ * \p cgroup_name_suffix: for Linux, encapsulate spawn into this new cgroup
+ * \p p_cgroup_ret: NULL, or pointer to int to show if cgroups applied OK (0 = OK)
  */
 struct lws_spawn_piped_info {
 	struct lws_dll2_owner		*owner;
@@ -1078,6 +1080,9 @@ struct lws_spawn_piped_info {
 	const struct lws_role_ops	*ops; /* NULL is raw file */
 
 	uint8_t				disable_ctrlc;
+
+	const char			*cgroup_name_suffix;
+	int				*p_cgroup_ret;
 };
 
 /**
@@ -1154,6 +1159,29 @@ lws_spawn_get_stdfd(struct lws *wsi);
  */
 LWS_VISIBLE LWS_EXTERN int
 lws_spawn_get_fd_stdxxx(struct lws_spawn_piped *lsp, int std_idx);
+
+/**
+ * lws_spawn_cgroup_admin_init() - Create lws parent cgroup
+ *
+ * \p toplevel_name: NULL (chooses name 'lws') or the name fragment to
+ *			try to create.
+ * \p user: NULL, or the user name that will use the toplevel cgroup
+ * \p group: NULL, or the group name that will use the toplevel cgroup
+ *
+ * This helper should be called once at startup by a process that has root
+ * privileges. It will create and configure the master cgroup directory
+ * `/sys/fs/cgroup/<toplevel_name>`.
+ *
+ * After this has been called successfully, the process can drop privileges
+ * to a non-root user, and subsequent calls to lws_spawn_piped() with a
+ * cgroup_name_suffix will succeed as long as that user has write permission
+ * in the master cgroup directory (which can be arranged via chown).
+ *
+ * Returns 0 on success. On non-Linux platforms, it's a no-op that returns 1.
+ */
+LWS_VISIBLE LWS_EXTERN int
+lws_spawn_cgroup_admin_init(const char *toplevel_name,
+			    const char *user, const char *group);
 #endif
 
 struct lws_fsmount {

lib/core-net/private-lib-core-net.h

@@ -926,6 +926,10 @@ struct lws_spawn_piped {
 	lws_sorted_usec_list_t		sul;
 	lws_sorted_usec_list_t		sul_reap;
 
+#if defined(__linux__)
+	char				cgroup_path[256];
+#endif
+
 	struct lws_context		*context;
 	struct lws			*stdwsi[3];
 	lws_filefd_type			pipe_fds[3][2];

lib/core/context.c

@@ -1757,7 +1757,7 @@ lws_system_cpd_set(struct lws_context *cx, lws_cpd_result_t result)
 		return;
 
 #if !defined(LWS_WITH_NO_LOGS)
-	lwsl_cx_notice(cx, "setting CPD result %s", cname[result]);
+	lwsl_cx_info(cx, "setting CPD result %s", cname[result]);
 #endif
 
 	cx->captive_portal_detect = (uint8_t)result;

lib/plat/unix/unix-spawn.c

@@ -28,6 +28,13 @@
 
 #include "private-lib-core.h"
 #include <unistd.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <grp.h>
+
+#if defined(__linux__)
+#include <sys/stat.h>
+#endif
 
 #if defined(__OpenBSD__) || defined(__NetBSD__)
 #include <sys/resource.h>
@@ -51,7 +58,7 @@ lws_spawn_sul_reap(struct lws_sorted_usec_list *sul)
 	struct lws_spawn_piped *lsp = lws_container_of(sul,
 					struct lws_spawn_piped, sul_reap);
 
-	lwsl_notice("%s: reaping spawn after last stdpipe, tries left %d\n",
+	lwsl_info("%s: reaping spawn after last stdpipe, tries left %d\n",
 		    __func__, lsp->reap_retry_budget);
 	if (!lws_spawn_reap(lsp) && !lsp->pipes_alive) {
 		if (--lsp->reap_retry_budget) {
@@ -212,6 +219,21 @@ lws_spawn_reap(struct lws_spawn_piped *lsp)
 
 	lws_sul_cancel(&lsp->sul);
 
+#if defined(__linux__)
+	if (lsp->cgroup_path[0]) {
+		/*
+		 * The child has been reaped, we can remove the cgroup dir.
+		 * This will only work if the cgroup is empty, which it should
+		 * be now.
+		 */
+		if (rmdir(lsp->cgroup_path))
+			lwsl_warn("%s: unable to rmdir cgroup %s, errno %d\n",
+				  __func__, lsp->cgroup_path, errno);
+		else
+			lwsl_info("%s: reaped cgroup %s\n", __func__, lsp->cgroup_path);
+	}
+#endif
+
 	/*
 	 * All the stdwsi went down, nothing more is coming... it's over
 	 * Collect the final information and then reap the dead process
@@ -350,6 +372,13 @@ lws_spawn_piped(const struct lws_spawn_piped_info *i)
 	lsp->info = *i;
 	lsp->reap_retry_budget = 20;
 
+#if defined(__linux__)
+	lsp->cgroup_path[0] = '\0';
+#endif
+
+	if (i->p_cgroup_ret)
+		*i->p_cgroup_ret = 1; /* Default to cgroup failed */
+
 	/*
 	 * Prepare the stdin / out / err pipes
 	 */
@@ -445,6 +474,31 @@ lws_spawn_piped(const struct lws_spawn_piped_info *i)
 		   lsp->stdwsi[LWS_STDIN]->desc.sockfd,
 		   lsp->stdwsi[LWS_STDOUT]->desc.sockfd,
 		   lsp->stdwsi[LWS_STDERR]->desc.sockfd);
+ 
+#if defined(__linux__)
+	if (i->cgroup_name_suffix && i->cgroup_name_suffix[0]) {
+		lws_snprintf(lsp->cgroup_path, sizeof(lsp->cgroup_path),
+			     "/sys/fs/cgroup/%s", i->cgroup_name_suffix);
+
+		/*
+		 * This is the step that requires the process to either be root,
+		 * or for an admin to have delegated control of /sys/fs/cgroup/a
+		 * to the user running the process, if the suffix is "a/b".
+		 */
+		if (mkdir(lsp->cgroup_path, 0755)) {
+			lwsl_warn("%s: Failed to create cgroup %s, errno %d. "
+				  "Continuing without cgroup.\n",
+				 __func__, lsp->cgroup_path, errno);
+			lsp->cgroup_path[0] = '\0';
+			/* Do not abort, just clear the path and continue */
+		} else {
+			lwsl_info("%s: created cgroup %s\n", __func__, lsp->cgroup_path);
+			if (i->p_cgroup_ret)
+				/* Report cgroup success to caller */
+				*i->p_cgroup_ret = 0;
+		}
+	}
+#endif
 
 	/* we are ready with the redirection pipes... do the (v)fork */
 #if defined(__sun) || !defined(LWS_HAVE_VFORK) || !defined(LWS_HAVE_EXECVPE)
@@ -510,6 +564,32 @@ lws_spawn_piped(const struct lws_spawn_piped_info *i)
 	 * process is OK.  Stuff that happens after the execvpe() is OK.
 	 */
 
+#if defined(__linux__)
+	if (lsp->cgroup_path[0]) {
+		char path[300], pid_str[20];
+		int fd, len;
+
+		/*
+		 * We are the new child process. We must move ourselves into
+		 * the cgroup created for us by the parent.
+		 */
+		lws_snprintf(path, sizeof(path) - 1, "%s/cgroup.procs", lsp->cgroup_path);
+		fd = open(path, O_WRONLY);
+		if (fd >= 0) {
+			len = lws_snprintf(pid_str, sizeof(pid_str) - 1, "%d", (int)getpid());
+			if (write(fd, pid_str, (size_t)len) != (ssize_t)len) {
+				/*
+				 * using lwsl_err here is unsafe in vfork()
+				 * child, just exit with a special code
+				 */
+				_exit(121);
+			}
+			close(fd);
+		} else
+			_exit(122);
+	}
+#endif
+
 	if (i->chroot_path && chroot(i->chroot_path)) {
 		lwsl_err("%s: child chroot %s failed, errno %d\n",
 			 __func__, i->chroot_path, errno);
@@ -603,6 +683,21 @@ lws_spawn_stdwsi_closed(struct lws_spawn_piped *lsp, struct lws *wsi)
 {
 	int n;
 
+	/*
+	 * This is part of the normal cleanup path, check if the lsp has already
+	 * been destroyed by a timeout or other error path. If the stdwsi that
+	 * is closing has already been nulled out, we have already been through
+	 * destroy.
+	 */
+	for (n = 0; n < 3; n++)
+		if (lsp->stdwsi[n] == wsi)
+			goto found;
+
+	/* Not found, so must have been destroyed already */
+	return;
+
+found:
+ 
 	assert(lsp);
 	lsp->pipes_alive--;
 	lwsl_debug("%s: pipes alive %d\n", __func__, lsp->pipes_alive);
@@ -621,6 +716,88 @@ lws_spawn_get_stdfd(struct lws *wsi)
 	return wsi->lsp_channel;
 }
 
+int
+lws_spawn_cgroup_admin_init(const char *toplevel_name, const char *user, const char *group)
+{
+#if defined(__linux__)
+	uid_t uid = (uid_t)-1;
+	gid_t gid = (gid_t)-1;
+	char path[128];
+	int cfd;
+
+	if (!toplevel_name)
+		toplevel_name = "lws";
+
+	lws_snprintf(path, sizeof(path), "/sys/fs/cgroup/%s", toplevel_name);
+
+	/*
+	 * Create the lws parent cgroup directory. This will only succeed if
+	 * the process has sufficient privileges (e.g., root).
+	 */
+	if (mkdir(path, 0755) && errno != EEXIST) {
+		lwsl_warn("%s: Failed to mkdir %s: %s\n",
+			  __func__, path, strerror(errno));
+		return 1;
+	}
+
+	/*
+	 * Now, change the ownership of the directory to the user/group that
+	 * lws will drop privileges to. This allows the non-root user to
+	 * create sub-cgroups inside.
+	 */
+	if (user) {
+		struct passwd *pwd;
+
+		pwd = getpwnam(user);
+		if (pwd)
+			uid = pwd->pw_uid;
+		else
+			lwsl_warn("%s: user '%s' not found\n", __func__, user);
+	}
+	if (group) {
+		struct group *grp;
+ 
+		grp = getgrnam(group);
+		if (grp)
+			gid = grp->gr_gid;
+		else
+			lwsl_warn("%s: group '%s' not found\n", __func__, group);
+	}
+
+	lwsl_notice("%s: switching cgroup toplevel owner to %d:%d\n",
+			__func__, uid, gid);
+
+	if (chown("/sys/fs/cgroup/lws", uid, gid) < 0)
+		lwsl_warn("%s: failed to chown /sys/fs/cgroup/lws: %s\n",
+			  __func__, strerror(errno));
+
+	lws_snprintf(path, sizeof(path), "/sys/fs/cgroup/%s/cgroup.subtree_control",
+			toplevel_name);
+
+	/*
+	 * We must enable controllers for the parent before they can be
+	 * used by children. This makes them available for delegation.
+	 * This step might require root.
+	 */
+	cfd = lws_open(path, LWS_O_WRONLY);
+	if (cfd < 0) {
+		/* May fail if user doesn't own the file, that's okay */
+		lwsl_info("%s: cannot open subtree_control: %s\n",
+			    __func__, strerror(errno));
+		return 0; /* Still a success if dir exists */
+	}
+
+	if (write(cfd, "+cpu +memory +pids +io", 22) != 22)
+		/* ignore, may be there already or fail due to perms */
+		lwsl_debug("%s: setting admin cgroup options failed\n", __func__);
+	close(cfd);
+	lwsl_notice("%s: lws cgroup parent configured\n", __func__);
+
+	return 0;
+#endif
+	return 1; /* Not supported on this platform */
+}
+
 int
 lws_spawn_get_fd_stdxxx(struct lws_spawn_piped *lsp, int std_idx)
 {