Generalise code for hunting agents that may be holding YubiKeys

This commit is contained in:
Jack Grigg
2022-12-31 13:07:15 +00:00
parent d4f8993988
commit 6e47448560
+20 -17
View File
@@ -77,27 +77,27 @@ pub(crate) fn wait_for_readers() -> Result<Context, Error> {
} }
} }
/// Stops `scdaemon` if it is running. /// Looks for agent processes that might be holding exclusive access to a YubiKey, and
/// asks them as nicely as possible to release it.
/// ///
/// Returns `true` if `scdaemon` was running and was successfully interrupted (or killed /// Returns `true` if any known agent was running and was successfully interrupted (or
/// if the platform doesn't support interrupts). /// killed if the platform doesn't support interrupts).
fn stop_scdaemon() -> bool { fn hunt_agents() -> bool {
debug!("Sharing violation encountered, looking for scdaemon processes to stop"); debug!("Sharing violation encountered, looking for agent processes");
use sysinfo::{ use sysinfo::{ProcessExt, ProcessRefreshKind, RefreshKind, Signal, System, SystemExt};
Process, ProcessExt, ProcessRefreshKind, RefreshKind, Signal, System, SystemExt,
};
let mut interrupted = false; let mut interrupted = false;
let sys = let sys =
System::new_with_specifics(RefreshKind::new().with_processes(ProcessRefreshKind::new())); System::new_with_specifics(RefreshKind::new().with_processes(ProcessRefreshKind::new()));
for process in sys for process in sys.processes().values() {
.processes() match process.name() {
.values() "scdaemon" | "scdaemon.exe" => {
.filter(|val: &&Process| ["scdaemon", "scdaemon.exe"].contains(&val.name())) // gpg-agent runs scdaemon to interact with smart cards. The canonical way
{ // to reload it is `gpgconf --reload scdaemon`, which kills and restarts
// the process. We emulate that here with SIGINT (which it listens to).
if process if process
.kill_with(Signal::Interrupt) .kill_with(Signal::Interrupt)
.unwrap_or_else(|| process.kill()) .unwrap_or_else(|| process.kill())
@@ -106,8 +106,11 @@ fn stop_scdaemon() -> bool {
interrupted = true; interrupted = true;
} }
} }
_ => (),
}
}
// If we did interrupt `scdaemon`, pause briefly to allow it to exit. // If we did interrupt an agent, pause briefly to allow it to finish up.
if interrupted { if interrupted {
sleep(Duration::from_millis(100)); sleep(Duration::from_millis(100));
} }
@@ -121,7 +124,7 @@ fn open_sesame(
op().or_else(|e| match e { op().or_else(|e| match e {
yubikey::Error::PcscError { yubikey::Error::PcscError {
inner: Some(pcsc::Error::SharingViolation), inner: Some(pcsc::Error::SharingViolation),
} if stop_scdaemon() => op(), } if hunt_agents() => op(),
_ => Err(e), _ => Err(e),
}) })
} }
@@ -129,7 +132,7 @@ fn open_sesame(
/// Opens a connection to this reader, returning a `YubiKey` if successful. /// Opens a connection to this reader, returning a `YubiKey` if successful.
/// ///
/// This is equivalent to [`Reader::open`], but additionally handles the presence of /// This is equivalent to [`Reader::open`], but additionally handles the presence of
/// `scdaemon` (which can indefinitely hold exclusive access to a YubiKey). /// agents (which can indefinitely hold exclusive access to a YubiKey).
pub(crate) fn open_connection(reader: &Reader) -> Result<YubiKey, yubikey::Error> { pub(crate) fn open_connection(reader: &Reader) -> Result<YubiKey, yubikey::Error> {
open_sesame(|| reader.open()) open_sesame(|| reader.open())
} }
@@ -137,7 +140,7 @@ pub(crate) fn open_connection(reader: &Reader) -> Result<YubiKey, yubikey::Error
/// Opens a YubiKey with a specific serial number. /// Opens a YubiKey with a specific serial number.
/// ///
/// This is equivalent to [`YubiKey::open_by_serial`], but additionally handles the /// This is equivalent to [`YubiKey::open_by_serial`], but additionally handles the
/// presence of `scdaemon` (which can indefinitely hold exclusive access to a YubiKey). /// presence of agents (which can indefinitely hold exclusive access to a YubiKey).
fn open_by_serial(serial: Serial) -> Result<YubiKey, yubikey::Error> { fn open_by_serial(serial: Serial) -> Result<YubiKey, yubikey::Error> {
open_sesame(|| YubiKey::open_by_serial(serial)) open_sesame(|| YubiKey::open_by_serial(serial))
} }