Add Darwin/macOS support for SSS and Tang pins

src/luks/tests/meson.build

@@ -1,9 +1,14 @@
 # We use jq for comparing the pin config in the clevis luks list tests.
 jq = find_program('jq', required: false)
 
-# We use cryptsetup for testing LUKS2 binding and saving the token in a
-# given token slot.
-cryptsetup = find_program('cryptsetup', required: true)
+# All LUKS tests require cryptsetup. The test directory is included
+# unconditionally by the parent meson.build, so we must handle the case
+# where cryptsetup is not available (e.g., on macOS/Darwin).
+cryptsetup = find_program('cryptsetup', required: false)
+if not cryptsetup.found()
+  warning('Will not run LUKS tests due to missing cryptsetup')
+  subdir_done()
+endif
 
 # Use keyctl to check an existing token id can be created from
 # kernel keyring password
@@ -14,6 +19,9 @@ else
     warning('keyutils not installed, unable to test existing token id binding')
 endif
 
+# We use jq for comparing the pin config in the clevis luks list tests.
+jq = find_program('jq', required: false)
+
 common_functions = configure_file(input: 'tests-common-functions.in',
   output: 'tests-common-functions',
   configuration: luksmeta_data,

src/pins/sss/clevis-decrypt-sss.c

@@ -41,7 +41,7 @@
 #include <jose/b64.h>
 #include <jose/jwe.h>
 
-#include <sys/epoll.h>
+#include <poll.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 
@@ -141,7 +141,8 @@ main(int argc, char *argv[])
     int ret = EXIT_FAILURE;
     json_t *p = NULL;
     json_int_t t = 1;
-    int epoll = -1;
+    struct pollfd *pollfds = NULL;
+    nfds_t nfds = 0;
     size_t pl = 0;
 
     if (argc == 2 && strcmp(argv[1], "--summary") == 0)
@@ -150,10 +151,6 @@ main(int argc, char *argv[])
     if (isatty(STDIN_FILENO) || argc != 1)
         goto usage;
 
-    epoll = epoll_create1(EPOLL_CLOEXEC);
-    if (epoll < 0)
-        return ret;
-
     jwe = compact_jwe(stdin);
     if (!jwe)
         goto egress;
@@ -195,31 +192,59 @@ main(int argc, char *argv[])
         if (!pin->file)
             goto egress;
 
-        if (epoll_ctl(epoll, EPOLL_CTL_ADD, fileno(pin->file),
-                      &(struct epoll_event) {
-                          .events = EPOLLIN | EPOLLPRI,
-                          .data.fd = fileno(pin->file)
-                      }) < 0)
-            goto egress;
+        {
+            struct pollfd *tmp = realloc(pollfds,
+                                        (nfds + 1) * sizeof(*pollfds));
+            if (!tmp)
+                goto egress;
+            pollfds = tmp;
+            pollfds[nfds].fd = fileno(pin->file);
+            pollfds[nfds].events = POLLIN | POLLPRI;
+            pollfds[nfds].revents = 0;
+            nfds++;
+        }
     }
 
     json_decref(pins);
     pins = json_array();
     if (!pins)
         goto egress;
 
-    for (struct epoll_event e; true; ) {
-        int r = 0;
-
-        r = epoll_wait(epoll, &e, 1, -1);
-        if (r != 1)
+    while (true) {
+        int r = poll(pollfds, nfds, -1);
+        if (r <= 0)
             break;
 
         for (struct pin *pin = chldrn.next; pin != &chldrn; pin = pin->next) {
-            if (!pin->file || e.data.fd != fileno(pin->file))
+            nfds_t pi;
+
+            if (!pin->file)
                 continue;
 
-            if (e.events & (EPOLLIN | EPOLLPRI)) {
+            for (pi = 0; pi < nfds; pi++) {
+                if (pollfds[pi].fd == fileno(pin->file))
+                    break;
+            }
+            if (pi >= nfds)
+                continue;
+
+            /* If no data available but pipe closed/errored, mark as failed */
+            if (!(pollfds[pi].revents & (POLLIN | POLLPRI))) {
+                if (pollfds[pi].revents & (POLLERR | POLLHUP | POLLNVAL)) {
+                    fclose(pin->file);
+                    pin->file = NULL;
+                    pollfds[pi].fd = -1;
+                    waitpid(pin->pid, NULL, 0);
+                    pin->pid = 0;
+                    pin->next->prev = pin->prev;
+                    pin->prev->next = pin->next;
+                    free(pin);
+                    break;
+                }
+                continue;
+            }
+
+            {
                 const size_t ptl = pl * 2;
 
                 pin->pt = malloc(ptl);
@@ -249,6 +274,8 @@ main(int argc, char *argv[])
 
             fclose(pin->file);
             pin->file = NULL;
+            /* Remove closed fd from poll set (poll ignores negative fds) */
+            pollfds[pi].fd = -1;
 
             waitpid(pin->pid, NULL, 0);
             pin->pid = 0;
@@ -324,7 +351,7 @@ main(int argc, char *argv[])
         free(pin);
     }
 
-    close(epoll);
+    free(pollfds);
     return ret;
 
 usage:

src/pins/sss/clevis-encrypt-sss.c

@@ -42,7 +42,6 @@
 #include <jose/b64.h>
 #include <jose/jwe.h>
 
-#include <sys/epoll.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 

src/pins/sss/sss.c

@@ -349,11 +349,15 @@ call(char *const argv[], const void *buf, size_t len, pid_t *pid)
 
     *pid = 0;
 
-    if (pipe2(dump, O_CLOEXEC) < 0)
+    if (pipe(dump) < 0)
         goto error;
+    fcntl(dump[0], F_SETFD, FD_CLOEXEC);
+    fcntl(dump[1], F_SETFD, FD_CLOEXEC);
 
-    if (pipe2(load, O_CLOEXEC) < 0)
+    if (pipe(load) < 0)
         goto error;
+    fcntl(load[0], F_SETFD, FD_CLOEXEC);
+    fcntl(load[1], F_SETFD, FD_CLOEXEC);
 
     *pid = fork();
     if (*pid < 0)