For an example, see olastor/clevis-pin-fido2#3 (however, this is not a problem specific to this pin; clevis-decrypt-sss should always ensure that no (grand)child processes are left behind).
As demonstrated below (using two terminals), threshold t=1 is reached and the decryption succeeds, but one of the FIDO2 keys is still being queried until the key-specific timeout kicks in while clevis-decrypt-sss already terminated:
```text
[2024-04-12T13:16:01+0200] root@ubuntu:/tmp# echo "Hello, world." | clevis encrypt sss '{"t": 1, "pins": {"fido2": [{"device": "/dev/input/by-id/yubikey_12345678"}, {"device": "/dev/input/by-id/yubikey_87654321"}]}}' >test01.jwe
clevis-encrypt-fido2: Please insert your specified FIDO2 token /dev/input/by-id/yubikey_12345678
clevis-encrypt-fido2: Please insert your specified FIDO2 token /dev/input/by-id/yubikey_87654321
[…]
[2024-04-12T13:17:31+0200] root@ubuntu:/tmp# clevis decrypt < test01.jwe
Hello, world.
[2024-04-12T13:17:55+0200] root@ubuntu:/tmp# fido2-assert: fido_dev_get_assert: FIDO_ERR_ACTION_TIMEOUT
[2024-04-12T13:17:33+0200] root@ubuntu:/tmp# ps axu | grep -E 'clevis|fido2'
root 1183736 0.0 0.0 18680 3580 pts/7 S+ 13:17 0:00 /bin/bash -e /usr/bin/clevis-decrypt
root 1183741 0.0 0.0 7800 5084 pts/7 S+ 13:17 0:00 /usr/bin/clevis-decrypt-sss
root 1183742 0.0 0.0 18680 3588 pts/7 S+ 13:17 0:00 /bin/bash -e /usr/bin/clevis-decrypt
root 1183743 0.0 0.0 18680 3492 pts/7 S+ 13:17 0:00 /bin/bash -e /usr/bin/clevis-decrypt
root 1183752 0.0 0.0 18680 3604 pts/7 S+ 13:17 0:00 /bin/bash /usr/bin/clevis-decrypt-fido2
root 1183753 0.0 0.0 18680 3584 pts/7 S+ 13:17 0:00 /bin/bash /usr/bin/clevis-decrypt-fido2
root 1183802 0.0 0.0 18680 1716 pts/7 S+ 13:17 0:00 /bin/bash /usr/bin/clevis-decrypt-fido2
root 1183804 0.3 0.0 8072 5668 pts/7 S+ 13:17 0:00 fido2-assert -G -h -t up=true -t pin=false /dev/input/by-id/yubikey_12345678
root 1183808 0.0 0.0 18680 1640 pts/7 S+ 13:17 0:00 /bin/bash /usr/bin/clevis-decrypt-fido2
root 1183811 0.3 0.0 8072 5788 pts/7 S+ 13:17 0:00 fido2-assert -G -h -t up=true -t pin=false /dev/input/by-id/yubikey_87654321
root 1183819 0.0 0.0 18040 2316 pts/5 S+ 13:17 0:00 grep --color=auto -E clevis|fido2
[2024-04-12T13:17:46+0200] root@ubuntu:/tmp# pstree -p 1183741
clevis-decrypt-(1183741)─┬─clevis-decrypt(1183742)───clevis-decrypt-(1183752)───clevis-decrypt-(1183802)─┬─base64(1183807)
                         │                                                                               ├─fido2-assert(1183804)
                         │                                                                               ├─head(1183805)
                         │                                                                               ├─jose(1183809)
                         │                                                                               └─tail(1183806)
                         └─clevis-decrypt(1183743)───clevis-decrypt-(1183753)───clevis-decrypt-(1183808)─┬─base64(1183814)
                                                                                                         ├─fido2-assert(1183811)
                                                                                                         ├─head(1183812)
                                                                                                         ├─jose(1183815)
                                                                                                         └─tail(1183813)
[2024-04-12T13:17:52+0200] root@ubuntu:/tmp# ps axu | grep -E 'clevis|fido2'
root 1183753 0.0 0.0 18680 3584 pts/7 S 13:17 0:00 /bin/bash /usr/bin/clevis-decrypt-fido2
root 1183808 0.0 0.0 18680 1640 pts/7 S 13:17 0:00 /bin/bash /usr/bin/clevis-decrypt-fido2
root 1183811 0.0 0.0 8072 5788 pts/7 S 13:17 0:00 fido2-assert -G -h -t up=true -t pin=false /dev/input/by-id/yubikey_87654321
root 1183865 0.0 0.0 18040 2304 pts/5 S+ 13:18 0:00 grep --color=auto -E clevis|fido2
[2024-04-12T13:18:03+0200] root@ubuntu:/tmp# pstree -c 1183753
clevis-decrypt-───clevis-decrypt-─┬─base64
                                  ├─fido2-assert
                                  ├─head
                                  ├─jose
                                  └─tail
[2024-04-12T13:18:09+0200] root@ubuntu:/tmp#
```
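The teardown the report asks for, as an added example that is not clevis code: a threshold collector that starts one worker per pin, returns once t shares are in, and then terminates and reaps the workers still blocked on a token, including their grandchildren. `pin_worker` and `run_threshold` are hypothetical names, and `sleep` stands in for `fido2-assert` waiting on user presence.

```shell
#!/usr/bin/env bash
# Added example, not clevis code: a threshold decryptor that returns as soon
# as t shares are in and tears down the workers still blocked on a token,
# including their grandchildren (the fido2-assert equivalent).
set -u

# Hypothetical stand-in for clevis-decrypt-<pin>: it spawns a helper
# (standing in for fido2-assert, here just `sleep`), forwards SIGTERM to
# it and reaps it, so killing the worker never orphans the helper.
pin_worker() {  # $1 = seconds the helper blocks, $2 = pin name, $3 = tmpdir
    helper=""
    trap 'kill "$helper" 2>/dev/null; wait "$helper" 2>/dev/null; exit 143' TERM
    sleep "$1" &
    helper=$!
    echo "$helper" > "$3/helper.$2"      # lets the parent verify cleanup
    wait "$helper" || exit 143           # interrupted if TERM arrives
    echo "share-from-$2" > "$3/share.$2"
}

# run_threshold T DELAY...: one worker per DELAY. Prints the collected
# shares; returns 0 only if no worker or helper survived the teardown.
run_threshold() {
    t=$1; shift
    tmp=$(mktemp -d); pids=""; i=0
    for delay in "$@"; do
        i=$((i + 1))
        pin_worker "$delay" "pin$i" "$tmp" &
        pids="$pids $!"
    done
    # Poll until T shares exist (polling keeps this POSIX; bash's `wait -n`
    # would avoid it). This is the point where clevis-decrypt-sss returns
    # today, without the two steps that follow.
    while [ "$(cat "$tmp"/share.* 2>/dev/null | wc -l)" -lt "$t" ]; do
        sleep 0.1
    done
    kill $pids 2>/dev/null   # 1. terminate the stragglers
    wait                     # 2. reap every worker before returning
    cat "$tmp"/share.*
    leftover=0
    for h in "$tmp"/helper.*; do
        kill -0 "$(cat "$h")" 2>/dev/null && leftover=1
    done
    rm -rf "$tmp"
    [ "$leftover" -eq 0 ]
}

run_threshold 1 0 5 && echo "threshold met, no processes left behind"
```

For a worker that execs a binary directly, the same guarantee is easier to get by starting each worker in its own process group (`setsid`) and killing the group instead of the single PID.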