AuroraMiddleware/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2024-11-09 14:50:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
e64a1e81aa
glibc/posix/tst-spawn5.c

299 lines
8.2 KiB
C
Raw Normal View History

posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
/* Tests for posix_spawn signal handling.
Update copyright dates with scripts/update-copyrights
2024-01-01 18:12:26 +00:00
Copyright (C) 2021-2024 Free Software Foundation, Inc.
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
#include <stdio.h>
#include <stdlib.h>
#include <getopt.h>
#include <spawn.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <dirent.h>
#include <stdbool.h>
#include <errno.h>
#include <limits.h>
#include <support/check.h>
#include <support/xunistd.h>
#include <support/support.h>
#include <arch-fd_to_filename.h>
#include <array_length.h>
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349) Returning a pidfd allows a process to keep a race-free handle for a child process, otherwise, the caller will need to either use pidfd_open (which still might be subject to TOCTOU) or keep the old racy interface base on pid_t. To correct use pifd_spawn, the kernel must support not only returning the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux 5.4). If kernel does not support the waitid, pidfd return ENOSYS. It avoids the need to racy workarounds, such as reading the procfs fdinfo to get the pid to use along with other wait interfaces. These interfaces are similar to the posix_spawn and posix_spawnp, with the only difference being it returns a process file descriptor (int) instead of a process ID (pid_t). Their prototypes are: int pidfd_spawn (int *restrict pidfd, const char *restrict file, const posix_spawn_file_actions_t *restrict facts, const posix_spawnattr_t *restrict attrp, char *const argv[restrict], char *const envp[restrict]) int pidfd_spawnp (int *restrict pidfd, const char *restrict path, const posix_spawn_file_actions_t *restrict facts, const posix_spawnattr_t *restrict attrp, char *const argv[restrict_arr], char *const envp[restrict_arr]); A new symbol is used instead of a posix_spawn extension to avoid possible issues with language bindings that might track the return argument lifetime. Although on Linux pid_t and int are interchangeable, POSIX only states that pid_t should be a signed integer. Both symbols reuse the posix_spawn posix_spawn_file_actions_t and posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It also means that both interfaces support the same attribute and file actions, and a new flag or file action on posix_spawn is also added automatically for pidfd_spawn. Also, using posix_spawn plumbing allows the reusing of most of the current testing with some changes: - waitid is used instead of waitpid since it is a more generic interface. - tst-posix_spawn-setsid.c is adapted to take into consideration that the caller can check for session id directly. The test now spawns itself and writes the session id as a file instead. - tst-spawn3.c need to know where pidfd_spawn is used so it keeps an extra file description unused. Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid support), Linux 5.4 (full support), and Linux 6.2. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
#include <tst-spawn.h>
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
/* Nonzero if the program gets called via `exec'. */
static int restart;
/* Hold the four initial argument used to respawn the process, plus
the extra '--direct' and '--restart', and a final NULL. */
static char *initial_argv[7];
Properly run tst-spawn5 directly [BZ #28067] Change tst-spawn5.c to handle tst-spawn5 without optional path to ld.so, --library-path nor the library path when glibc is configured with --enable-hardcoded-path-in-tests. This fixes BZ #28067. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-07-09 12:57:51 +00:00
static int initial_argv_count;
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
#define CMDLINE_OPTIONS \
{ "restart", no_argument, &restart, 1 },
#define NFDS 100
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
static int
parse_fd (const char *str)
{
char *endptr;
long unsigned int fd = strtoul (str, &endptr, 10);
if (*endptr != '\0' || fd > INT_MAX)
FAIL_EXIT1 ("invalid file descriptor value: %s", str);
return fd;
}
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
/* Called on process re-execution. The arguments are the expected opened
file descriptors. */
_Noreturn static void
handle_restart (int argc, char *argv[])
{
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
TEST_VERIFY (argc > 0);
int lowfd = parse_fd (argv[0]);
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
size_t nfds = argc > 1 ? argc - 1 : 0;
struct fd_t
{
int fd;
_Bool found;
} *fds = xmalloc (sizeof (struct fd_t) * nfds);
for (int i = 0; i < nfds; i++)
{
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
fds[i].fd = parse_fd (argv[i + 1]);
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
fds[i].found = false;
}
DIR *dirp = opendir (FD_TO_FILENAME_PREFIX);
if (dirp == NULL)
FAIL_EXIT1 ("opendir (\"" FD_TO_FILENAME_PREFIX "\"): %m");
while (true)
{
errno = 0;
struct dirent64 *e = readdir64 (dirp);
if (e == NULL)
{
if (errno != 0)
FAIL_EXIT1 ("readdir: %m");
break;
}
if (e->d_name[0] == '.')
continue;
char *endptr;
long int fd = strtol (e->d_name, &endptr, 10);
if (*endptr != '\0' || fd < 0 || fd > INT_MAX)
FAIL_EXIT1 ("readdir: invalid file descriptor name: /proc/self/fd/%s",
e->d_name);
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
/* Ignore the descriptors not in the range of the opened files. */
if (fd < lowfd || fd == dirfd (dirp))
continue;
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
bool found = false;
for (int i = 0; i < nfds; i++)
if (fds[i].fd == fd)
fds[i].found = found = true;
if (!found)
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
{
char *path = xasprintf ("/proc/self/fd/%s", e->d_name);
char *resolved = xreadlink (path);
FAIL_EXIT1 ("unexpected open file descriptor %ld: %s", fd, resolved);
}
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
}
closedir (dirp);
for (int i = 0; i < nfds; i++)
if (!fds[i].found)
FAIL_EXIT1 ("file descriptor %d not opened", fds[i].fd);
free (fds);
exit (EXIT_SUCCESS);
}
static void
spawn_closefrom_test (posix_spawn_file_actions_t *fa, int lowfd, int highfd,
int *extrafds, size_t nextrafds)
{
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
/* 3 or 7 elements from initial_argv:
Properly run tst-spawn5 directly [BZ #28067] Change tst-spawn5.c to handle tst-spawn5 without optional path to ld.so, --library-path nor the library path when glibc is configured with --enable-hardcoded-path-in-tests. This fixes BZ #28067. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-07-09 12:57:51 +00:00
+ path to ld.so optional
+ --library-path optional
+ the library path optional
+ application name
+ --direct
+ --restart
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
+ lowest opened file descriptor
+ up to 2 * maximum_fd arguments (the expected open file descriptors),
plus NULL. */
Properly run tst-spawn5 directly [BZ #28067] Change tst-spawn5.c to handle tst-spawn5 without optional path to ld.so, --library-path nor the library path when glibc is configured with --enable-hardcoded-path-in-tests. This fixes BZ #28067. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-07-09 12:57:51 +00:00
int argv_size = initial_argv_count + 2 * NFDS + 1;
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
char *args[argv_size];
int argc = 0;
for (char **arg = initial_argv; *arg != NULL; arg++)
args[argc++] = *arg;
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
args[argc++] = xasprintf ("%d", lowfd);
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
for (int i = lowfd; i < highfd; i++)
args[argc++] = xasprintf ("%d", i);
for (int i = 0; i < nextrafds; i++)
args[argc++] = xasprintf ("%d", extrafds[i]);
args[argc] = NULL;
TEST_VERIFY (argc < argv_size);
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349) Returning a pidfd allows a process to keep a race-free handle for a child process, otherwise, the caller will need to either use pidfd_open (which still might be subject to TOCTOU) or keep the old racy interface base on pid_t. To correct use pifd_spawn, the kernel must support not only returning the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux 5.4). If kernel does not support the waitid, pidfd return ENOSYS. It avoids the need to racy workarounds, such as reading the procfs fdinfo to get the pid to use along with other wait interfaces. These interfaces are similar to the posix_spawn and posix_spawnp, with the only difference being it returns a process file descriptor (int) instead of a process ID (pid_t). Their prototypes are: int pidfd_spawn (int *restrict pidfd, const char *restrict file, const posix_spawn_file_actions_t *restrict facts, const posix_spawnattr_t *restrict attrp, char *const argv[restrict], char *const envp[restrict]) int pidfd_spawnp (int *restrict pidfd, const char *restrict path, const posix_spawn_file_actions_t *restrict facts, const posix_spawnattr_t *restrict attrp, char *const argv[restrict_arr], char *const envp[restrict_arr]); A new symbol is used instead of a posix_spawn extension to avoid possible issues with language bindings that might track the return argument lifetime. Although on Linux pid_t and int are interchangeable, POSIX only states that pid_t should be a signed integer. Both symbols reuse the posix_spawn posix_spawn_file_actions_t and posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It also means that both interfaces support the same attribute and file actions, and a new flag or file action on posix_spawn is also added automatically for pidfd_spawn. Also, using posix_spawn plumbing allows the reusing of most of the current testing with some changes: - waitid is used instead of waitpid since it is a more generic interface. - tst-posix_spawn-setsid.c is adapted to take into consideration that the caller can check for session id directly. The test now spawns itself and writes the session id as a file instead. - tst-spawn3.c need to know where pidfd_spawn is used so it keeps an extra file description unused. Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid support), Linux 5.4 (full support), and Linux 6.2. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
PID_T_TYPE pid;
siginfo_t sinfo;
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349) Returning a pidfd allows a process to keep a race-free handle for a child process, otherwise, the caller will need to either use pidfd_open (which still might be subject to TOCTOU) or keep the old racy interface base on pid_t. To correct use pifd_spawn, the kernel must support not only returning the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux 5.4). If kernel does not support the waitid, pidfd return ENOSYS. It avoids the need to racy workarounds, such as reading the procfs fdinfo to get the pid to use along with other wait interfaces. These interfaces are similar to the posix_spawn and posix_spawnp, with the only difference being it returns a process file descriptor (int) instead of a process ID (pid_t). Their prototypes are: int pidfd_spawn (int *restrict pidfd, const char *restrict file, const posix_spawn_file_actions_t *restrict facts, const posix_spawnattr_t *restrict attrp, char *const argv[restrict], char *const envp[restrict]) int pidfd_spawnp (int *restrict pidfd, const char *restrict path, const posix_spawn_file_actions_t *restrict facts, const posix_spawnattr_t *restrict attrp, char *const argv[restrict_arr], char *const envp[restrict_arr]); A new symbol is used instead of a posix_spawn extension to avoid possible issues with language bindings that might track the return argument lifetime. Although on Linux pid_t and int are interchangeable, POSIX only states that pid_t should be a signed integer. Both symbols reuse the posix_spawn posix_spawn_file_actions_t and posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It also means that both interfaces support the same attribute and file actions, and a new flag or file action on posix_spawn is also added automatically for pidfd_spawn. Also, using posix_spawn plumbing allows the reusing of most of the current testing with some changes: - waitid is used instead of waitpid since it is a more generic interface. - tst-posix_spawn-setsid.c is adapted to take into consideration that the caller can check for session id directly. The test now spawns itself and writes the session id as a file instead. - tst-spawn3.c need to know where pidfd_spawn is used so it keeps an extra file description unused. Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid support), Linux 5.4 (full support), and Linux 6.2. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
TEST_COMPARE (POSIX_SPAWN (&pid, args[0], fa, NULL, args, environ), 0);
TEST_COMPARE (WAITID (P_PID, pid, &sinfo, WEXITED), 0);
TEST_COMPARE (sinfo.si_code, CLD_EXITED);
TEST_COMPARE (sinfo.si_status, 0);
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
}
static void
do_test_closefrom (void)
{
Use support_open_dev_null_range io/tst-closefrom, misc/tst-close_range, and posix/tst-spawn5 (BZ #28260) It ensures a continuous range of file descriptor and avoid hitting the RLIMIT_NOFILE. Checked on x86_64-linux-gnu.
2021-08-24 19:15:50 +00:00
int lowfd = support_open_dev_null_range (NFDS, O_RDONLY, 0600);
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
const int half_fd = lowfd + NFDS / 2;
/* Close half of the descriptors and check result. */
{
posix_spawn_file_actions_t fa;
TEST_COMPARE (posix_spawn_file_actions_init (&fa), 0);
int ret = posix_spawn_file_actions_addclosefrom_np (&fa, half_fd);
if (ret == EINVAL)
/* Hurd currently does not support closefrom fileaction. */
FAIL_UNSUPPORTED ("posix_spawn_file_actions_addclosefrom_np unsupported");
TEST_COMPARE (ret, 0);
spawn_closefrom_test (&fa, lowfd, half_fd, NULL, 0);
TEST_COMPARE (posix_spawn_file_actions_destroy (&fa), 0);
}
/* Create some gaps, close up to a threshold, and check result. */
xclose (lowfd + 57);
xclose (lowfd + 78);
xclose (lowfd + 81);
xclose (lowfd + 82);
xclose (lowfd + 84);
xclose (lowfd + 90);
{
posix_spawn_file_actions_t fa;
TEST_COMPARE (posix_spawn_file_actions_init (&fa), 0);
TEST_COMPARE (posix_spawn_file_actions_addclosefrom_np (&fa, half_fd), 0);
spawn_closefrom_test (&fa, lowfd, half_fd, NULL, 0);
TEST_COMPARE (posix_spawn_file_actions_destroy (&fa), 0);
}
/* Close the remaining but the last one. */
{
posix_spawn_file_actions_t fa;
TEST_COMPARE (posix_spawn_file_actions_init (&fa), 0);
TEST_COMPARE (posix_spawn_file_actions_addclosefrom_np (&fa, lowfd + 1), 0);
spawn_closefrom_test (&fa, lowfd, lowfd + 1, NULL, 0);
TEST_COMPARE (posix_spawn_file_actions_destroy (&fa), 0);
}
/* Close everything. */
{
posix_spawn_file_actions_t fa;
TEST_COMPARE (posix_spawn_file_actions_init (&fa), 0);
TEST_COMPARE (posix_spawn_file_actions_addclosefrom_np (&fa, lowfd), 0);
spawn_closefrom_test (&fa, lowfd, lowfd, NULL, 0);
TEST_COMPARE (posix_spawn_file_actions_destroy (&fa), 0);
}
/* Close a range and add some file actions. */
{
posix_spawn_file_actions_t fa;
TEST_COMPARE (posix_spawn_file_actions_init (&fa), 0);
TEST_COMPARE (posix_spawn_file_actions_addclosefrom_np (&fa, lowfd + 1), 0);
TEST_COMPARE (posix_spawn_file_actions_addopen (&fa, lowfd, "/dev/null",
0666, O_RDONLY), 0);
TEST_COMPARE (posix_spawn_file_actions_adddup2 (&fa, lowfd, lowfd + 1), 0);
TEST_COMPARE (posix_spawn_file_actions_addopen (&fa, lowfd, "/dev/null",
0666, O_RDONLY), 0);
spawn_closefrom_test (&fa, lowfd, lowfd, (int[]){lowfd, lowfd + 1}, 2);
TEST_COMPARE (posix_spawn_file_actions_destroy (&fa), 0);
}
}
static int
do_test (int argc, char *argv[])
{
/* We must have either:
- one or four parameters if called initially:
+ argv[1]: path for ld.so optional
+ argv[2]: "--library-path" optional
+ argv[3]: the library path optional
+ argv[4]: the application name
- six parameters left if called through re-execution:
+ argv[1]: the application name
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
+ argv[2]: the lowest file descriptor expected
+ argv[3]: first expected open file descriptor optional
Fix all the remaining misspellings -- BZ 25337
2023-05-20 13:37:47 +00:00
+ argv[n]: last expected open file descriptor optional
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
* When built with --enable-hardcoded-path-in-tests or issued without
using the loader directly. */
if (restart)
posix: Ignore non opened files on tst-spawn5 The make program might open a pipe for its job server, which triggers an invalid check on the spawned process. This patch now passes the lowest file descriptor as ithe first argument, so only the range that was actually opened is checked. Checked on x86_64-linux-gnu and i686-linux-gnu and centos7 (which triggers the issue).
2021-07-13 13:46:23 +00:00
/* Ignore the application name. */
handle_restart (argc - 1, &argv[1]);
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
Properly run tst-spawn5 directly [BZ #28067] Change tst-spawn5.c to handle tst-spawn5 without optional path to ld.so, --library-path nor the library path when glibc is configured with --enable-hardcoded-path-in-tests. This fixes BZ #28067. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-07-09 12:57:51 +00:00
TEST_VERIFY_EXIT (argc == 2 || argc == 5);
int i;
for (i = 0; i < argc - 1; i++)
initial_argv[i] = argv[i + 1];
initial_argv[i++] = (char *) "--direct";
initial_argv[i++] = (char *) "--restart";
initial_argv_count = i;
posix: Add posix_spawn_file_actions_addclosefrom_np This patch adds a way to close a range of file descriptors on posix_spawn as a new file action. The API is similar to the one provided by Solaris 11 [1], where the file action causes the all open file descriptors greater than or equal to input on to be closed when the new process is spawned. The function posix_spawn_file_actions_addclosefrom_np is safe to be implemented by iterating over /proc/self/fd, since the Linux spawni.c helper process does not use CLONE_FILES, so its has own file descriptor table and any failure (in /proc operation) aborts the process creation and returns an error to the caller. I am aware that this file action might be redundant to the current approach of POSIX in promoting O_CLOEXEC in more interfaces. However O_CLOEXEC is still not the default and for some specific usages, the caller needs to close all possible file descriptors to avoid them leaking. Some examples are CPython (discussed in BZ#10353) and OpenJDK jspawnhelper [2] (where OpenJDK spawns a helper process to exactly closes all file descriptors). Most likely any environment which calls functions that might open file descriptor under the hood and aim to use posix_spawn might face the same requirement. Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15. [1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html [2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-03-10 15:26:33 +00:00
do_test_closefrom ();
return 0;
}
#define TEST_FUNCTION_ARGV do_test
#include <support/test-driver.c>
Reference in New Issue Copy Permalink