2016-01-19 19:33:32 +00:00
|
|
|
/* POSIX spawn interface. Linux version.
|
2023-01-06 21:08:04 +00:00
|
|
|
Copyright (C) 2016-2023 Free Software Foundation, Inc.
|
2016-01-19 19:33:32 +00:00
|
|
|
This file is part of the GNU C Library.
|
|
|
|
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
|
|
modify it under the terms of the GNU Lesser General Public
|
|
|
|
License as published by the Free Software Foundation; either
|
|
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
Lesser General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
|
|
License along with the GNU C Library; if not, see
|
Prefer https to http for gnu.org and fsf.org URLs
Also, change sources.redhat.com to sourceware.org.
This patch was automatically generated by running the following shell
script, which uses GNU sed, and which avoids modifying files imported
from upstream:
sed -ri '
s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g
s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g
' \
$(find $(git ls-files) -prune -type f \
! -name '*.po' \
! -name 'ChangeLog*' \
! -path COPYING ! -path COPYING.LIB \
! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \
! -path manual/texinfo.tex ! -path scripts/config.guess \
! -path scripts/config.sub ! -path scripts/install-sh \
! -path scripts/mkinstalldirs ! -path scripts/move-if-change \
! -path INSTALL ! -path locale/programs/charmap-kw.h \
! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \
! '(' -name configure \
-execdir test -f configure.ac -o -f configure.in ';' ')' \
! '(' -name preconfigure \
-execdir test -f preconfigure.ac ';' ')' \
-print)
and then by running 'make dist-prepare' to regenerate files built
from the altered files, and then executing the following to cleanup:
chmod a+x sysdeps/unix/sysv/linux/riscv/configure
# Omit irrelevant whitespace and comment-only changes,
# perhaps from a slightly-different Autoconf version.
git checkout -f \
sysdeps/csky/configure \
sysdeps/hppa/configure \
sysdeps/riscv/configure \
sysdeps/unix/sysv/linux/csky/configure
# Omit changes that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines
git checkout -f \
sysdeps/powerpc/powerpc64/ppc-mcount.S \
sysdeps/unix/sysv/linux/s390/s390-64/syscall.S
# Omit change that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline
git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-09-07 05:40:42 +00:00
|
|
|
<https://www.gnu.org/licenses/>. */
|
2016-01-19 19:33:32 +00:00
|
|
|
|
2021-03-10 15:26:33 +00:00
|
|
|
#include <internal-signals.h>
|
|
|
|
#include <ldsodefs.h>
|
2016-01-19 19:33:32 +00:00
|
|
|
#include <local-setxid.h>
|
2021-03-10 15:26:33 +00:00
|
|
|
#include <not-cancel.h>
|
|
|
|
#include <paths.h>
|
2016-01-19 19:33:32 +00:00
|
|
|
#include <shlib-compat.h>
|
2021-03-10 15:26:33 +00:00
|
|
|
#include <spawn.h>
|
|
|
|
#include <spawn_int.h>
|
|
|
|
#include <sysdep.h>
|
|
|
|
#include <sys/resource.h>
|
Add an internal wrapper for clone, clone2 and clone3
The clone3 system call (since Linux 5.3) provides a superset of the
functionality of clone and clone2. It also provides a number of API
improvements, including the ability to specify the size of the child's
stack area which can be used by kernel to compute the shadow stack size
when allocating the shadow stack. Add:
extern int __clone_internal (struct clone_args *__cl_args,
int (*__func) (void *__arg), void *__arg);
to provide an abstract interface for clone, clone2 and clone3.
1. Simplify stack management for thread creation by passing both stack
base and size to create_thread.
2. Consolidate clone vs clone2 differences into a single file.
3. Call __clone3 if HAVE_CLONE3_WAPPER is defined. If __clone3 returns
-1 with ENOSYS, fall back to clone or clone2.
4. Use only __clone_internal to clone a thread. Since the stack size
argument for create_thread is now unconditional, always pass stack size
to create_thread.
5. Enable the public clone3 wrapper in the future after it has been
added to all targets.
NB: Sandbox will return ENOSYS on clone3 in both Chromium:
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/218438259dd795456f0a48f67cbe5b4e520db88b
commit 218438259dd795456f0a48f67cbe5b4e520db88b
Author: Matthew Denton <mpdenton@chromium.org>
Date: Thu Jun 03 20:06:13 2021
Linux sandbox: return ENOSYS for clone3
Because clone3 uses a pointer argument rather than a flags argument, we
cannot examine the contents with seccomp, which is essential to
preventing sandboxed processes from starting other processes. So, we
won't be able to support clone3 in Chromium. This CL modifies the
BPF policy to return ENOSYS for clone3 so glibc always uses the fallback
to clone.
Bug: 1213452
Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#888980}
[modify] https://crrev.com/218438259dd795456f0a48f67cbe5b4e520db88b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
and Firefox:
https://hg.mozilla.org/integration/autoland/rev/ecb4011a0c76
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-02-13 19:47:46 +00:00
|
|
|
#include <clone_internal.h>
|
2016-01-19 19:33:32 +00:00
|
|
|
|
|
|
|
/* The Linux implementation of posix_spawn{p} uses the clone syscall directly
|
|
|
|
with CLONE_VM and CLONE_VFORK flags and an allocated stack. The new stack
|
|
|
|
and start function solves most the vfork limitation (possible parent
|
|
|
|
clobber due stack spilling). The remaining issue are:
|
|
|
|
|
|
|
|
1. That no signal handlers must run in child context, to avoid corrupting
|
|
|
|
parent's state.
|
|
|
|
2. The parent must ensure child's stack freeing.
|
|
|
|
3. Child must synchronize with parent to enforce 2. and to possible
|
|
|
|
return execv issues.
|
|
|
|
|
2016-09-28 00:52:17 +00:00
|
|
|
The first issue is solved by blocking all signals in child, even
|
|
|
|
the NPTL-internal ones (SIGCANCEL and SIGSETXID). The second and
|
|
|
|
third issue is done by a stack allocation in parent, and by using a
|
|
|
|
field in struct spawn_args where the child can write an error
|
|
|
|
code. CLONE_VFORK ensures that the parent does not run until the
|
|
|
|
child has either exec'ed successfully or exited. */
|
2016-01-19 19:33:32 +00:00
|
|
|
|
|
|
|
|
|
|
|
/* The Unix standard contains a long explanation of the way to signal
|
|
|
|
an error after the fork() was successful. Since no new wait status
|
|
|
|
was wanted there is no way to signal an error using one of the
|
|
|
|
available methods. The committee chose to signal an error by a
|
|
|
|
normal program exit with the exit code 127. */
|
|
|
|
#define SPAWN_ERROR 127
|
|
|
|
|
|
|
|
|
|
|
|
struct posix_spawn_args
|
|
|
|
{
|
2022-04-21 12:41:59 +00:00
|
|
|
internal_sigset_t oldmask;
|
2016-01-19 19:33:32 +00:00
|
|
|
const char *file;
|
|
|
|
int (*exec) (const char *, char *const *, char *const *);
|
|
|
|
const posix_spawn_file_actions_t *fa;
|
|
|
|
const posix_spawnattr_t *restrict attr;
|
|
|
|
char *const *argv;
|
|
|
|
ptrdiff_t argc;
|
|
|
|
char *const *envp;
|
|
|
|
int xflags;
|
2023-01-12 13:58:51 +00:00
|
|
|
bool use_clone3;
|
2016-09-28 00:52:17 +00:00
|
|
|
int err;
|
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349)
Returning a pidfd allows a process to keep a race-free handle for a
child process, otherwise, the caller will need to either use pidfd_open
(which still might be subject to TOCTOU) or keep the old racy interface
base on pid_t.
To correct use pifd_spawn, the kernel must support not only returning
the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux
5.4). If kernel does not support the waitid, pidfd return ENOSYS.
It avoids the need to racy workarounds, such as reading the procfs
fdinfo to get the pid to use along with other wait interfaces.
These interfaces are similar to the posix_spawn and posix_spawnp, with
the only difference being it returns a process file descriptor (int)
instead of a process ID (pid_t). Their prototypes are:
int pidfd_spawn (int *restrict pidfd,
const char *restrict file,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict],
char *const envp[restrict])
int pidfd_spawnp (int *restrict pidfd,
const char *restrict path,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict_arr],
char *const envp[restrict_arr]);
A new symbol is used instead of a posix_spawn extension to avoid
possible issues with language bindings that might track the return
argument lifetime. Although on Linux pid_t and int are interchangeable,
POSIX only states that pid_t should be a signed integer.
Both symbols reuse the posix_spawn posix_spawn_file_actions_t and
posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It
also means that both interfaces support the same attribute and file
actions, and a new flag or file action on posix_spawn is also added
automatically for pidfd_spawn.
Also, using posix_spawn plumbing allows the reusing of most of the
current testing with some changes:
- waitid is used instead of waitpid since it is a more generic
interface.
- tst-posix_spawn-setsid.c is adapted to take into consideration that
the caller can check for session id directly. The test now spawns
itself and writes the session id as a file instead.
- tst-spawn3.c need to know where pidfd_spawn is used so it keeps an
extra file description unused.
Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid
support), Linux 5.4 (full support), and Linux 6.2.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
|
|
|
int pidfd;
|
2016-01-19 19:33:32 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
/* Older version requires that shell script without shebang definition
|
|
|
|
to be called explicitly using /bin/sh (_PATH_BSHELL). */
|
|
|
|
static void
|
|
|
|
maybe_script_execute (struct posix_spawn_args *args)
|
|
|
|
{
|
|
|
|
if (SHLIB_COMPAT (libc, GLIBC_2_2, GLIBC_2_15)
|
|
|
|
&& (args->xflags & SPAWN_XFLAGS_TRY_SHELL) && errno == ENOEXEC)
|
|
|
|
{
|
|
|
|
char *const *argv = args->argv;
|
|
|
|
ptrdiff_t argc = args->argc;
|
|
|
|
|
|
|
|
/* Construct an argument list for the shell. */
|
2018-09-06 12:27:03 +00:00
|
|
|
char *new_argv[argc + 2];
|
2016-01-19 19:33:32 +00:00
|
|
|
new_argv[0] = (char *) _PATH_BSHELL;
|
|
|
|
new_argv[1] = (char *) args->file;
|
|
|
|
if (argc > 1)
|
2019-02-27 13:55:45 +00:00
|
|
|
memcpy (new_argv + 2, argv + 1, argc * sizeof (char *));
|
2016-01-19 19:33:32 +00:00
|
|
|
else
|
|
|
|
new_argv[2] = NULL;
|
|
|
|
|
|
|
|
/* Execute the shell. */
|
|
|
|
args->exec (new_argv[0], new_argv, args->envp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Function used in the clone call to setup the signals mask, posix_spawn
|
|
|
|
attributes, and file actions. It run on its own stack (provided by the
|
|
|
|
posix_spawn call). */
|
|
|
|
static int
|
|
|
|
__spawni_child (void *arguments)
|
|
|
|
{
|
|
|
|
struct posix_spawn_args *args = arguments;
|
|
|
|
const posix_spawnattr_t *restrict attr = args->attr;
|
|
|
|
const posix_spawn_file_actions_t *file_actions = args->fa;
|
|
|
|
|
2023-01-12 13:58:51 +00:00
|
|
|
/* The child must ensure that no signal handler is enabled because it
|
|
|
|
shares memory with parent, so all signal dispositions must be either
|
|
|
|
SIG_DFL or SIG_IGN. If clone3/CLONE_CLEAR_SIGHAND is used, there is
|
|
|
|
only the need to set the defined signals POSIX_SPAWN_SETSIGDEF to
|
|
|
|
SIG_DFL; otherwise, the code iterates over all signals. */
|
2016-01-19 19:33:32 +00:00
|
|
|
struct sigaction sa;
|
|
|
|
memset (&sa, '\0', sizeof (sa));
|
|
|
|
|
|
|
|
sigset_t hset;
|
|
|
|
__sigprocmask (SIG_BLOCK, 0, &hset);
|
|
|
|
for (int sig = 1; sig < _NSIG; ++sig)
|
|
|
|
{
|
|
|
|
if ((attr->__flags & POSIX_SPAWN_SETSIGDEF)
|
posix: Use posix_spawn on system
This patch uses posix_spawn on system implementation. On Linux this has
the advantage of much lower memory consumption (usually 32 Kb minimum for
the mmap stack area).
Although POSIX does not require, glibc system implementation aims to be
thread and cancellation safe. The cancellation code is moved to generic
implementation and enabled iff SIGCANCEL is defined (similar on how the
cancellation handler is enabled on nptl-init.c).
Checked on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu,
arm-linux-gnueabihf, and powerpc64le-linux-gnu.
* sysdeps/unix/sysv/linux/spawni.c (__spawni_child): Use
__sigismember instead of sigismember.
* sysdeps/posix/system.c [SIGCANCEL] (cancel_handler_args,
cancel_handler): New definitions.
(CLEANUP_HANDLER, CLEANUP_RESET): Likewise.
(DO_LOCK, DO_UNLOCK, INIT_LOCK, ADD_REF, SUB_REF): Remove.
(do_system): Use posix_spawn instead of fork and execl and remove
reentracy code.
* sysdeps/generic/not-errno.h (__kill_noerrno): New prototype.
* sysdeps/unix/sysv/linux/not-errno.h (__kill_noerrno): Likewise.
* sysdeps/unix/sysv/linux/ia64/system.c: Remove file.
* sysdeps/unix/sysv/linux/s390/system.c: Likewise.
* sysdeps/unix/sysv/linux/sparc/system.c: Likewise.
* sysdeps/unix/sysv/linux/system.c: Likewise.
2018-10-24 19:29:38 +00:00
|
|
|
&& __sigismember (&attr->__sd, sig))
|
2016-01-19 19:33:32 +00:00
|
|
|
{
|
|
|
|
sa.sa_handler = SIG_DFL;
|
|
|
|
}
|
2023-01-12 13:58:51 +00:00
|
|
|
else if (!args->use_clone3 && __sigismember (&hset, sig))
|
2016-01-19 19:33:32 +00:00
|
|
|
{
|
2022-04-21 12:41:59 +00:00
|
|
|
if (is_internal_signal (sig))
|
2016-01-19 19:33:32 +00:00
|
|
|
sa.sa_handler = SIG_IGN;
|
|
|
|
else
|
|
|
|
{
|
|
|
|
__libc_sigaction (sig, 0, &sa);
|
2023-01-12 13:58:48 +00:00
|
|
|
if (sa.sa_handler == SIG_IGN || sa.sa_handler == SIG_DFL)
|
2016-01-19 19:33:32 +00:00
|
|
|
continue;
|
|
|
|
sa.sa_handler = SIG_DFL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
continue;
|
|
|
|
|
|
|
|
__libc_sigaction (sig, &sa, 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef _POSIX_PRIORITY_SCHEDULING
|
|
|
|
/* Set the scheduling algorithm and parameters. */
|
|
|
|
if ((attr->__flags & (POSIX_SPAWN_SETSCHEDPARAM | POSIX_SPAWN_SETSCHEDULER))
|
|
|
|
== POSIX_SPAWN_SETSCHEDPARAM)
|
|
|
|
{
|
2017-04-24 12:43:41 +00:00
|
|
|
if (__sched_setparam (0, &attr->__sp) == -1)
|
2016-01-19 19:33:32 +00:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
else if ((attr->__flags & POSIX_SPAWN_SETSCHEDULER) != 0)
|
|
|
|
{
|
2017-04-24 12:43:41 +00:00
|
|
|
if (__sched_setscheduler (0, attr->__policy, &attr->__sp) == -1)
|
2016-01-19 19:33:32 +00:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2017-04-21 13:40:56 +00:00
|
|
|
if ((attr->__flags & POSIX_SPAWN_SETSID) != 0
|
|
|
|
&& __setsid () < 0)
|
|
|
|
goto fail;
|
|
|
|
|
2016-01-19 19:33:32 +00:00
|
|
|
/* Set the process group ID. */
|
|
|
|
if ((attr->__flags & POSIX_SPAWN_SETPGROUP) != 0
|
2017-04-24 12:43:41 +00:00
|
|
|
&& __setpgid (0, attr->__pgrp) != 0)
|
2016-01-19 19:33:32 +00:00
|
|
|
goto fail;
|
|
|
|
|
|
|
|
/* Set the effective user and group IDs. */
|
|
|
|
if ((attr->__flags & POSIX_SPAWN_RESETIDS) != 0
|
2017-04-24 12:43:41 +00:00
|
|
|
&& (local_seteuid (__getuid ()) != 0
|
|
|
|
|| local_setegid (__getgid ()) != 0))
|
2016-01-19 19:33:32 +00:00
|
|
|
goto fail;
|
|
|
|
|
|
|
|
/* Execute the file actions. */
|
|
|
|
if (file_actions != 0)
|
|
|
|
{
|
|
|
|
int cnt;
|
|
|
|
struct rlimit64 fdlimit;
|
|
|
|
bool have_fdlimit = false;
|
|
|
|
|
|
|
|
for (cnt = 0; cnt < file_actions->__used; ++cnt)
|
|
|
|
{
|
|
|
|
struct __spawn_action *action = &file_actions->__actions[cnt];
|
|
|
|
|
|
|
|
switch (action->tag)
|
|
|
|
{
|
|
|
|
case spawn_do_close:
|
2017-07-03 18:22:58 +00:00
|
|
|
if (__close_nocancel (action->action.close_action.fd) != 0)
|
2016-01-19 19:33:32 +00:00
|
|
|
{
|
|
|
|
if (!have_fdlimit)
|
|
|
|
{
|
|
|
|
__getrlimit64 (RLIMIT_NOFILE, &fdlimit);
|
|
|
|
have_fdlimit = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Signal errors only for file descriptors out of range. */
|
|
|
|
if (action->action.close_action.fd < 0
|
|
|
|
|| action->action.close_action.fd >= fdlimit.rlim_cur)
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case spawn_do_open:
|
|
|
|
{
|
2016-09-16 20:44:50 +00:00
|
|
|
/* POSIX states that if fildes was already an open file descriptor,
|
|
|
|
it shall be closed before the new file is opened. This avoid
|
2023-05-23 10:50:31 +00:00
|
|
|
potential issues when posix_spawn plus addopen action is called
|
2016-09-16 20:44:50 +00:00
|
|
|
with the process already at maximum number of file descriptor
|
|
|
|
opened and also for multiple actions on single-open special
|
|
|
|
paths (like /dev/watchdog). */
|
2017-07-03 18:22:58 +00:00
|
|
|
__close_nocancel (action->action.open_action.fd);
|
2016-09-16 20:44:50 +00:00
|
|
|
|
2017-07-03 14:11:24 +00:00
|
|
|
int ret = __open_nocancel (action->action.open_action.path,
|
2017-04-24 12:43:41 +00:00
|
|
|
action->action.
|
|
|
|
open_action.oflag | O_LARGEFILE,
|
|
|
|
action->action.open_action.mode);
|
2016-01-19 19:33:32 +00:00
|
|
|
|
|
|
|
if (ret == -1)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
int new_fd = ret;
|
|
|
|
|
|
|
|
/* Make sure the desired file descriptor is used. */
|
|
|
|
if (ret != action->action.open_action.fd)
|
|
|
|
{
|
2017-04-24 12:43:41 +00:00
|
|
|
if (__dup2 (new_fd, action->action.open_action.fd)
|
2016-01-19 19:33:32 +00:00
|
|
|
!= action->action.open_action.fd)
|
|
|
|
goto fail;
|
|
|
|
|
2017-07-03 18:22:58 +00:00
|
|
|
if (__close_nocancel (new_fd) != 0)
|
2016-01-19 19:33:32 +00:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case spawn_do_dup2:
|
2018-09-19 19:14:34 +00:00
|
|
|
/* Austin Group issue #411 requires adddup2 action with source
|
|
|
|
and destination being equal to remove close-on-exec flag. */
|
|
|
|
if (action->action.dup2_action.fd
|
|
|
|
== action->action.dup2_action.newfd)
|
|
|
|
{
|
|
|
|
int fd = action->action.dup2_action.newfd;
|
|
|
|
int flags = __fcntl (fd, F_GETFD, 0);
|
|
|
|
if (flags == -1)
|
|
|
|
goto fail;
|
|
|
|
if (__fcntl (fd, F_SETFD, flags & ~FD_CLOEXEC) == -1)
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
else if (__dup2 (action->action.dup2_action.fd,
|
|
|
|
action->action.dup2_action.newfd)
|
|
|
|
!= action->action.dup2_action.newfd)
|
2016-01-19 19:33:32 +00:00
|
|
|
goto fail;
|
|
|
|
break;
|
2018-11-06 15:08:12 +00:00
|
|
|
|
|
|
|
case spawn_do_chdir:
|
|
|
|
if (__chdir (action->action.chdir_action.path) != 0)
|
|
|
|
goto fail;
|
|
|
|
break;
|
2018-12-07 14:00:04 +00:00
|
|
|
|
|
|
|
case spawn_do_fchdir:
|
|
|
|
if (__fchdir (action->action.fchdir_action.fd) != 0)
|
|
|
|
goto fail;
|
|
|
|
break;
|
2021-03-10 15:26:33 +00:00
|
|
|
|
|
|
|
case spawn_do_closefrom:
|
|
|
|
{
|
|
|
|
int lowfd = action->action.closefrom_action.from;
|
|
|
|
int r = INLINE_SYSCALL_CALL (close_range, lowfd, ~0U, 0);
|
|
|
|
if (r != 0 && !__closefrom_fallback (lowfd, false))
|
|
|
|
goto fail;
|
|
|
|
} break;
|
2022-01-27 13:11:30 +00:00
|
|
|
|
|
|
|
case spawn_do_tcsetpgrp:
|
|
|
|
{
|
|
|
|
/* Check if it is possible to avoid an extra syscall. */
|
|
|
|
pid_t pgrp = (attr->__flags & POSIX_SPAWN_SETPGROUP) != 0
|
|
|
|
&& attr->__pgrp != 0
|
|
|
|
? attr->__pgrp : __getpgid (0);
|
|
|
|
if (__tcsetpgrp (action->action.setpgrp_action.fd, pgrp) != 0)
|
|
|
|
goto fail;
|
|
|
|
}
|
2016-01-19 19:33:32 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Set the initial signal mask of the child if POSIX_SPAWN_SETSIGMASK
|
|
|
|
is set, otherwise restore the previous one. */
|
2022-04-21 12:41:59 +00:00
|
|
|
if (attr->__flags & POSIX_SPAWN_SETSIGMASK)
|
|
|
|
__sigprocmask (SIG_SETMASK, &attr->__ss, NULL);
|
|
|
|
else
|
|
|
|
internal_sigprocmask (SIG_SETMASK, &args->oldmask, NULL);
|
2016-01-19 19:33:32 +00:00
|
|
|
|
|
|
|
args->exec (args->file, args->argv, args->envp);
|
|
|
|
|
|
|
|
/* This is compatibility function required to enable posix_spawn run
|
|
|
|
script without shebang definition for older posix_spawn versions
|
|
|
|
(2.15). */
|
|
|
|
maybe_script_execute (args);
|
|
|
|
|
|
|
|
fail:
|
2016-09-28 00:52:17 +00:00
|
|
|
/* errno should have an appropriate non-zero value; otherwise,
|
|
|
|
there's a bug in glibc or the kernel. For lack of an error code
|
|
|
|
(EINTERNALBUG) describing that, use ECHILD. Another option would
|
|
|
|
be to set args->err to some negative sentinel and have the parent
|
|
|
|
abort(), but that seems needlessly harsh. */
|
|
|
|
args->err = errno ? : ECHILD;
|
2016-05-30 13:04:47 +00:00
|
|
|
_exit (SPAWN_ERROR);
|
2016-01-19 19:33:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Spawn a new process executing PATH with the attributes describes in *ATTRP.
|
|
|
|
Before running the process perform the actions described in FILE-ACTIONS. */
|
|
|
|
static int
|
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349)
Returning a pidfd allows a process to keep a race-free handle for a
child process, otherwise, the caller will need to either use pidfd_open
(which still might be subject to TOCTOU) or keep the old racy interface
base on pid_t.
To correct use pifd_spawn, the kernel must support not only returning
the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux
5.4). If kernel does not support the waitid, pidfd return ENOSYS.
It avoids the need to racy workarounds, such as reading the procfs
fdinfo to get the pid to use along with other wait interfaces.
These interfaces are similar to the posix_spawn and posix_spawnp, with
the only difference being it returns a process file descriptor (int)
instead of a process ID (pid_t). Their prototypes are:
int pidfd_spawn (int *restrict pidfd,
const char *restrict file,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict],
char *const envp[restrict])
int pidfd_spawnp (int *restrict pidfd,
const char *restrict path,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict_arr],
char *const envp[restrict_arr]);
A new symbol is used instead of a posix_spawn extension to avoid
possible issues with language bindings that might track the return
argument lifetime. Although on Linux pid_t and int are interchangeable,
POSIX only states that pid_t should be a signed integer.
Both symbols reuse the posix_spawn posix_spawn_file_actions_t and
posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It
also means that both interfaces support the same attribute and file
actions, and a new flag or file action on posix_spawn is also added
automatically for pidfd_spawn.
Also, using posix_spawn plumbing allows the reusing of most of the
current testing with some changes:
- waitid is used instead of waitpid since it is a more generic
interface.
- tst-posix_spawn-setsid.c is adapted to take into consideration that
the caller can check for session id directly. The test now spawns
itself and writes the session id as a file instead.
- tst-spawn3.c need to know where pidfd_spawn is used so it keeps an
extra file description unused.
Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid
support), Linux 5.4 (full support), and Linux 6.2.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
|
|
|
__spawnix (int *pid, const char *file,
|
2016-01-19 19:33:32 +00:00
|
|
|
const posix_spawn_file_actions_t * file_actions,
|
|
|
|
const posix_spawnattr_t * attrp, char *const argv[],
|
|
|
|
char *const envp[], int xflags,
|
|
|
|
int (*exec) (const char *, char *const *, char *const *))
|
|
|
|
{
|
|
|
|
pid_t new_pid;
|
|
|
|
struct posix_spawn_args args;
|
|
|
|
int ec;
|
|
|
|
|
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349)
Returning a pidfd allows a process to keep a race-free handle for a
child process, otherwise, the caller will need to either use pidfd_open
(which still might be subject to TOCTOU) or keep the old racy interface
base on pid_t.
To correct use pifd_spawn, the kernel must support not only returning
the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux
5.4). If kernel does not support the waitid, pidfd return ENOSYS.
It avoids the need to racy workarounds, such as reading the procfs
fdinfo to get the pid to use along with other wait interfaces.
These interfaces are similar to the posix_spawn and posix_spawnp, with
the only difference being it returns a process file descriptor (int)
instead of a process ID (pid_t). Their prototypes are:
int pidfd_spawn (int *restrict pidfd,
const char *restrict file,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict],
char *const envp[restrict])
int pidfd_spawnp (int *restrict pidfd,
const char *restrict path,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict_arr],
char *const envp[restrict_arr]);
A new symbol is used instead of a posix_spawn extension to avoid
possible issues with language bindings that might track the return
argument lifetime. Although on Linux pid_t and int are interchangeable,
POSIX only states that pid_t should be a signed integer.
Both symbols reuse the posix_spawn posix_spawn_file_actions_t and
posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It
also means that both interfaces support the same attribute and file
actions, and a new flag or file action on posix_spawn is also added
automatically for pidfd_spawn.
Also, using posix_spawn plumbing allows the reusing of most of the
current testing with some changes:
- waitid is used instead of waitpid since it is a more generic
interface.
- tst-posix_spawn-setsid.c is adapted to take into consideration that
the caller can check for session id directly. The test now spawns
itself and writes the session id as a file instead.
- tst-spawn3.c need to know where pidfd_spawn is used so it keeps an
extra file description unused.
Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid
support), Linux 5.4 (full support), and Linux 6.2.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
|
|
|
bool use_pidfd = xflags & SPAWN_XFLAGS_RET_PIDFD;
|
|
|
|
|
|
|
|
/* For CLONE_PIDFD, older kernels might not fail with unsupported flags or
|
|
|
|
some versions might not support waitid (P_PIDFD). So to avoid the need
|
|
|
|
to handle the error on the helper process, check for full pidfd
|
|
|
|
support.
|
|
|
|
ENOSYS is returned because without proper waitid support, pidfd_spawn
|
|
|
|
can not be used proporly independently of its arguments. */
|
|
|
|
if (use_pidfd && !__clone_pidfd_supported ())
|
|
|
|
return ENOSYS;
|
|
|
|
|
2016-01-19 19:33:32 +00:00
|
|
|
/* To avoid imposing hard limits on posix_spawn{p} the total number of
|
|
|
|
arguments is first calculated to allocate a mmap to hold all possible
|
|
|
|
values. */
|
|
|
|
ptrdiff_t argc = 0;
|
|
|
|
/* Linux allows at most max (0x7FFFFFFF, 1/4 stack size) arguments
|
|
|
|
to be used in a execve call. We limit to INT_MAX minus one due the
|
2023-05-23 10:50:31 +00:00
|
|
|
compatibility code that may execute a shell script (maybe_script_execute)
|
2016-01-19 19:33:32 +00:00
|
|
|
where it will construct another argument list with an additional
|
|
|
|
argument. */
|
|
|
|
ptrdiff_t limit = INT_MAX - 1;
|
|
|
|
while (argv[argc++] != NULL)
|
|
|
|
if (argc == limit)
|
|
|
|
{
|
|
|
|
errno = E2BIG;
|
|
|
|
return errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
int prot = (PROT_READ | PROT_WRITE
|
|
|
|
| ((GL (dl_stack_flags) & PF_X) ? PROT_EXEC : 0));
|
|
|
|
|
|
|
|
/* Add a slack area for child's stack. */
|
|
|
|
size_t argv_size = (argc * sizeof (void *)) + 512;
|
posix_spawn: use a larger min stack for -fstack-check [BZ #21253]
When glibc is built with -fstack-check, trying to use posix_spawn can
lead to segfaults due to gcc internally probing stack memory too far.
The new spawn API will allocate a minimum of 1 page, but the stack
checking logic might probe a couple of pages. When it tries to walk
them, everything falls apart.
The gcc internal docs [1] state the default interval checking is one
page. Which means we need two pages (the current one, and the next
probed). No target currently defines it larger.
Further, it mentions that the default minimum stack size needed to
recover from an overflow is 4/8KiB for sjlj or 8/12KiB for others.
But some Linux targets (like mips and ppc) go up to 16KiB (and some
non-Linux targets go up to 24KiB).
Let's create each child with a minimum of 32KiB slack space to support
them all, and give us future breathing room.
No test is added as existing ones crash. Even a simple call is
enough to trigger the problem:
char *argv[] = { "/bin/ls", NULL };
posix_spawn(NULL, "/bin/ls", NULL, NULL, argv, NULL);
[1] https://gcc.gnu.org/onlinedocs/gcc-6.3.0/gccint/Stack-Checking.html
2017-03-16 06:59:31 +00:00
|
|
|
/* We need at least a few pages in case the compiler's stack checking is
|
|
|
|
enabled. In some configs, it is known to use at least 24KiB. We use
|
|
|
|
32KiB to be "safe" from anything the compiler might do. Besides, the
|
2021-03-10 15:26:33 +00:00
|
|
|
extra pages won't actually be allocated unless they get used.
|
|
|
|
It also acts the slack for spawn_closefrom (including MIPS64 getdents64
|
|
|
|
where it might use about 1k extra stack space). */
|
posix_spawn: use a larger min stack for -fstack-check [BZ #21253]
When glibc is built with -fstack-check, trying to use posix_spawn can
lead to segfaults due to gcc internally probing stack memory too far.
The new spawn API will allocate a minimum of 1 page, but the stack
checking logic might probe a couple of pages. When it tries to walk
them, everything falls apart.
The gcc internal docs [1] state the default interval checking is one
page. Which means we need two pages (the current one, and the next
probed). No target currently defines it larger.
Further, it mentions that the default minimum stack size needed to
recover from an overflow is 4/8KiB for sjlj or 8/12KiB for others.
But some Linux targets (like mips and ppc) go up to 16KiB (and some
non-Linux targets go up to 24KiB).
Let's create each child with a minimum of 32KiB slack space to support
them all, and give us future breathing room.
No test is added as existing ones crash. Even a simple call is
enough to trigger the problem:
char *argv[] = { "/bin/ls", NULL };
posix_spawn(NULL, "/bin/ls", NULL, NULL, argv, NULL);
[1] https://gcc.gnu.org/onlinedocs/gcc-6.3.0/gccint/Stack-Checking.html
2017-03-16 06:59:31 +00:00
|
|
|
argv_size += (32 * 1024);
|
2016-01-19 19:33:32 +00:00
|
|
|
size_t stack_size = ALIGN_UP (argv_size, GLRO(dl_pagesize));
|
|
|
|
void *stack = __mmap (NULL, stack_size, prot,
|
|
|
|
MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
|
|
|
|
if (__glibc_unlikely (stack == MAP_FAILED))
|
2016-09-28 00:52:17 +00:00
|
|
|
return errno;
|
2016-01-19 19:33:32 +00:00
|
|
|
|
|
|
|
/* Disable asynchronous cancellation. */
|
2016-09-14 17:07:20 +00:00
|
|
|
int state;
|
2021-04-21 17:49:50 +00:00
|
|
|
__pthread_setcancelstate (PTHREAD_CANCEL_DISABLE, &state);
|
2016-01-19 19:33:32 +00:00
|
|
|
|
2016-09-28 00:52:17 +00:00
|
|
|
/* Child must set args.err to something non-negative - we rely on
|
|
|
|
the parent and child sharing VM. */
|
posix: Fix improper assert in Linux posix_spawn (BZ#22273)
As noted by Florian Weimer, current Linux posix_spawn implementation
can trigger an assert if the auxiliary process is terminated before
actually setting the err member:
340 /* Child must set args.err to something non-negative - we rely on
341 the parent and child sharing VM. */
342 args.err = -1;
[...]
362 new_pid = CLONE (__spawni_child, STACK (stack, stack_size), stack_size,
363 CLONE_VM | CLONE_VFORK | SIGCHLD, &args);
364
365 if (new_pid > 0)
366 {
367 ec = args.err;
368 assert (ec >= 0);
Another possible issue is killing the child between setting the err and
actually calling execve. In this case the process will not ran, but
posix_spawn also will not report any error:
269
270 args->err = 0;
271 args->exec (args->file, args->argv, args->envp);
As suggested by Andreas Schwab, this patch removes the faulty assert
and also handles any signal that happens before fork and execve as the
spawn was successful (and thus relaying the handling to the caller to
figure this out). Different than Florian, I can not see why using
atomics to set err would help here, essentially the code runs
sequentially (due CLONE_VFORK) and I think it would not be legal the
compiler evaluate ec without checking for new_pid result (thus there
is no need to compiler barrier).
Summarizing the possible scenarios on posix_spawn execution, we
have:
1. For default case with a success execution, args.err will be 0, pid
will not be collected and it will be reported to caller.
2. For default failure case, args.err will be positive and the it will
be collected by the waitpid. An error will be reported to the
caller.
3. For the unlikely case where the process was terminated and not
collected by a caller signal handler, it will be reported as succeful
execution and not be collected by posix_spawn (since args.err will
be 0). The caller will need to actually handle this case.
4. For the unlikely case where the process was terminated and collected
by caller we have 3 other possible scenarios:
4.1. The auxiliary process was terminated with args.err equal to 0:
it will handled as 1. (so it does not matter if we hit the pid
reuse race since we won't possible collect an unexpected
process).
4.2. The auxiliary process was terminated after execve (due a failure
in calling it) and before setting args.err to -1: it will also
be handle as 1. but with the issue of not be able to report the
caller a possible execve failures.
4.3. The auxiliary process was terminated after args.err is set to -1:
this is the case where it will be possible to hit the pid reuse
case where we will need to collected the auxiliary pid but we
can not be sure if it will be expected one. I think for this
case we need to actually change waitpid to use WNOHANG to avoid
hanging indefinitely on the call and report an error to caller
since we can't differentiate between a default failure as 2.
and a possible pid reuse race issue.
Checked on x86_64-linux-gnu.
* sysdeps/unix/sysv/linux/spawni.c (__spawnix): Handle the case where
the auxiliary process is terminated by a signal before calling _exit
or execve.
2017-10-12 18:20:57 +00:00
|
|
|
args.err = 0;
|
2016-01-19 19:33:32 +00:00
|
|
|
args.file = file;
|
|
|
|
args.exec = exec;
|
|
|
|
args.fa = file_actions;
|
|
|
|
args.attr = attrp ? attrp : &(const posix_spawnattr_t) { 0 };
|
|
|
|
args.argv = argv;
|
|
|
|
args.argc = argc;
|
|
|
|
args.envp = envp;
|
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349)
Returning a pidfd allows a process to keep a race-free handle for a
child process, otherwise, the caller will need to either use pidfd_open
(which still might be subject to TOCTOU) or keep the old racy interface
base on pid_t.
To correct use pifd_spawn, the kernel must support not only returning
the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux
5.4). If kernel does not support the waitid, pidfd return ENOSYS.
It avoids the need to racy workarounds, such as reading the procfs
fdinfo to get the pid to use along with other wait interfaces.
These interfaces are similar to the posix_spawn and posix_spawnp, with
the only difference being it returns a process file descriptor (int)
instead of a process ID (pid_t). Their prototypes are:
int pidfd_spawn (int *restrict pidfd,
const char *restrict file,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict],
char *const envp[restrict])
int pidfd_spawnp (int *restrict pidfd,
const char *restrict path,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict_arr],
char *const envp[restrict_arr]);
A new symbol is used instead of a posix_spawn extension to avoid
possible issues with language bindings that might track the return
argument lifetime. Although on Linux pid_t and int are interchangeable,
POSIX only states that pid_t should be a signed integer.
Both symbols reuse the posix_spawn posix_spawn_file_actions_t and
posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It
also means that both interfaces support the same attribute and file
actions, and a new flag or file action on posix_spawn is also added
automatically for pidfd_spawn.
Also, using posix_spawn plumbing allows the reusing of most of the
current testing with some changes:
- waitid is used instead of waitpid since it is a more generic
interface.
- tst-posix_spawn-setsid.c is adapted to take into consideration that
the caller can check for session id directly. The test now spawns
itself and writes the session id as a file instead.
- tst-spawn3.c need to know where pidfd_spawn is used so it keeps an
extra file description unused.
Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid
support), Linux 5.4 (full support), and Linux 6.2.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
|
|
|
args.pidfd = 0;
|
2016-01-19 19:33:32 +00:00
|
|
|
args.xflags = xflags;
|
|
|
|
|
2022-04-21 12:41:59 +00:00
|
|
|
internal_signal_block_all (&args.oldmask);
|
2016-01-19 19:33:32 +00:00
|
|
|
|
|
|
|
/* The clone flags used will create a new child that will run in the same
|
|
|
|
memory space (CLONE_VM) and the execution of calling thread will be
|
2016-09-28 00:52:17 +00:00
|
|
|
suspend until the child calls execve or _exit.
|
|
|
|
|
2016-01-19 19:33:32 +00:00
|
|
|
Also since the calling thread execution will be suspend, there is not
|
|
|
|
need for CLONE_SETTLS. Although parent and child share the same TLS
|
|
|
|
namespace, there will be no concurrent access for TLS variables (errno
|
|
|
|
for instance). */
|
2023-08-24 16:42:17 +00:00
|
|
|
bool set_cgroup = attrp ? (attrp->__flags & POSIX_SPAWN_SETCGROUP) : false;
|
Add an internal wrapper for clone, clone2 and clone3
The clone3 system call (since Linux 5.3) provides a superset of the
functionality of clone and clone2. It also provides a number of API
improvements, including the ability to specify the size of the child's
stack area which can be used by kernel to compute the shadow stack size
when allocating the shadow stack. Add:
extern int __clone_internal (struct clone_args *__cl_args,
int (*__func) (void *__arg), void *__arg);
to provide an abstract interface for clone, clone2 and clone3.
1. Simplify stack management for thread creation by passing both stack
base and size to create_thread.
2. Consolidate clone vs clone2 differences into a single file.
3. Call __clone3 if HAVE_CLONE3_WAPPER is defined. If __clone3 returns
-1 with ENOSYS, fall back to clone or clone2.
4. Use only __clone_internal to clone a thread. Since the stack size
argument for create_thread is now unconditional, always pass stack size
to create_thread.
5. Enable the public clone3 wrapper in the future after it has been
added to all targets.
NB: Sandbox will return ENOSYS on clone3 in both Chromium:
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/218438259dd795456f0a48f67cbe5b4e520db88b
commit 218438259dd795456f0a48f67cbe5b4e520db88b
Author: Matthew Denton <mpdenton@chromium.org>
Date: Thu Jun 03 20:06:13 2021
Linux sandbox: return ENOSYS for clone3
Because clone3 uses a pointer argument rather than a flags argument, we
cannot examine the contents with seccomp, which is essential to
preventing sandboxed processes from starting other processes. So, we
won't be able to support clone3 in Chromium. This CL modifies the
BPF policy to return ENOSYS for clone3 so glibc always uses the fallback
to clone.
Bug: 1213452
Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#888980}
[modify] https://crrev.com/218438259dd795456f0a48f67cbe5b4e520db88b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
and Firefox:
https://hg.mozilla.org/integration/autoland/rev/ecb4011a0c76
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-02-13 19:47:46 +00:00
|
|
|
struct clone_args clone_args =
|
|
|
|
{
|
2023-01-12 13:58:51 +00:00
|
|
|
/* Unsupported flags like CLONE_CLEAR_SIGHAND will be cleared up by
|
|
|
|
__clone_internal_fallback. */
|
2023-08-24 16:42:17 +00:00
|
|
|
.flags = (set_cgroup ? CLONE_INTO_CGROUP : 0)
|
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349)
Returning a pidfd allows a process to keep a race-free handle for a
child process, otherwise, the caller will need to either use pidfd_open
(which still might be subject to TOCTOU) or keep the old racy interface
base on pid_t.
To correct use pifd_spawn, the kernel must support not only returning
the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux
5.4). If kernel does not support the waitid, pidfd return ENOSYS.
It avoids the need to racy workarounds, such as reading the procfs
fdinfo to get the pid to use along with other wait interfaces.
These interfaces are similar to the posix_spawn and posix_spawnp, with
the only difference being it returns a process file descriptor (int)
instead of a process ID (pid_t). Their prototypes are:
int pidfd_spawn (int *restrict pidfd,
const char *restrict file,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict],
char *const envp[restrict])
int pidfd_spawnp (int *restrict pidfd,
const char *restrict path,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict_arr],
char *const envp[restrict_arr]);
A new symbol is used instead of a posix_spawn extension to avoid
possible issues with language bindings that might track the return
argument lifetime. Although on Linux pid_t and int are interchangeable,
POSIX only states that pid_t should be a signed integer.
Both symbols reuse the posix_spawn posix_spawn_file_actions_t and
posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It
also means that both interfaces support the same attribute and file
actions, and a new flag or file action on posix_spawn is also added
automatically for pidfd_spawn.
Also, using posix_spawn plumbing allows the reusing of most of the
current testing with some changes:
- waitid is used instead of waitpid since it is a more generic
interface.
- tst-posix_spawn-setsid.c is adapted to take into consideration that
the caller can check for session id directly. The test now spawns
itself and writes the session id as a file instead.
- tst-spawn3.c need to know where pidfd_spawn is used so it keeps an
extra file description unused.
Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid
support), Linux 5.4 (full support), and Linux 6.2.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
|
|
|
| (use_pidfd ? CLONE_PIDFD : 0)
|
2023-08-24 16:42:17 +00:00
|
|
|
| CLONE_CLEAR_SIGHAND
|
|
|
|
| CLONE_VM
|
|
|
|
| CLONE_VFORK,
|
Add an internal wrapper for clone, clone2 and clone3
The clone3 system call (since Linux 5.3) provides a superset of the
functionality of clone and clone2. It also provides a number of API
improvements, including the ability to specify the size of the child's
stack area which can be used by kernel to compute the shadow stack size
when allocating the shadow stack. Add:
extern int __clone_internal (struct clone_args *__cl_args,
int (*__func) (void *__arg), void *__arg);
to provide an abstract interface for clone, clone2 and clone3.
1. Simplify stack management for thread creation by passing both stack
base and size to create_thread.
2. Consolidate clone vs clone2 differences into a single file.
3. Call __clone3 if HAVE_CLONE3_WAPPER is defined. If __clone3 returns
-1 with ENOSYS, fall back to clone or clone2.
4. Use only __clone_internal to clone a thread. Since the stack size
argument for create_thread is now unconditional, always pass stack size
to create_thread.
5. Enable the public clone3 wrapper in the future after it has been
added to all targets.
NB: Sandbox will return ENOSYS on clone3 in both Chromium:
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/218438259dd795456f0a48f67cbe5b4e520db88b
commit 218438259dd795456f0a48f67cbe5b4e520db88b
Author: Matthew Denton <mpdenton@chromium.org>
Date: Thu Jun 03 20:06:13 2021
Linux sandbox: return ENOSYS for clone3
Because clone3 uses a pointer argument rather than a flags argument, we
cannot examine the contents with seccomp, which is essential to
preventing sandboxed processes from starting other processes. So, we
won't be able to support clone3 in Chromium. This CL modifies the
BPF policy to return ENOSYS for clone3 so glibc always uses the fallback
to clone.
Bug: 1213452
Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#888980}
[modify] https://crrev.com/218438259dd795456f0a48f67cbe5b4e520db88b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
and Firefox:
https://hg.mozilla.org/integration/autoland/rev/ecb4011a0c76
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-02-13 19:47:46 +00:00
|
|
|
.exit_signal = SIGCHLD,
|
|
|
|
.stack = (uintptr_t) stack,
|
|
|
|
.stack_size = stack_size,
|
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349)
Returning a pidfd allows a process to keep a race-free handle for a
child process, otherwise, the caller will need to either use pidfd_open
(which still might be subject to TOCTOU) or keep the old racy interface
base on pid_t.
To correct use pifd_spawn, the kernel must support not only returning
the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux
5.4). If kernel does not support the waitid, pidfd return ENOSYS.
It avoids the need to racy workarounds, such as reading the procfs
fdinfo to get the pid to use along with other wait interfaces.
These interfaces are similar to the posix_spawn and posix_spawnp, with
the only difference being it returns a process file descriptor (int)
instead of a process ID (pid_t). Their prototypes are:
int pidfd_spawn (int *restrict pidfd,
const char *restrict file,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict],
char *const envp[restrict])
int pidfd_spawnp (int *restrict pidfd,
const char *restrict path,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict_arr],
char *const envp[restrict_arr]);
A new symbol is used instead of a posix_spawn extension to avoid
possible issues with language bindings that might track the return
argument lifetime. Although on Linux pid_t and int are interchangeable,
POSIX only states that pid_t should be a signed integer.
Both symbols reuse the posix_spawn posix_spawn_file_actions_t and
posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It
also means that both interfaces support the same attribute and file
actions, and a new flag or file action on posix_spawn is also added
automatically for pidfd_spawn.
Also, using posix_spawn plumbing allows the reusing of most of the
current testing with some changes:
- waitid is used instead of waitpid since it is a more generic
interface.
- tst-posix_spawn-setsid.c is adapted to take into consideration that
the caller can check for session id directly. The test now spawns
itself and writes the session id as a file instead.
- tst-spawn3.c need to know where pidfd_spawn is used so it keeps an
extra file description unused.
Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid
support), Linux 5.4 (full support), and Linux 6.2.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
|
|
|
.cgroup = (set_cgroup ? attrp->__cgroup : 0),
|
|
|
|
.pidfd = use_pidfd ? (uintptr_t) &args.pidfd : 0,
|
|
|
|
/* This is require for clone fallback, where pidfd is returned
|
|
|
|
on parent_tid. */
|
|
|
|
.parent_tid = use_pidfd ? (uintptr_t) &args.pidfd : 0,
|
Add an internal wrapper for clone, clone2 and clone3
The clone3 system call (since Linux 5.3) provides a superset of the
functionality of clone and clone2. It also provides a number of API
improvements, including the ability to specify the size of the child's
stack area which can be used by kernel to compute the shadow stack size
when allocating the shadow stack. Add:
extern int __clone_internal (struct clone_args *__cl_args,
int (*__func) (void *__arg), void *__arg);
to provide an abstract interface for clone, clone2 and clone3.
1. Simplify stack management for thread creation by passing both stack
base and size to create_thread.
2. Consolidate clone vs clone2 differences into a single file.
3. Call __clone3 if HAVE_CLONE3_WAPPER is defined. If __clone3 returns
-1 with ENOSYS, fall back to clone or clone2.
4. Use only __clone_internal to clone a thread. Since the stack size
argument for create_thread is now unconditional, always pass stack size
to create_thread.
5. Enable the public clone3 wrapper in the future after it has been
added to all targets.
NB: Sandbox will return ENOSYS on clone3 in both Chromium:
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/218438259dd795456f0a48f67cbe5b4e520db88b
commit 218438259dd795456f0a48f67cbe5b4e520db88b
Author: Matthew Denton <mpdenton@chromium.org>
Date: Thu Jun 03 20:06:13 2021
Linux sandbox: return ENOSYS for clone3
Because clone3 uses a pointer argument rather than a flags argument, we
cannot examine the contents with seccomp, which is essential to
preventing sandboxed processes from starting other processes. So, we
won't be able to support clone3 in Chromium. This CL modifies the
BPF policy to return ENOSYS for clone3 so glibc always uses the fallback
to clone.
Bug: 1213452
Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#888980}
[modify] https://crrev.com/218438259dd795456f0a48f67cbe5b4e520db88b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
and Firefox:
https://hg.mozilla.org/integration/autoland/rev/ecb4011a0c76
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-02-13 19:47:46 +00:00
|
|
|
};
|
2023-01-12 13:58:51 +00:00
|
|
|
#ifdef HAVE_CLONE3_WRAPPER
|
|
|
|
args.use_clone3 = true;
|
|
|
|
new_pid = __clone3 (&clone_args, sizeof (clone_args), __spawni_child,
|
|
|
|
&args);
|
|
|
|
/* clone3 was added in 5.3 and CLONE_CLEAR_SIGHAND in 5.5. */
|
|
|
|
if (new_pid == -1 && (errno == ENOSYS || errno == EINVAL))
|
|
|
|
#endif
|
|
|
|
{
|
|
|
|
args.use_clone3 = false;
|
2023-08-24 16:42:17 +00:00
|
|
|
if (!set_cgroup)
|
|
|
|
new_pid = __clone_internal_fallback (&clone_args, __spawni_child,
|
|
|
|
&args);
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* No fallback for POSIX_SPAWN_SETCGROUP if clone3 is not
|
|
|
|
supported. */
|
|
|
|
new_pid = -1;
|
|
|
|
#ifdef HAVE_CLONE3_WRAPPER
|
|
|
|
if (errno == ENOSYS)
|
|
|
|
#endif
|
|
|
|
errno = ENOTSUP;
|
|
|
|
}
|
2023-01-12 13:58:51 +00:00
|
|
|
}
|
2016-01-19 19:33:32 +00:00
|
|
|
|
posix: Fix improper assert in Linux posix_spawn (BZ#22273)
As noted by Florian Weimer, current Linux posix_spawn implementation
can trigger an assert if the auxiliary process is terminated before
actually setting the err member:
340 /* Child must set args.err to something non-negative - we rely on
341 the parent and child sharing VM. */
342 args.err = -1;
[...]
362 new_pid = CLONE (__spawni_child, STACK (stack, stack_size), stack_size,
363 CLONE_VM | CLONE_VFORK | SIGCHLD, &args);
364
365 if (new_pid > 0)
366 {
367 ec = args.err;
368 assert (ec >= 0);
Another possible issue is killing the child between setting the err and
actually calling execve. In this case the process will not ran, but
posix_spawn also will not report any error:
269
270 args->err = 0;
271 args->exec (args->file, args->argv, args->envp);
As suggested by Andreas Schwab, this patch removes the faulty assert
and also handles any signal that happens before fork and execve as the
spawn was successful (and thus relaying the handling to the caller to
figure this out). Different than Florian, I can not see why using
atomics to set err would help here, essentially the code runs
sequentially (due CLONE_VFORK) and I think it would not be legal the
compiler evaluate ec without checking for new_pid result (thus there
is no need to compiler barrier).
Summarizing the possible scenarios on posix_spawn execution, we
have:
1. For default case with a success execution, args.err will be 0, pid
will not be collected and it will be reported to caller.
2. For default failure case, args.err will be positive and the it will
be collected by the waitpid. An error will be reported to the
caller.
3. For the unlikely case where the process was terminated and not
collected by a caller signal handler, it will be reported as succeful
execution and not be collected by posix_spawn (since args.err will
be 0). The caller will need to actually handle this case.
4. For the unlikely case where the process was terminated and collected
by caller we have 3 other possible scenarios:
4.1. The auxiliary process was terminated with args.err equal to 0:
it will handled as 1. (so it does not matter if we hit the pid
reuse race since we won't possible collect an unexpected
process).
4.2. The auxiliary process was terminated after execve (due a failure
in calling it) and before setting args.err to -1: it will also
be handle as 1. but with the issue of not be able to report the
caller a possible execve failures.
4.3. The auxiliary process was terminated after args.err is set to -1:
this is the case where it will be possible to hit the pid reuse
case where we will need to collected the auxiliary pid but we
can not be sure if it will be expected one. I think for this
case we need to actually change waitpid to use WNOHANG to avoid
hanging indefinitely on the call and report an error to caller
since we can't differentiate between a default failure as 2.
and a possible pid reuse race issue.
Checked on x86_64-linux-gnu.
* sysdeps/unix/sysv/linux/spawni.c (__spawnix): Handle the case where
the auxiliary process is terminated by a signal before calling _exit
or execve.
2017-10-12 18:20:57 +00:00
|
|
|
/* It needs to collect the case where the auxiliary process was created
|
|
|
|
but failed to execute the file (due either any preparation step or
|
|
|
|
for execve itself). */
|
2016-01-19 19:33:32 +00:00
|
|
|
if (new_pid > 0)
|
|
|
|
{
|
posix: Fix improper assert in Linux posix_spawn (BZ#22273)
As noted by Florian Weimer, current Linux posix_spawn implementation
can trigger an assert if the auxiliary process is terminated before
actually setting the err member:
340 /* Child must set args.err to something non-negative - we rely on
341 the parent and child sharing VM. */
342 args.err = -1;
[...]
362 new_pid = CLONE (__spawni_child, STACK (stack, stack_size), stack_size,
363 CLONE_VM | CLONE_VFORK | SIGCHLD, &args);
364
365 if (new_pid > 0)
366 {
367 ec = args.err;
368 assert (ec >= 0);
Another possible issue is killing the child between setting the err and
actually calling execve. In this case the process will not ran, but
posix_spawn also will not report any error:
269
270 args->err = 0;
271 args->exec (args->file, args->argv, args->envp);
As suggested by Andreas Schwab, this patch removes the faulty assert
and also handles any signal that happens before fork and execve as the
spawn was successful (and thus relaying the handling to the caller to
figure this out). Different than Florian, I can not see why using
atomics to set err would help here, essentially the code runs
sequentially (due CLONE_VFORK) and I think it would not be legal the
compiler evaluate ec without checking for new_pid result (thus there
is no need to compiler barrier).
Summarizing the possible scenarios on posix_spawn execution, we
have:
1. For default case with a success execution, args.err will be 0, pid
will not be collected and it will be reported to caller.
2. For default failure case, args.err will be positive and the it will
be collected by the waitpid. An error will be reported to the
caller.
3. For the unlikely case where the process was terminated and not
collected by a caller signal handler, it will be reported as succeful
execution and not be collected by posix_spawn (since args.err will
be 0). The caller will need to actually handle this case.
4. For the unlikely case where the process was terminated and collected
by caller we have 3 other possible scenarios:
4.1. The auxiliary process was terminated with args.err equal to 0:
it will handled as 1. (so it does not matter if we hit the pid
reuse race since we won't possible collect an unexpected
process).
4.2. The auxiliary process was terminated after execve (due a failure
in calling it) and before setting args.err to -1: it will also
be handle as 1. but with the issue of not be able to report the
caller a possible execve failures.
4.3. The auxiliary process was terminated after args.err is set to -1:
this is the case where it will be possible to hit the pid reuse
case where we will need to collected the auxiliary pid but we
can not be sure if it will be expected one. I think for this
case we need to actually change waitpid to use WNOHANG to avoid
hanging indefinitely on the call and report an error to caller
since we can't differentiate between a default failure as 2.
and a possible pid reuse race issue.
Checked on x86_64-linux-gnu.
* sysdeps/unix/sysv/linux/spawni.c (__spawnix): Handle the case where
the auxiliary process is terminated by a signal before calling _exit
or execve.
2017-10-12 18:20:57 +00:00
|
|
|
/* Also, it handles the unlikely case where the auxiliary process was
|
|
|
|
terminated before calling execve as if it was successfully. The
|
|
|
|
args.err is set to 0 as default and changed to a positive value
|
|
|
|
only in case of failure, so in case of premature termination
|
|
|
|
due a signal args.err will remain zeroed and it will be up to
|
|
|
|
caller to actually collect it. */
|
2016-09-28 00:52:17 +00:00
|
|
|
ec = args.err;
|
posix: Fix improper assert in Linux posix_spawn (BZ#22273)
As noted by Florian Weimer, current Linux posix_spawn implementation
can trigger an assert if the auxiliary process is terminated before
actually setting the err member:
340 /* Child must set args.err to something non-negative - we rely on
341 the parent and child sharing VM. */
342 args.err = -1;
[...]
362 new_pid = CLONE (__spawni_child, STACK (stack, stack_size), stack_size,
363 CLONE_VM | CLONE_VFORK | SIGCHLD, &args);
364
365 if (new_pid > 0)
366 {
367 ec = args.err;
368 assert (ec >= 0);
Another possible issue is killing the child between setting the err and
actually calling execve. In this case the process will not ran, but
posix_spawn also will not report any error:
269
270 args->err = 0;
271 args->exec (args->file, args->argv, args->envp);
As suggested by Andreas Schwab, this patch removes the faulty assert
and also handles any signal that happens before fork and execve as the
spawn was successful (and thus relaying the handling to the caller to
figure this out). Different than Florian, I can not see why using
atomics to set err would help here, essentially the code runs
sequentially (due CLONE_VFORK) and I think it would not be legal the
compiler evaluate ec without checking for new_pid result (thus there
is no need to compiler barrier).
Summarizing the possible scenarios on posix_spawn execution, we
have:
1. For default case with a success execution, args.err will be 0, pid
will not be collected and it will be reported to caller.
2. For default failure case, args.err will be positive and the it will
be collected by the waitpid. An error will be reported to the
caller.
3. For the unlikely case where the process was terminated and not
collected by a caller signal handler, it will be reported as succeful
execution and not be collected by posix_spawn (since args.err will
be 0). The caller will need to actually handle this case.
4. For the unlikely case where the process was terminated and collected
by caller we have 3 other possible scenarios:
4.1. The auxiliary process was terminated with args.err equal to 0:
it will handled as 1. (so it does not matter if we hit the pid
reuse race since we won't possible collect an unexpected
process).
4.2. The auxiliary process was terminated after execve (due a failure
in calling it) and before setting args.err to -1: it will also
be handle as 1. but with the issue of not be able to report the
caller a possible execve failures.
4.3. The auxiliary process was terminated after args.err is set to -1:
this is the case where it will be possible to hit the pid reuse
case where we will need to collected the auxiliary pid but we
can not be sure if it will be expected one. I think for this
case we need to actually change waitpid to use WNOHANG to avoid
hanging indefinitely on the call and report an error to caller
since we can't differentiate between a default failure as 2.
and a possible pid reuse race issue.
Checked on x86_64-linux-gnu.
* sysdeps/unix/sysv/linux/spawni.c (__spawnix): Handle the case where
the auxiliary process is terminated by a signal before calling _exit
or execve.
2017-10-12 18:20:57 +00:00
|
|
|
if (ec > 0)
|
|
|
|
/* There still an unlikely case where the child is cancelled after
|
2017-10-21 13:33:27 +00:00
|
|
|
setting args.err, due to a positive error value. Also there is
|
posix: Fix improper assert in Linux posix_spawn (BZ#22273)
As noted by Florian Weimer, current Linux posix_spawn implementation
can trigger an assert if the auxiliary process is terminated before
actually setting the err member:
340 /* Child must set args.err to something non-negative - we rely on
341 the parent and child sharing VM. */
342 args.err = -1;
[...]
362 new_pid = CLONE (__spawni_child, STACK (stack, stack_size), stack_size,
363 CLONE_VM | CLONE_VFORK | SIGCHLD, &args);
364
365 if (new_pid > 0)
366 {
367 ec = args.err;
368 assert (ec >= 0);
Another possible issue is killing the child between setting the err and
actually calling execve. In this case the process will not ran, but
posix_spawn also will not report any error:
269
270 args->err = 0;
271 args->exec (args->file, args->argv, args->envp);
As suggested by Andreas Schwab, this patch removes the faulty assert
and also handles any signal that happens before fork and execve as the
spawn was successful (and thus relaying the handling to the caller to
figure this out). Different than Florian, I can not see why using
atomics to set err would help here, essentially the code runs
sequentially (due CLONE_VFORK) and I think it would not be legal the
compiler evaluate ec without checking for new_pid result (thus there
is no need to compiler barrier).
Summarizing the possible scenarios on posix_spawn execution, we
have:
1. For default case with a success execution, args.err will be 0, pid
will not be collected and it will be reported to caller.
2. For default failure case, args.err will be positive and the it will
be collected by the waitpid. An error will be reported to the
caller.
3. For the unlikely case where the process was terminated and not
collected by a caller signal handler, it will be reported as succeful
execution and not be collected by posix_spawn (since args.err will
be 0). The caller will need to actually handle this case.
4. For the unlikely case where the process was terminated and collected
by caller we have 3 other possible scenarios:
4.1. The auxiliary process was terminated with args.err equal to 0:
it will handled as 1. (so it does not matter if we hit the pid
reuse race since we won't possible collect an unexpected
process).
4.2. The auxiliary process was terminated after execve (due a failure
in calling it) and before setting args.err to -1: it will also
be handle as 1. but with the issue of not be able to report the
caller a possible execve failures.
4.3. The auxiliary process was terminated after args.err is set to -1:
this is the case where it will be possible to hit the pid reuse
case where we will need to collected the auxiliary pid but we
can not be sure if it will be expected one. I think for this
case we need to actually change waitpid to use WNOHANG to avoid
hanging indefinitely on the call and report an error to caller
since we can't differentiate between a default failure as 2.
and a possible pid reuse race issue.
Checked on x86_64-linux-gnu.
* sysdeps/unix/sysv/linux/spawni.c (__spawnix): Handle the case where
the auxiliary process is terminated by a signal before calling _exit
or execve.
2017-10-12 18:20:57 +00:00
|
|
|
possible pid reuse race (where the kernel allocated the same pid
|
2017-10-21 13:33:27 +00:00
|
|
|
to an unrelated process). Unfortunately due synchronization
|
|
|
|
issues where the kernel might not have the process collected
|
|
|
|
the waitpid below can not use WNOHANG. */
|
|
|
|
__waitpid (new_pid, NULL, 0);
|
2016-01-19 19:33:32 +00:00
|
|
|
}
|
|
|
|
else
|
2022-05-02 15:39:43 +00:00
|
|
|
ec = errno;
|
2016-01-19 19:33:32 +00:00
|
|
|
|
|
|
|
__munmap (stack, stack_size);
|
|
|
|
|
2016-03-21 15:10:20 +00:00
|
|
|
if ((ec == 0) && (pid != NULL))
|
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349)
Returning a pidfd allows a process to keep a race-free handle for a
child process, otherwise, the caller will need to either use pidfd_open
(which still might be subject to TOCTOU) or keep the old racy interface
base on pid_t.
To correct use pifd_spawn, the kernel must support not only returning
the pidfd with clone/clone3 but also waitid (P_PIDFD) (added on Linux
5.4). If kernel does not support the waitid, pidfd return ENOSYS.
It avoids the need to racy workarounds, such as reading the procfs
fdinfo to get the pid to use along with other wait interfaces.
These interfaces are similar to the posix_spawn and posix_spawnp, with
the only difference being it returns a process file descriptor (int)
instead of a process ID (pid_t). Their prototypes are:
int pidfd_spawn (int *restrict pidfd,
const char *restrict file,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict],
char *const envp[restrict])
int pidfd_spawnp (int *restrict pidfd,
const char *restrict path,
const posix_spawn_file_actions_t *restrict facts,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict_arr],
char *const envp[restrict_arr]);
A new symbol is used instead of a posix_spawn extension to avoid
possible issues with language bindings that might track the return
argument lifetime. Although on Linux pid_t and int are interchangeable,
POSIX only states that pid_t should be a signed integer.
Both symbols reuse the posix_spawn posix_spawn_file_actions_t and
posix_spawnattr_t, to void rehash posix_spawn API or add a new one. It
also means that both interfaces support the same attribute and file
actions, and a new flag or file action on posix_spawn is also added
automatically for pidfd_spawn.
Also, using posix_spawn plumbing allows the reusing of most of the
current testing with some changes:
- waitid is used instead of waitpid since it is a more generic
interface.
- tst-posix_spawn-setsid.c is adapted to take into consideration that
the caller can check for session id directly. The test now spawns
itself and writes the session id as a file instead.
- tst-spawn3.c need to know where pidfd_spawn is used so it keeps an
extra file description unused.
Checked on x86_64-linux-gnu on Linux 4.15 (no CLONE_PIDFD or waitid
support), Linux 5.4 (full support), and Linux 6.2.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-24 16:42:18 +00:00
|
|
|
*pid = use_pidfd ? args.pidfd : new_pid;
|
2016-01-19 19:33:32 +00:00
|
|
|
|
2022-04-21 12:41:59 +00:00
|
|
|
internal_signal_restore_set (&args.oldmask);
|
2016-01-19 19:33:32 +00:00
|
|
|
|
2021-04-21 17:49:50 +00:00
|
|
|
__pthread_setcancelstate (state, NULL);
|
2016-01-19 19:33:32 +00:00
|
|
|
|
|
|
|
return ec;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Spawn a new process executing PATH with the attributes describes in *ATTRP.
|
|
|
|
Before running the process perform the actions described in FILE-ACTIONS. */
|
|
|
|
int
|
|
|
|
__spawni (pid_t * pid, const char *file,
|
|
|
|
const posix_spawn_file_actions_t * acts,
|
|
|
|
const posix_spawnattr_t * attrp, char *const argv[],
|
|
|
|
char *const envp[], int xflags)
|
|
|
|
{
|
2018-06-06 17:07:34 +00:00
|
|
|
/* It uses __execvpex to avoid run ENOEXEC in non compatibility mode (it
|
|
|
|
will be handled by maybe_script_execute). */
|
2016-01-19 19:33:32 +00:00
|
|
|
return __spawnix (pid, file, acts, attrp, argv, envp, xflags,
|
2018-06-06 17:07:34 +00:00
|
|
|
xflags & SPAWN_XFLAGS_USE_PATH ? __execvpex :__execve);
|
2016-01-19 19:33:32 +00:00
|
|
|
}
|