| blob | 73b4d3507c892638bbda59f6bf83917b8674dc8c |
1 /* spawn a new process running an executable. Hurd version.
2 Copyright (C) 2001,02 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public License as
7 published by the Free Software Foundation; either version 2.1 of the
8 License, or (at your option) any later version.
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; see the file COPYING.LIB. If not,
17 write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
18 Boston, MA 02111-1307, USA. */
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <paths.h>
23 #include <spawn.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <unistd.h>
27 #include <hurd.h>
28 #include <hurd/signal.h>
29 #include <hurd/fd.h>
30 #include <hurd/id.h>
31 #include <hurd/lookup.h>
32 #include <hurd/resource.h>
33 #include <assert.h>
34 #include <argz.h>
37 /* Spawn a new process executing PATH with the attributes describes in *ATTRP.
38 Before running the process perform the actions described in FILE-ACTIONS. */
39 int
45 {
46 pid_t new_pid;
52 /* The generic POSIX.1 implementation of posix_spawn uses fork and exec.
53 In traditional POSIX systems (Unix, Linux, etc), the only way to
54 create a new process is by fork, which also copies all the things from
55 the parent process that will be immediately wiped and replaced by the
56 exec.
58 This Hurd implementation works by doing an exec on a fresh task,
59 without ever doing all the work of fork. The only work done by fork
60 that remains visible after an exec is registration with the proc
61 server, and the inheritance of various values and ports. All those
62 inherited values and ports are what get collected up and passed in the
63 file_exec RPC by an exec call. So we do the proc server registration
64 here, following the model of fork (see fork.c). We then collect up
65 the inherited values and ports from this (parent) process following
66 the model of exec (see hurd/hurdexec.c), modify or replace each value
67 that fork would (plus the specific changes demanded by ATTRP and
68 FILE_ACTIONS), and make the file_exec RPC on the requested executable
69 file with the child process's task port rather than our own. This
70 should be indistinguishable from the fork + exec implementation,
71 except that all errors will be detected here (in the parent process)
72 and return proper errno codes rather than the child dying with 127.
74 XXX The one exception to this supposed indistinguishableness is that
75 when posix_spawn_file_actions_addopen has been used, the parent
76 process can do various filesystem RPCs on the child's behalf, rather
77 than the child process doing it. If these block due to a broken or
78 malicious filesystem server or just a blocked network fs or a serial
79 port waiting for carrier detect (!!), the parent's posix_spawn call
80 can block arbitrarily rather than just the child blocking. Possible
81 solutions include:
82 * punt to plain fork + exec implementation if addopen was used
83 ** easy to do
84 ** gives up all benefits of this implementation in that case
85 * if addopen was used, don't do any file actions at all here;
86 instead, exec an installed helper program e.g.:
87 /libexec/spawn-helper close 3 dup2 1 2 open 0 /file 0x123 0666 exec /bin/foo foo a1 a2
88 ** extra exec might be more or less overhead than fork
89 * could do some weird half-fork thing where the child would inherit
90 our vm and run some code here, but not do the full work of fork
92 XXX Actually, the parent opens the executable file on behalf of
93 the child, and that has all the same issues.
95 I am favoring the half-fork solution. That is, we do task_create with
96 vm inheritance, and we setjmp/longjmp the child like fork does. But
97 rather than all the fork hair, the parent just packs up init/dtable
98 ports and does a single IPC to a receive right inserted in the child. */
100 error_t err;
101 task_t task;
102 file_t execfile;
103 process_t proc;
104 auth_t auth;
113 /* For POSIX_SPAWN_RESETIDS, this reauthenticates our root/current
114 directory ports with the new AUTH port. */
117 {
118 error_t err;
119 mach_port_t ref;
123 err = HURD_PORT_USE
125 ({
130 result);
131 err;
132 }));
135 }
137 /* Reauthenticate one of our file descriptors for the child. A null
138 element of DTABLE_CELLS indicates a descriptor that was already
139 reauthenticated, or was newly opened on behalf of the child. */
141 {
143 {
144 file_t newfile;
158 }
160 }
162 /* These callbacks are for looking up file names on behalf of the child. */
164 {
167 {
176 }
179 }
181 {
183 {
185 {
186 /* Reauthenticate this descriptor right now,
187 since it is going to be used on behalf of the child. */
191 }
195 }
198 }
201 {
204 }
207 /* Do this once. */
210 /* Generate the new process. We create a task that does not inherit our
211 memory, and then register it as our child like fork does. See fork.c
212 for comments about the sequencing of these proc operations. */
215 #ifdef KERN_INVALID_LEDGER
217 #endif
221 // From here down we must deallocate TASK and PROC before returning.
232 /* Load up the ints to give the new program. */
246 /* Unless we were asked to reset all handlers to SIG_DFL,
247 pass down the set of signals that were set to SIG_IGN. */
253 /* We hold the sigstate lock until the exec has failed so that no signal
254 can arrive between when we pack the blocked and ignored signals, and
255 when the exec actually happens. A signal handler could change what
256 signals are blocked and ignored. Either the change will be reflected
257 in the exec, or the signal will never be delivered. Setting the
258 critical section flag avoids anything we call trying to acquire the
259 sigstate lock. */
263 /* Set signal mask. */
267 #ifdef _POSIX_PRIORITY_SCHEDULING
268 /* Set the scheduling algorithm and parameters. */
269 # error implement me
272 {
275 }
277 {
282 }
283 #endif
285 /* Set the process group ID. */
289 /* Set the effective user and group IDs. */
291 {
292 /* We need a different auth port for the child. */
297 {
298 /* Set up _hurd_id.rid_auth. This is a special auth server port
299 which uses the real uid and gid (the first aux uid and gid) as
300 the only effective uid and gid. */
303 /* We do not have a real UID and GID. Lose, lose, lose! */
306 /* Create a new auth port using our real UID and GID (the first
307 auxiliary UID and GID) as the only effective IDs. */
319 }
321 {
322 /* Use the real-ID auth port in place of the normal one. */
327 }
329 }
330 else
331 /* Copy our existing auth port. */
339 /* Pack up the descriptor table to give the new program.
340 These descriptors will need to be reauthenticated below
341 if POSIX_SPAWN_RESETIDS is set. */
350 {
353 {
357 }
358 /* Note that this might return MACH_PORT_NULL. */
362 }
365 /* Safe to let signals happen now. */
368 /* Execute the file actions. */
371 {
372 /* Close a file descriptor in the child. */
374 {
377 {
380 else
381 {
384 }
388 }
390 }
392 /* Make sure the dtable can hold NEWFD. */
393 #define EXPAND_DTABLE(newfd) \
394 ({ \
395 if ((unsigned int)newfd >= dtablesize \
396 && newfd < _hurd_rlimits[RLIMIT_OFILE].rlim_cur) \
397 { \
399 NEW_TABLE (dtable, newfd); \
400 NEW_TABLE (ulink_dtable, newfd); \
401 NEW_TABLE (dtable_cells, newfd); \
402 } \
403 ((unsigned int)newfd < dtablesize ? 0 : EMFILE); \
404 })
405 #define NEW_TABLE(x, newfd) \
406 do { __typeof (x) new_##x = __alloca ((newfd + 1) * sizeof (x[0])); \
407 memcpy (new_##x, x, dtablesize * sizeof (x[0])); \
408 memset (&new_##x[dtablesize], 0, (newfd + 1 - dtablesize) * sizeof (x[0])); \
409 x = new_##x; } while (0)
414 {
422 {
425 // dup2 always clears any old FD_CLOEXEC flag on the new fd.
429 // Same is same as same was.
433 {
434 /* Close the old NEWFD and replace it with FD's
435 contents, which can be either an original
436 descriptor (DTABLE_CELLS[FD] != 0) or a new
437 right that we acquired in this function. */
443 else
444 {
449 }
450 }
451 }
452 else
453 // The old FD specified was bogus.
458 /* Open a file on behalf of the child.
460 XXX note that this can subject the parent to arbitrary
461 delays waiting for the files to open. I don't know what the
462 spec says about this. If it's not permissible, then this
463 whole forkless implementation is probably untenable. */
464 {
480 }
481 }
485 }
487 /* Only now can we perform FD_CLOEXEC. We had to leave the descriptors
488 unmolested for the file actions to use. Note that the DTABLE_CLOEXEC
489 array is never expanded by file actions, so it might now have fewer
490 than DTABLESIZE elements. */
493 {
497 }
499 /* Prune trailing null ports from the descriptor table. */
504 {
505 /* Reauthenticate all the child's ports with its new auth handle. */
507 mach_port_t ref;
508 process_t newproc;
510 /* Reauthenticate with the proc server. */
519 {
522 }
529 /* We must reauthenticate all the fds except those that came from
530 `spawn_do_open' file actions, which were opened using the child's
531 auth port to begin with. */
534 }
538 /* Now we are ready to open the executable file using the child's ports.
539 We do this after performing all the file actions so the order of
540 events is the same as for a fork, exec sequence. This affects things
541 like the meaning of a /dev/fd file name, as well as which error
542 conditions are diagnosed first and what side effects (file creation,
543 etc) can be observed before what errors. */
546 /* The FILE parameter is actually a path. */
548 else
549 {
550 /* We have to search for FILE on the path. */
553 {
554 /* There is no `PATH' in the environment.
555 The default search path is the current directory
556 followed by the path `confstr' returns for `_CS_PATH'. */
561 }
566 /* Copy the file name at the top. */
568 /* And add the slash. */
572 do
573 {
580 /* Two adjacent colons, or a colon at the beginning or the end
581 of `PATH' means to search the current directory. */
583 else
586 /* Try to open this file name. */
589 {
594 /* Those errors indicate the file is missing or not executable
595 v by us, in which case we want to just try the next path
596 directory. */
601 /* Some other error means we found an executable file, but
602 something went wrong executing it; return the error to our
603 caller. */
605 }
607 // We only get here when we are done looking for the file.
609 }
611 }
615 /* Almost there! */
616 {
623 {
632 }
634 /* Now we are out of things that can fail before the file_exec RPC,
635 for which everything else must be prepared. The only thing left
636 to do is packing up the argument and environment strings,
637 and the array of init ports. */
644 /* Load up the ports to give to the new program.
645 Note the loop/switch below must parallel exactly to release refs. */
647 {
649 {
658 {
661 }
665 {
668 }
670 }
672 }
674 /* Finally, try executing the file we opened. */
680 {
681 /* The file is accessible but it is not an executable file.
682 Invoke the shell to interpret it as a script. */
687 {
690 }
691 }
693 /* Release the references just packed up in PORTS.
694 This switch must always parallel the one above that fills PORTS. */
696 {
698 {
710 }
712 }
716 }
718 /* We did it! We have a child! */
722 out:
723 /* Clean up all the references we are now holding. */
726 {
728 /* We failed after creating the task, so kill it. */
731 }
740 /* Release references to the file descriptor ports. */
743 {
746 else
748 }
751 /* This hack canonicalizes the error code that we return. */
755 }