1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
7 // Fork, exec, wait, etc.
17 //sysnb raw_fork() (pid Pid_t, err Errno)
20 //sysnb raw_getpid() (pid Pid_t)
23 //sysnb raw_getppid() (pid Pid_t)
26 //sysnb raw_setsid() (err Errno)
29 //sysnb raw_setpgid(pid int, pgid int) (err Errno)
30 //setpgid(pid Pid_t, pgid Pid_t) _C_int
32 //sysnb raw_chroot(path *byte) (err Errno)
33 //chroot(path *byte) _C_int
35 //sysnb raw_chdir(path *byte) (err Errno)
36 //chdir(path *byte) _C_int
38 //sysnb raw_fcntl(fd int, cmd int, arg int) (val int, err Errno)
39 //__go_fcntl(fd _C_int, cmd _C_int, arg _C_int) _C_int
41 //sysnb raw_close(fd int) (err Errno)
42 //close(fd _C_int) _C_int
44 //sysnb raw_ioctl(fd int, cmd uintptr, val int) (rval int, err Errno)
45 //__go_ioctl(fd _C_int, cmd _C_int, val _C_int) _C_int
47 //sysnb raw_ioctl_ptr(fd int, cmd uintptr, val unsafe.Pointer) (rval int, err Errno)
48 //__go_ioctl_ptr(fd _C_int, cmd _C_int, val unsafe.Pointer) _C_int
50 //sysnb raw_execve(argv0 *byte, argv **byte, envv **byte) (err Errno)
51 //execve(argv0 *byte, argv **byte, envv **byte) _C_int
53 //sysnb raw_write(fd int, buf *byte, count int) (err Errno)
54 //write(fd _C_int, buf *byte, count Size_t) Ssize_t
56 //sysnb raw_exit(status int)
57 //_exit(status _C_int)
59 //sysnb raw_dup2(oldfd int, newfd int) (err Errno)
60 //dup2(oldfd _C_int, newfd _C_int) _C_int
62 //sysnb raw_kill(pid Pid_t, sig Signal) (err Errno)
63 //kill(pid Pid_t, sig _C_int) _C_int
65 //sysnb raw_setgroups(size int, list unsafe.Pointer) (err Errno)
66 //setgroups(size Size_t, list *Gid_t) _C_int
68 // Lock synchronizing creation of new file descriptors with fork.
70 // We want the child in a fork/exec sequence to inherit only the
71 // file descriptors we intend. To do that, we mark all file
72 // descriptors close-on-exec and then, in the child, explicitly
73 // unmark the ones we want the exec'ed program to keep.
74 // Unix doesn't make this easy: there is, in general, no way to
75 // allocate a new file descriptor close-on-exec. Instead you
76 // have to allocate the descriptor and then mark it close-on-exec.
77 // If a fork happens between those two events, the child's exec
78 // will inherit an unwanted file descriptor.
80 // This lock solves that race: the create new fd/mark close-on-exec
81 // operation is done holding ForkLock for reading, and the fork itself
82 // is done holding ForkLock for writing. At least, that's the idea.
83 // There are some complications.
85 // Some system calls that create new file descriptors can block
86 // for arbitrarily long times: open on a hung NFS server or named
87 // pipe, accept on a socket, and so on. We can't reasonably grab
88 // the lock across those operations.
90 // It is worse to inherit some file descriptors than others.
91 // If a non-malicious child accidentally inherits an open ordinary file,
92 // that's not a big deal. On the other hand, if a long-lived child
93 // accidentally inherits the write end of a pipe, then the reader
94 // of that pipe will not see EOF until that child exits, potentially
95 // causing the parent program to hang. This is a common problem
96 // in threaded C programs that use popen.
98 // Luckily, the file descriptors that are most important not to
99 // inherit are not the ones that can take an arbitrarily long time
100 // to create: pipe returns instantly, and the net package uses
101 // non-blocking I/O to accept on a listening socket.
102 // The rules for which file descriptor-creating operations use the
103 // ForkLock are as follows:
105 // 1) Pipe. Does not block. Use the ForkLock.
106 // 2) Socket. Does not block. Use the ForkLock.
107 // 3) Accept. If using non-blocking mode, use the ForkLock.
108 // Otherwise, live with the race.
109 // 4) Open. Can block. Use O_CLOEXEC if available (GNU/Linux).
110 // Otherwise, live with the race.
111 // 5) Dup. Does not block. Use the ForkLock.
112 // On GNU/Linux, could use fcntl F_DUPFD_CLOEXEC
113 // instead of the ForkLock, but only for dup(fd, -1).
115 var ForkLock sync
.RWMutex
117 // StringSlicePtr converts a slice of strings to a slice of pointers
118 // to NUL-terminated byte arrays. If any string contains a NUL byte
119 // this function panics instead of returning an error.
121 // Deprecated: Use SlicePtrFromStrings instead.
122 func StringSlicePtr(ss
[]string) []*byte {
123 bb
:= make([]*byte, len(ss
)+1)
124 for i
:= 0; i
< len(ss
); i
++ {
125 bb
[i
] = StringBytePtr(ss
[i
])
131 // SlicePtrFromStrings converts a slice of strings to a slice of
132 // pointers to NUL-terminated byte arrays. If any string contains
133 // a NUL byte, it returns (nil, EINVAL).
134 func SlicePtrFromStrings(ss
[]string) ([]*byte, error
) {
136 bb
:= make([]*byte, len(ss
)+1)
137 for i
:= 0; i
< len(ss
); i
++ {
138 bb
[i
], err
= BytePtrFromString(ss
[i
])
147 func CloseOnExec(fd
int) { fcntl(fd
, F_SETFD
, FD_CLOEXEC
) }
149 func SetNonblock(fd
int, nonblocking
bool) (err error
) {
150 flag
, err
:= fcntl(fd
, F_GETFL
, 0)
159 _
, err
= fcntl(fd
, F_SETFL
, flag
)
163 // Credential holds user and group identities to be assumed
164 // by a child process started by StartProcess.
165 type Credential
struct {
166 Uid
uint32 // User ID.
167 Gid
uint32 // Group ID.
168 Groups
[]uint32 // Supplementary group IDs.
169 NoSetGroups
bool // If true, don't set supplementary groups
172 // ProcAttr holds attributes that will be applied to a new process started
174 type ProcAttr
struct {
175 Dir
string // Current working directory.
176 Env
[]string // Environment.
177 Files
[]uintptr // File descriptors.
181 var zeroProcAttr ProcAttr
182 var zeroSysProcAttr SysProcAttr
184 func forkExec(argv0
string, argv
[]string, attr
*ProcAttr
) (pid
int, err error
) {
188 var wstatus WaitStatus
195 sys
= &zeroSysProcAttr
201 // Convert args to C form.
202 argv0p
, err
:= BytePtrFromString(argv0
)
206 argvp
, err
:= SlicePtrFromStrings(argv
)
210 envvp
, err
:= SlicePtrFromStrings(attr
.Env
)
215 if (runtime
.GOOS
== "freebsd" || runtime
.GOOS
== "dragonfly") && len(argv
[0]) > len(argv0
) {
220 if sys
.Chroot
!= "" {
221 chroot
, err
= BytePtrFromString(sys
.Chroot
)
228 dir
, err
= BytePtrFromString(attr
.Dir
)
234 // Acquire the fork lock so that no other threads
235 // create new fds that are not yet close-on-exec
239 // Allocate child status pipe close on exec.
240 if err
= forkExecPipe(p
[:]); err
!= nil {
245 pid
, err1
= forkAndExecInChild(argv0p
, argvp
, envvp
, chroot
, dir
, attr
, sys
, p
[1])
252 // Read child error status from pipe.
254 n
, err
= readlen(p
[0], (*byte)(unsafe
.Pointer(&err1
)), int(unsafe
.Sizeof(err1
)))
256 if err
!= nil || n
!= 0 {
257 if n
== int(unsafe
.Sizeof(err1
)) {
264 // Child failed; wait for it to exit, to make sure
265 // the zombies don't accumulate.
266 _
, err1
:= Wait4(pid
, &wstatus
, 0, nil)
268 _
, err1
= Wait4(pid
, &wstatus
, 0, nil)
273 // Read got EOF, so pipe closed on exec, so exec succeeded.
285 // Combination of fork and exec, careful to be thread safe.
286 func ForkExec(argv0
string, argv
[]string, attr
*ProcAttr
) (pid
int, err error
) {
287 return forkExec(argv0
, argv
, attr
)
290 // StartProcess wraps ForkExec for package os.
291 func StartProcess(argv0
string, argv
[]string, attr
*ProcAttr
) (pid
int, handle
uintptr, err error
) {
292 pid
, err
= forkExec(argv0
, argv
, attr
)
296 // Implemented in runtime package.
297 func runtime_BeforeExec()
298 func runtime_AfterExec()
300 // execveSolaris is non-nil on Solaris, set to execve in exec_solaris.go; this
301 // avoids a build dependency for other platforms.
302 var execveSolaris
func(path
uintptr, argv
uintptr, envp
uintptr) (err Errno
)
304 // Exec invokes the execve(2) system call.
305 func Exec(argv0
string, argv
[]string, envv
[]string) (err error
) {
306 argv0p
, err
:= BytePtrFromString(argv0
)
310 argvp
, err
:= SlicePtrFromStrings(argv
)
314 envvp
, err
:= SlicePtrFromStrings(envv
)
320 err1
:= raw_execve(argv0p
, &argvp
[0], &envvp
[0])