/* Authors: Gregory P. Smith & Jeffrey Yasskin */ #ifndef Py_BUILD_CORE_BUILTIN #define Py_BUILD_CORE_MODULE … #endif #include "Python.h" #include "pycore_fileutils.h" #include "pycore_pystate.h" #include "pycore_signal.h" // _Py_RestoreSignals() #if defined(HAVE_PIPE2) && !defined(_GNU_SOURCE) #define _GNU_SOURCE #endif #include <unistd.h> // close() #include <fcntl.h> // fcntl() #ifdef HAVE_SYS_TYPES_H # include <sys/types.h> #endif #if defined(HAVE_SYS_STAT_H) # include <sys/stat.h> // stat() #endif #ifdef HAVE_SYS_SYSCALL_H # include <sys/syscall.h> #endif #if defined(HAVE_SYS_RESOURCE_H) # include <sys/resource.h> #endif #ifdef HAVE_DIRENT_H # include <dirent.h> // opendir() #endif #if defined(HAVE_SETGROUPS) # include <grp.h> // setgroups() #endif #include "posixmodule.h" #ifdef _Py_MEMORY_SANITIZER # include <sanitizer/msan_interface.h> #endif #if defined(__ANDROID__) && __ANDROID_API__ < 21 && !defined(SYS_getdents64) # include <sys/linux-syscalls.h> #define SYS_getdents64 … #endif #if defined(__linux__) && defined(HAVE_VFORK) && defined(HAVE_SIGNAL_H) && \ defined(HAVE_PTHREAD_SIGMASK) && !defined(HAVE_BROKEN_PTHREAD_SIGMASK) /* If this is ever expanded to non-Linux platforms, verify what calls are * allowed after vfork(). Ex: setsid() may be disallowed on macOS? */ # include <signal.h> #define VFORK_USABLE … #endif #if defined(__sun) && defined(__SVR4) /* readdir64 is used to work around Solaris 9 bug 6395699. */ #define readdir … #define dirent … # if !defined(HAVE_DIRFD) /* Some versions of Solaris lack dirfd(). */ #define dirfd … #define HAVE_DIRFD # endif #endif #if defined(__FreeBSD__) || (defined(__APPLE__) && defined(__MACH__)) || defined(__DragonFly__) #define FD_DIR … #else #define FD_DIR … #endif #ifdef NGROUPS_MAX #define MAX_GROUPS … #else #define MAX_GROUPS … #endif #define POSIX_CALL(call) … static struct PyModuleDef _posixsubprocessmodule; /*[clinic input] module _posixsubprocess [clinic start generated code]*/ /*[clinic end generated code: output=da39a3ee5e6b4b0d input=c62211df27cf7334]*/ /*[python input] class pid_t_converter(CConverter): type = 'pid_t' format_unit = '" _Py_PARSE_PID "' def parse_arg(self, argname, displayname, *, limited_capi): return self.format_code(""" {paramname} = PyLong_AsPid({argname}); if ({paramname} == -1 && PyErr_Occurred()) {{{{ goto exit; }}}} """, argname=argname) [python start generated code]*/ /*[python end generated code: output=da39a3ee5e6b4b0d input=c94349aa1aad151d]*/ #include "clinic/_posixsubprocess.c.h" /* Convert ASCII to a positive int, no libc call. no overflow. -1 on error. */ static int _pos_int_from_ascii(const char *name) { … } #if defined(__FreeBSD__) || defined(__DragonFly__) /* When /dev/fd isn't mounted it is often a static directory populated * with 0 1 2 or entries for 0 .. 63 on FreeBSD, NetBSD, OpenBSD and DragonFlyBSD. * NetBSD and OpenBSD have a /proc fs available (though not necessarily * mounted) and do not have fdescfs for /dev/fd. MacOS X has a devfs * that properly supports /dev/fd. */ static int _is_fdescfs_mounted_on_dev_fd(void) { struct stat dev_stat; struct stat dev_fd_stat; if (stat("/dev", &dev_stat) != 0) return 0; if (stat(FD_DIR, &dev_fd_stat) != 0) return 0; if (dev_stat.st_dev == dev_fd_stat.st_dev) return 0; /* / == /dev == /dev/fd means it is static. #fail */ return 1; } #endif /* Returns 1 if there is a problem with fd_sequence, 0 otherwise. */ static int _sanity_check_python_fd_sequence(PyObject *fd_sequence) { … } /* Is fd found in the sorted Python Sequence? */ static int _is_fd_in_sorted_fd_sequence(int fd, int *fd_sequence, Py_ssize_t fd_sequence_len) { … } // Forward declaration static void _Py_FreeCharPArray(char *const array[]); /* * Flatten a sequence of bytes() objects into a C array of * NULL terminated string pointers with a NULL char* terminating the array. * (ie: an argv or env list) * * Memory allocated for the returned list is allocated using PyMem_Malloc() * and MUST be freed by _Py_FreeCharPArray(). */ static char *const * _PySequence_BytesToCharpArray(PyObject* self) { … } /* Free's a NULL terminated char** array of C strings. */ static void _Py_FreeCharPArray(char *const array[]) { … } /* * Do all the Python C API calls in the parent process to turn the pass_fds * "py_fds_to_keep" tuple into a C array. The caller owns allocation and * freeing of the array. * * On error an unknown number of array elements may have been filled in. * A Python exception has been set when an error is returned. * * Returns: -1 on error, 0 on success. */ static int convert_fds_to_keep_to_c(PyObject *py_fds_to_keep, int *c_fds_to_keep) { … } /* This function must be async-signal-safe as it is called from child_exec() * after fork() or vfork(). */ static int make_inheritable(int *c_fds_to_keep, Py_ssize_t len, int errpipe_write) { … } /* Get the maximum file descriptor that could be opened by this process. * This function is async signal safe for use between fork() and exec(). */ static long safe_get_max_fd(void) { … } /* Close all file descriptors in the given range except for those in * fds_to_keep by invoking closer on each subrange. * * If end_fd == -1, it's guessed via safe_get_max_fd(), but it isn't * possible to know for sure what the max fd to go up to is for * processes with the capability of raising their maximum, or in case * a process opened a high fd and then lowered its maximum. */ static int _close_range_except(int start_fd, int end_fd, int *fds_to_keep, Py_ssize_t fds_to_keep_len, int (*closer)(int, int)) { … } #if defined(__linux__) && defined(HAVE_SYS_SYSCALL_H) /* It doesn't matter if d_name has room for NAME_MAX chars; we're using this * only to read a directory of short file descriptor number names. The kernel * will return an error if we didn't give it enough space. Highly Unlikely. * This structure is very old and stable: It will not change unless the kernel * chooses to break compatibility with all existing binaries. Highly Unlikely. */ struct linux_dirent64 { … }; static int _brute_force_closer(int first, int last) { … } /* Close all open file descriptors in the range from start_fd and higher * Do not close any in the sorted fds_to_keep list. * * This version is async signal safe as it does not make any unsafe C library * calls, malloc calls or handle any locks. It is _unfortunate_ to be forced * to resort to making a kernel system call directly but this is the ONLY api * available that does no harm. opendir/readdir/closedir perform memory * allocation and locking so while they usually work they are not guaranteed * to (especially if you have replaced your malloc implementation). A version * of this function that uses those can be found in the _maybe_unsafe variant. * * This is Linux specific because that is all I am ready to test it on. It * should be easy to add OS specific dirent or dirent64 structures and modify * it with some cpp #define magic to work on other OSes as well if you want. */ static void _close_open_fds_safe(int start_fd, int *fds_to_keep, Py_ssize_t fds_to_keep_len) { … } #define _close_open_fds_fallback … #else /* NOT (defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)) */ static int _unsafe_closer(int first, int last) { _Py_closerange(first, last); return 0; } /* Close all open file descriptors from start_fd and higher. * Do not close any in the sorted fds_to_keep tuple. * * This function violates the strict use of async signal safe functions. :( * It calls opendir(), readdir() and closedir(). Of these, the one most * likely to ever cause a problem is opendir() as it performs an internal * malloc(). Practically this should not be a problem. The Java VM makes the * same calls between fork and exec in its own UNIXProcess_md.c implementation. * * readdir_r() is not used because it provides no benefit. It is typically * implemented as readdir() followed by memcpy(). See also: * http://womble.decadent.org.uk/readdir_r-advisory.html */ static void _close_open_fds_maybe_unsafe(int start_fd, int *fds_to_keep, Py_ssize_t fds_to_keep_len) { DIR *proc_fd_dir; #ifndef HAVE_DIRFD while (_is_fd_in_sorted_fd_sequence(start_fd, fds_to_keep, fds_to_keep_len)) { ++start_fd; } /* Close our lowest fd before we call opendir so that it is likely to * reuse that fd otherwise we might close opendir's file descriptor in * our loop. This trick assumes that fd's are allocated on a lowest * available basis. */ close(start_fd); ++start_fd; #endif #if defined(__FreeBSD__) || defined(__DragonFly__) if (!_is_fdescfs_mounted_on_dev_fd()) proc_fd_dir = NULL; else #endif proc_fd_dir = opendir(FD_DIR); if (!proc_fd_dir) { /* No way to get a list of open fds. */ _close_range_except(start_fd, -1, fds_to_keep, fds_to_keep_len, _unsafe_closer); } else { struct dirent *dir_entry; #ifdef HAVE_DIRFD int fd_used_by_opendir = dirfd(proc_fd_dir); #else int fd_used_by_opendir = start_fd - 1; #endif errno = 0; while ((dir_entry = readdir(proc_fd_dir))) { int fd; if ((fd = _pos_int_from_ascii(dir_entry->d_name)) < 0) continue; /* Not a number. */ if (fd != fd_used_by_opendir && fd >= start_fd && !_is_fd_in_sorted_fd_sequence(fd, fds_to_keep, fds_to_keep_len)) { close(fd); } errno = 0; } if (errno) { /* readdir error, revert behavior. Highly Unlikely. */ _close_range_except(start_fd, -1, fds_to_keep, fds_to_keep_len, _unsafe_closer); } closedir(proc_fd_dir); } } #define _close_open_fds_fallback … #endif /* else NOT (defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)) */ /* We can use close_range() library function only if it's known to be * async-signal-safe. * * On Linux, glibc explicitly documents it to be a thin wrapper over * the system call, and other C libraries are likely to follow glibc. */ #if defined(HAVE_CLOSE_RANGE) && \ (defined(__linux__) || defined(__FreeBSD__)) #define HAVE_ASYNC_SAFE_CLOSE_RANGE static int _close_range_closer(int first, int last) { … } #endif static void _close_open_fds(int start_fd, int *fds_to_keep, Py_ssize_t fds_to_keep_len) { … } #ifdef VFORK_USABLE /* Reset dispositions for all signals to SIG_DFL except for ignored * signals. This way we ensure that no signal handlers can run * after we unblock signals in a child created by vfork(). */ static void reset_signal_handlers(const sigset_t *child_sigmask) { … } #endif /* VFORK_USABLE */ /* * This function is code executed in the child process immediately after * (v)fork to set things up and call exec(). * * All of the code in this function must only use async-signal-safe functions, * listed at `man 7 signal` or * http://www.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html. * * This restriction is documented at * http://www.opengroup.org/onlinepubs/009695399/functions/fork.html. * * If this function is called after vfork(), even more care must be taken. * The lack of preparations that C libraries normally take on fork(), * as well as sharing the address space with the parent, might make even * async-signal-safe functions vfork-unsafe. In particular, on Linux, * set*id() and setgroups() library functions must not be called, since * they have to interact with the library-level thread list and send * library-internal signals to implement per-process credentials semantics * required by POSIX but not supported natively on Linux. Another reason to * avoid this family of functions is that sharing an address space between * processes running with different privileges is inherently insecure. * See https://bugs.python.org/issue35823 for discussion and references. * * In some C libraries, setrlimit() has the same thread list/signalling * behavior since resource limits were per-thread attributes before * Linux 2.6.10. Musl, as of 1.2.1, is known to have this issue * (https://www.openwall.com/lists/musl/2020/10/15/6). * * If vfork-unsafe functionality is desired after vfork(), consider using * syscall() to obtain it. */ Py_NO_INLINE static void child_exec(char *const exec_array[], char *const argv[], char *const envp[], const char *cwd, int p2cread, int p2cwrite, int c2pread, int c2pwrite, int errread, int errwrite, int errpipe_read, int errpipe_write, int close_fds, int restore_signals, int call_setsid, pid_t pgid_to_set, gid_t gid, Py_ssize_t extra_group_size, const gid_t *extra_groups, uid_t uid, int child_umask, const void *child_sigmask, int *fds_to_keep, Py_ssize_t fds_to_keep_len, PyObject *preexec_fn, PyObject *preexec_fn_args_tuple) { … } /* The main purpose of this wrapper function is to isolate vfork() from both * subprocess_fork_exec() and child_exec(). A child process created via * vfork() executes on the same stack as the parent process while the latter is * suspended, so this function should not be inlined to avoid compiler bugs * that might clobber data needed by the parent later. Additionally, * child_exec() should not be inlined to avoid spurious -Wclobber warnings from * GCC (see bpo-35823). */ Py_NO_INLINE static pid_t do_fork_exec(char *const exec_array[], char *const argv[], char *const envp[], const char *cwd, int p2cread, int p2cwrite, int c2pread, int c2pwrite, int errread, int errwrite, int errpipe_read, int errpipe_write, int close_fds, int restore_signals, int call_setsid, pid_t pgid_to_set, gid_t gid, Py_ssize_t extra_group_size, const gid_t *extra_groups, uid_t uid, int child_umask, const void *child_sigmask, int *fds_to_keep, Py_ssize_t fds_to_keep_len, PyObject *preexec_fn, PyObject *preexec_fn_args_tuple) { … } /*[clinic input] _posixsubprocess.fork_exec as subprocess_fork_exec args as process_args: object executable_list: object close_fds: bool pass_fds as py_fds_to_keep: object(subclass_of='&PyTuple_Type') cwd as cwd_obj: object env as env_list: object p2cread: int p2cwrite: int c2pread: int c2pwrite: int errread: int errwrite: int errpipe_read: int errpipe_write: int restore_signals: bool call_setsid: bool pgid_to_set: pid_t gid as gid_object: object extra_groups as extra_groups_packed: object uid as uid_object: object child_umask: int preexec_fn: object / Spawn a fresh new child process. Fork a child process, close parent file descriptors as appropriate in the child and duplicate the few that are needed before calling exec() in the child process. If close_fds is True, close file descriptors 3 and higher, except those listed in the sorted tuple pass_fds. The preexec_fn, if supplied, will be called immediately before closing file descriptors and exec. WARNING: preexec_fn is NOT SAFE if your application uses threads. It may trigger infrequent, difficult to debug deadlocks. If an error occurs in the child process before the exec, it is serialized and written to the errpipe_write fd per subprocess.py. Returns: the child process's PID. Raises: Only on an error in the parent process. [clinic start generated code]*/ static PyObject * subprocess_fork_exec_impl(PyObject *module, PyObject *process_args, PyObject *executable_list, int close_fds, PyObject *py_fds_to_keep, PyObject *cwd_obj, PyObject *env_list, int p2cread, int p2cwrite, int c2pread, int c2pwrite, int errread, int errwrite, int errpipe_read, int errpipe_write, int restore_signals, int call_setsid, pid_t pgid_to_set, PyObject *gid_object, PyObject *extra_groups_packed, PyObject *uid_object, int child_umask, PyObject *preexec_fn) /*[clinic end generated code: output=288464dc56e373c7 input=f311c3bcb5dd55c8]*/ { … } /* module level code ********************************************************/ PyDoc_STRVAR(module_doc, "A POSIX helper for the subprocess module."); static PyMethodDef module_methods[] = …; static PyModuleDef_Slot _posixsubprocess_slots[] = …; static struct PyModuleDef _posixsubprocessmodule = …; PyMODINIT_FUNC PyInit__posixsubprocess(void) { … }
Codebase Browser
cpython