spawni.c

Glibc 2.3.2源代码(解压后有100多M)

/* spawn a new process running an executable.  Hurd version.
   Copyright (C) 2001,02 Free Software Foundation, Inc.
   This file is part of the GNU C Library.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public License as
   published by the Free Software Foundation; either version 2.1 of the
   License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; see the file COPYING.LIB.  If not,
   write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
   Boston, MA 02111-1307, USA.  */

#include <errno.h>
#include <fcntl.h>
#include <paths.h>
#include <spawn.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <hurd.h>
#include <hurd/signal.h>
#include <hurd/fd.h>
#include <hurd/id.h>
#include <hurd/lookup.h>
#include <hurd/resource.h>
#include <assert.h>
#include <argz.h>
#include "spawn_int.h"

/* Spawn a new process executing PATH with the attributes describes in *ATTRP.
   Before running the process perform the actions described in FILE-ACTIONS. */
int
__spawni (pid_t *pid, const char *file,
	  const posix_spawn_file_actions_t *file_actions,
	  const posix_spawnattr_t *attrp,
	  char *const argv[], char *const envp[],
	  int use_path)
{
  pid_t new_pid;
  char *path, *p, *name;
  size_t len;
  size_t pathlen;
  short int flags;

  /* The generic POSIX.1 implementation of posix_spawn uses fork and exec.
     In traditional POSIX systems (Unix, Linux, etc), the only way to
     create a new process is by fork, which also copies all the things from
     the parent process that will be immediately wiped and replaced by the
     exec.

     This Hurd implementation works by doing an exec on a fresh task,
     without ever doing all the work of fork.  The only work done by fork
     that remains visible after an exec is registration with the proc
     server, and the inheritance of various values and ports.  All those
     inherited values and ports are what get collected up and passed in the
     file_exec RPC by an exec call.  So we do the proc server registration
     here, following the model of fork (see fork.c).  We then collect up
     the inherited values and ports from this (parent) process following
     the model of exec (see hurd/hurdexec.c), modify or replace each value
     that fork would (plus the specific changes demanded by ATTRP and
     FILE_ACTIONS), and make the file_exec RPC on the requested executable
     file with the child process's task port rather than our own.  This
     should be indistinguishable from the fork + exec implementation,
     except that all errors will be detected here (in the parent process)
     and return proper errno codes rather than the child dying with 127.

     XXX The one exception to this supposed indistinguishableness is that
     when posix_spawn_file_actions_addopen has been used, the parent
     process can do various filesystem RPCs on the child's behalf, rather
     than the child process doing it.  If these block due to a broken or
     malicious filesystem server or just a blocked network fs or a serial
     port waiting for carrier detect (!!), the parent's posix_spawn call
     can block arbitrarily rather than just the child blocking.  Possible
     solutions include:
     * punt to plain fork + exec implementation if addopen was used
     ** easy to do
     ** gives up all benefits of this implementation in that case
     * if addopen was used, don't do any file actions at all here;
       instead, exec an installed helper program e.g.:
	/libexec/spawn-helper close 3 dup2 1 2 open 0 /file 0x123 0666 exec /bin/foo foo a1 a2
     ** extra exec might be more or less overhead than fork
     * could do some weird half-fork thing where the child would inherit
       our vm and run some code here, but not do the full work of fork

     XXX Actually, the parent opens the executable file on behalf of
     the child, and that has all the same issues.

     I am favoring the half-fork solution.  That is, we do task_create with
     vm inheritance, and we setjmp/longjmp the child like fork does.  But
     rather than all the fork hair, the parent just packs up init/dtable
     ports and does a single IPC to a receive right inserted in the child.  */

  error_t err;
  task_t task;
  file_t execfile;
  process_t proc;
  auth_t auth;
  int ints[INIT_INT_MAX];
  file_t *dtable;
  unsigned int dtablesize, orig_dtablesize, i;
  struct hurd_port **dtable_cells;
  char *dtable_cloexec;
  struct hurd_userlink *ulink_dtable = NULL;
  struct hurd_sigstate *ss;

  /* For POSIX_SPAWN_RESETIDS, this reauthenticates our root/current
     directory ports with the new AUTH port.  */
  file_t rcrdir = MACH_PORT_NULL, rcwdir = MACH_PORT_NULL;
  error_t reauthenticate (int which, file_t *result)
    {
      error_t err;
      mach_port_t ref;
      if (*result != MACH_PORT_NULL)
	return 0;
      ref = __mach_reply_port ();
      err = HURD_PORT_USE
	(&_hurd_ports[which],
	 ({
	   err = __io_reauthenticate (port, ref, MACH_MSG_TYPE_MAKE_SEND);
	   if (!err)
	     err = __auth_user_authenticate (auth,
					     ref, MACH_MSG_TYPE_MAKE_SEND,
					     result);
	   err;
	 }));
      __mach_port_destroy (__mach_task_self (), ref);
      return err;
    }

  /* Reauthenticate one of our file descriptors for the child.  A null
     element of DTABLE_CELLS indicates a descriptor that was already
     reauthenticated, or was newly opened on behalf of the child.  */
  error_t reauthenticate_fd (int fd)
    {
      if (dtable_cells[fd] != NULL)
	{
	  file_t newfile;
	  mach_port_t ref = __mach_reply_port ();
	  error_t err = __io_reauthenticate (dtable[fd],
					     ref, MACH_MSG_TYPE_MAKE_SEND);
	  if (!err)
	    err = __auth_user_authenticate (auth,
					    ref, MACH_MSG_TYPE_MAKE_SEND,
					    &newfile);
	  __mach_port_destroy (__mach_task_self (), ref);
	  if (err)
	    return err;
	  _hurd_port_free (dtable_cells[fd], &ulink_dtable[fd], dtable[fd]);
	  dtable_cells[fd] = NULL;
	  dtable[fd] = newfile;
	}
      return 0;
    }

  /* These callbacks are for looking up file names on behalf of the child.  */
  error_t child_init_port (int which, error_t (*operate) (mach_port_t))
    {
      if (flags & POSIX_SPAWN_RESETIDS)
	switch (which)
	  {
	  case INIT_PORT_AUTH:
	    return (*operate) (auth);
	  case INIT_PORT_CRDIR:
	    return (reauthenticate (INIT_PORT_CRDIR, &rcrdir)
		    ?: (*operate) (rcrdir));
	  case INIT_PORT_CWDIR:
	    return (reauthenticate (INIT_PORT_CWDIR, &rcwdir)
		    ?: (*operate) (rcwdir));
	  }
      assert (which != INIT_PORT_PROC);
      return _hurd_ports_use (which, operate);
    }
  file_t child_fd (int fd)
    {
      if ((unsigned int) fd < dtablesize && dtable[fd] != MACH_PORT_NULL)
	{
	  if (flags & POSIX_SPAWN_RESETIDS)
	    {
	      /* Reauthenticate this descriptor right now,
		 since it is going to be used on behalf of the child.  */
	      errno = reauthenticate_fd (fd);
	      if (errno)
		return MACH_PORT_NULL;
	    }
	  __mach_port_mod_refs (__mach_task_self (), dtable[fd],
				MACH_PORT_RIGHT_SEND, +1);
	  return dtable[fd];
	}
      errno = EBADF;
      return MACH_PORT_NULL;
    }
  inline error_t child_lookup (const char *file, int oflag, mode_t mode,
			       file_t *result)
    {
      return __hurd_file_name_lookup (&child_init_port, &child_fd, 0,
				      file, oflag, mode, result);
    }


  /* Do this once.  */
  flags = attrp == NULL ? 0 : attrp->__flags;

  /* Generate the new process.  We create a task that does not inherit our
     memory, and then register it as our child like fork does.  See fork.c
     for comments about the sequencing of these proc operations.  */

  err = __task_create (__mach_task_self (),
#ifdef KERN_INVALID_LEDGER
		       NULL, 0,	/* OSF Mach */
#endif
		       0, &task);
  if (err)
    return __hurd_fail (err);
  // From here down we must deallocate TASK and PROC before returning.
  proc = MACH_PORT_NULL;
  auth = MACH_PORT_NULL;
  err = __USEPORT (PROC, __proc_task2pid (port, task, &new_pid));
  if (!err)
    err = __USEPORT (PROC, __proc_task2proc (port, task, &proc));
  if (!err)
    err = __USEPORT (PROC, __proc_child (port, task));
  if (err)
    goto out;

  /* Load up the ints to give the new program.  */
  memset (ints, 0, sizeof ints);
  ints[INIT_UMASK] = _hurd_umask;
  ints[INIT_TRACEMASK] = _hurdsig_traced;

  ss = _hurd_self_sigstate ();

  assert (! __spin_lock_locked (&ss->critical_section_lock));
  __spin_lock (&ss->critical_section_lock);

  __spin_lock (&ss->lock);
  ints[INIT_SIGMASK] = ss->blocked;
  ints[INIT_SIGPENDING] = ss->pending;
  ints[INIT_SIGIGN] = 0;
  /* Unless we were asked to reset all handlers to SIG_DFL,
     pass down the set of signals that were set to SIG_IGN.  */
  if ((flags & POSIX_SPAWN_SETSIGDEF) == 0)
    for (i = 1; i < NSIG; ++i)
      if (ss->actions[i].sa_handler == SIG_IGN)
	ints[INIT_SIGIGN] |= __sigmask (i);

  /* We hold the sigstate lock until the exec has failed so that no signal
     can arrive between when we pack the blocked and ignored signals, and
     when the exec actually happens.  A signal handler could change what
     signals are blocked and ignored.  Either the change will be reflected
     in the exec, or the signal will never be delivered.  Setting the
     critical section flag avoids anything we call trying to acquire the
     sigstate lock.  */

  __spin_unlock (&ss->lock);

  /* Set signal mask.  */
  if ((flags & POSIX_SPAWN_SETSIGMASK) != 0)
    ints[INIT_SIGMASK] = attrp->__ss;

#ifdef _POSIX_PRIORITY_SCHEDULING
  /* Set the scheduling algorithm and parameters.  */
# error implement me
  if ((flags & (POSIX_SPAWN_SETSCHEDPARAM | POSIX_SPAWN_SETSCHEDULER))
      == POSIX_SPAWN_SETSCHEDPARAM)
    {
      if (__sched_setparam (0, &attrp->__sp) == -1)
	_exit (SPAWN_ERROR);
    }
  else if ((flags & POSIX_SPAWN_SETSCHEDULER) != 0)
    {
      if (__sched_setscheduler (0, attrp->__policy,
				(flags & POSIX_SPAWN_SETSCHEDPARAM) != 0
				? &attrp->__sp : NULL) == -1)
	_exit (SPAWN_ERROR);
    }
#endif

  /* Set the process group ID.  */
  if (!err && (flags & POSIX_SPAWN_SETPGROUP) != 0)
    err = __proc_setpgrp (proc, new_pid, attrp->__pgrp);

  /* Set the effective user and group IDs.  */
  if (!err && (flags & POSIX_SPAWN_RESETIDS) != 0)
    {
      /* We need a different auth port for the child.  */

      __mutex_lock (&_hurd_id.lock);
      err = _hurd_check_ids (); /* Get _hurd_id up to date.  */
      if (!err && _hurd_id.rid_auth == MACH_PORT_NULL)
	{
	  /* Set up _hurd_id.rid_auth.  This is a special auth server port
	     which uses the real uid and gid (the first aux uid and gid) as
	     the only effective uid and gid.  */

	  if (_hurd_id.aux.nuids < 1 || _hurd_id.aux.ngids < 1)
	    /* We do not have a real UID and GID.  Lose, lose, lose!  */
	    err = EGRATUITOUS;

	  /* Create a new auth port using our real UID and GID (the first
	     auxiliary UID and GID) as the only effective IDs.  */
	  if (!err)
	    err = __USEPORT (AUTH,
			     __auth_makeauth (port,
					      NULL, MACH_MSG_TYPE_COPY_SEND, 0,
					      _hurd_id.aux.uids, 1,
					      _hurd_id.aux.uids,
					      _hurd_id.aux.nuids,
					      _hurd_id.aux.gids, 1,
					      _hurd_id.aux.gids,
					      _hurd_id.aux.ngids,
					      &_hurd_id.rid_auth));
	}
      if (!err)
	{
	  /* Use the real-ID auth port in place of the normal one.  */
	  assert (_hurd_id.rid_auth != MACH_PORT_NULL);
	  auth = _hurd_id.rid_auth;
	  __mach_port_mod_refs (__mach_task_self (), auth,
				MACH_PORT_RIGHT_SEND, +1);
	}
      __mutex_unlock (&_hurd_id.lock);
    }
  else
    /* Copy our existing auth port.  */
    err = __USEPORT (AUTH, __mach_port_mod_refs (__mach_task_self (),
						 (auth = port),
						 MACH_PORT_RIGHT_SEND, +1));

  if (err)
    goto out;

  /* Pack up the descriptor table to give the new program.
     These descriptors will need to be reauthenticated below
     if POSIX_SPAWN_RESETIDS is set.  */
  __mutex_lock (&_hurd_dtable_lock);
  dtablesize = _hurd_dtablesize;
  orig_dtablesize = _hurd_dtablesize;
  dtable = __alloca (dtablesize * sizeof (dtable[0]));
  ulink_dtable = __alloca (dtablesize * sizeof (ulink_dtable[0]));
  dtable_cells = __alloca (dtablesize * sizeof (dtable_cells[0]));
  dtable_cloexec = __alloca (dtablesize);
  for (i = 0; i < dtablesize; ++i)
    {
      struct hurd_fd *const d = _hurd_dtable[i];
      if (d == NULL)
	{
	  dtable[i] = MACH_PORT_NULL;
	  dtable_cells[i] = NULL;
	  continue;
	}
      /* Note that this might return MACH_PORT_NULL.  */
      dtable[i] = _hurd_port_get (&d->port, &ulink_dtable[i]);
      dtable_cells[i] = &d->port;
      dtable_cloexec[i] = (d->flags & FD_CLOEXEC) != 0;
    }
  __mutex_unlock (&_hurd_dtable_lock);

  /* Safe to let signals happen now.  */
  _hurd_critical_section_unlock (ss);

  /* Execute the file actions.  */
  if (file_actions != NULL)
    for (i = 0; i < file_actions->__used; ++i)
      {
	/* Close a file descriptor in the child.  */
	error_t do_close (int fd)
	  {
	    if ((unsigned int)fd < dtablesize
		&& dtable[fd] != MACH_PORT_NULL)
	      {
		if (dtable_cells[fd] == NULL)