1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/process/launch.h"
6
7 #include <dirent.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <sched.h>
11 #include <setjmp.h>
12 #include <signal.h>
13 #include <stddef.h>
14 #include <stdint.h>
15 #include <stdlib.h>
16 #include <sys/resource.h>
17 #include <sys/syscall.h>
18 #include <sys/time.h>
19 #include <sys/types.h>
20 #include <sys/wait.h>
21 #include <unistd.h>
22
23 #include <iterator>
24 #include <limits>
25 #include <memory>
26 #include <set>
27
28 #include "base/command_line.h"
29 #include "base/compiler_specific.h"
30 #include "base/debug/debugger.h"
31 #include "base/debug/stack_trace.h"
32 #include "base/files/dir_reader_posix.h"
33 #include "base/files/file_util.h"
34 #include "base/files/scoped_file.h"
35 #include "base/logging.h"
36 #include "base/metrics/histogram_macros.h"
37 #include "base/posix/eintr_wrapper.h"
38 #include "base/process/process.h"
39 #include "base/process/process_metrics.h"
40 #include "base/strings/stringprintf.h"
41 #include "base/synchronization/waitable_event.h"
42 #include "base/threading/platform_thread.h"
43 #include "base/threading/thread_restrictions.h"
44 #include "base/time/time.h"
45 #include "base/trace_event/trace_event.h"
46 #include "build/build_config.h"
47
48 #if defined(OS_LINUX) || defined(OS_AIX)
49 #include <sys/prctl.h>
50 #endif
51
52 #if defined(OS_CHROMEOS)
53 #include <sys/ioctl.h>
54 #endif
55
56 #if defined(OS_FREEBSD)
57 #include <sys/event.h>
58 #include <sys/ucontext.h>
59 #endif
60
61 #if defined(OS_MACOSX)
62 #include <crt_externs.h>
63 #include <sys/event.h>
64
65 #include "base/feature_list.h"
66 #else
67 extern char** environ;
68 #endif
69
70 namespace base {
71
72 // Friend and derived class of ScopedAllowBaseSyncPrimitives which allows
73 // GetAppOutputInternal() to join a process. GetAppOutputInternal() can't itself
74 // be a friend of ScopedAllowBaseSyncPrimitives because it is in the anonymous
75 // namespace.
76 class GetAppOutputScopedAllowBaseSyncPrimitives
77 : public base::ScopedAllowBaseSyncPrimitives {};
78
79 #if !defined(OS_NACL_NONSFI)
80
81 namespace {
82
83 #if defined(OS_MACOSX)
84 const Feature kMacLaunchProcessPosixSpawn{"MacLaunchProcessPosixSpawn",
85 FEATURE_ENABLED_BY_DEFAULT};
86 #endif
87
88 // Get the process's "environment" (i.e. the thing that setenv/getenv
89 // work with).
GetEnvironment()90 char** GetEnvironment() {
91 #if defined(OS_MACOSX)
92 return *_NSGetEnviron();
93 #else
94 return environ;
95 #endif
96 }
97
98 // Set the process's "environment" (i.e. the thing that setenv/getenv
99 // work with).
SetEnvironment(char ** env)100 void SetEnvironment(char** env) {
101 #if defined(OS_MACOSX)
102 *_NSGetEnviron() = env;
103 #else
104 environ = env;
105 #endif
106 }
107
108 // Set the calling thread's signal mask to new_sigmask and return
109 // the previous signal mask.
SetSignalMask(const sigset_t & new_sigmask)110 sigset_t SetSignalMask(const sigset_t& new_sigmask) {
111 sigset_t old_sigmask;
112 #if defined(OS_ANDROID)
113 // POSIX says pthread_sigmask() must be used in multi-threaded processes,
114 // but Android's pthread_sigmask() was broken until 4.1:
115 // https://code.google.com/p/android/issues/detail?id=15337
116 // http://stackoverflow.com/questions/13777109/pthread-sigmask-on-android-not-working
117 RAW_CHECK(sigprocmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
118 #else
119 RAW_CHECK(pthread_sigmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
120 #endif
121 return old_sigmask;
122 }
123
124 #if (!defined(OS_LINUX) && !defined(OS_AIX)) || \
125 (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
ResetChildSignalHandlersToDefaults()126 void ResetChildSignalHandlersToDefaults() {
127 // The previous signal handlers are likely to be meaningless in the child's
128 // context so we reset them to the defaults for now. http://crbug.com/44953
129 // These signal handlers are set up at least in browser_main_posix.cc:
130 // BrowserMainPartsPosix::PreEarlyInitialization and stack_trace_posix.cc:
131 // EnableInProcessStackDumping.
132 signal(SIGHUP, SIG_DFL);
133 signal(SIGINT, SIG_DFL);
134 signal(SIGILL, SIG_DFL);
135 signal(SIGABRT, SIG_DFL);
136 signal(SIGFPE, SIG_DFL);
137 signal(SIGBUS, SIG_DFL);
138 signal(SIGSEGV, SIG_DFL);
139 signal(SIGSYS, SIG_DFL);
140 signal(SIGTERM, SIG_DFL);
141 }
142
143 #else
144
145 // TODO(jln): remove the Linux special case once kernels are fixed.
146
147 // Internally the kernel makes sigset_t an array of long large enough to have
148 // one bit per signal.
149 typedef uint64_t kernel_sigset_t;
150
151 // This is what struct sigaction looks like to the kernel at least on X86 and
152 // ARM. MIPS, for instance, is very different.
153 struct kernel_sigaction {
154 void* k_sa_handler; // For this usage it only needs to be a generic pointer.
155 unsigned long k_sa_flags;
156 void* k_sa_restorer; // For this usage it only needs to be a generic pointer.
157 kernel_sigset_t k_sa_mask;
158 };
159
160 // glibc's sigaction() will prevent access to sa_restorer, so we need to roll
161 // our own.
sys_rt_sigaction(int sig,const struct kernel_sigaction * act,struct kernel_sigaction * oact)162 int sys_rt_sigaction(int sig, const struct kernel_sigaction* act,
163 struct kernel_sigaction* oact) {
164 return syscall(SYS_rt_sigaction, sig, act, oact, sizeof(kernel_sigset_t));
165 }
166
167 // This function is intended to be used in between fork() and execve() and will
168 // reset all signal handlers to the default.
169 // The motivation for going through all of them is that sa_restorer can leak
170 // from parents and help defeat ASLR on buggy kernels. We reset it to null.
171 // See crbug.com/177956.
ResetChildSignalHandlersToDefaults(void)172 void ResetChildSignalHandlersToDefaults(void) {
173 for (int signum = 1; ; ++signum) {
174 struct kernel_sigaction act = {nullptr};
175 int sigaction_get_ret = sys_rt_sigaction(signum, nullptr, &act);
176 if (sigaction_get_ret && errno == EINVAL) {
177 #if !defined(NDEBUG)
178 // Linux supports 32 real-time signals from 33 to 64.
179 // If the number of signals in the Linux kernel changes, someone should
180 // look at this code.
181 const int kNumberOfSignals = 64;
182 RAW_CHECK(signum == kNumberOfSignals + 1);
183 #endif // !defined(NDEBUG)
184 break;
185 }
186 // All other failures are fatal.
187 if (sigaction_get_ret) {
188 RAW_LOG(FATAL, "sigaction (get) failed.");
189 }
190
191 // The kernel won't allow to re-set SIGKILL or SIGSTOP.
192 if (signum != SIGSTOP && signum != SIGKILL) {
193 act.k_sa_handler = reinterpret_cast<void*>(SIG_DFL);
194 act.k_sa_restorer = nullptr;
195 if (sys_rt_sigaction(signum, &act, nullptr)) {
196 RAW_LOG(FATAL, "sigaction (set) failed.");
197 }
198 }
199 #if !defined(NDEBUG)
200 // Now ask the kernel again and check that no restorer will leak.
201 if (sys_rt_sigaction(signum, nullptr, &act) || act.k_sa_restorer) {
202 RAW_LOG(FATAL, "Cound not fix sa_restorer.");
203 }
204 #endif // !defined(NDEBUG)
205 }
206 }
207 #endif // !defined(OS_LINUX) ||
208 // (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
209 } // anonymous namespace
210
211 // Functor for |ScopedDIR| (below).
212 struct ScopedDIRClose {
operator ()base::ScopedDIRClose213 inline void operator()(DIR* x) const {
214 if (x)
215 closedir(x);
216 }
217 };
218
219 // Automatically closes |DIR*|s.
220 typedef std::unique_ptr<DIR, ScopedDIRClose> ScopedDIR;
221
222 #if defined(OS_LINUX) || defined(OS_AIX)
223 static const char kFDDir[] = "/proc/self/fd";
224 #elif defined(OS_MACOSX)
225 static const char kFDDir[] = "/dev/fd";
226 #elif defined(OS_SOLARIS)
227 static const char kFDDir[] = "/dev/fd";
228 #elif defined(OS_FREEBSD)
229 static const char kFDDir[] = "/dev/fd";
230 #elif defined(OS_OPENBSD)
231 static const char kFDDir[] = "/dev/fd";
232 #elif defined(OS_ANDROID)
233 static const char kFDDir[] = "/proc/self/fd";
234 #endif
235
CloseSuperfluousFds(const base::InjectiveMultimap & saved_mapping)236 void CloseSuperfluousFds(const base::InjectiveMultimap& saved_mapping) {
237 // DANGER: no calls to malloc or locks are allowed from now on:
238 // http://crbug.com/36678
239
240 // Get the maximum number of FDs possible.
241 size_t max_fds = GetMaxFds();
242
243 DirReaderPosix fd_dir(kFDDir);
244 if (!fd_dir.IsValid()) {
245 // Fallback case: Try every possible fd.
246 for (size_t i = 0; i < max_fds; ++i) {
247 const int fd = static_cast<int>(i);
248 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
249 continue;
250 // Cannot use STL iterators here, since debug iterators use locks.
251 size_t j;
252 for (j = 0; j < saved_mapping.size(); j++) {
253 if (fd == saved_mapping[j].dest)
254 break;
255 }
256 if (j < saved_mapping.size())
257 continue;
258
259 // Since we're just trying to close anything we can find,
260 // ignore any error return values of close().
261 close(fd);
262 }
263 return;
264 }
265
266 const int dir_fd = fd_dir.fd();
267
268 for ( ; fd_dir.Next(); ) {
269 // Skip . and .. entries.
270 if (fd_dir.name()[0] == '.')
271 continue;
272
273 char *endptr;
274 errno = 0;
275 const long int fd = strtol(fd_dir.name(), &endptr, 10);
276 if (fd_dir.name()[0] == 0 || *endptr || fd < 0 || errno)
277 continue;
278 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
279 continue;
280 // Cannot use STL iterators here, since debug iterators use locks.
281 size_t i;
282 for (i = 0; i < saved_mapping.size(); i++) {
283 if (fd == saved_mapping[i].dest)
284 break;
285 }
286 if (i < saved_mapping.size())
287 continue;
288 if (fd == dir_fd)
289 continue;
290
291 int ret = IGNORE_EINTR(close(fd));
292 DPCHECK(ret == 0);
293 }
294 }
295
LaunchProcess(const CommandLine & cmdline,const LaunchOptions & options)296 Process LaunchProcess(const CommandLine& cmdline,
297 const LaunchOptions& options) {
298 return LaunchProcess(cmdline.argv(), options);
299 }
300
LaunchProcess(const std::vector<std::string> & argv,const LaunchOptions & options)301 Process LaunchProcess(const std::vector<std::string>& argv,
302 const LaunchOptions& options) {
303 TRACE_EVENT0("base", "LaunchProcess");
304 #if defined(OS_MACOSX)
305 if (FeatureList::IsEnabled(kMacLaunchProcessPosixSpawn)) {
306 // TODO(rsesek): Do this unconditionally. There is one user for each of
307 // these two options. https://crbug.com/179923.
308 if (!options.pre_exec_delegate && options.current_directory.empty())
309 return LaunchProcessPosixSpawn(argv, options);
310 }
311 #endif
312
313 InjectiveMultimap fd_shuffle1;
314 InjectiveMultimap fd_shuffle2;
315 fd_shuffle1.reserve(options.fds_to_remap.size());
316 fd_shuffle2.reserve(options.fds_to_remap.size());
317
318 std::vector<char*> argv_cstr;
319 argv_cstr.reserve(argv.size() + 1);
320 for (const auto& arg : argv)
321 argv_cstr.push_back(const_cast<char*>(arg.c_str()));
322 argv_cstr.push_back(nullptr);
323
324 std::unique_ptr<char* []> new_environ;
325 char* const empty_environ = nullptr;
326 char* const* old_environ = GetEnvironment();
327 if (options.clear_environ)
328 old_environ = &empty_environ;
329 if (!options.environ.empty())
330 new_environ = AlterEnvironment(old_environ, options.environ);
331
332 sigset_t full_sigset;
333 sigfillset(&full_sigset);
334 const sigset_t orig_sigmask = SetSignalMask(full_sigset);
335
336 const char* current_directory = nullptr;
337 if (!options.current_directory.empty()) {
338 current_directory = options.current_directory.value().c_str();
339 }
340
341 pid_t pid;
342 base::TimeTicks before_fork = TimeTicks::Now();
343 #if defined(OS_LINUX) || defined(OS_AIX)
344 if (options.clone_flags) {
345 // Signal handling in this function assumes the creation of a new
346 // process, so we check that a thread is not being created by mistake
347 // and that signal handling follows the process-creation rules.
348 RAW_CHECK(
349 !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
350
351 // We specify a null ptid and ctid.
352 RAW_CHECK(
353 !(options.clone_flags &
354 (CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | CLONE_PARENT_SETTID)));
355
356 // Since we use waitpid, we do not support custom termination signals in the
357 // clone flags.
358 RAW_CHECK((options.clone_flags & 0xff) == 0);
359
360 pid = ForkWithFlags(options.clone_flags | SIGCHLD, nullptr, nullptr);
361 } else
362 #endif
363 {
364 pid = fork();
365 }
366
367 // Always restore the original signal mask in the parent.
368 if (pid != 0) {
369 base::TimeTicks after_fork = TimeTicks::Now();
370 SetSignalMask(orig_sigmask);
371
372 base::TimeDelta fork_time = after_fork - before_fork;
373 UMA_HISTOGRAM_TIMES("MPArch.ForkTime", fork_time);
374 }
375
376 if (pid < 0) {
377 DPLOG(ERROR) << "fork";
378 return Process();
379 } else if (pid == 0) {
380 // Child process
381
382 // DANGER: no calls to malloc or locks are allowed from now on:
383 // http://crbug.com/36678
384
385 // DANGER: fork() rule: in the child, if you don't end up doing exec*(),
386 // you call _exit() instead of exit(). This is because _exit() does not
387 // call any previously-registered (in the parent) exit handlers, which
388 // might do things like block waiting for threads that don't even exist
389 // in the child.
390
391 // If a child process uses the readline library, the process block forever.
392 // In BSD like OSes including OS X it is safe to assign /dev/null as stdin.
393 // See http://crbug.com/56596.
394 base::ScopedFD null_fd(HANDLE_EINTR(open("/dev/null", O_RDONLY)));
395 if (!null_fd.is_valid()) {
396 RAW_LOG(ERROR, "Failed to open /dev/null");
397 _exit(127);
398 }
399
400 int new_fd = HANDLE_EINTR(dup2(null_fd.get(), STDIN_FILENO));
401 if (new_fd != STDIN_FILENO) {
402 RAW_LOG(ERROR, "Failed to dup /dev/null for stdin");
403 _exit(127);
404 }
405
406 if (options.new_process_group) {
407 // Instead of inheriting the process group ID of the parent, the child
408 // starts off a new process group with pgid equal to its process ID.
409 if (setpgid(0, 0) < 0) {
410 RAW_LOG(ERROR, "setpgid failed");
411 _exit(127);
412 }
413 }
414
415 if (options.maximize_rlimits) {
416 // Some resource limits need to be maximal in this child.
417 for (size_t i = 0; i < options.maximize_rlimits->size(); ++i) {
418 const int resource = (*options.maximize_rlimits)[i];
419 struct rlimit limit;
420 if (getrlimit(resource, &limit) < 0) {
421 RAW_LOG(WARNING, "getrlimit failed");
422 } else if (limit.rlim_cur < limit.rlim_max) {
423 limit.rlim_cur = limit.rlim_max;
424 if (setrlimit(resource, &limit) < 0) {
425 RAW_LOG(WARNING, "setrlimit failed");
426 }
427 }
428 }
429 }
430
431 #if defined(OS_MACOSX)
432 RestoreDefaultExceptionHandler();
433 #endif // defined(OS_MACOSX)
434
435 ResetChildSignalHandlersToDefaults();
436 SetSignalMask(orig_sigmask);
437
438 #if 0
439 // When debugging it can be helpful to check that we really aren't making
440 // any hidden calls to malloc.
441 void *malloc_thunk =
442 reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095);
443 mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
444 memset(reinterpret_cast<void*>(malloc), 0xff, 8);
445 #endif // 0
446
447 #if defined(OS_CHROMEOS)
448 if (options.ctrl_terminal_fd >= 0) {
449 // Set process' controlling terminal.
450 if (HANDLE_EINTR(setsid()) != -1) {
451 if (HANDLE_EINTR(
452 ioctl(options.ctrl_terminal_fd, TIOCSCTTY, nullptr)) == -1) {
453 RAW_LOG(WARNING, "ioctl(TIOCSCTTY), ctrl terminal not set");
454 }
455 } else {
456 RAW_LOG(WARNING, "setsid failed, ctrl terminal not set");
457 }
458 }
459 #endif // defined(OS_CHROMEOS)
460
461 // Cannot use STL iterators here, since debug iterators use locks.
462 for (size_t i = 0; i < options.fds_to_remap.size(); ++i) {
463 const FileHandleMappingVector::value_type& value =
464 options.fds_to_remap[i];
465 fd_shuffle1.push_back(InjectionArc(value.first, value.second, false));
466 fd_shuffle2.push_back(InjectionArc(value.first, value.second, false));
467 }
468
469 if (!options.environ.empty() || options.clear_environ)
470 SetEnvironment(new_environ.get());
471
472 // fd_shuffle1 is mutated by this call because it cannot malloc.
473 if (!ShuffleFileDescriptors(&fd_shuffle1))
474 _exit(127);
475
476 CloseSuperfluousFds(fd_shuffle2);
477
478 // Set NO_NEW_PRIVS by default. Since NO_NEW_PRIVS only exists in kernel
479 // 3.5+, do not check the return value of prctl here.
480 #if defined(OS_LINUX) || defined(OS_AIX)
481 #ifndef PR_SET_NO_NEW_PRIVS
482 #define PR_SET_NO_NEW_PRIVS 38
483 #endif
484 if (!options.allow_new_privs) {
485 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && errno != EINVAL) {
486 // Only log if the error is not EINVAL (i.e. not supported).
487 RAW_LOG(FATAL, "prctl(PR_SET_NO_NEW_PRIVS) failed");
488 }
489 }
490
491 if (options.kill_on_parent_death) {
492 if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0) {
493 RAW_LOG(ERROR, "prctl(PR_SET_PDEATHSIG) failed");
494 _exit(127);
495 }
496 }
497 #endif
498
499 if (current_directory != nullptr) {
500 RAW_CHECK(chdir(current_directory) == 0);
501 }
502
503 if (options.pre_exec_delegate != nullptr) {
504 options.pre_exec_delegate->RunAsyncSafe();
505 }
506
507 const char* executable_path = !options.real_path.empty() ?
508 options.real_path.value().c_str() : argv_cstr[0];
509
510 execvp(executable_path, argv_cstr.data());
511
512 RAW_LOG(ERROR, "LaunchProcess: failed to execvp:");
513 RAW_LOG(ERROR, argv_cstr[0]);
514 _exit(127);
515 } else {
516 // Parent process
517 if (options.wait) {
518 // While this isn't strictly disk IO, waiting for another process to
519 // finish is the sort of thing ThreadRestrictions is trying to prevent.
520 base::AssertBlockingAllowed();
521 pid_t ret = HANDLE_EINTR(waitpid(pid, nullptr, 0));
522 DPCHECK(ret > 0);
523 }
524 }
525
526 return Process(pid);
527 }
528
RaiseProcessToHighPriority()529 void RaiseProcessToHighPriority() {
530 // On POSIX, we don't actually do anything here. We could try to nice() or
531 // setpriority() or sched_getscheduler, but these all require extra rights.
532 }
533
534 // Executes the application specified by |argv| and wait for it to exit. Stores
535 // the output (stdout) in |output|. If |do_search_path| is set, it searches the
536 // path for the application; in that case, |envp| must be null, and it will use
537 // the current environment. If |do_search_path| is false, |argv[0]| should fully
538 // specify the path of the application, and |envp| will be used as the
539 // environment. If |include_stderr| is true, includes stderr otherwise redirects
540 // it to /dev/null.
541 // The return value of the function indicates success or failure. In the case of
542 // success, the application exit code will be returned in |*exit_code|, which
543 // should be checked to determine if the application ran successfully.
GetAppOutputInternal(const std::vector<std::string> & argv,char * const envp[],bool include_stderr,std::string * output,bool do_search_path,int * exit_code)544 static bool GetAppOutputInternal(
545 const std::vector<std::string>& argv,
546 char* const envp[],
547 bool include_stderr,
548 std::string* output,
549 bool do_search_path,
550 int* exit_code) {
551 base::AssertBlockingAllowed();
552 // exit_code must be supplied so calling function can determine success.
553 DCHECK(exit_code);
554 *exit_code = EXIT_FAILURE;
555
556 // Declare and call reserve() here before calling fork() because the child
557 // process cannot allocate memory.
558 std::vector<char*> argv_cstr;
559 argv_cstr.reserve(argv.size() + 1);
560 InjectiveMultimap fd_shuffle1;
561 InjectiveMultimap fd_shuffle2;
562 fd_shuffle1.reserve(3);
563 fd_shuffle2.reserve(3);
564
565 // Either |do_search_path| should be false or |envp| should be null, but not
566 // both.
567 DCHECK(!do_search_path ^ !envp);
568
569 int pipe_fd[2];
570 if (pipe(pipe_fd) < 0)
571 return false;
572
573 pid_t pid = fork();
574 switch (pid) {
575 case -1: {
576 // error
577 close(pipe_fd[0]);
578 close(pipe_fd[1]);
579 return false;
580 }
581 case 0: {
582 // child
583 //
584 // DANGER: no calls to malloc or locks are allowed from now on:
585 // http://crbug.com/36678
586
587 #if defined(OS_MACOSX)
588 RestoreDefaultExceptionHandler();
589 #endif
590
591 // Obscure fork() rule: in the child, if you don't end up doing exec*(),
592 // you call _exit() instead of exit(). This is because _exit() does not
593 // call any previously-registered (in the parent) exit handlers, which
594 // might do things like block waiting for threads that don't even exist
595 // in the child.
596 int dev_null = open("/dev/null", O_WRONLY);
597 if (dev_null < 0)
598 _exit(127);
599
600 fd_shuffle1.push_back(InjectionArc(pipe_fd[1], STDOUT_FILENO, true));
601 fd_shuffle1.push_back(InjectionArc(include_stderr ? pipe_fd[1] : dev_null,
602 STDERR_FILENO, true));
603 fd_shuffle1.push_back(InjectionArc(dev_null, STDIN_FILENO, true));
604 // Adding another element here? Remeber to increase the argument to
605 // reserve(), above.
606
607 for (size_t i = 0; i < fd_shuffle1.size(); ++i)
608 fd_shuffle2.push_back(fd_shuffle1[i]);
609
610 if (!ShuffleFileDescriptors(&fd_shuffle1))
611 _exit(127);
612
613 CloseSuperfluousFds(fd_shuffle2);
614
615 for (const auto& arg : argv)
616 argv_cstr.push_back(const_cast<char*>(arg.c_str()));
617 argv_cstr.push_back(nullptr);
618
619 if (do_search_path)
620 execvp(argv_cstr[0], argv_cstr.data());
621 else
622 execve(argv_cstr[0], argv_cstr.data(), envp);
623 _exit(127);
624 }
625 default: {
626 // parent
627 //
628 // Close our writing end of pipe now. Otherwise later read would not
629 // be able to detect end of child's output (in theory we could still
630 // write to the pipe).
631 close(pipe_fd[1]);
632
633 output->clear();
634
635 while (true) {
636 char buffer[256];
637 ssize_t bytes_read =
638 HANDLE_EINTR(read(pipe_fd[0], buffer, sizeof(buffer)));
639 if (bytes_read <= 0)
640 break;
641 output->append(buffer, bytes_read);
642 }
643 close(pipe_fd[0]);
644
645 // Always wait for exit code (even if we know we'll declare
646 // GOT_MAX_OUTPUT).
647 Process process(pid);
648 // A process launched with GetAppOutput*() usually doesn't wait on the
649 // process that launched it and thus chances of deadlock are low.
650 GetAppOutputScopedAllowBaseSyncPrimitives allow_base_sync_primitives;
651 return process.WaitForExit(exit_code);
652 }
653 }
654 }
655
GetAppOutput(const CommandLine & cl,std::string * output)656 bool GetAppOutput(const CommandLine& cl, std::string* output) {
657 return GetAppOutput(cl.argv(), output);
658 }
659
GetAppOutput(const std::vector<std::string> & argv,std::string * output)660 bool GetAppOutput(const std::vector<std::string>& argv, std::string* output) {
661 // Run |execve()| with the current environment.
662 int exit_code;
663 bool result =
664 GetAppOutputInternal(argv, nullptr, false, output, true, &exit_code);
665 return result && exit_code == EXIT_SUCCESS;
666 }
667
GetAppOutputAndError(const CommandLine & cl,std::string * output)668 bool GetAppOutputAndError(const CommandLine& cl, std::string* output) {
669 // Run |execve()| with the current environment.
670 int exit_code;
671 bool result =
672 GetAppOutputInternal(cl.argv(), nullptr, true, output, true, &exit_code);
673 return result && exit_code == EXIT_SUCCESS;
674 }
675
GetAppOutputAndError(const std::vector<std::string> & argv,std::string * output)676 bool GetAppOutputAndError(const std::vector<std::string>& argv,
677 std::string* output) {
678 int exit_code;
679 bool result =
680 GetAppOutputInternal(argv, nullptr, true, output, true, &exit_code);
681 return result && exit_code == EXIT_SUCCESS;
682 }
683
GetAppOutputWithExitCode(const CommandLine & cl,std::string * output,int * exit_code)684 bool GetAppOutputWithExitCode(const CommandLine& cl,
685 std::string* output,
686 int* exit_code) {
687 // Run |execve()| with the current environment.
688 return GetAppOutputInternal(cl.argv(), nullptr, false, output, true,
689 exit_code);
690 }
691
692 #endif // !defined(OS_NACL_NONSFI)
693
694 #if defined(OS_LINUX) || defined(OS_NACL_NONSFI) || defined(OS_AIX)
695 namespace {
696
697 // This function runs on the stack specified on the clone call. It uses longjmp
698 // to switch back to the original stack so the child can return from sys_clone.
CloneHelper(void * arg)699 int CloneHelper(void* arg) {
700 jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg);
701 longjmp(*env_ptr, 1);
702
703 // Should not be reached.
704 RAW_CHECK(false);
705 return 1;
706 }
707
708 // This function is noinline to ensure that stack_buf is below the stack pointer
709 // that is saved when setjmp is called below. This is needed because when
710 // compiled with FORTIFY_SOURCE, glibc's longjmp checks that the stack is moved
711 // upwards. See crbug.com/442912 for more details.
712 #if defined(ADDRESS_SANITIZER)
713 // Disable AddressSanitizer instrumentation for this function to make sure
714 // |stack_buf| is allocated on thread stack instead of ASan's fake stack.
715 // Under ASan longjmp() will attempt to clean up the area between the old and
716 // new stack pointers and print a warning that may confuse the user.
717 __attribute__((no_sanitize_address))
718 #endif
CloneAndLongjmpInChild(unsigned long flags,pid_t * ptid,pid_t * ctid,jmp_buf * env)719 NOINLINE pid_t CloneAndLongjmpInChild(unsigned long flags,
720 pid_t* ptid,
721 pid_t* ctid,
722 jmp_buf* env) {
723 // We use the libc clone wrapper instead of making the syscall
724 // directly because making the syscall may fail to update the libc's
725 // internal pid cache. The libc interface unfortunately requires
726 // specifying a new stack, so we use setjmp/longjmp to emulate
727 // fork-like behavior.
728 alignas(16) char stack_buf[PTHREAD_STACK_MIN];
729 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
730 defined(ARCH_CPU_MIPS_FAMILY) || defined(ARCH_CPU_S390_FAMILY) || \
731 defined(ARCH_CPU_PPC64_FAMILY)
732 // The stack grows downward.
733 void* stack = stack_buf + sizeof(stack_buf);
734 #else
735 #error "Unsupported architecture"
736 #endif
737 return clone(&CloneHelper, stack, flags, env, ptid, nullptr, ctid);
738 }
739
740 } // anonymous namespace
741
ForkWithFlags(unsigned long flags,pid_t * ptid,pid_t * ctid)742 pid_t ForkWithFlags(unsigned long flags, pid_t* ptid, pid_t* ctid) {
743 const bool clone_tls_used = flags & CLONE_SETTLS;
744 const bool invalid_ctid =
745 (flags & (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID)) && !ctid;
746 const bool invalid_ptid = (flags & CLONE_PARENT_SETTID) && !ptid;
747
748 // We do not support CLONE_VM.
749 const bool clone_vm_used = flags & CLONE_VM;
750
751 if (clone_tls_used || invalid_ctid || invalid_ptid || clone_vm_used) {
752 RAW_LOG(FATAL, "Invalid usage of ForkWithFlags");
753 }
754
755 jmp_buf env;
756 if (setjmp(env) == 0) {
757 return CloneAndLongjmpInChild(flags, ptid, ctid, &env);
758 }
759
760 return 0;
761 }
762 #endif // defined(OS_LINUX) || defined(OS_NACL_NONSFI)
763
764 } // namespace base
765