1 /* Authors: Gregory P. Smith & Jeffrey Yasskin */
2 #include "Python.h"
3 #if defined(HAVE_PIPE2) && !defined(_GNU_SOURCE)
4 # define _GNU_SOURCE
5 #endif
6 #include <unistd.h>
7 #include <fcntl.h>
8 #ifdef HAVE_SYS_TYPES_H
9 #include <sys/types.h>
10 #endif
11 #if defined(HAVE_SYS_STAT_H)
12 #include <sys/stat.h>
13 #endif
14 #ifdef HAVE_SYS_SYSCALL_H
15 #include <sys/syscall.h>
16 #endif
17 #if defined(HAVE_SYS_RESOURCE_H)
18 #include <sys/resource.h>
19 #endif
20 #ifdef HAVE_DIRENT_H
21 #include <dirent.h>
22 #endif
23 #ifdef HAVE_GRP_H
24 #include <grp.h>
25 #endif /* HAVE_GRP_H */
26
27 #include "posixmodule.h"
28
29 #ifdef _Py_MEMORY_SANITIZER
30 # include <sanitizer/msan_interface.h>
31 #endif
32
33 #if defined(__ANDROID__) && __ANDROID_API__ < 21 && !defined(SYS_getdents64)
34 # include <sys/linux-syscalls.h>
35 # define SYS_getdents64 __NR_getdents64
36 #endif
37
38 #if defined(__sun) && defined(__SVR4)
39 /* readdir64 is used to work around Solaris 9 bug 6395699. */
40 # define readdir readdir64
41 # define dirent dirent64
42 # if !defined(HAVE_DIRFD)
43 /* Some versions of Solaris lack dirfd(). */
44 # define dirfd(dirp) ((dirp)->dd_fd)
45 # define HAVE_DIRFD
46 # endif
47 #endif
48
49 #if defined(__FreeBSD__) || (defined(__APPLE__) && defined(__MACH__))
50 # define FD_DIR "/dev/fd"
51 #else
52 # define FD_DIR "/proc/self/fd"
53 #endif
54
55 #ifdef NGROUPS_MAX
56 #define MAX_GROUPS NGROUPS_MAX
57 #else
58 #define MAX_GROUPS 64
59 #endif
60
61 #define POSIX_CALL(call) do { if ((call) == -1) goto error; } while (0)
62
63 typedef struct {
64 PyObject* disable;
65 PyObject* enable;
66 PyObject* isenabled;
67 } _posixsubprocessstate;
68
69 static struct PyModuleDef _posixsubprocessmodule;
70
71 static inline _posixsubprocessstate*
get_posixsubprocess_state(PyObject * module)72 get_posixsubprocess_state(PyObject *module)
73 {
74 void *state = PyModule_GetState(module);
75 assert(state != NULL);
76 return (_posixsubprocessstate *)state;
77 }
78
79 #define _posixsubprocessstate_global get_posixsubprocess_state(PyState_FindModule(&_posixsubprocessmodule))
80
81 /* If gc was disabled, call gc.enable(). Return 0 on success. */
82 static int
_enable_gc(int need_to_reenable_gc,PyObject * gc_module)83 _enable_gc(int need_to_reenable_gc, PyObject *gc_module)
84 {
85 PyObject *result;
86 PyObject *exctype, *val, *tb;
87
88 if (need_to_reenable_gc) {
89 PyErr_Fetch(&exctype, &val, &tb);
90 result = PyObject_CallMethodNoArgs(
91 gc_module, _posixsubprocessstate_global->enable);
92 if (exctype != NULL) {
93 PyErr_Restore(exctype, val, tb);
94 }
95 if (result == NULL) {
96 return 1;
97 }
98 Py_DECREF(result);
99 }
100 return 0;
101 }
102
103
104 /* Convert ASCII to a positive int, no libc call. no overflow. -1 on error. */
105 static int
_pos_int_from_ascii(const char * name)106 _pos_int_from_ascii(const char *name)
107 {
108 int num = 0;
109 while (*name >= '0' && *name <= '9') {
110 num = num * 10 + (*name - '0');
111 ++name;
112 }
113 if (*name)
114 return -1; /* Non digit found, not a number. */
115 return num;
116 }
117
118
119 #if defined(__FreeBSD__)
120 /* When /dev/fd isn't mounted it is often a static directory populated
121 * with 0 1 2 or entries for 0 .. 63 on FreeBSD, NetBSD and OpenBSD.
122 * NetBSD and OpenBSD have a /proc fs available (though not necessarily
123 * mounted) and do not have fdescfs for /dev/fd. MacOS X has a devfs
124 * that properly supports /dev/fd.
125 */
126 static int
_is_fdescfs_mounted_on_dev_fd(void)127 _is_fdescfs_mounted_on_dev_fd(void)
128 {
129 struct stat dev_stat;
130 struct stat dev_fd_stat;
131 if (stat("/dev", &dev_stat) != 0)
132 return 0;
133 if (stat(FD_DIR, &dev_fd_stat) != 0)
134 return 0;
135 if (dev_stat.st_dev == dev_fd_stat.st_dev)
136 return 0; /* / == /dev == /dev/fd means it is static. #fail */
137 return 1;
138 }
139 #endif
140
141
142 /* Returns 1 if there is a problem with fd_sequence, 0 otherwise. */
143 static int
_sanity_check_python_fd_sequence(PyObject * fd_sequence)144 _sanity_check_python_fd_sequence(PyObject *fd_sequence)
145 {
146 Py_ssize_t seq_idx;
147 long prev_fd = -1;
148 for (seq_idx = 0; seq_idx < PyTuple_GET_SIZE(fd_sequence); ++seq_idx) {
149 PyObject* py_fd = PyTuple_GET_ITEM(fd_sequence, seq_idx);
150 long iter_fd;
151 if (!PyLong_Check(py_fd)) {
152 return 1;
153 }
154 iter_fd = PyLong_AsLong(py_fd);
155 if (iter_fd < 0 || iter_fd <= prev_fd || iter_fd > INT_MAX) {
156 /* Negative, overflow, unsorted, too big for a fd. */
157 return 1;
158 }
159 prev_fd = iter_fd;
160 }
161 return 0;
162 }
163
164
165 /* Is fd found in the sorted Python Sequence? */
166 static int
_is_fd_in_sorted_fd_sequence(int fd,PyObject * fd_sequence)167 _is_fd_in_sorted_fd_sequence(int fd, PyObject *fd_sequence)
168 {
169 /* Binary search. */
170 Py_ssize_t search_min = 0;
171 Py_ssize_t search_max = PyTuple_GET_SIZE(fd_sequence) - 1;
172 if (search_max < 0)
173 return 0;
174 do {
175 long middle = (search_min + search_max) / 2;
176 long middle_fd = PyLong_AsLong(PyTuple_GET_ITEM(fd_sequence, middle));
177 if (fd == middle_fd)
178 return 1;
179 if (fd > middle_fd)
180 search_min = middle + 1;
181 else
182 search_max = middle - 1;
183 } while (search_min <= search_max);
184 return 0;
185 }
186
187 static int
make_inheritable(PyObject * py_fds_to_keep,int errpipe_write)188 make_inheritable(PyObject *py_fds_to_keep, int errpipe_write)
189 {
190 Py_ssize_t i, len;
191
192 len = PyTuple_GET_SIZE(py_fds_to_keep);
193 for (i = 0; i < len; ++i) {
194 PyObject* fdobj = PyTuple_GET_ITEM(py_fds_to_keep, i);
195 long fd = PyLong_AsLong(fdobj);
196 assert(!PyErr_Occurred());
197 assert(0 <= fd && fd <= INT_MAX);
198 if (fd == errpipe_write) {
199 /* errpipe_write is part of py_fds_to_keep. It must be closed at
200 exec(), but kept open in the child process until exec() is
201 called. */
202 continue;
203 }
204 if (_Py_set_inheritable_async_safe((int)fd, 1, NULL) < 0)
205 return -1;
206 }
207 return 0;
208 }
209
210
211 /* Get the maximum file descriptor that could be opened by this process.
212 * This function is async signal safe for use between fork() and exec().
213 */
214 static long
safe_get_max_fd(void)215 safe_get_max_fd(void)
216 {
217 long local_max_fd;
218 #if defined(__NetBSD__)
219 local_max_fd = fcntl(0, F_MAXFD);
220 if (local_max_fd >= 0)
221 return local_max_fd;
222 #endif
223 #if defined(HAVE_SYS_RESOURCE_H) && defined(__OpenBSD__)
224 struct rlimit rl;
225 /* Not on the POSIX async signal safe functions list but likely
226 * safe. TODO - Someone should audit OpenBSD to make sure. */
227 if (getrlimit(RLIMIT_NOFILE, &rl) >= 0)
228 return (long) rl.rlim_max;
229 #endif
230 #ifdef _SC_OPEN_MAX
231 local_max_fd = sysconf(_SC_OPEN_MAX);
232 if (local_max_fd == -1)
233 #endif
234 local_max_fd = 256; /* Matches legacy Lib/subprocess.py behavior. */
235 return local_max_fd;
236 }
237
238
239 /* Close all file descriptors in the range from start_fd and higher
240 * except for those in py_fds_to_keep. If the range defined by
241 * [start_fd, safe_get_max_fd()) is large this will take a long
242 * time as it calls close() on EVERY possible fd.
243 *
244 * It isn't possible to know for sure what the max fd to go up to
245 * is for processes with the capability of raising their maximum.
246 */
247 static void
_close_fds_by_brute_force(long start_fd,PyObject * py_fds_to_keep)248 _close_fds_by_brute_force(long start_fd, PyObject *py_fds_to_keep)
249 {
250 long end_fd = safe_get_max_fd();
251 Py_ssize_t num_fds_to_keep = PyTuple_GET_SIZE(py_fds_to_keep);
252 Py_ssize_t keep_seq_idx;
253 int fd_num;
254 /* As py_fds_to_keep is sorted we can loop through the list closing
255 * fds in between any in the keep list falling within our range. */
256 for (keep_seq_idx = 0; keep_seq_idx < num_fds_to_keep; ++keep_seq_idx) {
257 PyObject* py_keep_fd = PyTuple_GET_ITEM(py_fds_to_keep, keep_seq_idx);
258 int keep_fd = PyLong_AsLong(py_keep_fd);
259 if (keep_fd < start_fd)
260 continue;
261 for (fd_num = start_fd; fd_num < keep_fd; ++fd_num) {
262 close(fd_num);
263 }
264 start_fd = keep_fd + 1;
265 }
266 if (start_fd <= end_fd) {
267 #if defined(__FreeBSD__)
268 /* Any errors encountered while closing file descriptors are ignored */
269 closefrom(start_fd);
270 #else
271 for (fd_num = start_fd; fd_num < end_fd; ++fd_num) {
272 /* Ignore errors */
273 (void)close(fd_num);
274 }
275 #endif
276 }
277 }
278
279
280 #if defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)
281 /* It doesn't matter if d_name has room for NAME_MAX chars; we're using this
282 * only to read a directory of short file descriptor number names. The kernel
283 * will return an error if we didn't give it enough space. Highly Unlikely.
284 * This structure is very old and stable: It will not change unless the kernel
285 * chooses to break compatibility with all existing binaries. Highly Unlikely.
286 */
287 struct linux_dirent64 {
288 unsigned long long d_ino;
289 long long d_off;
290 unsigned short d_reclen; /* Length of this linux_dirent */
291 unsigned char d_type;
292 char d_name[256]; /* Filename (null-terminated) */
293 };
294
295 /* Close all open file descriptors in the range from start_fd and higher
296 * Do not close any in the sorted py_fds_to_keep list.
297 *
298 * This version is async signal safe as it does not make any unsafe C library
299 * calls, malloc calls or handle any locks. It is _unfortunate_ to be forced
300 * to resort to making a kernel system call directly but this is the ONLY api
301 * available that does no harm. opendir/readdir/closedir perform memory
302 * allocation and locking so while they usually work they are not guaranteed
303 * to (especially if you have replaced your malloc implementation). A version
304 * of this function that uses those can be found in the _maybe_unsafe variant.
305 *
306 * This is Linux specific because that is all I am ready to test it on. It
307 * should be easy to add OS specific dirent or dirent64 structures and modify
308 * it with some cpp #define magic to work on other OSes as well if you want.
309 */
310 static void
_close_open_fds_safe(int start_fd,PyObject * py_fds_to_keep)311 _close_open_fds_safe(int start_fd, PyObject* py_fds_to_keep)
312 {
313 int fd_dir_fd;
314
315 fd_dir_fd = _Py_open_noraise(FD_DIR, O_RDONLY);
316 if (fd_dir_fd == -1) {
317 /* No way to get a list of open fds. */
318 _close_fds_by_brute_force(start_fd, py_fds_to_keep);
319 return;
320 } else {
321 char buffer[sizeof(struct linux_dirent64)];
322 int bytes;
323 while ((bytes = syscall(SYS_getdents64, fd_dir_fd,
324 (struct linux_dirent64 *)buffer,
325 sizeof(buffer))) > 0) {
326 struct linux_dirent64 *entry;
327 int offset;
328 #ifdef _Py_MEMORY_SANITIZER
329 __msan_unpoison(buffer, bytes);
330 #endif
331 for (offset = 0; offset < bytes; offset += entry->d_reclen) {
332 int fd;
333 entry = (struct linux_dirent64 *)(buffer + offset);
334 if ((fd = _pos_int_from_ascii(entry->d_name)) < 0)
335 continue; /* Not a number. */
336 if (fd != fd_dir_fd && fd >= start_fd &&
337 !_is_fd_in_sorted_fd_sequence(fd, py_fds_to_keep)) {
338 close(fd);
339 }
340 }
341 }
342 close(fd_dir_fd);
343 }
344 }
345
346 #define _close_open_fds _close_open_fds_safe
347
348 #else /* NOT (defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)) */
349
350
351 /* Close all open file descriptors from start_fd and higher.
352 * Do not close any in the sorted py_fds_to_keep tuple.
353 *
354 * This function violates the strict use of async signal safe functions. :(
355 * It calls opendir(), readdir() and closedir(). Of these, the one most
356 * likely to ever cause a problem is opendir() as it performs an internal
357 * malloc(). Practically this should not be a problem. The Java VM makes the
358 * same calls between fork and exec in its own UNIXProcess_md.c implementation.
359 *
360 * readdir_r() is not used because it provides no benefit. It is typically
361 * implemented as readdir() followed by memcpy(). See also:
362 * http://womble.decadent.org.uk/readdir_r-advisory.html
363 */
364 static void
_close_open_fds_maybe_unsafe(long start_fd,PyObject * py_fds_to_keep)365 _close_open_fds_maybe_unsafe(long start_fd, PyObject* py_fds_to_keep)
366 {
367 DIR *proc_fd_dir;
368 #ifndef HAVE_DIRFD
369 while (_is_fd_in_sorted_fd_sequence(start_fd, py_fds_to_keep)) {
370 ++start_fd;
371 }
372 /* Close our lowest fd before we call opendir so that it is likely to
373 * reuse that fd otherwise we might close opendir's file descriptor in
374 * our loop. This trick assumes that fd's are allocated on a lowest
375 * available basis. */
376 close(start_fd);
377 ++start_fd;
378 #endif
379
380 #if defined(__FreeBSD__)
381 if (!_is_fdescfs_mounted_on_dev_fd())
382 proc_fd_dir = NULL;
383 else
384 #endif
385 proc_fd_dir = opendir(FD_DIR);
386 if (!proc_fd_dir) {
387 /* No way to get a list of open fds. */
388 _close_fds_by_brute_force(start_fd, py_fds_to_keep);
389 } else {
390 struct dirent *dir_entry;
391 #ifdef HAVE_DIRFD
392 int fd_used_by_opendir = dirfd(proc_fd_dir);
393 #else
394 int fd_used_by_opendir = start_fd - 1;
395 #endif
396 errno = 0;
397 while ((dir_entry = readdir(proc_fd_dir))) {
398 int fd;
399 if ((fd = _pos_int_from_ascii(dir_entry->d_name)) < 0)
400 continue; /* Not a number. */
401 if (fd != fd_used_by_opendir && fd >= start_fd &&
402 !_is_fd_in_sorted_fd_sequence(fd, py_fds_to_keep)) {
403 close(fd);
404 }
405 errno = 0;
406 }
407 if (errno) {
408 /* readdir error, revert behavior. Highly Unlikely. */
409 _close_fds_by_brute_force(start_fd, py_fds_to_keep);
410 }
411 closedir(proc_fd_dir);
412 }
413 }
414
415 #define _close_open_fds _close_open_fds_maybe_unsafe
416
417 #endif /* else NOT (defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)) */
418
419
420 /*
421 * This function is code executed in the child process immediately after fork
422 * to set things up and call exec().
423 *
424 * All of the code in this function must only use async-signal-safe functions,
425 * listed at `man 7 signal` or
426 * http://www.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html.
427 *
428 * This restriction is documented at
429 * http://www.opengroup.org/onlinepubs/009695399/functions/fork.html.
430 */
431 static void
child_exec(char * const exec_array[],char * const argv[],char * const envp[],const char * cwd,int p2cread,int p2cwrite,int c2pread,int c2pwrite,int errread,int errwrite,int errpipe_read,int errpipe_write,int close_fds,int restore_signals,int call_setsid,int call_setgid,gid_t gid,int call_setgroups,size_t groups_size,const gid_t * groups,int call_setuid,uid_t uid,int child_umask,PyObject * py_fds_to_keep,PyObject * preexec_fn,PyObject * preexec_fn_args_tuple)432 child_exec(char *const exec_array[],
433 char *const argv[],
434 char *const envp[],
435 const char *cwd,
436 int p2cread, int p2cwrite,
437 int c2pread, int c2pwrite,
438 int errread, int errwrite,
439 int errpipe_read, int errpipe_write,
440 int close_fds, int restore_signals,
441 int call_setsid,
442 int call_setgid, gid_t gid,
443 int call_setgroups, size_t groups_size, const gid_t *groups,
444 int call_setuid, uid_t uid, int child_umask,
445 PyObject *py_fds_to_keep,
446 PyObject *preexec_fn,
447 PyObject *preexec_fn_args_tuple)
448 {
449 int i, saved_errno, reached_preexec = 0;
450 PyObject *result;
451 const char* err_msg = "";
452 /* Buffer large enough to hold a hex integer. We can't malloc. */
453 char hex_errno[sizeof(saved_errno)*2+1];
454
455 if (make_inheritable(py_fds_to_keep, errpipe_write) < 0)
456 goto error;
457
458 /* Close parent's pipe ends. */
459 if (p2cwrite != -1)
460 POSIX_CALL(close(p2cwrite));
461 if (c2pread != -1)
462 POSIX_CALL(close(c2pread));
463 if (errread != -1)
464 POSIX_CALL(close(errread));
465 POSIX_CALL(close(errpipe_read));
466
467 /* When duping fds, if there arises a situation where one of the fds is
468 either 0, 1 or 2, it is possible that it is overwritten (#12607). */
469 if (c2pwrite == 0) {
470 POSIX_CALL(c2pwrite = dup(c2pwrite));
471 /* issue32270 */
472 if (_Py_set_inheritable_async_safe(c2pwrite, 0, NULL) < 0) {
473 goto error;
474 }
475 }
476 while (errwrite == 0 || errwrite == 1) {
477 POSIX_CALL(errwrite = dup(errwrite));
478 /* issue32270 */
479 if (_Py_set_inheritable_async_safe(errwrite, 0, NULL) < 0) {
480 goto error;
481 }
482 }
483
484 /* Dup fds for child.
485 dup2() removes the CLOEXEC flag but we must do it ourselves if dup2()
486 would be a no-op (issue #10806). */
487 if (p2cread == 0) {
488 if (_Py_set_inheritable_async_safe(p2cread, 1, NULL) < 0)
489 goto error;
490 }
491 else if (p2cread != -1)
492 POSIX_CALL(dup2(p2cread, 0)); /* stdin */
493
494 if (c2pwrite == 1) {
495 if (_Py_set_inheritable_async_safe(c2pwrite, 1, NULL) < 0)
496 goto error;
497 }
498 else if (c2pwrite != -1)
499 POSIX_CALL(dup2(c2pwrite, 1)); /* stdout */
500
501 if (errwrite == 2) {
502 if (_Py_set_inheritable_async_safe(errwrite, 1, NULL) < 0)
503 goto error;
504 }
505 else if (errwrite != -1)
506 POSIX_CALL(dup2(errwrite, 2)); /* stderr */
507
508 /* We no longer manually close p2cread, c2pwrite, and errwrite here as
509 * _close_open_fds takes care when it is not already non-inheritable. */
510
511 if (cwd)
512 POSIX_CALL(chdir(cwd));
513
514 if (child_umask >= 0)
515 umask(child_umask); /* umask() always succeeds. */
516
517 if (restore_signals)
518 _Py_RestoreSignals();
519
520 #ifdef HAVE_SETSID
521 if (call_setsid)
522 POSIX_CALL(setsid());
523 #endif
524
525 #ifdef HAVE_SETGROUPS
526 if (call_setgroups)
527 POSIX_CALL(setgroups(groups_size, groups));
528 #endif /* HAVE_SETGROUPS */
529
530 #ifdef HAVE_SETREGID
531 if (call_setgid)
532 POSIX_CALL(setregid(gid, gid));
533 #endif /* HAVE_SETREGID */
534
535 #ifdef HAVE_SETREUID
536 if (call_setuid)
537 POSIX_CALL(setreuid(uid, uid));
538 #endif /* HAVE_SETREUID */
539
540
541 reached_preexec = 1;
542 if (preexec_fn != Py_None && preexec_fn_args_tuple) {
543 /* This is where the user has asked us to deadlock their program. */
544 result = PyObject_Call(preexec_fn, preexec_fn_args_tuple, NULL);
545 if (result == NULL) {
546 /* Stringifying the exception or traceback would involve
547 * memory allocation and thus potential for deadlock.
548 * We've already faced potential deadlock by calling back
549 * into Python in the first place, so it probably doesn't
550 * matter but we avoid it to minimize the possibility. */
551 err_msg = "Exception occurred in preexec_fn.";
552 errno = 0; /* We don't want to report an OSError. */
553 goto error;
554 }
555 /* Py_DECREF(result); - We're about to exec so why bother? */
556 }
557
558 /* close FDs after executing preexec_fn, which might open FDs */
559 if (close_fds) {
560 /* TODO HP-UX could use pstat_getproc() if anyone cares about it. */
561 _close_open_fds(3, py_fds_to_keep);
562 }
563
564 /* This loop matches the Lib/os.py _execvpe()'s PATH search when */
565 /* given the executable_list generated by Lib/subprocess.py. */
566 saved_errno = 0;
567 for (i = 0; exec_array[i] != NULL; ++i) {
568 const char *executable = exec_array[i];
569 if (envp) {
570 execve(executable, argv, envp);
571 } else {
572 execv(executable, argv);
573 }
574 if (errno != ENOENT && errno != ENOTDIR && saved_errno == 0) {
575 saved_errno = errno;
576 }
577 }
578 /* Report the first exec error, not the last. */
579 if (saved_errno)
580 errno = saved_errno;
581
582 error:
583 saved_errno = errno;
584 /* Report the posix error to our parent process. */
585 /* We ignore all write() return values as the total size of our writes is
586 less than PIPEBUF and we cannot do anything about an error anyways.
587 Use _Py_write_noraise() to retry write() if it is interrupted by a
588 signal (fails with EINTR). */
589 if (saved_errno) {
590 char *cur;
591 _Py_write_noraise(errpipe_write, "OSError:", 8);
592 cur = hex_errno + sizeof(hex_errno);
593 while (saved_errno != 0 && cur != hex_errno) {
594 *--cur = Py_hexdigits[saved_errno % 16];
595 saved_errno /= 16;
596 }
597 _Py_write_noraise(errpipe_write, cur, hex_errno + sizeof(hex_errno) - cur);
598 _Py_write_noraise(errpipe_write, ":", 1);
599 if (!reached_preexec) {
600 /* Indicate to the parent that the error happened before exec(). */
601 _Py_write_noraise(errpipe_write, "noexec", 6);
602 }
603 /* We can't call strerror(saved_errno). It is not async signal safe.
604 * The parent process will look the error message up. */
605 } else {
606 _Py_write_noraise(errpipe_write, "SubprocessError:0:", 18);
607 _Py_write_noraise(errpipe_write, err_msg, strlen(err_msg));
608 }
609 }
610
611
612 static PyObject *
subprocess_fork_exec(PyObject * self,PyObject * args)613 subprocess_fork_exec(PyObject* self, PyObject *args)
614 {
615 PyObject *gc_module = NULL;
616 PyObject *executable_list, *py_fds_to_keep;
617 PyObject *env_list, *preexec_fn;
618 PyObject *process_args, *converted_args = NULL, *fast_args = NULL;
619 PyObject *preexec_fn_args_tuple = NULL;
620 PyObject *groups_list;
621 PyObject *uid_object, *gid_object;
622 int p2cread, p2cwrite, c2pread, c2pwrite, errread, errwrite;
623 int errpipe_read, errpipe_write, close_fds, restore_signals;
624 int call_setsid;
625 int call_setgid = 0, call_setgroups = 0, call_setuid = 0;
626 uid_t uid;
627 gid_t gid, *groups = NULL;
628 int child_umask;
629 PyObject *cwd_obj, *cwd_obj2 = NULL;
630 const char *cwd;
631 pid_t pid;
632 int need_to_reenable_gc = 0;
633 char *const *exec_array, *const *argv = NULL, *const *envp = NULL;
634 Py_ssize_t arg_num, num_groups = 0;
635 int need_after_fork = 0;
636 int saved_errno = 0;
637
638 if (!PyArg_ParseTuple(
639 args, "OOpO!OOiiiiiiiiiiOOOiO:fork_exec",
640 &process_args, &executable_list,
641 &close_fds, &PyTuple_Type, &py_fds_to_keep,
642 &cwd_obj, &env_list,
643 &p2cread, &p2cwrite, &c2pread, &c2pwrite,
644 &errread, &errwrite, &errpipe_read, &errpipe_write,
645 &restore_signals, &call_setsid,
646 &gid_object, &groups_list, &uid_object, &child_umask,
647 &preexec_fn))
648 return NULL;
649
650 if ((preexec_fn != Py_None) &&
651 (PyInterpreterState_Get() != PyInterpreterState_Main())) {
652 PyErr_SetString(PyExc_RuntimeError,
653 "preexec_fn not supported within subinterpreters");
654 return NULL;
655 }
656
657 if (close_fds && errpipe_write < 3) { /* precondition */
658 PyErr_SetString(PyExc_ValueError, "errpipe_write must be >= 3");
659 return NULL;
660 }
661 if (_sanity_check_python_fd_sequence(py_fds_to_keep)) {
662 PyErr_SetString(PyExc_ValueError, "bad value(s) in fds_to_keep");
663 return NULL;
664 }
665
666 PyInterpreterState *interp = PyInterpreterState_Get();
667 const PyConfig *config = _PyInterpreterState_GetConfig(interp);
668 if (config->_isolated_interpreter) {
669 PyErr_SetString(PyExc_RuntimeError,
670 "subprocess not supported for isolated subinterpreters");
671 return NULL;
672 }
673
674 /* We need to call gc.disable() when we'll be calling preexec_fn */
675 if (preexec_fn != Py_None) {
676 PyObject *result;
677
678 gc_module = PyImport_ImportModule("gc");
679 if (gc_module == NULL)
680 return NULL;
681 result = PyObject_CallMethodNoArgs(
682 gc_module, _posixsubprocessstate_global->isenabled);
683 if (result == NULL) {
684 Py_DECREF(gc_module);
685 return NULL;
686 }
687 need_to_reenable_gc = PyObject_IsTrue(result);
688 Py_DECREF(result);
689 if (need_to_reenable_gc == -1) {
690 Py_DECREF(gc_module);
691 return NULL;
692 }
693 result = PyObject_CallMethodNoArgs(
694 gc_module, _posixsubprocessstate_global->disable);
695 if (result == NULL) {
696 Py_DECREF(gc_module);
697 return NULL;
698 }
699 Py_DECREF(result);
700 }
701
702 exec_array = _PySequence_BytesToCharpArray(executable_list);
703 if (!exec_array)
704 goto cleanup;
705
706 /* Convert args and env into appropriate arguments for exec() */
707 /* These conversions are done in the parent process to avoid allocating
708 or freeing memory in the child process. */
709 if (process_args != Py_None) {
710 Py_ssize_t num_args;
711 /* Equivalent to: */
712 /* tuple(PyUnicode_FSConverter(arg) for arg in process_args) */
713 fast_args = PySequence_Fast(process_args, "argv must be a tuple");
714 if (fast_args == NULL)
715 goto cleanup;
716 num_args = PySequence_Fast_GET_SIZE(fast_args);
717 converted_args = PyTuple_New(num_args);
718 if (converted_args == NULL)
719 goto cleanup;
720 for (arg_num = 0; arg_num < num_args; ++arg_num) {
721 PyObject *borrowed_arg, *converted_arg;
722 if (PySequence_Fast_GET_SIZE(fast_args) != num_args) {
723 PyErr_SetString(PyExc_RuntimeError, "args changed during iteration");
724 goto cleanup;
725 }
726 borrowed_arg = PySequence_Fast_GET_ITEM(fast_args, arg_num);
727 if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0)
728 goto cleanup;
729 PyTuple_SET_ITEM(converted_args, arg_num, converted_arg);
730 }
731
732 argv = _PySequence_BytesToCharpArray(converted_args);
733 Py_CLEAR(converted_args);
734 Py_CLEAR(fast_args);
735 if (!argv)
736 goto cleanup;
737 }
738
739 if (env_list != Py_None) {
740 envp = _PySequence_BytesToCharpArray(env_list);
741 if (!envp)
742 goto cleanup;
743 }
744
745 if (cwd_obj != Py_None) {
746 if (PyUnicode_FSConverter(cwd_obj, &cwd_obj2) == 0)
747 goto cleanup;
748 cwd = PyBytes_AsString(cwd_obj2);
749 } else {
750 cwd = NULL;
751 }
752
753 if (groups_list != Py_None) {
754 #ifdef HAVE_SETGROUPS
755 Py_ssize_t i;
756 unsigned long gid;
757
758 if (!PyList_Check(groups_list)) {
759 PyErr_SetString(PyExc_TypeError,
760 "setgroups argument must be a list");
761 goto cleanup;
762 }
763 num_groups = PySequence_Size(groups_list);
764
765 if (num_groups < 0)
766 goto cleanup;
767
768 if (num_groups > MAX_GROUPS) {
769 PyErr_SetString(PyExc_ValueError, "too many groups");
770 goto cleanup;
771 }
772
773 if ((groups = PyMem_RawMalloc(num_groups * sizeof(gid_t))) == NULL) {
774 PyErr_SetString(PyExc_MemoryError,
775 "failed to allocate memory for group list");
776 goto cleanup;
777 }
778
779 for (i = 0; i < num_groups; i++) {
780 PyObject *elem;
781 elem = PySequence_GetItem(groups_list, i);
782 if (!elem)
783 goto cleanup;
784 if (!PyLong_Check(elem)) {
785 PyErr_SetString(PyExc_TypeError,
786 "groups must be integers");
787 Py_DECREF(elem);
788 goto cleanup;
789 } else {
790 /* In posixmodule.c UnsignedLong is used as a fallback value
791 * if the value provided does not fit in a Long. Since we are
792 * already doing the bounds checking on the Python side, we
793 * can go directly to an UnsignedLong here. */
794 if (!_Py_Gid_Converter(elem, &gid)) {
795 Py_DECREF(elem);
796 PyErr_SetString(PyExc_ValueError, "invalid group id");
797 goto cleanup;
798 }
799 groups[i] = gid;
800 }
801 Py_DECREF(elem);
802 }
803 call_setgroups = 1;
804
805 #else /* HAVE_SETGROUPS */
806 PyErr_BadInternalCall();
807 goto cleanup;
808 #endif /* HAVE_SETGROUPS */
809 }
810
811 if (gid_object != Py_None) {
812 #ifdef HAVE_SETREGID
813 if (!_Py_Gid_Converter(gid_object, &gid))
814 goto cleanup;
815
816 call_setgid = 1;
817
818 #else /* HAVE_SETREGID */
819 PyErr_BadInternalCall();
820 goto cleanup;
821 #endif /* HAVE_SETREUID */
822 }
823
824 if (uid_object != Py_None) {
825 #ifdef HAVE_SETREUID
826 if (!_Py_Uid_Converter(uid_object, &uid))
827 goto cleanup;
828
829 call_setuid = 1;
830
831 #else /* HAVE_SETREUID */
832 PyErr_BadInternalCall();
833 goto cleanup;
834 #endif /* HAVE_SETREUID */
835 }
836
837 /* This must be the last thing done before fork() because we do not
838 * want to call PyOS_BeforeFork() if there is any chance of another
839 * error leading to the cleanup: code without calling fork(). */
840 if (preexec_fn != Py_None) {
841 preexec_fn_args_tuple = PyTuple_New(0);
842 if (!preexec_fn_args_tuple)
843 goto cleanup;
844 PyOS_BeforeFork();
845 need_after_fork = 1;
846 }
847
848 pid = fork();
849 if (pid == 0) {
850 /* Child process */
851 /*
852 * Code from here to _exit() must only use async-signal-safe functions,
853 * listed at `man 7 signal` or
854 * http://www.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html.
855 */
856
857 if (preexec_fn != Py_None) {
858 /* We'll be calling back into Python later so we need to do this.
859 * This call may not be async-signal-safe but neither is calling
860 * back into Python. The user asked us to use hope as a strategy
861 * to avoid deadlock... */
862 PyOS_AfterFork_Child();
863 }
864
865 child_exec(exec_array, argv, envp, cwd,
866 p2cread, p2cwrite, c2pread, c2pwrite,
867 errread, errwrite, errpipe_read, errpipe_write,
868 close_fds, restore_signals, call_setsid,
869 call_setgid, gid, call_setgroups, num_groups, groups,
870 call_setuid, uid, child_umask,
871 py_fds_to_keep, preexec_fn, preexec_fn_args_tuple);
872 _exit(255);
873 return NULL; /* Dead code to avoid a potential compiler warning. */
874 }
875 /* Parent (original) process */
876 if (pid == -1) {
877 /* Capture errno for the exception. */
878 saved_errno = errno;
879 }
880
881 Py_XDECREF(cwd_obj2);
882
883 if (need_after_fork)
884 PyOS_AfterFork_Parent();
885 if (envp)
886 _Py_FreeCharPArray(envp);
887 if (argv)
888 _Py_FreeCharPArray(argv);
889 _Py_FreeCharPArray(exec_array);
890
891 /* Reenable gc in the parent process (or if fork failed). */
892 if (_enable_gc(need_to_reenable_gc, gc_module)) {
893 pid = -1;
894 }
895 PyMem_RawFree(groups);
896 Py_XDECREF(preexec_fn_args_tuple);
897 Py_XDECREF(gc_module);
898
899 if (pid == -1) {
900 errno = saved_errno;
901 /* We can't call this above as PyOS_AfterFork_Parent() calls back
902 * into Python code which would see the unreturned error. */
903 PyErr_SetFromErrno(PyExc_OSError);
904 return NULL; /* fork() failed. */
905 }
906
907 return PyLong_FromPid(pid);
908
909 cleanup:
910 Py_XDECREF(cwd_obj2);
911 if (envp)
912 _Py_FreeCharPArray(envp);
913 if (argv)
914 _Py_FreeCharPArray(argv);
915 if (exec_array)
916 _Py_FreeCharPArray(exec_array);
917
918 PyMem_RawFree(groups);
919 Py_XDECREF(converted_args);
920 Py_XDECREF(fast_args);
921 Py_XDECREF(preexec_fn_args_tuple);
922 _enable_gc(need_to_reenable_gc, gc_module);
923 Py_XDECREF(gc_module);
924 return NULL;
925 }
926
927
928 PyDoc_STRVAR(subprocess_fork_exec_doc,
929 "fork_exec(args, executable_list, close_fds, pass_fds, cwd, env,\n\
930 p2cread, p2cwrite, c2pread, c2pwrite,\n\
931 errread, errwrite, errpipe_read, errpipe_write,\n\
932 restore_signals, call_setsid,\n\
933 gid, groups_list, uid,\n\
934 preexec_fn)\n\
935 \n\
936 Forks a child process, closes parent file descriptors as appropriate in the\n\
937 child and dups the few that are needed before calling exec() in the child\n\
938 process.\n\
939 \n\
940 If close_fds is true, close file descriptors 3 and higher, except those listed\n\
941 in the sorted tuple pass_fds.\n\
942 \n\
943 The preexec_fn, if supplied, will be called immediately before closing file\n\
944 descriptors and exec.\n\
945 WARNING: preexec_fn is NOT SAFE if your application uses threads.\n\
946 It may trigger infrequent, difficult to debug deadlocks.\n\
947 \n\
948 If an error occurs in the child process before the exec, it is\n\
949 serialized and written to the errpipe_write fd per subprocess.py.\n\
950 \n\
951 Returns: the child process's PID.\n\
952 \n\
953 Raises: Only on an error in the parent process.\n\
954 ");
955
956 /* module level code ********************************************************/
957
958 PyDoc_STRVAR(module_doc,
959 "A POSIX helper for the subprocess module.");
960
961
962 static PyMethodDef module_methods[] = {
963 {"fork_exec", subprocess_fork_exec, METH_VARARGS, subprocess_fork_exec_doc},
964 {NULL, NULL} /* sentinel */
965 };
966
967
_posixsubprocess_traverse(PyObject * m,visitproc visit,void * arg)968 static int _posixsubprocess_traverse(PyObject *m, visitproc visit, void *arg) {
969 Py_VISIT(get_posixsubprocess_state(m)->disable);
970 Py_VISIT(get_posixsubprocess_state(m)->enable);
971 Py_VISIT(get_posixsubprocess_state(m)->isenabled);
972 return 0;
973 }
974
_posixsubprocess_clear(PyObject * m)975 static int _posixsubprocess_clear(PyObject *m) {
976 Py_CLEAR(get_posixsubprocess_state(m)->disable);
977 Py_CLEAR(get_posixsubprocess_state(m)->enable);
978 Py_CLEAR(get_posixsubprocess_state(m)->isenabled);
979 return 0;
980 }
981
_posixsubprocess_free(void * m)982 static void _posixsubprocess_free(void *m) {
983 _posixsubprocess_clear((PyObject *)m);
984 }
985
986 static struct PyModuleDef _posixsubprocessmodule = {
987 PyModuleDef_HEAD_INIT,
988 "_posixsubprocess",
989 module_doc,
990 sizeof(_posixsubprocessstate),
991 module_methods,
992 NULL,
993 _posixsubprocess_traverse,
994 _posixsubprocess_clear,
995 _posixsubprocess_free,
996 };
997
998 PyMODINIT_FUNC
PyInit__posixsubprocess(void)999 PyInit__posixsubprocess(void)
1000 {
1001 PyObject* m;
1002
1003 m = PyState_FindModule(&_posixsubprocessmodule);
1004 if (m != NULL) {
1005 Py_INCREF(m);
1006 return m;
1007 }
1008
1009 m = PyModule_Create(&_posixsubprocessmodule);
1010 if (m == NULL) {
1011 return NULL;
1012 }
1013
1014 get_posixsubprocess_state(m)->disable = PyUnicode_InternFromString("disable");
1015 get_posixsubprocess_state(m)->enable = PyUnicode_InternFromString("enable");
1016 get_posixsubprocess_state(m)->isenabled = PyUnicode_InternFromString("isenabled");
1017
1018 PyState_AddModule(m, &_posixsubprocessmodule);
1019 return m;
1020 }
1021