1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <spawn.h>
30
31 #include <errno.h>
32 #include <fcntl.h>
33 #include <linux/close_range.h>
34 #include <signal.h>
35 #include <stdlib.h>
36 #include <string.h>
37 #include <sys/resource.h>
38 #include <sys/syscall.h>
39 #include <unistd.h>
40
41 #include <android/fdsan.h>
42
43 #include "private/ScopedSignalBlocker.h"
44 #include "private/SigSetConverter.h"
45
set_cloexec(int i)46 static int set_cloexec(int i) {
47 int v = fcntl(i, F_GETFD);
48 if (v == -1) return -1; // almost certainly: errno == EBADF
49 return fcntl(i, F_SETFD, v | FD_CLOEXEC);
50 }
51
52 // mark all open fds except stdin/out/err as close-on-exec
cloexec_except_stdioe()53 static int cloexec_except_stdioe() {
54 // requires 5.11+ or ACK 5.10-T kernel, otherwise returns ENOSYS or EINVAL
55 if (!syscall(SYS_close_range, 3, ~0U, CLOSE_RANGE_CLOEXEC)) return 0;
56
57 // unfortunately getrlimit can lie:
58 // - both soft and hard limits can be lowered to 0, with fds still open, so it can underestimate
59 // - in practice it usually is some really large value (like 32K or more)
60 // even though only a handful of small fds are actually open (ie. < 500),
61 // this results in poor performance when trying to act on all possibly open fds
62 struct rlimit m;
63 int max = getrlimit(RLIMIT_NOFILE, &m) ? 1000000 : m.rlim_max;
64 for (int i = 3; i < max; ++i) set_cloexec(i);
65 return 0;
66 }
67
68 enum Action {
69 kOpen,
70 kClose,
71 kDup2
72 };
73
74 struct __posix_spawn_file_action {
75 __posix_spawn_file_action* next;
76
77 Action what;
78 int fd;
79 int new_fd;
80 char* path;
81 int flags;
82 mode_t mode;
83
Do__posix_spawn_file_action84 void Do() {
85 if (what == kOpen) {
86 fd = open(path, flags, mode);
87 if (fd == -1) _exit(127);
88 // If it didn't land where we wanted it, move it.
89 if (fd != new_fd) {
90 if (dup2(fd, new_fd) == -1) _exit(127);
91 close(fd);
92 }
93 } else if (what == kClose) {
94 // Failure to close is ignored.
95 close(fd);
96 } else {
97 // It's a dup2.
98 if (fd == new_fd) {
99 // dup2(2) is a no-op if fd == new_fd, but POSIX suggests that we should
100 // manually remove the O_CLOEXEC flag in that case (because otherwise
101 // what use is the dup?).
102 // See https://www.austingroupbugs.net/view.php?id=411 for details.
103 int flags = fcntl(fd, F_GETFD, 0);
104 if (flags == -1 || fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) == -1) _exit(127);
105 } else {
106 if (dup2(fd, new_fd) == -1) _exit(127);
107 }
108 }
109 }
110 };
111
112 struct __posix_spawn_file_actions {
113 __posix_spawn_file_action* head;
114 __posix_spawn_file_action* last;
115
Do__posix_spawn_file_actions116 void Do() {
117 for (__posix_spawn_file_action* action = head; action != nullptr; action = action->next) {
118 action->Do();
119 }
120 }
121 };
122
123 struct __posix_spawnattr {
124 short flags;
125 pid_t pgroup;
126 sched_param schedparam;
127 int schedpolicy;
128 SigSetConverter sigmask;
129 SigSetConverter sigdefault;
130 };
131
ApplyAttrs(short flags,const posix_spawnattr_t * attr)132 static void ApplyAttrs(short flags, const posix_spawnattr_t* attr) {
133 // POSIX: "If POSIX_SPAWN_SETSIGDEF is set ... signals in sigdefault ...
134 // shall be set to their default actions in the child process."
135 // POSIX: "Signals set to be caught by the calling process shall be
136 // set to the default action in the child process."
137 bool use_sigdefault = ((flags & POSIX_SPAWN_SETSIGDEF) != 0);
138 const struct sigaction64 default_sa = { .sa_handler = SIG_DFL };
139 for (int s = 1; s < _NSIG; ++s) {
140 bool reset = false;
141 if (use_sigdefault && sigismember64(&(*attr)->sigdefault.sigset64, s)) {
142 reset = true;
143 } else {
144 struct sigaction64 current;
145 if (sigaction64(s, nullptr, ¤t) == -1) _exit(127);
146 reset = (current.sa_handler != SIG_IGN && current.sa_handler != SIG_DFL);
147 }
148 if (reset && sigaction64(s, &default_sa, nullptr) == -1) _exit(127);
149 }
150
151 if ((flags & POSIX_SPAWN_SETPGROUP) != 0 && setpgid(0, (*attr)->pgroup) == -1) _exit(127);
152 if ((flags & POSIX_SPAWN_SETSID) != 0 && setsid() == -1) _exit(127);
153
154 // POSIX_SPAWN_SETSCHEDULER overrides POSIX_SPAWN_SETSCHEDPARAM, but it is not an error
155 // to set both.
156 if ((flags & POSIX_SPAWN_SETSCHEDULER) != 0) {
157 if (sched_setscheduler(0, (*attr)->schedpolicy, &(*attr)->schedparam) == -1) _exit(127);
158 } else if ((flags & POSIX_SPAWN_SETSCHEDPARAM) != 0) {
159 if (sched_setparam(0, &(*attr)->schedparam) == -1) _exit(127);
160 }
161
162 if ((flags & POSIX_SPAWN_RESETIDS) != 0) {
163 if (seteuid(getuid()) == -1 || setegid(getgid()) == -1) _exit(127);
164 }
165
166 if ((flags & POSIX_SPAWN_SETSIGMASK) != 0) {
167 if (sigprocmask64(SIG_SETMASK, &(*attr)->sigmask.sigset64, nullptr)) _exit(127);
168 }
169
170 if ((flags & POSIX_SPAWN_CLOEXEC_DEFAULT) != 0) {
171 if (cloexec_except_stdioe()) _exit(127);
172 }
173 }
174
posix_spawn(pid_t * pid_ptr,const char * path,const posix_spawn_file_actions_t * actions,const posix_spawnattr_t * attr,char * const argv[],char * const env[],int exec_fn (const char * path,char * const argv[],char * const env[]))175 static int posix_spawn(pid_t* pid_ptr,
176 const char* path,
177 const posix_spawn_file_actions_t* actions,
178 const posix_spawnattr_t* attr,
179 char* const argv[],
180 char* const env[],
181 int exec_fn(const char* path, char* const argv[], char* const env[])) {
182 // See http://man7.org/linux/man-pages/man3/posix_spawn.3.html
183 // and http://pubs.opengroup.org/onlinepubs/9699919799/functions/posix_spawn.html
184
185 ScopedSignalBlocker ssb;
186
187 short flags = attr ? (*attr)->flags : 0;
188 bool use_vfork = ((flags & POSIX_SPAWN_USEVFORK) != 0) || (actions == nullptr && flags == 0);
189
190 pid_t pid = use_vfork ? vfork() : fork();
191 if (pid == -1) return errno;
192
193 if (pid == 0) {
194 // Child.
195 ApplyAttrs(flags, attr);
196 if (actions) (*actions)->Do();
197 if ((flags & POSIX_SPAWN_SETSIGMASK) == 0) ssb.reset();
198 exec_fn(path, argv, env ? env : environ);
199 _exit(127);
200 }
201
202 // Parent.
203 if (pid_ptr) *pid_ptr = pid;
204 return 0;
205 }
206
posix_spawn(pid_t * pid,const char * path,const posix_spawn_file_actions_t * actions,const posix_spawnattr_t * attr,char * const argv[],char * const env[])207 int posix_spawn(pid_t* pid, const char* path, const posix_spawn_file_actions_t* actions,
208 const posix_spawnattr_t* attr, char* const argv[], char* const env[]) {
209 return posix_spawn(pid, path, actions, attr, argv, env, execve);
210 }
211
posix_spawnp(pid_t * pid,const char * file,const posix_spawn_file_actions_t * actions,const posix_spawnattr_t * attr,char * const argv[],char * const env[])212 int posix_spawnp(pid_t* pid, const char* file, const posix_spawn_file_actions_t* actions,
213 const posix_spawnattr_t* attr, char* const argv[], char* const env[]) {
214 return posix_spawn(pid, file, actions, attr, argv, env, execvpe);
215 }
216
posix_spawnattr_init(posix_spawnattr_t * attr)217 int posix_spawnattr_init(posix_spawnattr_t* attr) {
218 *attr = reinterpret_cast<__posix_spawnattr*>(calloc(1, sizeof(__posix_spawnattr)));
219 return (*attr == nullptr) ? errno : 0;
220 }
221
posix_spawnattr_destroy(posix_spawnattr_t * attr)222 int posix_spawnattr_destroy(posix_spawnattr_t* attr) {
223 free(*attr);
224 *attr = nullptr;
225 return 0;
226 }
227
posix_spawnattr_setflags(posix_spawnattr_t * attr,short flags)228 int posix_spawnattr_setflags(posix_spawnattr_t* attr, short flags) {
229 if ((flags & ~(POSIX_SPAWN_RESETIDS | POSIX_SPAWN_SETPGROUP | POSIX_SPAWN_SETSIGDEF |
230 POSIX_SPAWN_SETSIGMASK | POSIX_SPAWN_SETSCHEDPARAM | POSIX_SPAWN_SETSCHEDULER |
231 POSIX_SPAWN_USEVFORK | POSIX_SPAWN_SETSID | POSIX_SPAWN_CLOEXEC_DEFAULT)) != 0) {
232 return EINVAL;
233 }
234 (*attr)->flags = flags;
235 return 0;
236 }
237
posix_spawnattr_getflags(const posix_spawnattr_t * attr,short * flags)238 int posix_spawnattr_getflags(const posix_spawnattr_t* attr, short* flags) {
239 *flags = (*attr)->flags;
240 return 0;
241 }
242
posix_spawnattr_setpgroup(posix_spawnattr_t * attr,pid_t pgroup)243 int posix_spawnattr_setpgroup(posix_spawnattr_t* attr, pid_t pgroup) {
244 (*attr)->pgroup = pgroup;
245 return 0;
246 }
247
posix_spawnattr_getpgroup(const posix_spawnattr_t * attr,pid_t * pgroup)248 int posix_spawnattr_getpgroup(const posix_spawnattr_t* attr, pid_t* pgroup) {
249 *pgroup = (*attr)->pgroup;
250 return 0;
251 }
252
posix_spawnattr_setsigmask(posix_spawnattr_t * attr,const sigset_t * mask)253 int posix_spawnattr_setsigmask(posix_spawnattr_t* attr, const sigset_t* mask) {
254 (*attr)->sigmask.sigset = *mask;
255 return 0;
256 }
257
posix_spawnattr_setsigmask64(posix_spawnattr_t * attr,const sigset64_t * mask)258 int posix_spawnattr_setsigmask64(posix_spawnattr_t* attr, const sigset64_t* mask) {
259 (*attr)->sigmask.sigset64 = *mask;
260 return 0;
261 }
262
posix_spawnattr_getsigmask(const posix_spawnattr_t * attr,sigset_t * mask)263 int posix_spawnattr_getsigmask(const posix_spawnattr_t* attr, sigset_t* mask) {
264 *mask = (*attr)->sigmask.sigset;
265 return 0;
266 }
267
posix_spawnattr_getsigmask64(const posix_spawnattr_t * attr,sigset64_t * mask)268 int posix_spawnattr_getsigmask64(const posix_spawnattr_t* attr, sigset64_t* mask) {
269 *mask = (*attr)->sigmask.sigset64;
270 return 0;
271 }
272
posix_spawnattr_setsigdefault(posix_spawnattr_t * attr,const sigset_t * mask)273 int posix_spawnattr_setsigdefault(posix_spawnattr_t* attr, const sigset_t* mask) {
274 (*attr)->sigdefault.sigset = *mask;
275 return 0;
276 }
277
posix_spawnattr_setsigdefault64(posix_spawnattr_t * attr,const sigset64_t * mask)278 int posix_spawnattr_setsigdefault64(posix_spawnattr_t* attr, const sigset64_t* mask) {
279 (*attr)->sigdefault.sigset64 = *mask;
280 return 0;
281 }
282
posix_spawnattr_getsigdefault(const posix_spawnattr_t * attr,sigset_t * mask)283 int posix_spawnattr_getsigdefault(const posix_spawnattr_t* attr, sigset_t* mask) {
284 *mask = (*attr)->sigdefault.sigset;
285 return 0;
286 }
287
posix_spawnattr_getsigdefault64(const posix_spawnattr_t * attr,sigset64_t * mask)288 int posix_spawnattr_getsigdefault64(const posix_spawnattr_t* attr, sigset64_t* mask) {
289 *mask = (*attr)->sigdefault.sigset64;
290 return 0;
291 }
292
posix_spawnattr_setschedparam(posix_spawnattr_t * attr,const struct sched_param * param)293 int posix_spawnattr_setschedparam(posix_spawnattr_t* attr, const struct sched_param* param) {
294 (*attr)->schedparam = *param;
295 return 0;
296 }
297
posix_spawnattr_getschedparam(const posix_spawnattr_t * attr,struct sched_param * param)298 int posix_spawnattr_getschedparam(const posix_spawnattr_t* attr, struct sched_param* param) {
299 *param = (*attr)->schedparam;
300 return 0;
301 }
302
posix_spawnattr_setschedpolicy(posix_spawnattr_t * attr,int policy)303 int posix_spawnattr_setschedpolicy(posix_spawnattr_t* attr, int policy) {
304 (*attr)->schedpolicy = policy;
305 return 0;
306 }
307
posix_spawnattr_getschedpolicy(const posix_spawnattr_t * attr,int * policy)308 int posix_spawnattr_getschedpolicy(const posix_spawnattr_t* attr, int* policy) {
309 *policy = (*attr)->schedpolicy;
310 return 0;
311 }
312
posix_spawn_file_actions_init(posix_spawn_file_actions_t * actions)313 int posix_spawn_file_actions_init(posix_spawn_file_actions_t* actions) {
314 *actions = reinterpret_cast<__posix_spawn_file_actions*>(calloc(1, sizeof(**actions)));
315 return (*actions == nullptr) ? errno : 0;
316 }
317
posix_spawn_file_actions_destroy(posix_spawn_file_actions_t * actions)318 int posix_spawn_file_actions_destroy(posix_spawn_file_actions_t* actions) {
319 __posix_spawn_file_action* a = (*actions)->head;
320 while (a) {
321 __posix_spawn_file_action* last = a;
322 a = a->next;
323 free(last->path);
324 free(last);
325 }
326 free(*actions);
327 *actions = nullptr;
328 return 0;
329 }
330
posix_spawn_add_file_action(posix_spawn_file_actions_t * actions,Action what,int fd,int new_fd,const char * path,int flags,mode_t mode)331 static int posix_spawn_add_file_action(posix_spawn_file_actions_t* actions,
332 Action what,
333 int fd,
334 int new_fd,
335 const char* path,
336 int flags,
337 mode_t mode) {
338 __posix_spawn_file_action* action =
339 reinterpret_cast<__posix_spawn_file_action*>(malloc(sizeof(*action)));
340 if (action == nullptr) return errno;
341
342 action->next = nullptr;
343 if (path != nullptr) {
344 action->path = strdup(path);
345 if (action->path == nullptr) {
346 free(action);
347 return errno;
348 }
349 } else {
350 action->path = nullptr;
351 }
352 action->what = what;
353 action->fd = fd;
354 action->new_fd = new_fd;
355 action->flags = flags;
356 action->mode = mode;
357
358 if ((*actions)->head == nullptr) {
359 (*actions)->head = (*actions)->last = action;
360 } else {
361 (*actions)->last->next = action;
362 (*actions)->last = action;
363 }
364
365 return 0;
366 }
367
posix_spawn_file_actions_addopen(posix_spawn_file_actions_t * actions,int fd,const char * path,int flags,mode_t mode)368 int posix_spawn_file_actions_addopen(posix_spawn_file_actions_t* actions,
369 int fd, const char* path, int flags, mode_t mode) {
370 if (fd < 0) return EBADF;
371 return posix_spawn_add_file_action(actions, kOpen, -1, fd, path, flags, mode);
372 }
373
posix_spawn_file_actions_addclose(posix_spawn_file_actions_t * actions,int fd)374 int posix_spawn_file_actions_addclose(posix_spawn_file_actions_t* actions, int fd) {
375 if (fd < 0) return EBADF;
376 return posix_spawn_add_file_action(actions, kClose, fd, -1, nullptr, 0, 0);
377 }
378
posix_spawn_file_actions_adddup2(posix_spawn_file_actions_t * actions,int fd,int new_fd)379 int posix_spawn_file_actions_adddup2(posix_spawn_file_actions_t* actions, int fd, int new_fd) {
380 if (fd < 0 || new_fd < 0) return EBADF;
381 return posix_spawn_add_file_action(actions, kDup2, fd, new_fd, nullptr, 0, 0);
382 }
383