1 /* 2 * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 #include <dirent.h> 25 #include <errno.h> 26 #include <fcntl.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <unistd.h> 30 #include <limits.h> 31 32 #include "childproc.h" 33 34 35 ssize_t 36 restartableWrite(int fd, const void *buf, size_t count) 37 { 38 ssize_t result; 39 RESTARTABLE(write(fd, buf, count), result); 40 return result; 41 } 42 43 int 44 restartableDup2(int fd_from, int fd_to) 45 { 46 int err; 47 RESTARTABLE(dup2(fd_from, fd_to), err); 48 return err; 49 } 50 51 int 52 restartableClose(int fd) 53 { 54 int err; 55 RESTARTABLE(close(fd), err); 56 return err; 57 } 58 59 int 60 closeSafely(int fd) 61 { 62 return (fd == -1) ? 0 : restartableClose(fd); 63 } 64 65 int 66 isAsciiDigit(char c) 67 { 68 return c >= '0' && c <= '9'; 69 } 70 71 #ifdef _ALLBSD_SOURCE 72 #define FD_DIR "/dev/fd" 73 #define dirent64 dirent 74 #define readdir64 readdir 75 #else 76 #define FD_DIR "/proc/self/fd" 77 #endif 78 79 int 80 closeDescriptors(void) 81 { 82 DIR *dp; 83 struct dirent64 *dirp; 84 int from_fd = FAIL_FILENO + 1; 85 86 /* We're trying to close all file descriptors, but opendir() might 87 * itself be implemented using a file descriptor, and we certainly 88 * don't want to close that while it's in use. We assume that if 89 * opendir() is implemented using a file descriptor, then it uses 90 * the lowest numbered file descriptor, just like open(). So we 91 * close a couple explicitly. */ 92 93 restartableClose(from_fd); /* for possible use by opendir() */ 94 restartableClose(from_fd + 1); /* another one for good luck */ 95 96 if ((dp = opendir(FD_DIR)) == NULL) 97 return 0; 98 99 /* We use readdir64 instead of readdir to work around Solaris bug 100 * 6395699: /proc/self/fd fails to report file descriptors >= 1024 on Solaris 9 101 */ 102 while ((dirp = readdir64(dp)) != NULL) { 103 int fd; 104 if (isAsciiDigit(dirp->d_name[0]) && 105 (fd = strtol(dirp->d_name, NULL, 10)) >= from_fd + 2) 106 restartableClose(fd); 107 } 108 109 closedir(dp); 110 111 return 1; 112 } 113 114 int 115 moveDescriptor(int fd_from, int fd_to) 116 { 117 if (fd_from != fd_to) { 118 if ((restartableDup2(fd_from, fd_to) == -1) || 119 (restartableClose(fd_from) == -1)) 120 return -1; 121 } 122 return 0; 123 } 124 125 int 126 magicNumber() { 127 return 43110; 128 } 129 130 /* 131 * Reads nbyte bytes from file descriptor fd into buf, 132 * The read operation is retried in case of EINTR or partial reads. 133 * 134 * Returns number of bytes read (normally nbyte, but may be less in 135 * case of EOF). In case of read errors, returns -1 and sets errno. 136 */ 137 ssize_t 138 readFully(int fd, void *buf, size_t nbyte) 139 { 140 ssize_t remaining = nbyte; 141 for (;;) { 142 ssize_t n = read(fd, buf, remaining); 143 if (n == 0) { 144 return nbyte - remaining; 145 } else if (n > 0) { 146 remaining -= n; 147 if (remaining <= 0) 148 return nbyte; 149 /* We were interrupted in the middle of reading the bytes. 150 * Unlikely, but possible. */ 151 buf = (void *) (((char *)buf) + n); 152 } else if (errno == EINTR) { 153 /* Strange signals like SIGJVM1 are possible at any time. 154 * See http://www.dreamsongs.com/WorseIsBetter.html */ 155 } else { 156 return -1; 157 } 158 } 159 } 160 161 void 162 initVectorFromBlock(const char**vector, const char* block, int count) 163 { 164 int i; 165 const char *p; 166 for (i = 0, p = block; i < count; i++) { 167 /* Invariant: p always points to the start of a C string. */ 168 vector[i] = p; 169 while (*(p++)); 170 } 171 vector[count] = NULL; 172 } 173 174 /** 175 * Exec FILE as a traditional Bourne shell script (i.e. one without #!). 176 * If we could do it over again, we would probably not support such an ancient 177 * misfeature, but compatibility wins over sanity. The original support for 178 * this was imported accidentally from execvp(). 179 */ 180 void 181 execve_as_traditional_shell_script(const char *file, 182 const char *argv[], 183 const char *const envp[]) 184 { 185 /* Use the extra word of space provided for us in argv by caller. */ 186 const char *argv0 = argv[0]; 187 const char *const *end = argv; 188 while (*end != NULL) 189 ++end; 190 memmove(argv+2, argv+1, (end-argv) * sizeof (*end)); 191 argv[0] = "/bin/sh"; 192 argv[1] = file; 193 execve(argv[0], (char **) argv, (char **) envp); 194 /* Can't even exec /bin/sh? Big trouble, but let's soldier on... */ 195 memmove(argv+1, argv+2, (end-argv) * sizeof (*end)); 196 argv[0] = argv0; 197 } 198 199 /** 200 * Like execve(2), except that in case of ENOEXEC, FILE is assumed to 201 * be a shell script and the system default shell is invoked to run it. 202 */ 203 void 204 execve_with_shell_fallback(int mode, const char *file, 205 const char *argv[], 206 const char *const envp[]) 207 { 208 if (mode == MODE_CLONE || mode == MODE_VFORK) { 209 /* shared address space; be very careful. */ 210 execve(file, (char **) argv, (char **) envp); 211 if (errno == ENOEXEC) 212 execve_as_traditional_shell_script(file, argv, envp); 213 } else { 214 /* unshared address space; we can mutate environ. */ 215 environ = (char **) envp; 216 execvp(file, (char **) argv); 217 } 218 } 219 220 /** 221 * 'execvpe' should have been included in the Unix standards, 222 * and is a GNU extension in glibc 2.10. 223 * 224 * JDK_execvpe is identical to execvp, except that the child environment is 225 * specified via the 3rd argument instead of being inherited from environ. 226 */ 227 void 228 JDK_execvpe(int mode, const char *file, 229 const char *argv[], 230 const char *const envp[]) 231 { 232 if (envp == NULL || (char **) envp == environ) { 233 execvp(file, (char **) argv); 234 return; 235 } 236 237 if (*file == '\0') { 238 errno = ENOENT; 239 return; 240 } 241 242 if (strchr(file, '/') != NULL) { 243 execve_with_shell_fallback(mode, file, argv, envp); 244 } else { 245 /* We must search PATH (parent's, not child's) */ 246 char expanded_file[PATH_MAX]; 247 int filelen = strlen(file); 248 int sticky_errno = 0; 249 const char * const * dirs; 250 for (dirs = parentPathv; *dirs; dirs++) { 251 const char * dir = *dirs; 252 int dirlen = strlen(dir); 253 if (filelen + dirlen + 2 >= PATH_MAX) { 254 errno = ENAMETOOLONG; 255 continue; 256 } 257 memcpy(expanded_file, dir, dirlen); 258 if (expanded_file[dirlen - 1] != '/') 259 expanded_file[dirlen++] = '/'; 260 memcpy(expanded_file + dirlen, file, filelen); 261 expanded_file[dirlen + filelen] = '\0'; 262 execve_with_shell_fallback(mode, expanded_file, argv, envp); 263 /* There are 3 responses to various classes of errno: 264 * return immediately, continue (especially for ENOENT), 265 * or continue with "sticky" errno. 266 * 267 * From exec(3): 268 * 269 * If permission is denied for a file (the attempted 270 * execve returned EACCES), these functions will continue 271 * searching the rest of the search path. If no other 272 * file is found, however, they will return with the 273 * global variable errno set to EACCES. 274 */ 275 switch (errno) { 276 case EACCES: 277 sticky_errno = errno; 278 /* FALLTHRU */ 279 case ENOENT: 280 case ENOTDIR: 281 #ifdef ELOOP 282 case ELOOP: 283 #endif 284 #ifdef ESTALE 285 case ESTALE: 286 #endif 287 #ifdef ENODEV 288 case ENODEV: 289 #endif 290 #ifdef ETIMEDOUT 291 case ETIMEDOUT: 292 #endif 293 break; /* Try other directories in PATH */ 294 default: 295 return; 296 } 297 } 298 if (sticky_errno != 0) 299 errno = sticky_errno; 300 } 301 } 302 303 /** 304 * Child process after a successful fork() or clone(). 305 * This function must not return, and must be prepared for either all 306 * of its address space to be shared with its parent, or to be a copy. 307 * It must not modify global variables such as "environ". 308 */ 309 int 310 childProcess(void *arg) 311 { 312 const ChildStuff* p = (const ChildStuff*) arg; 313 314 /* Close the parent sides of the pipes. 315 Closing pipe fds here is redundant, since closeDescriptors() 316 would do it anyways, but a little paranoia is a good thing. */ 317 if ((closeSafely(p->in[1]) == -1) || 318 (closeSafely(p->out[0]) == -1) || 319 (closeSafely(p->err[0]) == -1) || 320 (closeSafely(p->childenv[0]) == -1) || 321 (closeSafely(p->childenv[1]) == -1) || 322 (closeSafely(p->fail[0]) == -1)) 323 goto WhyCantJohnnyExec; 324 325 /* Give the child sides of the pipes the right fileno's. */ 326 /* Note: it is possible for in[0] == 0 */ 327 if ((moveDescriptor(p->in[0] != -1 ? p->in[0] : p->fds[0], 328 STDIN_FILENO) == -1) || 329 (moveDescriptor(p->out[1]!= -1 ? p->out[1] : p->fds[1], 330 STDOUT_FILENO) == -1)) 331 goto WhyCantJohnnyExec; 332 333 if (p->redirectErrorStream) { 334 if ((closeSafely(p->err[1]) == -1) || 335 (restartableDup2(STDOUT_FILENO, STDERR_FILENO) == -1)) 336 goto WhyCantJohnnyExec; 337 } else { 338 if (moveDescriptor(p->err[1] != -1 ? p->err[1] : p->fds[2], 339 STDERR_FILENO) == -1) 340 goto WhyCantJohnnyExec; 341 } 342 343 if (moveDescriptor(p->fail[1], FAIL_FILENO) == -1) 344 goto WhyCantJohnnyExec; 345 346 /* close everything */ 347 if (closeDescriptors() == 0) { /* failed, close the old way */ 348 int max_fd = (int)sysconf(_SC_OPEN_MAX); 349 int fd; 350 for (fd = FAIL_FILENO + 1; fd < max_fd; fd++) 351 if (restartableClose(fd) == -1 && errno != EBADF) 352 goto WhyCantJohnnyExec; 353 } 354 355 /* change to the new working directory */ 356 if (p->pdir != NULL && chdir(p->pdir) < 0) 357 goto WhyCantJohnnyExec; 358 359 if (fcntl(FAIL_FILENO, F_SETFD, FD_CLOEXEC) == -1) 360 goto WhyCantJohnnyExec; 361 362 JDK_execvpe(p->mode, p->argv[0], p->argv, p->envv); 363 364 WhyCantJohnnyExec: 365 /* We used to go to an awful lot of trouble to predict whether the 366 * child would fail, but there is no reliable way to predict the 367 * success of an operation without *trying* it, and there's no way 368 * to try a chdir or exec in the parent. Instead, all we need is a 369 * way to communicate any failure back to the parent. Easy; we just 370 * send the errno back to the parent over a pipe in case of failure. 371 * The tricky thing is, how do we communicate the *success* of exec? 372 * We use FD_CLOEXEC together with the fact that a read() on a pipe 373 * yields EOF when the write ends (we have two of them!) are closed. 374 */ 375 { 376 int errnum = errno; 377 restartableWrite(FAIL_FILENO, &errnum, sizeof(errnum)); 378 } 379 restartableClose(FAIL_FILENO); 380 _exit(-1); 381 return 0; /* Suppress warning "no return value from function" */ 382 }