1 /*
2 * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 #include <dirent.h>
27 #include <errno.h>
28 #include <fcntl.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <unistd.h>
32 #include <limits.h>
33
34 #include "childproc.h"
35
36
37 ssize_t
38 restartableWrite(int fd, const void *buf, size_t count)
39 {
40 ssize_t result;
41 RESTARTABLE(write(fd, buf, count), result);
42 return result;
43 }
44
45 int
46 restartableDup2(int fd_from, int fd_to)
47 {
48 int err;
49 RESTARTABLE(dup2(fd_from, fd_to), err);
50 return err;
51 }
52
53 int
54 closeSafely(int fd)
55 {
56 return (fd == -1) ? 0 : close(fd);
57 }
58
59 int
60 isAsciiDigit(char c)
61 {
62 return c >= '0' && c <= '9';
63 }
64
65 #ifdef _ALLBSD_SOURCE
66 #define FD_DIR "/dev/fd"
67 #define dirent64 dirent
68 #define readdir64 readdir
69 #else
70 #define FD_DIR "/proc/self/fd"
71 #endif
72
73 int
74 closeDescriptors(void)
75 {
76 DIR *dp;
77 struct dirent64 *dirp;
78 int from_fd = FAIL_FILENO + 1;
79
80 /* We're trying to close all file descriptors, but opendir() might
81 * itself be implemented using a file descriptor, and we certainly
82 * don't want to close that while it's in use. We assume that if
83 * opendir() is implemented using a file descriptor, then it uses
84 * the lowest numbered file descriptor, just like open(). So we
85 * close a couple explicitly. */
86
87 close(from_fd); /* for possible use by opendir() */
88 close(from_fd + 1); /* another one for good luck */
89
90 if ((dp = opendir(FD_DIR)) == NULL)
91 return 0;
92
93 /* We use readdir64 instead of readdir to work around Solaris bug
94 * 6395699: /proc/self/fd fails to report file descriptors >= 1024 on Solaris 9
95 */
96 while ((dirp = readdir64(dp)) != NULL) {
97 int fd;
98 if (isAsciiDigit(dirp->d_name[0]) &&
99 (fd = strtol(dirp->d_name, NULL, 10)) >= from_fd + 2)
100 close(fd);
101 }
102
103 closedir(dp);
104
105 return 1;
106 }
107
108 int
109 moveDescriptor(int fd_from, int fd_to)
110 {
111 if (fd_from != fd_to) {
112 if ((restartableDup2(fd_from, fd_to) == -1) ||
113 (close(fd_from) == -1))
114 return -1;
115 }
116 return 0;
117 }
118
119 int
120 magicNumber() {
121 return 43110;
122 }
123
124 /*
125 * Reads nbyte bytes from file descriptor fd into buf,
126 * The read operation is retried in case of EINTR or partial reads.
127 *
128 * Returns number of bytes read (normally nbyte, but may be less in
129 * case of EOF). In case of read errors, returns -1 and sets errno.
130 */
131 ssize_t
132 readFully(int fd, void *buf, size_t nbyte)
133 {
134 ssize_t remaining = nbyte;
135 for (;;) {
136 ssize_t n = read(fd, buf, remaining);
137 if (n == 0) {
138 return nbyte - remaining;
139 } else if (n > 0) {
140 remaining -= n;
141 if (remaining <= 0)
142 return nbyte;
143 /* We were interrupted in the middle of reading the bytes.
144 * Unlikely, but possible. */
145 buf = (void *) (((char *)buf) + n);
146 } else if (errno == EINTR) {
147 /* Strange signals like SIGJVM1 are possible at any time.
148 * See http://www.dreamsongs.com/WorseIsBetter.html */
149 } else {
150 return -1;
151 }
152 }
153 }
154
155 void
156 initVectorFromBlock(const char**vector, const char* block, int count)
157 {
158 int i;
159 const char *p;
160 for (i = 0, p = block; i < count; i++) {
161 /* Invariant: p always points to the start of a C string. */
162 vector[i] = p;
163 while (*(p++));
164 }
165 vector[count] = NULL;
166 }
167
168 /**
169 * Exec FILE as a traditional Bourne shell script (i.e. one without #!).
170 * If we could do it over again, we would probably not support such an ancient
171 * misfeature, but compatibility wins over sanity. The original support for
172 * this was imported accidentally from execvp().
173 */
174 void
175 execve_as_traditional_shell_script(const char *file,
176 const char *argv[],
177 const char *const envp[])
178 {
179 /* Use the extra word of space provided for us in argv by caller. */
180 const char *argv0 = argv[0];
181 const char *const *end = argv;
182 while (*end != NULL)
183 ++end;
184 memmove(argv+2, argv+1, (end-argv) * sizeof(*end));
185 argv[0] = "/bin/sh";
186 argv[1] = file;
187 execve(argv[0], (char **) argv, (char **) envp);
188 /* Can't even exec /bin/sh? Big trouble, but let's soldier on... */
189 memmove(argv+1, argv+2, (end-argv) * sizeof(*end));
190 argv[0] = argv0;
191 }
192
193 /**
194 * Like execve(2), except that in case of ENOEXEC, FILE is assumed to
195 * be a shell script and the system default shell is invoked to run it.
196 */
197 void
198 execve_with_shell_fallback(int mode, const char *file,
199 const char *argv[],
200 const char *const envp[])
201 {
202 if (mode == MODE_CLONE || mode == MODE_VFORK) {
203 /* shared address space; be very careful. */
204 execve(file, (char **) argv, (char **) envp);
205 if (errno == ENOEXEC)
206 execve_as_traditional_shell_script(file, argv, envp);
207 } else {
208 /* unshared address space; we can mutate environ. */
209 environ = (char **) envp;
210 execvp(file, (char **) argv);
211 }
212 }
213
214 /**
215 * 'execvpe' should have been included in the Unix standards,
216 * and is a GNU extension in glibc 2.10.
217 *
218 * JDK_execvpe is identical to execvp, except that the child environment is
219 * specified via the 3rd argument instead of being inherited from environ.
220 */
221 void
222 JDK_execvpe(int mode, const char *file,
223 const char *argv[],
224 const char *const envp[])
225 {
226 if (envp == NULL || (char **) envp == environ) {
227 execvp(file, (char **) argv);
228 return;
229 }
230
231 if (*file == '\0') {
232 errno = ENOENT;
233 return;
234 }
235
236 if (strchr(file, '/') != NULL) {
237 execve_with_shell_fallback(mode, file, argv, envp);
238 } else {
239 /* We must search PATH (parent's, not child's) */
240 char expanded_file[PATH_MAX];
241 int filelen = strlen(file);
242 int sticky_errno = 0;
243 const char * const * dirs;
244 for (dirs = parentPathv; *dirs; dirs++) {
245 const char * dir = *dirs;
246 int dirlen = strlen(dir);
247 if (filelen + dirlen + 2 >= PATH_MAX) {
248 errno = ENAMETOOLONG;
249 continue;
250 }
251 memcpy(expanded_file, dir, dirlen);
252 if (expanded_file[dirlen - 1] != '/')
253 expanded_file[dirlen++] = '/';
254 memcpy(expanded_file + dirlen, file, filelen);
255 expanded_file[dirlen + filelen] = '\0';
256 execve_with_shell_fallback(mode, expanded_file, argv, envp);
257 /* There are 3 responses to various classes of errno:
258 * return immediately, continue (especially for ENOENT),
259 * or continue with "sticky" errno.
260 *
261 * From exec(3):
262 *
263 * If permission is denied for a file (the attempted
264 * execve returned EACCES), these functions will continue
265 * searching the rest of the search path. If no other
266 * file is found, however, they will return with the
267 * global variable errno set to EACCES.
268 */
269 switch (errno) {
270 case EACCES:
271 sticky_errno = errno;
272 /* FALLTHRU */
273 case ENOENT:
274 case ENOTDIR:
275 #ifdef ELOOP
276 case ELOOP:
277 #endif
278 #ifdef ESTALE
279 case ESTALE:
280 #endif
281 #ifdef ENODEV
282 case ENODEV:
283 #endif
284 #ifdef ETIMEDOUT
285 case ETIMEDOUT:
286 #endif
287 break; /* Try other directories in PATH */
288 default:
289 return;
290 }
291 }
292 if (sticky_errno != 0)
293 errno = sticky_errno;
294 }
295 }
296
297 /**
298 * Child process after a successful fork() or clone().
299 * This function must not return, and must be prepared for either all
300 * of its address space to be shared with its parent, or to be a copy.
301 * It must not modify global variables such as "environ".
302 */
303 int
304 childProcess(void *arg)
305 {
306 const ChildStuff* p = (const ChildStuff*) arg;
307
308 /* Close the parent sides of the pipes.
309 Closing pipe fds here is redundant, since closeDescriptors()
310 would do it anyways, but a little paranoia is a good thing. */
311 if ((closeSafely(p->in[1]) == -1) ||
312 (closeSafely(p->out[0]) == -1) ||
313 (closeSafely(p->err[0]) == -1) ||
314 (closeSafely(p->childenv[0]) == -1) ||
315 (closeSafely(p->childenv[1]) == -1) ||
316 (closeSafely(p->fail[0]) == -1))
317 goto WhyCantJohnnyExec;
318
319 /* Give the child sides of the pipes the right fileno's. */
320 /* Note: it is possible for in[0] == 0 */
321 if ((moveDescriptor(p->in[0] != -1 ? p->in[0] : p->fds[0],
322 STDIN_FILENO) == -1) ||
323 (moveDescriptor(p->out[1]!= -1 ? p->out[1] : p->fds[1],
324 STDOUT_FILENO) == -1))
325 goto WhyCantJohnnyExec;
326
327 if (p->redirectErrorStream) {
328 if ((closeSafely(p->err[1]) == -1) ||
329 (restartableDup2(STDOUT_FILENO, STDERR_FILENO) == -1))
330 goto WhyCantJohnnyExec;
331 } else {
332 if (moveDescriptor(p->err[1] != -1 ? p->err[1] : p->fds[2],
333 STDERR_FILENO) == -1)
334 goto WhyCantJohnnyExec;
335 }
336
337 if (moveDescriptor(p->fail[1], FAIL_FILENO) == -1)
338 goto WhyCantJohnnyExec;
339
340 /* close everything */
341 if (closeDescriptors() == 0) { /* failed, close the old way */
342 int max_fd = (int)sysconf(_SC_OPEN_MAX);
343 int fd;
344 for (fd = FAIL_FILENO + 1; fd < max_fd; fd++)
345 if (close(fd) == -1 && errno != EBADF)
346 goto WhyCantJohnnyExec;
347 }
348
349 /* change to the new working directory */
350 if (p->pdir != NULL && chdir(p->pdir) < 0)
351 goto WhyCantJohnnyExec;
352
353 if (fcntl(FAIL_FILENO, F_SETFD, FD_CLOEXEC) == -1)
354 goto WhyCantJohnnyExec;
355
356 JDK_execvpe(p->mode, p->argv[0], p->argv, p->envv);
357
358 WhyCantJohnnyExec:
359 /* We used to go to an awful lot of trouble to predict whether the
360 * child would fail, but there is no reliable way to predict the
361 * success of an operation without *trying* it, and there's no way
362 * to try a chdir or exec in the parent. Instead, all we need is a
363 * way to communicate any failure back to the parent. Easy; we just
364 * send the errno back to the parent over a pipe in case of failure.
365 * The tricky thing is, how do we communicate the *success* of exec?
366 * We use FD_CLOEXEC together with the fact that a read() on a pipe
367 * yields EOF when the write ends (we have two of them!) are closed.
368 */
369 {
370 int errnum = errno;
371 restartableWrite(FAIL_FILENO, &errnum, sizeof(errnum));
372 }
373 close(FAIL_FILENO);
374 _exit(-1);
375 return 0; /* Suppress warning "no return value from function" */
376 }