1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/process/launch.h"
12 #include <sys/resource.h>
14 #include <sys/types.h>
22 #include "base/allocator/type_profiler_control.h"
23 #include "base/command_line.h"
24 #include "base/compiler_specific.h"
25 #include "base/debug/debugger.h"
26 #include "base/debug/stack_trace.h"
27 #include "base/file_util.h"
28 #include "base/files/dir_reader_posix.h"
29 #include "base/files/scoped_file.h"
30 #include "base/logging.h"
31 #include "base/memory/scoped_ptr.h"
32 #include "base/posix/eintr_wrapper.h"
33 #include "base/process/kill.h"
34 #include "base/process/process_metrics.h"
35 #include "base/strings/stringprintf.h"
36 #include "base/synchronization/waitable_event.h"
37 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
38 #include "base/threading/platform_thread.h"
39 #include "base/threading/thread_restrictions.h"
42 #include <sys/prctl.h>
45 #if defined(OS_CHROMEOS)
46 #include <sys/ioctl.h>
49 #if defined(OS_FREEBSD)
50 #include <sys/event.h>
51 #include <sys/ucontext.h>
54 #if defined(OS_MACOSX)
55 #include <crt_externs.h>
56 #include <sys/event.h>
58 extern char** environ;
65 // Get the process's "environment" (i.e. the thing that setenv/getenv
67 char** GetEnvironment() {
68 #if defined(OS_MACOSX)
69 return *_NSGetEnviron();
75 // Set the process's "environment" (i.e. the thing that setenv/getenv
77 void SetEnvironment(char** env) {
78 #if defined(OS_MACOSX)
79 *_NSGetEnviron() = env;
85 // Set the calling thread's signal mask to new_sigmask and return
86 // the previous signal mask.
87 sigset_t SetSignalMask(const sigset_t& new_sigmask) {
89 #if defined(OS_ANDROID)
90 // POSIX says pthread_sigmask() must be used in multi-threaded processes,
91 // but Android's pthread_sigmask() was broken until 4.1:
92 // https://code.google.com/p/android/issues/detail?id=15337
93 // http://stackoverflow.com/questions/13777109/pthread-sigmask-on-android-not-working
94 RAW_CHECK(sigprocmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
96 RAW_CHECK(pthread_sigmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
101 #if !defined(OS_LINUX) || \
102 (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
103 void ResetChildSignalHandlersToDefaults() {
104 // The previous signal handlers are likely to be meaningless in the child's
105 // context so we reset them to the defaults for now. http://crbug.com/44953
106 // These signal handlers are set up at least in browser_main_posix.cc:
107 // BrowserMainPartsPosix::PreEarlyInitialization and stack_trace_posix.cc:
108 // EnableInProcessStackDumping.
109 signal(SIGHUP, SIG_DFL);
110 signal(SIGINT, SIG_DFL);
111 signal(SIGILL, SIG_DFL);
112 signal(SIGABRT, SIG_DFL);
113 signal(SIGFPE, SIG_DFL);
114 signal(SIGBUS, SIG_DFL);
115 signal(SIGSEGV, SIG_DFL);
116 signal(SIGSYS, SIG_DFL);
117 signal(SIGTERM, SIG_DFL);
122 // TODO(jln): remove the Linux special case once kernels are fixed.
124 // Internally the kernel makes sigset_t an array of long large enough to have
125 // one bit per signal.
126 typedef uint64_t kernel_sigset_t;
128 // This is what struct sigaction looks like to the kernel at least on X86 and
129 // ARM. MIPS, for instance, is very different.
130 struct kernel_sigaction {
131 void* k_sa_handler; // For this usage it only needs to be a generic pointer.
132 unsigned long k_sa_flags;
133 void* k_sa_restorer; // For this usage it only needs to be a generic pointer.
134 kernel_sigset_t k_sa_mask;
137 // glibc's sigaction() will prevent access to sa_restorer, so we need to roll
139 int sys_rt_sigaction(int sig, const struct kernel_sigaction* act,
140 struct kernel_sigaction* oact) {
141 return syscall(SYS_rt_sigaction, sig, act, oact, sizeof(kernel_sigset_t));
144 // This function is intended to be used in between fork() and execve() and will
145 // reset all signal handlers to the default.
146 // The motivation for going through all of them is that sa_restorer can leak
147 // from parents and help defeat ASLR on buggy kernels. We reset it to NULL.
148 // See crbug.com/177956.
149 void ResetChildSignalHandlersToDefaults(void) {
150 for (int signum = 1; ; ++signum) {
151 struct kernel_sigaction act = {0};
152 int sigaction_get_ret = sys_rt_sigaction(signum, NULL, &act);
153 if (sigaction_get_ret && errno == EINVAL) {
155 // Linux supports 32 real-time signals from 33 to 64.
156 // If the number of signals in the Linux kernel changes, someone should
157 // look at this code.
158 const int kNumberOfSignals = 64;
159 RAW_CHECK(signum == kNumberOfSignals + 1);
160 #endif // !defined(NDEBUG)
163 // All other failures are fatal.
164 if (sigaction_get_ret) {
165 RAW_LOG(FATAL, "sigaction (get) failed.");
168 // The kernel won't allow to re-set SIGKILL or SIGSTOP.
169 if (signum != SIGSTOP && signum != SIGKILL) {
170 act.k_sa_handler = reinterpret_cast<void*>(SIG_DFL);
171 act.k_sa_restorer = NULL;
172 if (sys_rt_sigaction(signum, &act, NULL)) {
173 RAW_LOG(FATAL, "sigaction (set) failed.");
177 // Now ask the kernel again and check that no restorer will leak.
178 if (sys_rt_sigaction(signum, NULL, &act) || act.k_sa_restorer) {
179 RAW_LOG(FATAL, "Cound not fix sa_restorer.");
181 #endif // !defined(NDEBUG)
184 #endif // !defined(OS_LINUX) ||
185 // (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
187 } // anonymous namespace
189 // Functor for |ScopedDIR| (below).
190 struct ScopedDIRClose {
191 inline void operator()(DIR* x) const {
197 // Automatically closes |DIR*|s.
198 typedef scoped_ptr<DIR, ScopedDIRClose> ScopedDIR;
200 #if defined(OS_LINUX)
201 static const char kFDDir[] = "/proc/self/fd";
202 #elif defined(OS_MACOSX)
203 static const char kFDDir[] = "/dev/fd";
204 #elif defined(OS_SOLARIS)
205 static const char kFDDir[] = "/dev/fd";
206 #elif defined(OS_FREEBSD)
207 static const char kFDDir[] = "/dev/fd";
208 #elif defined(OS_OPENBSD)
209 static const char kFDDir[] = "/dev/fd";
210 #elif defined(OS_ANDROID)
211 static const char kFDDir[] = "/proc/self/fd";
214 void CloseSuperfluousFds(const base::InjectiveMultimap& saved_mapping) {
215 // DANGER: no calls to malloc or locks are allowed from now on:
216 // http://crbug.com/36678
218 // Get the maximum number of FDs possible.
219 size_t max_fds = GetMaxFds();
221 DirReaderPosix fd_dir(kFDDir);
222 if (!fd_dir.IsValid()) {
223 // Fallback case: Try every possible fd.
224 for (size_t i = 0; i < max_fds; ++i) {
225 const int fd = static_cast<int>(i);
226 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
228 // Cannot use STL iterators here, since debug iterators use locks.
230 for (j = 0; j < saved_mapping.size(); j++) {
231 if (fd == saved_mapping[j].dest)
234 if (j < saved_mapping.size())
237 // Since we're just trying to close anything we can find,
238 // ignore any error return values of close().
244 const int dir_fd = fd_dir.fd();
246 for ( ; fd_dir.Next(); ) {
247 // Skip . and .. entries.
248 if (fd_dir.name()[0] == '.')
253 const long int fd = strtol(fd_dir.name(), &endptr, 10);
254 if (fd_dir.name()[0] == 0 || *endptr || fd < 0 || errno)
256 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
258 // Cannot use STL iterators here, since debug iterators use locks.
260 for (i = 0; i < saved_mapping.size(); i++) {
261 if (fd == saved_mapping[i].dest)
264 if (i < saved_mapping.size())
269 // When running under Valgrind, Valgrind opens several FDs for its
270 // own use and will complain if we try to close them. All of
271 // these FDs are >= |max_fds|, so we can check against that here
272 // before closing. See https://bugs.kde.org/show_bug.cgi?id=191758
273 if (fd < static_cast<int>(max_fds)) {
274 int ret = IGNORE_EINTR(close(fd));
280 bool LaunchProcess(const std::vector<std::string>& argv,
281 const LaunchOptions& options,
282 ProcessHandle* process_handle) {
283 size_t fd_shuffle_size = 0;
284 if (options.fds_to_remap) {
285 fd_shuffle_size = options.fds_to_remap->size();
288 InjectiveMultimap fd_shuffle1;
289 InjectiveMultimap fd_shuffle2;
290 fd_shuffle1.reserve(fd_shuffle_size);
291 fd_shuffle2.reserve(fd_shuffle_size);
293 scoped_ptr<char*[]> argv_cstr(new char*[argv.size() + 1]);
294 scoped_ptr<char*[]> new_environ;
295 if (!options.environ.empty())
296 new_environ = AlterEnvironment(GetEnvironment(), options.environ);
298 sigset_t full_sigset;
299 sigfillset(&full_sigset);
300 const sigset_t orig_sigmask = SetSignalMask(full_sigset);
303 #if defined(OS_LINUX)
304 if (options.clone_flags) {
305 // Signal handling in this function assumes the creation of a new
306 // process, so we check that a thread is not being created by mistake
307 // and that signal handling follows the process-creation rules.
309 !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
310 pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0);
317 // Always restore the original signal mask in the parent.
319 SetSignalMask(orig_sigmask);
323 DPLOG(ERROR) << "fork";
325 } else if (pid == 0) {
328 // DANGER: no calls to malloc or locks are allowed from now on:
329 // http://crbug.com/36678
331 // DANGER: fork() rule: in the child, if you don't end up doing exec*(),
332 // you call _exit() instead of exit(). This is because _exit() does not
333 // call any previously-registered (in the parent) exit handlers, which
334 // might do things like block waiting for threads that don't even exist
337 // If a child process uses the readline library, the process block forever.
338 // In BSD like OSes including OS X it is safe to assign /dev/null as stdin.
339 // See http://crbug.com/56596.
340 base::ScopedFD null_fd(HANDLE_EINTR(open("/dev/null", O_RDONLY)));
341 if (!null_fd.is_valid()) {
342 RAW_LOG(ERROR, "Failed to open /dev/null");
346 int new_fd = HANDLE_EINTR(dup2(null_fd.get(), STDIN_FILENO));
347 if (new_fd != STDIN_FILENO) {
348 RAW_LOG(ERROR, "Failed to dup /dev/null for stdin");
352 if (options.new_process_group) {
353 // Instead of inheriting the process group ID of the parent, the child
354 // starts off a new process group with pgid equal to its process ID.
355 if (setpgid(0, 0) < 0) {
356 RAW_LOG(ERROR, "setpgid failed");
361 // Stop type-profiler.
362 // The profiler should be stopped between fork and exec since it inserts
363 // locks at new/delete expressions. See http://crbug.com/36678.
364 base::type_profiler::Controller::Stop();
366 if (options.maximize_rlimits) {
367 // Some resource limits need to be maximal in this child.
368 for (size_t i = 0; i < options.maximize_rlimits->size(); ++i) {
369 const int resource = (*options.maximize_rlimits)[i];
371 if (getrlimit(resource, &limit) < 0) {
372 RAW_LOG(WARNING, "getrlimit failed");
373 } else if (limit.rlim_cur < limit.rlim_max) {
374 limit.rlim_cur = limit.rlim_max;
375 if (setrlimit(resource, &limit) < 0) {
376 RAW_LOG(WARNING, "setrlimit failed");
382 #if defined(OS_MACOSX)
383 RestoreDefaultExceptionHandler();
384 #endif // defined(OS_MACOSX)
386 ResetChildSignalHandlersToDefaults();
387 SetSignalMask(orig_sigmask);
390 // When debugging it can be helpful to check that we really aren't making
391 // any hidden calls to malloc.
393 reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095);
394 mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
395 memset(reinterpret_cast<void*>(malloc), 0xff, 8);
398 #if defined(OS_CHROMEOS)
399 if (options.ctrl_terminal_fd >= 0) {
400 // Set process' controlling terminal.
401 if (HANDLE_EINTR(setsid()) != -1) {
403 ioctl(options.ctrl_terminal_fd, TIOCSCTTY, NULL)) == -1) {
404 RAW_LOG(WARNING, "ioctl(TIOCSCTTY), ctrl terminal not set");
407 RAW_LOG(WARNING, "setsid failed, ctrl terminal not set");
410 #endif // defined(OS_CHROMEOS)
412 if (options.fds_to_remap) {
413 // Cannot use STL iterators here, since debug iterators use locks.
414 for (size_t i = 0; i < options.fds_to_remap->size(); ++i) {
415 const FileHandleMappingVector::value_type& value =
416 (*options.fds_to_remap)[i];
417 fd_shuffle1.push_back(InjectionArc(value.first, value.second, false));
418 fd_shuffle2.push_back(InjectionArc(value.first, value.second, false));
422 if (!options.environ.empty())
423 SetEnvironment(new_environ.get());
425 // fd_shuffle1 is mutated by this call because it cannot malloc.
426 if (!ShuffleFileDescriptors(&fd_shuffle1))
429 CloseSuperfluousFds(fd_shuffle2);
431 // Set NO_NEW_PRIVS by default. Since NO_NEW_PRIVS only exists in kernel
432 // 3.5+, do not check the return value of prctl here.
433 #if defined(OS_LINUX)
434 #ifndef PR_SET_NO_NEW_PRIVS
435 #define PR_SET_NO_NEW_PRIVS 38
437 if (!options.allow_new_privs) {
438 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && errno != EINVAL) {
439 // Only log if the error is not EINVAL (i.e. not supported).
440 RAW_LOG(FATAL, "prctl(PR_SET_NO_NEW_PRIVS) failed");
445 for (size_t i = 0; i < argv.size(); i++)
446 argv_cstr[i] = const_cast<char*>(argv[i].c_str());
447 argv_cstr[argv.size()] = NULL;
448 execvp(argv_cstr[0], argv_cstr.get());
450 RAW_LOG(ERROR, "LaunchProcess: failed to execvp:");
451 RAW_LOG(ERROR, argv_cstr[0]);
456 // While this isn't strictly disk IO, waiting for another process to
457 // finish is the sort of thing ThreadRestrictions is trying to prevent.
458 base::ThreadRestrictions::AssertIOAllowed();
459 pid_t ret = HANDLE_EINTR(waitpid(pid, 0, 0));
464 *process_handle = pid;
471 bool LaunchProcess(const CommandLine& cmdline,
472 const LaunchOptions& options,
473 ProcessHandle* process_handle) {
474 return LaunchProcess(cmdline.argv(), options, process_handle);
477 void RaiseProcessToHighPriority() {
478 // On POSIX, we don't actually do anything here. We could try to nice() or
479 // setpriority() or sched_getscheduler, but these all require extra rights.
482 // Return value used by GetAppOutputInternal to encapsulate the various exit
483 // scenarios from the function.
484 enum GetAppOutputInternalResult {
490 // Executes the application specified by |argv| and wait for it to exit. Stores
491 // the output (stdout) in |output|. If |do_search_path| is set, it searches the
492 // path for the application; in that case, |envp| must be null, and it will use
493 // the current environment. If |do_search_path| is false, |argv[0]| should fully
494 // specify the path of the application, and |envp| will be used as the
495 // environment. Redirects stderr to /dev/null.
496 // If we successfully start the application and get all requested output, we
497 // return GOT_MAX_OUTPUT, or if there is a problem starting or exiting
498 // the application we return RUN_FAILURE. Otherwise we return EXECUTE_SUCCESS.
499 // The GOT_MAX_OUTPUT return value exists so a caller that asks for limited
500 // output can treat this as a success, despite having an exit code of SIG_PIPE
501 // due to us closing the output pipe.
502 // In the case of EXECUTE_SUCCESS, the application exit code will be returned
503 // in |*exit_code|, which should be checked to determine if the application
505 static GetAppOutputInternalResult GetAppOutputInternal(
506 const std::vector<std::string>& argv,
512 // Doing a blocking wait for another command to finish counts as IO.
513 base::ThreadRestrictions::AssertIOAllowed();
514 // exit_code must be supplied so calling function can determine success.
516 *exit_code = EXIT_FAILURE;
520 InjectiveMultimap fd_shuffle1, fd_shuffle2;
521 scoped_ptr<char*[]> argv_cstr(new char*[argv.size() + 1]);
523 fd_shuffle1.reserve(3);
524 fd_shuffle2.reserve(3);
526 // Either |do_search_path| should be false or |envp| should be null, but not
528 DCHECK(!do_search_path ^ !envp);
530 if (pipe(pipe_fd) < 0)
531 return EXECUTE_FAILURE;
533 switch (pid = fork()) {
537 return EXECUTE_FAILURE;
540 // DANGER: no calls to malloc or locks are allowed from now on:
541 // http://crbug.com/36678
543 #if defined(OS_MACOSX)
544 RestoreDefaultExceptionHandler();
547 // Obscure fork() rule: in the child, if you don't end up doing exec*(),
548 // you call _exit() instead of exit(). This is because _exit() does not
549 // call any previously-registered (in the parent) exit handlers, which
550 // might do things like block waiting for threads that don't even exist
552 int dev_null = open("/dev/null", O_WRONLY);
556 // Stop type-profiler.
557 // The profiler should be stopped between fork and exec since it inserts
558 // locks at new/delete expressions. See http://crbug.com/36678.
559 base::type_profiler::Controller::Stop();
561 fd_shuffle1.push_back(InjectionArc(pipe_fd[1], STDOUT_FILENO, true));
562 fd_shuffle1.push_back(InjectionArc(dev_null, STDERR_FILENO, true));
563 fd_shuffle1.push_back(InjectionArc(dev_null, STDIN_FILENO, true));
564 // Adding another element here? Remeber to increase the argument to
567 for (size_t i = 0; i < fd_shuffle1.size(); ++i)
568 fd_shuffle2.push_back(fd_shuffle1[i]);
570 if (!ShuffleFileDescriptors(&fd_shuffle1))
573 CloseSuperfluousFds(fd_shuffle2);
575 for (size_t i = 0; i < argv.size(); i++)
576 argv_cstr[i] = const_cast<char*>(argv[i].c_str());
577 argv_cstr[argv.size()] = NULL;
579 execvp(argv_cstr[0], argv_cstr.get());
581 execve(argv_cstr[0], argv_cstr.get(), envp);
586 // Close our writing end of pipe now. Otherwise later read would not
587 // be able to detect end of child's output (in theory we could still
588 // write to the pipe).
593 size_t output_buf_left = max_output;
594 ssize_t bytes_read = 1; // A lie to properly handle |max_output == 0|
595 // case in the logic below.
597 while (output_buf_left > 0) {
598 bytes_read = HANDLE_EINTR(read(pipe_fd[0], buffer,
599 std::min(output_buf_left, sizeof(buffer))));
602 output->append(buffer, bytes_read);
603 output_buf_left -= static_cast<size_t>(bytes_read);
607 // Always wait for exit code (even if we know we'll declare
609 bool success = WaitForExitCode(pid, exit_code);
611 // If we stopped because we read as much as we wanted, we return
612 // GOT_MAX_OUTPUT (because the child may exit due to |SIGPIPE|).
613 if (!output_buf_left && bytes_read > 0)
614 return GOT_MAX_OUTPUT;
616 return EXECUTE_SUCCESS;
617 return EXECUTE_FAILURE;
622 bool GetAppOutput(const CommandLine& cl, std::string* output) {
623 return GetAppOutput(cl.argv(), output);
626 bool GetAppOutput(const std::vector<std::string>& argv, std::string* output) {
627 // Run |execve()| with the current environment and store "unlimited" data.
629 GetAppOutputInternalResult result = GetAppOutputInternal(
630 argv, NULL, output, std::numeric_limits<std::size_t>::max(), true,
632 return result == EXECUTE_SUCCESS && exit_code == EXIT_SUCCESS;
635 // TODO(viettrungluu): Conceivably, we should have a timeout as well, so we
636 // don't hang if what we're calling hangs.
637 bool GetAppOutputRestricted(const CommandLine& cl,
638 std::string* output, size_t max_output) {
639 // Run |execve()| with the empty environment.
640 char* const empty_environ = NULL;
642 GetAppOutputInternalResult result = GetAppOutputInternal(
643 cl.argv(), &empty_environ, output, max_output, false, &exit_code);
644 return result == GOT_MAX_OUTPUT || (result == EXECUTE_SUCCESS &&
645 exit_code == EXIT_SUCCESS);
648 bool GetAppOutputWithExitCode(const CommandLine& cl,
651 // Run |execve()| with the current environment and store "unlimited" data.
652 GetAppOutputInternalResult result = GetAppOutputInternal(
653 cl.argv(), NULL, output, std::numeric_limits<std::size_t>::max(), true,
655 return result == EXECUTE_SUCCESS;