1/*
2 * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26#include <dirent.h>
27#include <errno.h>
28#include <fcntl.h>
29#include <stdlib.h>
30#include <string.h>
31#include <unistd.h>
32#include <limits.h>
33
34#include "childproc.h"
35
36
37ssize_t
38restartableWrite(int fd, const void *buf, size_t count)
39{
40 ssize_t result;
41 RESTARTABLE(write(fd, buf, count), result);
42 return result;
43}
44
45int
46restartableDup2(int fd_from, int fd_to)
47{
48 int err;
49 RESTARTABLE(dup2(fd_from, fd_to), err);
50 return err;
51}
52
53int
54closeSafely(int fd)
55{
56 return (fd == -1) ? 0 : close(fd);
57}
58
59int
60isAsciiDigit(char c)
61{
62 return c >= '0' && c <= '9';
63}
64
65#if defined(_AIX)
66 /* AIX does not understand '/proc/self' - it requires the real process ID */
67 #define FD_DIR aix_fd_dir
68 #define DIR DIR64
69 #define dirent dirent64
70 #define opendir opendir64
71 #define readdir readdir64
72 #define closedir closedir64
73#elif defined(_ALLBSD_SOURCE)
74 #define FD_DIR "/dev/fd"
75#else
76 #define FD_DIR "/proc/self/fd"
77#endif
78
79int
80closeDescriptors(void)
81{
82 DIR *dp;
83 struct dirent *dirp;
84 int from_fd = FAIL_FILENO + 1;
85
86 /* We're trying to close all file descriptors, but opendir() might
87 * itself be implemented using a file descriptor, and we certainly
88 * don't want to close that while it's in use. We assume that if
89 * opendir() is implemented using a file descriptor, then it uses
90 * the lowest numbered file descriptor, just like open(). So we
91 * close a couple explicitly. */
92
93 close(from_fd); /* for possible use by opendir() */
94 close(from_fd + 1); /* another one for good luck */
95
96#if defined(_AIX)
97 /* AIX does not understand '/proc/self' - it requires the real process ID */
98 char aix_fd_dir[32]; /* the pid has at most 19 digits */
99 snprintf(aix_fd_dir, 32, "/proc/%d/fd", getpid());
100#endif
101
102 if ((dp = opendir(FD_DIR)) == NULL)
103 return 0;
104
105 while ((dirp = readdir(dp)) != NULL) {
106 int fd;
107 if (isAsciiDigit(dirp->d_name[0]) &&
108 (fd = strtol(dirp->d_name, NULL, 10)) >= from_fd + 2)
109 close(fd);
110 }
111
112 closedir(dp);
113
114 return 1;
115}
116
117int
118moveDescriptor(int fd_from, int fd_to)
119{
120 if (fd_from != fd_to) {
121 if ((restartableDup2(fd_from, fd_to) == -1) ||
122 (close(fd_from) == -1))
123 return -1;
124 }
125 return 0;
126}
127
128int
129magicNumber() {
130 return 43110;
131}
132
133/*
134 * Reads nbyte bytes from file descriptor fd into buf,
135 * The read operation is retried in case of EINTR or partial reads.
136 *
137 * Returns number of bytes read (normally nbyte, but may be less in
138 * case of EOF). In case of read errors, returns -1 and sets errno.
139 */
140ssize_t
141readFully(int fd, void *buf, size_t nbyte)
142{
143 ssize_t remaining = nbyte;
144 for (;;) {
145 ssize_t n = read(fd, buf, remaining);
146 if (n == 0) {
147 return nbyte - remaining;
148 } else if (n > 0) {
149 remaining -= n;
150 if (remaining <= 0)
151 return nbyte;
152 /* We were interrupted in the middle of reading the bytes.
153 * Unlikely, but possible. */
154 buf = (void *) (((char *)buf) + n);
155 } else if (errno == EINTR) {
156 /* Strange signals like SIGJVM1 are possible at any time.
157 * See http://www.dreamsongs.com/WorseIsBetter.html */
158 } else {
159 return -1;
160 }
161 }
162}
163
164void
165initVectorFromBlock(const char**vector, const char* block, int count)
166{
167 int i;
168 const char *p;
169 for (i = 0, p = block; i < count; i++) {
170 /* Invariant: p always points to the start of a C string. */
171 vector[i] = p;
172 while (*(p++));
173 }
174 vector[count] = NULL;
175}
176
177/**
178 * Exec FILE as a traditional Bourne shell script (i.e. one without #!).
179 * If we could do it over again, we would probably not support such an ancient
180 * misfeature, but compatibility wins over sanity. The original support for
181 * this was imported accidentally from execvp().
182 */
183void
184execve_as_traditional_shell_script(const char *file,
185 const char *argv[],
186 const char *const envp[])
187{
188 /* Use the extra word of space provided for us in argv by caller. */
189 const char *argv0 = argv[0];
190 const char *const *end = argv;
191 while (*end != NULL)
192 ++end;
193 memmove(argv+2, argv+1, (end-argv) * sizeof(*end));
194 argv[0] = "/bin/sh";
195 argv[1] = file;
196 execve(argv[0], (char **) argv, (char **) envp);
197 /* Can't even exec /bin/sh? Big trouble, but let's soldier on... */
198 memmove(argv+1, argv+2, (end-argv) * sizeof(*end));
199 argv[0] = argv0;
200}
201
202/**
203 * Like execve(2), except that in case of ENOEXEC, FILE is assumed to
204 * be a shell script and the system default shell is invoked to run it.
205 */
206void
207execve_with_shell_fallback(int mode, const char *file,
208 const char *argv[],
209 const char *const envp[])
210{
211 if (mode == MODE_CLONE || mode == MODE_VFORK) {
212 /* shared address space; be very careful. */
213 execve(file, (char **) argv, (char **) envp);
214 if (errno == ENOEXEC)
215 execve_as_traditional_shell_script(file, argv, envp);
216 } else {
217 /* unshared address space; we can mutate environ. */
218 environ = (char **) envp;
219 execvp(file, (char **) argv);
220 }
221}
222
223/**
224 * 'execvpe' should have been included in the Unix standards,
225 * and is a GNU extension in glibc 2.10.
226 *
227 * JDK_execvpe is identical to execvp, except that the child environment is
228 * specified via the 3rd argument instead of being inherited from environ.
229 */
230void
231JDK_execvpe(int mode, const char *file,
232 const char *argv[],
233 const char *const envp[])
234{
235 if (envp == NULL || (char **) envp == environ) {
236 execvp(file, (char **) argv);
237 return;
238 }
239
240 if (*file == '\0') {
241 errno = ENOENT;
242 return;
243 }
244
245 if (strchr(file, '/') != NULL) {
246 execve_with_shell_fallback(mode, file, argv, envp);
247 } else {
248 /* We must search PATH (parent's, not child's) */
249 char expanded_file[PATH_MAX];
250 int filelen = strlen(file);
251 int sticky_errno = 0;
252 const char * const * dirs;
253 for (dirs = parentPathv; *dirs; dirs++) {
254 const char * dir = *dirs;
255 int dirlen = strlen(dir);
256 if (filelen + dirlen + 2 >= PATH_MAX) {
257 errno = ENAMETOOLONG;
258 continue;
259 }
260 memcpy(expanded_file, dir, dirlen);
261 if (expanded_file[dirlen - 1] != '/')
262 expanded_file[dirlen++] = '/';
263 memcpy(expanded_file + dirlen, file, filelen);
264 expanded_file[dirlen + filelen] = '\0';
265 execve_with_shell_fallback(mode, expanded_file, argv, envp);
266 /* There are 3 responses to various classes of errno:
267 * return immediately, continue (especially for ENOENT),
268 * or continue with "sticky" errno.
269 *
270 * From exec(3):
271 *
272 * If permission is denied for a file (the attempted
273 * execve returned EACCES), these functions will continue
274 * searching the rest of the search path. If no other
275 * file is found, however, they will return with the
276 * global variable errno set to EACCES.
277 */
278 switch (errno) {
279 case EACCES:
280 sticky_errno = errno;
281 /* FALLTHRU */
282 case ENOENT:
283 case ENOTDIR:
284#ifdef ELOOP
285 case ELOOP:
286#endif
287#ifdef ESTALE
288 case ESTALE:
289#endif
290#ifdef ENODEV
291 case ENODEV:
292#endif
293#ifdef ETIMEDOUT
294 case ETIMEDOUT:
295#endif
296 break; /* Try other directories in PATH */
297 default:
298 return;
299 }
300 }
301 if (sticky_errno != 0)
302 errno = sticky_errno;
303 }
304}
305
306/**
307 * Child process after a successful fork().
308 * This function must not return, and must be prepared for either all
309 * of its address space to be shared with its parent, or to be a copy.
310 * It must not modify global variables such as "environ".
311 */
312int
313childProcess(void *arg)
314{
315 const ChildStuff* p = (const ChildStuff*) arg;
316 int fail_pipe_fd = p->fail[1];
317
318 if (p->sendAlivePing) {
319 /* Child shall signal aliveness to parent at the very first
320 * moment. */
321 int code = CHILD_IS_ALIVE;
322 restartableWrite(fail_pipe_fd, &code, sizeof(code));
323 }
324
325 /* Close the parent sides of the pipes.
326 Closing pipe fds here is redundant, since closeDescriptors()
327 would do it anyways, but a little paranoia is a good thing. */
328 if ((closeSafely(p->in[1]) == -1) ||
329 (closeSafely(p->out[0]) == -1) ||
330 (closeSafely(p->err[0]) == -1) ||
331 (closeSafely(p->childenv[0]) == -1) ||
332 (closeSafely(p->childenv[1]) == -1) ||
333 (closeSafely(p->fail[0]) == -1))
334 goto WhyCantJohnnyExec;
335
336 /* Give the child sides of the pipes the right fileno's. */
337 /* Note: it is possible for in[0] == 0 */
338 if ((moveDescriptor(p->in[0] != -1 ? p->in[0] : p->fds[0],
339 STDIN_FILENO) == -1) ||
340 (moveDescriptor(p->out[1]!= -1 ? p->out[1] : p->fds[1],
341 STDOUT_FILENO) == -1))
342 goto WhyCantJohnnyExec;
343
344 if (p->redirectErrorStream) {
345 if ((closeSafely(p->err[1]) == -1) ||
346 (restartableDup2(STDOUT_FILENO, STDERR_FILENO) == -1))
347 goto WhyCantJohnnyExec;
348 } else {
349 if (moveDescriptor(p->err[1] != -1 ? p->err[1] : p->fds[2],
350 STDERR_FILENO) == -1)
351 goto WhyCantJohnnyExec;
352 }
353
354 if (moveDescriptor(fail_pipe_fd, FAIL_FILENO) == -1)
355 goto WhyCantJohnnyExec;
356
357 /* We moved the fail pipe fd */
358 fail_pipe_fd = FAIL_FILENO;
359
360 /* close everything */
361 if (closeDescriptors() == 0) { /* failed, close the old way */
362 int max_fd = (int)sysconf(_SC_OPEN_MAX);
363 int fd;
364 for (fd = FAIL_FILENO + 1; fd < max_fd; fd++)
365 if (close(fd) == -1 && errno != EBADF)
366 goto WhyCantJohnnyExec;
367 }
368
369 /* change to the new working directory */
370 if (p->pdir != NULL && chdir(p->pdir) < 0)
371 goto WhyCantJohnnyExec;
372
373 if (fcntl(FAIL_FILENO, F_SETFD, FD_CLOEXEC) == -1)
374 goto WhyCantJohnnyExec;
375
376 JDK_execvpe(p->mode, p->argv[0], p->argv, p->envv);
377
378 WhyCantJohnnyExec:
379 /* We used to go to an awful lot of trouble to predict whether the
380 * child would fail, but there is no reliable way to predict the
381 * success of an operation without *trying* it, and there's no way
382 * to try a chdir or exec in the parent. Instead, all we need is a
383 * way to communicate any failure back to the parent. Easy; we just
384 * send the errno back to the parent over a pipe in case of failure.
385 * The tricky thing is, how do we communicate the *success* of exec?
386 * We use FD_CLOEXEC together with the fact that a read() on a pipe
387 * yields EOF when the write ends (we have two of them!) are closed.
388 */
389 {
390 int errnum = errno;
391 restartableWrite(fail_pipe_fd, &errnum, sizeof(errnum));
392 }
393 close(fail_pipe_fd);
394 _exit(-1);
395 return 0; /* Suppress warning "no return value from function" */
396}
397