Make file descriptors close-on-exec when possible.

This simplifies Emacs a bit, since it no longer needs to worry
about closing file descriptors by hand in some cases.
It also fixes some unlikely races.  Not all such races, as
libraries often open files internally without setting
close-on-exec, but it's an improvement.
* admin/merge-gnulib (GNULIB_MODULES): Add fcntl, pipe2.
(GNULIB_TOOL_FLAGS): Avoid binary-io, close.  Do not avoid fcntl.
* configure.ac (mkostemp): New function to check for.
(PTY_OPEN): Pass O_CLOEXEC to posix_openpt.
* lib/fcntl.c, lib/getdtablesize.c, lib/pipe2.c, m4/fcntl.m4:
* m4/getdtablesize.m4, m4/pipe2.m4: New files, taken from gnulib.
* lib/gnulib.mk, m4/gnulib-comp.m4: Regenerate.
* nt/gnulib.mk: Remove empty gl_GNULIB_ENABLED_verify section;
otherwise, gnulib-tool complains given close-on-exec changes.
* nt/inc/ms-w32.h (pipe): Remove.
* nt/mingw-cfg.site (ac_cv_func_fcntl, gl_cv_func_fcntl_f_dupfd_cloexec)
(gl_cv_func_fcntl_f_dupfd_works, ac_cv_func_pipe2): New vars.
* src/alloc.c (valid_pointer_p) [!WINDOWSNT]:
* src/callproc.c (Fcall_process) [!MSDOS]:
* src/emacs.c (main) [!DOS_NT]:
* src/nsterm.m (ns_term_init):
* src/process.c (create_process):
Use 'pipe2' with O_CLOEXEC instead of 'pipe'.
* src/emacs.c (Fcall_process_region) [HAVE_MKOSTEMP]:
* src/filelock.c (create_lock_file) [HAVE_MKOSTEMP]:
Prefer mkostemp with O_CLOEXEC to mkstemp.
* src/callproc.c (relocate_fd) [!WINDOWSNT]:
* src/emacs.c (main): Use F_DUPFD_CLOEXEC, not plain F_DUPFD.
No need to use fcntl (..., F_SETFD, FD_CLOEXEC), since we're
now using pipe2.
* src/filelock.c (create_lock_file) [! HAVE_MKOSTEMP]:
Make the resulting file descriptor close-on-exec.
* src/lisp.h, src/lread.c, src/process.c (close_load_descs, close_process_descs):
* src/lread.c (load_descriptor_list, load_descriptor_unwind):
Remove; no longer needed.  All uses removed.
* src/process.c (SOCK_CLOEXEC): Define to 0 if not supplied by system.
(close_on_exec, accept4, process_socket) [!SOCK_CLOEXEC]:
New functions.
(socket) [!SOCK_CLOEXEC]: Supply a substitute.
(Fmake_network_process, Fnetwork_interface_list):
(Fnetwork_interface_info, server_accept_connection):
Make newly-created socket close-on-exec.
* src/sysdep.c (emacs_open, emacs_fopen):
Make new-created descriptor close-on-exec.
* src/w32.c (fcntl): Support F_DUPFD_CLOEXEC well enough for Emacs.
* src/w32.c, src/w32.h (pipe2): Rename from 'pipe', with new flags arg.

Fixes: debbugs:14803

1 files changed, 171 insertions, 0 deletions

diff --git a/lib/pipe2.c b/lib/pipe2.c
new file mode 100644
index 00000000000..3858c328f76
--- /dev/null
+++ b/lib/pipe2.c
@@ -0,0 +1,171 @@
+/* Create a pipe, with specific opening flags.
+   Copyright (C) 2009-2013 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License along
+   with this program; if not, see <http://www.gnu.org/licenses/>.  */
+
+#include <config.h>
+
+/* Specification.  */
+#include <unistd.h>
+
+#include <errno.h>
+#include <fcntl.h>
+
+#if GNULIB_BINARY_IO
+# include "binary-io.h"
+#endif
+
+#include "verify.h"
+
+#if GNULIB_defined_O_NONBLOCK
+# include "nonblocking.h"
+#endif
+
+#if (defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__
+/* Native Windows API.  */
+
+# include <io.h>
+
+#endif
+
+int
+pipe2 (int fd[2], int flags)
+{
+  /* Mingw _pipe() corrupts fd on failure; also, if we succeed at
+     creating the pipe but later fail at changing fcntl, we want
+     to leave fd unchanged: http://austingroupbugs.net/view.php?id=467  */
+  int tmp[2];
+  tmp[0] = fd[0];
+  tmp[1] = fd[1];
+
+#if HAVE_PIPE2
+# undef pipe2
+  /* Try the system call first, if it exists.  (We may be running with a glibc
+     that has the function but with an older kernel that lacks it.)  */
+  {
+    /* Cache the information whether the system call really exists.  */
+    static int have_pipe2_really; /* 0 = unknown, 1 = yes, -1 = no */
+    if (have_pipe2_really >= 0)
+      {
+        int result = pipe2 (fd, flags);
+        if (!(result < 0 && errno == ENOSYS))
+          {
+            have_pipe2_really = 1;
+            return result;
+          }
+        have_pipe2_really = -1;
+      }
+  }
+#endif
+
+  /* Check the supported flags.  */
+  if ((flags & ~(O_CLOEXEC | O_NONBLOCK | O_BINARY | O_TEXT)) != 0)
+    {
+      errno = EINVAL;
+      return -1;
+    }
+
+#if (defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__
+/* Native Windows API.  */
+
+  if (_pipe (fd, 4096, flags & ~O_NONBLOCK) < 0)
+    {
+      fd[0] = tmp[0];
+      fd[1] = tmp[1];
+      return -1;
+    }
+
+  /* O_NONBLOCK handling.
+     On native Windows platforms, O_NONBLOCK is defined by gnulib.  Use the
+     functions defined by the gnulib module 'nonblocking'.  */
+# if GNULIB_defined_O_NONBLOCK
+  if (flags & O_NONBLOCK)
+    {
+      if (set_nonblocking_flag (fd[0], true) != 0
+          || set_nonblocking_flag (fd[1], true) != 0)
+        goto fail;
+    }
+# else
+  {
+    verify (O_NONBLOCK == 0);
+  }
+# endif
+
+  return 0;
+
+#else
+/* Unix API.  */
+
+  if (pipe (fd) < 0)
+    return -1;
+
+  /* POSIX <http://www.opengroup.org/onlinepubs/9699919799/functions/pipe.html>
+     says that initially, the O_NONBLOCK and FD_CLOEXEC flags are cleared on
+     both fd[0] and fd[1].  */
+
+  /* O_NONBLOCK handling.
+     On Unix platforms, O_NONBLOCK is defined by the system.  Use fcntl().  */
+  if (flags & O_NONBLOCK)
+    {
+      int fcntl_flags;
+
+      if ((fcntl_flags = fcntl (fd[1], F_GETFL, 0)) < 0
+          || fcntl (fd[1], F_SETFL, fcntl_flags | O_NONBLOCK) == -1
+          || (fcntl_flags = fcntl (fd[0], F_GETFL, 0)) < 0
+          || fcntl (fd[0], F_SETFL, fcntl_flags | O_NONBLOCK) == -1)
+        goto fail;
+    }
+
+  if (flags & O_CLOEXEC)
+    {
+      int fcntl_flags;
+
+      if ((fcntl_flags = fcntl (fd[1], F_GETFD, 0)) < 0
+          || fcntl (fd[1], F_SETFD, fcntl_flags | FD_CLOEXEC) == -1
+          || (fcntl_flags = fcntl (fd[0], F_GETFD, 0)) < 0
+          || fcntl (fd[0], F_SETFD, fcntl_flags | FD_CLOEXEC) == -1)
+        goto fail;
+    }
+
+# if O_BINARY
+  if (flags & O_BINARY)
+    {
+      setmode (fd[1], O_BINARY);
+      setmode (fd[0], O_BINARY);
+    }
+  else if (flags & O_TEXT)
+    {
+      setmode (fd[1], O_TEXT);
+      setmode (fd[0], O_TEXT);
+    }
+# endif
+
+  return 0;
+
+#endif
+
+#if GNULIB_defined_O_NONBLOCK || \
+  !((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__)
+ fail:
+  {
+    int saved_errno = errno;
+    close (fd[0]);
+    close (fd[1]);
+    fd[0] = tmp[0];
+    fd[1] = tmp[1];
+    errno = saved_errno;
+    return -1;
+  }
+#endif
+}