diff options
| author | Carsten Haitzler (Rasterman) <raster@rasterman.com> | 2017-09-23 22:44:17 +0900 |
|---|---|---|
| committer | Carsten Haitzler (Rasterman) <raster@rasterman.com> | 2017-09-23 22:44:17 +0900 |
| commit | d136961e3eeb53fa73a2326dc66c4ccd37b13e75 (patch) | |
| tree | b8af952fc3841d3096ba8cbf02100bf21de2e064 | |
| parent | 17507bab43e18b3a29fb045302de6c4f88fef594 (diff) | |
ecore exe - add an "isolate io"f lag for sending io to /dev/null
this is useful for security to disallow child processes access to
stdio/err of the parent process.
@feature
| -rw-r--r-- | src/lib/ecore/ecore_exe.eo | 3 | ||||
| -rw-r--r-- | src/lib/ecore/ecore_exe_posix.c | 70 |
2 files changed, 54 insertions, 19 deletions
diff --git a/src/lib/ecore/ecore_exe.eo b/src/lib/ecore/ecore_exe.eo index 78a1da9e03..100f5b35f3 100644 --- a/src/lib/ecore/ecore_exe.eo +++ b/src/lib/ecore/ecore_exe.eo | |||
| @@ -35,7 +35,8 @@ enum Ecore.Exe_Flags | |||
| 35 | respawn = 64, [[FIXME: Exe is restarted if it dies]] | 35 | respawn = 64, [[FIXME: Exe is restarted if it dies]] |
| 36 | use_sh = 128, [[Use /bin/sh to run the command.]] | 36 | use_sh = 128, [[Use /bin/sh to run the command.]] |
| 37 | not_leader = 256, [[Do not use setsid() to have the executed process be its own session leader]] | 37 | not_leader = 256, [[Do not use setsid() to have the executed process be its own session leader]] |
| 38 | term_with_parent = 512 [[Makes child receive SIGTERM when parent dies.]] | 38 | term_with_parent = 512, [[Makes child receive SIGTERM when parent dies.]] |
| 39 | isolate_io = 1024, [[Try and isolate stdin/out and err of the process so it isn't shared with the parent.]] | ||
| 39 | } | 40 | } |
| 40 | 41 | ||
| 41 | class Ecore.Exe (Efl.Object, Efl.Control) | 42 | class Ecore.Exe (Efl.Object, Efl.Control) |
diff --git a/src/lib/ecore/ecore_exe_posix.c b/src/lib/ecore/ecore_exe_posix.c index 2a240a2d01..3cbba20f44 100644 --- a/src/lib/ecore/ecore_exe_posix.c +++ b/src/lib/ecore/ecore_exe_posix.c | |||
| @@ -317,24 +317,58 @@ _impl_ecore_exe_efl_object_finalize(Eo *obj, Ecore_Exe_Data *exe) | |||
| 317 | #warning "Have support for this" | 317 | #warning "Have support for this" |
| 318 | #endif | 318 | #endif |
| 319 | } | 319 | } |
| 320 | /* dup2 STDERR, STDIN, and STDOUT. dup2() allegedly closes the | 320 | if (ok && (flags & ECORE_EXE_ISOLATE_IO)) |
| 321 | * second pipe if it's open. On the other hand, there was the | 321 | { |
| 322 | * Great FD Leak Scare of '06, so let's be paranoid. */ | 322 | int devnull; |
| 323 | if (ok && (flags & ECORE_EXE_PIPE_ERROR)) | 323 | |
| 324 | { | 324 | /* we want to isolatie the stdin/out/err of the process so |
| 325 | E_NO_ERRNO(result, close(STDERR_FILENO), ok); | 325 | * it can't share those of the parent, so close and replace with |
| 326 | E_NO_ERRNO(result, dup2(errorPipe[1], STDERR_FILENO), ok); | 326 | * /dev/null */ |
| 327 | } | 327 | devnull = open("/dev/null", O_RDONLY); |
| 328 | if (ok && (flags & ECORE_EXE_PIPE_READ)) | 328 | if (devnull >= 0) |
| 329 | { | 329 | { |
| 330 | E_NO_ERRNO(result, close(STDOUT_FILENO), ok); | 330 | E_NO_ERRNO(result, close(STDIN_FILENO), ok); |
| 331 | E_NO_ERRNO(result, dup2(readPipe[1], STDOUT_FILENO), ok); | 331 | E_NO_ERRNO(result, dup2(devnull, STDIN_FILENO), ok); |
| 332 | } | 332 | E_NO_ERRNO(result, close(devnull), ok); |
| 333 | if (ok && (flags & ECORE_EXE_PIPE_WRITE)) | 333 | } |
| 334 | { | 334 | |
| 335 | E_NO_ERRNO(result, close(STDIN_FILENO), ok); | 335 | devnull = open("/dev/null", O_WRONLY); |
| 336 | E_NO_ERRNO(result, dup2(writePipe[0], STDIN_FILENO), ok); | 336 | if (devnull >= 0) |
| 337 | } | 337 | { |
| 338 | E_NO_ERRNO(result, close(STDOUT_FILENO), ok); | ||
| 339 | E_NO_ERRNO(result, dup2(devnull, STDOUT_FILENO), ok); | ||
| 340 | E_NO_ERRNO(result, close(devnull), ok); | ||
| 341 | } | ||
| 342 | |||
| 343 | devnull = open("/dev/null", O_WRONLY); | ||
| 344 | if (devnull >= 0) | ||
| 345 | { | ||
| 346 | E_NO_ERRNO(result, close(STDERR_FILENO), ok); | ||
| 347 | E_NO_ERRNO(result, dup2(devnull, STDERR_FILENO), ok); | ||
| 348 | E_NO_ERRNO(result, close(devnull), ok); | ||
| 349 | } | ||
| 350 | } | ||
| 351 | else | ||
| 352 | { | ||
| 353 | /* dup2 STDERR, STDIN, and STDOUT. dup2() allegedly closes the | ||
| 354 | * second pipe if it's open. On the other hand, there was the | ||
| 355 | * Great FD Leak Scare of '06, so let's be paranoid. */ | ||
| 356 | if (ok && (flags & ECORE_EXE_PIPE_ERROR)) | ||
| 357 | { | ||
| 358 | E_NO_ERRNO(result, close(STDERR_FILENO), ok); | ||
| 359 | E_NO_ERRNO(result, dup2(errorPipe[1], STDERR_FILENO), ok); | ||
| 360 | } | ||
| 361 | if (ok && (flags & ECORE_EXE_PIPE_READ)) | ||
| 362 | { | ||
| 363 | E_NO_ERRNO(result, close(STDOUT_FILENO), ok); | ||
| 364 | E_NO_ERRNO(result, dup2(readPipe[1], STDOUT_FILENO), ok); | ||
| 365 | } | ||
| 366 | if (ok && (flags & ECORE_EXE_PIPE_WRITE)) | ||
| 367 | { | ||
| 368 | E_NO_ERRNO(result, close(STDIN_FILENO), ok); | ||
| 369 | E_NO_ERRNO(result, dup2(writePipe[0], STDIN_FILENO), ok); | ||
| 370 | } | ||
| 371 | } | ||
| 338 | 372 | ||
| 339 | if (ok) | 373 | if (ok) |
| 340 | { | 374 | { |