chg: use fsetcloexec instead of closing lockfd manually...
Jun Wu -
r28856:0d530299 default
@@ -1,587 +1,586 b''
1 1 /*
2 2 * A fast client for Mercurial command server
3 3 *
4 4 * Copyright (c) 2011 Yuya Nishihara <yuya@tcha.org>
5 5 *
6 6 * This software may be used and distributed according to the terms of the
7 7 * GNU General Public License version 2 or any later version.
8 8 */
9 9
10 10 #include <assert.h>
11 11 #include <errno.h>
12 12 #include <fcntl.h>
13 13 #include <signal.h>
14 14 #include <stdio.h>
15 15 #include <stdlib.h>
16 16 #include <string.h>
17 17 #include <sys/file.h>
18 18 #include <sys/stat.h>
19 19 #include <sys/types.h>
20 20 #include <sys/un.h>
21 21 #include <sys/wait.h>
22 22 #include <time.h>
23 23 #include <unistd.h>
24 24
25 25 #include "hgclient.h"
26 26 #include "util.h"
27 27
28 28 #ifndef UNIX_PATH_MAX
29 29 #define UNIX_PATH_MAX (sizeof(((struct sockaddr_un *)NULL)->sun_path))
30 30 #endif
31 31
32 32 struct cmdserveropts {
33 33 char sockname[UNIX_PATH_MAX];
34 34 char redirectsockname[UNIX_PATH_MAX];
35 35 char lockfile[UNIX_PATH_MAX];
36 36 size_t argsize;
37 37 const char **args;
38 38 int lockfd;
39 39 int sockdirfd;
40 40 };
41 41
42 42 static void initcmdserveropts(struct cmdserveropts *opts) {
43 43 memset(opts, 0, sizeof(struct cmdserveropts));
44 44 opts->lockfd = -1;
45 45 opts->sockdirfd = AT_FDCWD;
46 46 }
47 47
48 48 static void freecmdserveropts(struct cmdserveropts *opts) {
49 49 free(opts->args);
50 50 opts->args = NULL;
51 51 opts->argsize = 0;
52 52 assert(opts->lockfd == -1 && "should be closed by unlockcmdserver()");
53 53 if (opts->sockdirfd != AT_FDCWD) {
54 54 close(opts->sockdirfd);
55 55 opts->sockdirfd = AT_FDCWD;
56 56 }
57 57 }
58 58
59 59 /*
60 60 * Test if an argument is a sensitive flag that should be passed to the server.
61 61 * Return 0 if not, otherwise the number of arguments starting from the current
62 62 * one that should be passed to the server.
63 63 */
64 64 static size_t testsensitiveflag(const char *arg)
65 65 {
66 66 static const struct {
67 67 const char *name;
68 68 size_t narg;
69 69 } flags[] = {
70 70 {"--config", 1},
71 71 {"--cwd", 1},
72 72 {"--repo", 1},
73 73 {"--repository", 1},
74 74 {"--traceback", 0},
75 75 {"-R", 1},
76 76 };
77 77 size_t i;
78 78 for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i) {
79 79 size_t len = strlen(flags[i].name);
80 80 size_t narg = flags[i].narg;
81 81 if (memcmp(arg, flags[i].name, len) == 0) {
82 82 if (arg[len] == '\0') {
83 83 /* --flag (value) */
84 84 return narg + 1;
85 85 } else if (arg[len] == '=' && narg > 0) {
86 86 /* --flag=value */
87 87 return 1;
88 88 } else if (flags[i].name[1] != '-') {
89 89 /* short flag */
90 90 return 1;
91 91 }
92 92 }
93 93 }
94 94 return 0;
95 95 }
96 96
97 97 /*
98 98 * Parse argv[] and put sensitive flags to opts->args
99 99 */
100 100 static void setcmdserverargs(struct cmdserveropts *opts,
101 101 int argc, const char *argv[])
102 102 {
103 103 size_t i, step;
104 104 opts->argsize = 0;
105 105 for (i = 0, step = 1; i < (size_t)argc; i += step, step = 1) {
106 106 if (!argv[i])
107 107 continue; /* pass clang-analyse */
108 108 if (strcmp(argv[i], "--") == 0)
109 109 break;
110 110 size_t n = testsensitiveflag(argv[i]);
111 111 if (n == 0 || i + n > (size_t)argc)
112 112 continue;
113 113 opts->args = reallocx(opts->args,
114 114 (n + opts->argsize) * sizeof(char *));
115 115 memcpy(opts->args + opts->argsize, argv + i,
116 116 sizeof(char *) * n);
117 117 opts->argsize += n;
118 118 step = n;
119 119 }
120 120 }
121 121
122 122 static void preparesockdir(const char *sockdir)
123 123 {
124 124 int r;
125 125 r = mkdir(sockdir, 0700);
126 126 if (r < 0 && errno != EEXIST)
127 127 abortmsgerrno("cannot create sockdir %s", sockdir);
128 128
129 129 struct stat st;
130 130 r = lstat(sockdir, &st);
131 131 if (r < 0)
132 132 abortmsgerrno("cannot stat %s", sockdir);
133 133 if (!S_ISDIR(st.st_mode))
134 134 abortmsg("cannot create sockdir %s (file exists)", sockdir);
135 135 if (st.st_uid != geteuid() || st.st_mode & 0077)
136 136 abortmsg("insecure sockdir %s", sockdir);
137 137 }
138 138
139 139 static void setcmdserveropts(struct cmdserveropts *opts)
140 140 {
141 141 int r;
142 142 char sockdir[UNIX_PATH_MAX];
143 143 const char *envsockname = getenv("CHGSOCKNAME");
144 144 if (!envsockname) {
145 145 /* by default, put socket file in secure directory
146 146 * (permission of socket file may be ignored on some Unices) */
147 147 const char *tmpdir = getenv("TMPDIR");
148 148 if (!tmpdir)
149 149 tmpdir = "/tmp";
150 150 r = snprintf(sockdir, sizeof(sockdir), "%s/chg%d",
151 151 tmpdir, geteuid());
152 152 if (r < 0 || (size_t)r >= sizeof(sockdir))
153 153 abortmsg("too long TMPDIR (r = %d)", r);
154 154 preparesockdir(sockdir);
155 155 }
156 156
157 157 const char *basename = (envsockname) ? envsockname : sockdir;
158 158 const char *sockfmt = (envsockname) ? "%s" : "%s/server";
159 159 const char *lockfmt = (envsockname) ? "%s.lock" : "%s/lock";
160 160 r = snprintf(opts->sockname, sizeof(opts->sockname), sockfmt, basename);
161 161 if (r < 0 || (size_t)r >= sizeof(opts->sockname))
162 162 abortmsg("too long TMPDIR or CHGSOCKNAME (r = %d)", r);
163 163 r = snprintf(opts->lockfile, sizeof(opts->lockfile), lockfmt, basename);
164 164 if (r < 0 || (size_t)r >= sizeof(opts->lockfile))
165 165 abortmsg("too long TMPDIR or CHGSOCKNAME (r = %d)", r);
166 166 }
167 167
168 168 /*
169 169 * Acquire a file lock that indicates a client is trying to start and connect
170 170 * to a server, before executing a command. The lock is released upon exit or
171 171 * explicit unlock. Will block if the lock is held by another process.
172 172 */
173 173 static void lockcmdserver(struct cmdserveropts *opts)
174 174 {
175 175 if (opts->lockfd == -1) {
176 176 opts->lockfd = open(opts->lockfile,
177 177 O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
178 178 if (opts->lockfd == -1)
179 179 abortmsgerrno("cannot create lock file %s",
180 180 opts->lockfile);
181 fsetcloexec(opts->lockfd);
181 182 }
182 183 int r = flock(opts->lockfd, LOCK_EX);
183 184 if (r == -1)
184 185 abortmsgerrno("cannot acquire lock");
185 186 }
186 187
187 188 /*
188 189 * Release the file lock held by calling lockcmdserver. Will do nothing if
189 190 * lockcmdserver is not called.
190 191 */
191 192 static void unlockcmdserver(struct cmdserveropts *opts)
192 193 {
193 194 if (opts->lockfd == -1)
194 195 return;
195 196 flock(opts->lockfd, LOCK_UN);
196 197 close(opts->lockfd);
197 198 opts->lockfd = -1;
198 199 }
199 200
200 201 static const char *gethgcmd(void)
201 202 {
202 203 static const char *hgcmd = NULL;
203 204 if (!hgcmd) {
204 205 hgcmd = getenv("CHGHG");
205 206 if (!hgcmd || hgcmd[0] == '\0')
206 207 hgcmd = getenv("HG");
207 208 if (!hgcmd || hgcmd[0] == '\0')
208 209 #ifdef HGPATH
209 210 hgcmd = (HGPATH);
210 211 #else
211 212 hgcmd = "hg";
212 213 #endif
213 214 }
214 215 return hgcmd;
215 216 }
216 217
217 218 static void execcmdserver(const struct cmdserveropts *opts)
218 219 {
219 220 const char *hgcmd = gethgcmd();
220 221
221 222 const char *baseargv[] = {
222 223 hgcmd,
223 224 "serve",
224 225 "--cmdserver", "chgunix",
225 226 "--address", opts->sockname,
226 227 "--daemon-postexec", "chdir:/",
227 228 "--config", "extensions.chgserver=",
228 229 };
229 230 size_t baseargvsize = sizeof(baseargv) / sizeof(baseargv[0]);
230 231 size_t argsize = baseargvsize + opts->argsize + 1;
231 232
232 233 const char **argv = mallocx(sizeof(char *) * argsize);
233 234 memcpy(argv, baseargv, sizeof(baseargv));
234 235 memcpy(argv + baseargvsize, opts->args, sizeof(char *) * opts->argsize);
235 236 argv[argsize - 1] = NULL;
236 237
237 238 if (putenv("CHGINTERNALMARK=") != 0)
238 239 abortmsgerrno("failed to putenv");
239 240 if (execvp(hgcmd, (char **)argv) < 0)
240 241 abortmsgerrno("failed to exec cmdserver");
241 242 free(argv);
242 243 }
243 244
244 245 /* Retry until we can connect to the server. Give up after some time. */
245 246 static hgclient_t *retryconnectcmdserver(struct cmdserveropts *opts, pid_t pid)
246 247 {
247 248 static const struct timespec sleepreq = {0, 10 * 1000000};
248 249 int pst = 0;
249 250
250 251 debugmsg("try connect to %s repeatedly", opts->sockname);
251 252 for (unsigned int i = 0; i < 10 * 100; i++) {
252 253 hgclient_t *hgc = hgc_open(opts->sockname);
253 254 if (hgc)
254 255 return hgc;
255 256
256 257 if (pid > 0) {
257 258 /* collect zombie if child process fails to start */
258 259 int r = waitpid(pid, &pst, WNOHANG);
259 260 if (r != 0)
260 261 goto cleanup;
261 262 }
262 263
263 264 nanosleep(&sleepreq, NULL);
264 265 }
265 266
266 267 abortmsg("timed out waiting for cmdserver %s", opts->sockname);
267 268 return NULL;
268 269
269 270 cleanup:
270 271 if (WIFEXITED(pst)) {
271 272 debugmsg("cmdserver exited with status %d", WEXITSTATUS(pst));
272 273 exit(WEXITSTATUS(pst));
273 274 } else if (WIFSIGNALED(pst)) {
274 275 abortmsg("cmdserver killed by signal %d", WTERMSIG(pst));
275 276 } else {
276 277 abortmsg("error while waiting for cmdserver");
277 278 }
278 279 return NULL;
279 280 }
280 281
281 282 /* Connect to a cmdserver. Will start a new server on demand. */
282 283 static hgclient_t *connectcmdserver(struct cmdserveropts *opts)
283 284 {
284 285 const char *sockname = opts->redirectsockname[0] ?
285 286 opts->redirectsockname : opts->sockname;
286 287 debugmsg("try connect to %s", sockname);
287 288 hgclient_t *hgc = hgc_open(sockname);
288 289 if (hgc)
289 290 return hgc;
290 291
291 292 lockcmdserver(opts);
292 293 hgc = hgc_open(sockname);
293 294 if (hgc) {
294 295 unlockcmdserver(opts);
295 296 debugmsg("cmdserver is started by another process");
296 297 return hgc;
297 298 }
298 299
299 300 /* prevent us from being connected to an outdated server: we were
300 301 * told by a server to redirect to opts->redirectsockname and that
301 302 * address does not work. we do not want to connect to the server
302 303 * again because it will probably tell us the same thing. */
303 304 if (sockname == opts->redirectsockname)
304 305 unlink(opts->sockname);
305 306
306 307 debugmsg("start cmdserver at %s", opts->sockname);
307 308
308 309 pid_t pid = fork();
309 310 if (pid < 0)
310 311 abortmsg("failed to fork cmdserver process");
311 312 if (pid == 0) {
312 /* do not leak lockfd to hg */
313 close(opts->lockfd);
314 313 execcmdserver(opts);
315 314 } else {
316 315 hgc = retryconnectcmdserver(opts, pid);
317 316 }
318 317
319 318 unlockcmdserver(opts);
320 319 return hgc;
321 320 }
322 321
323 322 static void killcmdserver(const struct cmdserveropts *opts)
324 323 {
325 324 /* resolve config hash */
326 325 char *resolvedpath = realpath(opts->sockname, NULL);
327 326 if (resolvedpath) {
328 327 unlink(resolvedpath);
329 328 free(resolvedpath);
330 329 }
331 330 }
332 331
333 332 static pid_t peerpid = 0;
334 333
335 334 static void forwardsignal(int sig)
336 335 {
337 336 assert(peerpid > 0);
338 337 if (kill(peerpid, sig) < 0)
339 338 abortmsgerrno("cannot kill %d", peerpid);
340 339 debugmsg("forward signal %d", sig);
341 340 }
342 341
343 342 static void handlestopsignal(int sig)
344 343 {
345 344 sigset_t unblockset, oldset;
346 345 struct sigaction sa, oldsa;
347 346 if (sigemptyset(&unblockset) < 0)
348 347 goto error;
349 348 if (sigaddset(&unblockset, sig) < 0)
350 349 goto error;
351 350 memset(&sa, 0, sizeof(sa));
352 351 sa.sa_handler = SIG_DFL;
353 352 sa.sa_flags = SA_RESTART;
354 353 if (sigemptyset(&sa.sa_mask) < 0)
355 354 goto error;
356 355
357 356 forwardsignal(sig);
358 357 if (raise(sig) < 0) /* resend to self */
359 358 goto error;
360 359 if (sigaction(sig, &sa, &oldsa) < 0)
361 360 goto error;
362 361 if (sigprocmask(SIG_UNBLOCK, &unblockset, &oldset) < 0)
363 362 goto error;
364 363 /* resent signal will be handled before sigprocmask() returns */
365 364 if (sigprocmask(SIG_SETMASK, &oldset, NULL) < 0)
366 365 goto error;
367 366 if (sigaction(sig, &oldsa, NULL) < 0)
368 367 goto error;
369 368 return;
370 369
371 370 error:
372 371 abortmsgerrno("failed to handle stop signal");
373 372 }
374 373
375 374 static void setupsignalhandler(pid_t pid)
376 375 {
377 376 if (pid <= 0)
378 377 return;
379 378 peerpid = pid;
380 379
381 380 struct sigaction sa;
382 381 memset(&sa, 0, sizeof(sa));
383 382 sa.sa_handler = forwardsignal;
384 383 sa.sa_flags = SA_RESTART;
385 384 if (sigemptyset(&sa.sa_mask) < 0)
386 385 goto error;
387 386
388 387 if (sigaction(SIGHUP, &sa, NULL) < 0)
389 388 goto error;
390 389 if (sigaction(SIGINT, &sa, NULL) < 0)
391 390 goto error;
392 391
393 392 /* terminate frontend by double SIGTERM in case of server freeze */
394 393 sa.sa_flags |= SA_RESETHAND;
395 394 if (sigaction(SIGTERM, &sa, NULL) < 0)
396 395 goto error;
397 396
398 397 /* propagate job control requests to worker */
399 398 sa.sa_handler = forwardsignal;
400 399 sa.sa_flags = SA_RESTART;
401 400 if (sigaction(SIGCONT, &sa, NULL) < 0)
402 401 goto error;
403 402 sa.sa_handler = handlestopsignal;
404 403 sa.sa_flags = SA_RESTART;
405 404 if (sigaction(SIGTSTP, &sa, NULL) < 0)
406 405 goto error;
407 406
408 407 return;
409 408
410 409 error:
411 410 abortmsgerrno("failed to set up signal handlers");
412 411 }
413 412
414 413 /* This implementation is based on hgext/pager.py (pre 369741ef7253) */
415 414 static void setuppager(hgclient_t *hgc, const char *const args[],
416 415 size_t argsize)
417 416 {
418 417 const char *pagercmd = hgc_getpager(hgc, args, argsize);
419 418 if (!pagercmd)
420 419 return;
421 420
422 421 int pipefds[2];
423 422 if (pipe(pipefds) < 0)
424 423 return;
425 424 pid_t pid = fork();
426 425 if (pid < 0)
427 426 goto error;
428 427 if (pid == 0) {
429 428 close(pipefds[0]);
430 429 if (dup2(pipefds[1], fileno(stdout)) < 0)
431 430 goto error;
432 431 if (isatty(fileno(stderr))) {
433 432 if (dup2(pipefds[1], fileno(stderr)) < 0)
434 433 goto error;
435 434 }
436 435 close(pipefds[1]);
437 436 hgc_attachio(hgc); /* reattach to pager */
438 437 return;
439 438 } else {
440 439 dup2(pipefds[0], fileno(stdin));
441 440 close(pipefds[0]);
442 441 close(pipefds[1]);
443 442
444 443 int r = execlp("/bin/sh", "/bin/sh", "-c", pagercmd, NULL);
445 444 if (r < 0) {
446 445 abortmsgerrno("cannot start pager '%s'", pagercmd);
447 446 }
448 447 return;
449 448 }
450 449
451 450 error:
452 451 close(pipefds[0]);
453 452 close(pipefds[1]);
454 453 abortmsgerrno("failed to prepare pager");
455 454 }
456 455
457 456 /* Run instructions sent from the server like unlink and set redirect path
458 457 * Return 1 if reconnect is needed, otherwise 0 */
459 458 static int runinstructions(struct cmdserveropts *opts, const char **insts)
460 459 {
461 460 int needreconnect = 0;
462 461 if (!insts)
463 462 return needreconnect;
464 463
465 464 assert(insts);
466 465 opts->redirectsockname[0] = '\0';
467 466 const char **pinst;
468 467 for (pinst = insts; *pinst; pinst++) {
469 468 debugmsg("instruction: %s", *pinst);
470 469 if (strncmp(*pinst, "unlink ", 7) == 0) {
471 470 unlink(*pinst + 7);
472 471 } else if (strncmp(*pinst, "redirect ", 9) == 0) {
473 472 int r = snprintf(opts->redirectsockname,
474 473 sizeof(opts->redirectsockname),
475 474 "%s", *pinst + 9);
476 475 if (r < 0 || r >= (int)sizeof(opts->redirectsockname))
477 476 abortmsg("redirect path is too long (%d)", r);
478 477 needreconnect = 1;
479 478 } else if (strncmp(*pinst, "exit ", 5) == 0) {
480 479 int n = 0;
481 480 if (sscanf(*pinst + 5, "%d", &n) != 1)
482 481 abortmsg("cannot read the exit code");
483 482 exit(n);
484 483 } else if (strcmp(*pinst, "reconnect") == 0) {
485 484 needreconnect = 1;
486 485 } else {
487 486 abortmsg("unknown instruction: %s", *pinst);
488 487 }
489 488 }
490 489 return needreconnect;
491 490 }
492 491
493 492 /*
494 493 * Test whether the command is unsupported or not. This is not designed to
495 494 * cover all cases. But it's fast, does not depend on the server and does
496 495 * not return false positives.
497 496 */
498 497 static int isunsupported(int argc, const char *argv[])
499 498 {
500 499 enum {
501 500 SERVE = 1,
502 501 DAEMON = 2,
503 502 SERVEDAEMON = SERVE | DAEMON,
504 503 TIME = 4,
505 504 };
506 505 unsigned int state = 0;
507 506 int i;
508 507 for (i = 0; i < argc; ++i) {
509 508 if (strcmp(argv[i], "--") == 0)
510 509 break;
511 510 if (i == 0 && strcmp("serve", argv[i]) == 0)
512 511 state |= SERVE;
513 512 else if (strcmp("-d", argv[i]) == 0 ||
514 513 strcmp("--daemon", argv[i]) == 0)
515 514 state |= DAEMON;
516 515 else if (strcmp("--time", argv[i]) == 0)
517 516 state |= TIME;
518 517 }
519 518 return (state & TIME) == TIME ||
520 519 (state & SERVEDAEMON) == SERVEDAEMON;
521 520 }
522 521
523 522 static void execoriginalhg(const char *argv[])
524 523 {
525 524 debugmsg("execute original hg");
526 525 if (execvp(gethgcmd(), (char **)argv) < 0)
527 526 abortmsgerrno("failed to exec original hg");
528 527 }
529 528
530 529 int main(int argc, const char *argv[], const char *envp[])
531 530 {
532 531 if (getenv("CHGDEBUG"))
533 532 enabledebugmsg();
534 533
535 534 if (!getenv("HGPLAIN") && isatty(fileno(stderr)))
536 535 enablecolor();
537 536
538 537 if (getenv("CHGINTERNALMARK"))
539 538 abortmsg("chg started by chg detected.\n"
540 539 "Please make sure ${HG:-hg} is not a symlink or "
541 540 "wrapper to chg. Alternatively, set $CHGHG to the "
542 541 "path of real hg.");
543 542
544 543 if (isunsupported(argc - 1, argv + 1))
545 544 execoriginalhg(argv);
546 545
547 546 struct cmdserveropts opts;
548 547 initcmdserveropts(&opts);
549 548 setcmdserveropts(&opts);
550 549 setcmdserverargs(&opts, argc, argv);
551 550
552 551 if (argc == 2) {
553 552 if (strcmp(argv[1], "--kill-chg-daemon") == 0) {
554 553 killcmdserver(&opts);
555 554 return 0;
556 555 }
557 556 }
558 557
559 558 hgclient_t *hgc;
560 559 size_t retry = 0;
561 560 while (1) {
562 561 hgc = connectcmdserver(&opts);
563 562 if (!hgc)
564 563 abortmsg("cannot open hg client");
565 564 hgc_setenv(hgc, envp);
566 565 const char **insts = hgc_validate(hgc, argv + 1, argc - 1);
567 566 int needreconnect = runinstructions(&opts, insts);
568 567 free(insts);
569 568 if (!needreconnect)
570 569 break;
571 570 hgc_close(hgc);
572 571 if (++retry > 10)
573 572 abortmsg("too many redirections.\n"
574 573 "Please make sure %s is not a wrapper which "
575 574 "changes sensitive environment variables "
576 575 "before executing hg. If you have to use a "
577 576 "wrapper, wrap chg instead of hg.",
578 577 gethgcmd());
579 578 }
580 579
581 580 setupsignalhandler(hgc_peerpid(hgc));
582 581 setuppager(hgc, argv + 1, argc - 1);
583 582 int exitcode = hgc_runcommand(hgc, argv + 1, argc - 1);
584 583 hgc_close(hgc);
585 584 freecmdserveropts(&opts);
586 585 return exitcode;
587 586 }
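Review bot: The added `fsetcloexec(opts->lockfd);` in lockcmdserver leaves a short window between `open()` returning and the flag being set in which a fork elsewhere in the process would still inherit the lock descriptor; passing `O_CLOEXEC` in the open flags (`O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC`) would set it atomically, if the platforms chg targets all provide it. If the helper is kept for portability, a why-comment would help the next reader, e.g. `/* lockfd must not be inherited by the forked cmdserver */`, since the removed explicit `close()` in connectcmdserver no longer documents that intent. The block comment above lockcmdserver still only describes how the lock is released; a sentence such as `The lock fd is marked close-on-exec so the spawned cmdserver does not inherit it.` would cover the new behaviour. If `fsetcloexec` signals failure through a return value rather than aborting, that result should be checked the way the neighbouring `open()` and `flock()` results are; I cannot see its definition in this page.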