This requires modifying fhandler_pty_master::dup so that it duplicates
handles when it is called with non-zero src_pid on an fhandler that
doesn't yet have an archetype.
This requires modifying fhandler_console::dup so that it duplicates
handles when it is called with non-zero src_pid on an fhandler that
doesn't yet have an archetype.
As in the recent change to fhandler_pty_slave::dup, dtable::dup_worker
will then create an archetype for the new fhandler after
fhandler_console::dup returns.
Untested.
This is the first case where the fhandler being sent uses an
archetype. This archetype is of no use to the receiving process, so
we have to make the following changes:
- Modify fhandler_pty_slave::dup so that it duplicates handles when it
is called on an fhandler that doesn't yet have an archetype.
- Modify dtable::dup_worker so that it creates an archetype for the
new fhandler after fhandler_pty_slave::dup returns.
Add a 'src_pid' argument to dtable::dup_worker.
Use the latter in serialize/deserialize rather than repeating much of
what it does.
Don't duplicate the path_conv handle; it isn't needed.
When a process sends a file descriptor via an SCM_RIGHTS control
message, it creates a temporary copy of the fhandler associated with
that descriptor and sends a serialization of that copy. The
deserialization done by the receiver involves duplicating handles from
the copy, so the latter must stay alive until the deserialization is
done. But it must ultimately be closed in order to avoid a memory
leak.
We coordinate all this as follows:
- Introduce a new struct scm_pending_fd that contains information
about the temporary copy. For brevity, call such a struct a
"pending fd" in what follows.
- Maintain a list of pending fds in shared memory.
- Add several methods for manipulating the list to the af_unix_shmem_t
and fhandler_socket_unix classes.
- Also add a lock, 'scm_fd_lock', to control access to the list.
- When a serialized fhandler is received, the receiver sends an ack
back to the sender in an administrative packet with a control
message of a new (Cygwin-specific) type SCM_RIGHTS_ACK.
- grab_admin_pkt is called in various places to process these packets.
A complication here is that the process that calls grab_admin_pkt
might not be the process that originally sent the serialized
fhandler. (It could be a subprocess of the original process, for
example.) This is why we need to maintain the list of pending fds
in shared memory.
- Each fhandler_socket_unix keeps a count of the pending fds that it
has created but not yet processed; this count is in a new data
member 'my_npending_fd'.
- fhandler_socket_unix::close tries to process any remaining pending
fds before closing, but it gives up after a short timeout and
forcibly deletes them if necessary.
Make them member functions of the fhandler_socket_unix class.
Make them use void * instead of fh_ser * so that fhandler.h doesn't
need to know about fh_ser.
First cut. This is currently implemented only for disk files, and
many things still need to be fixed. But it works in limited testing
with the programs scm_rights_{recv,send} in
winsup/cygwin/socket_tests.
Define static helper functions serialize/deserialize in
fhandler_socket_unix.cc. These will be used to support sending file
descriptors via SCM_RIGHTS control messages.
The serialize function creates an 'fh_ser' structure that contains a
copy of the fhandler associated with the file descriptor, with all
allocated memory freed. The structure also contains the Windows pid
of the current process, which deserialize can use for duplicating
handles.
The deserialize function reconstructs an fhandler from an fh_ser
structure, with the handles duplicated into its own process.
For now, serialization and deserialization are fully implemented only
for disk files, and even in that case there are many FIXMEs that need
attention.
This allows duplication of handles from an fhandler created in a
different process. For now, this is implemented only for
fhandler_base and fhandler_disk_file.
This includes various changes to create_cmsg_data and
evaluate_cmsg_data. The most important are:
- create_cmsg_data now allows only one SCM_RIGHTS message and one
SCM_CREDENTIALS message.
- evaluate_cmsg_data now truncates the ancillary data to the number of
control messages that will fit in the supplied buffer. Previously
it discarded all control messages if the buffer was too small.
See https://man7.org/linux/man-pages/man7/unix.7.html.
Previously, create_cmsg_data and evaluate_cmsg_data required the
ancillary data to contain only a single control message, of type
SCM_CREDENTIALS. In preparation for supporting SCM_RIGHTS in the
future, allow more than one.
create_cmsg_data now iterates through the specified control messages
and allows both SCM_CREDENTIALS and SCM_RIGHTS. If no SCM_CREDENTIALS
message is present, it creates one. This was previously done in
sendmsg.
evaluate_cmsg_data also iterates through the received control messages
and allows both SCM_CREDENTIALS and SCM_RIGHTS. Control messages of
type SCM_CREDENTIALS are discarded unless the SO_PASSCRED option has
been set.
Update tests.
Add a new HANDLE argument to peek_pipe and peek_pipe_poll so that the
caller can specify a pipe handle to use in lieu of get_handle(). Use
this in recvmsg to make the MSG_PEEK flag work for unbound datagram
sockets.
Untested.
If the caller doesn't specify ancillary data, add credentials to the
outgoing packet.
This enables us to satisfy the requirement
(https://man7.org/linux/man-pages/man7/unix.7.html) that a socket with
the SO_PASSCRED option enabled can get the credentials of its peer in
every message it receives.
FIXME: I'm not sure if this is the right way to satisfy that
requirement. A possible alternative would be to arrange for a socket
to be notified when its peer enables SO_PASSCRED.
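As an added example (not Cygwin code, and not the project's API) of the application-side behaviour the create_cmsg_data/evaluate_cmsg_data messages and the SO_PASSCRED message above refer to: a Linux program that sends exactly one SCM_RIGHTS and one SCM_CREDENTIALS control message over an AF_UNIX socketpair, sets SO_PASSCRED on the receiver so credentials arrive with every message, walks every received control message, checks cmsg_len before trusting a payload, and shows what MSG_CTRUNC looks like when the receiver's ancillary buffer is too small. The helper names (send_fd_with_creds, recv_fd_with_creds, demo_fd_passing, struct recv_result) and the buffer sizes are my own choices; the truncation behaviour shown is Linux's, the reference the commit messages cite, not necessarily Cygwin's.

```c
/* Added example, not Cygwin code.  Linux-specific: struct ucred, SO_PASSCRED
 * and SCM_CREDENTIALS need _GNU_SOURCE. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Ancillary space for one fd plus one struct ucred (assumed layout for this demo). */
#define CTRL_FULL (CMSG_SPACE (sizeof (int)) + CMSG_SPACE (sizeof (struct ucred)))

/* What the receiver learned from one recvmsg call. */
struct recv_result {
  int fd;          /* descriptor taken from SCM_RIGHTS, -1 if none arrived */
  pid_t pid;       /* sender pid from SCM_CREDENTIALS, 0 if none arrived */
  int truncated;   /* 1 if the kernel set MSG_CTRUNC (buffer too small) */
  int ncmsg;       /* number of control messages walked */
};

/* Sender: one data byte plus exactly one SCM_RIGHTS and one SCM_CREDENTIALS
 * control message.  Returns 0 on success, -1 on failure. */
static int send_fd_with_creds (int sock, int fd_to_send)
{
  char payload = 'F';
  struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
  union { char buf[CTRL_FULL]; struct cmsghdr align; } u;   /* keeps alignment */
  struct msghdr msg;
  struct cmsghdr *cm;
  struct ucred cred = { .pid = getpid (), .uid = getuid (), .gid = getgid () };

  memset (&u, 0, sizeof u);
  memset (&msg, 0, sizeof msg);
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_control = u.buf;
  msg.msg_controllen = sizeof u.buf;

  cm = CMSG_FIRSTHDR (&msg);
  cm->cmsg_level = SOL_SOCKET;
  cm->cmsg_type = SCM_RIGHTS;
  cm->cmsg_len = CMSG_LEN (sizeof (int));
  memcpy (CMSG_DATA (cm), &fd_to_send, sizeof (int));

  cm = CMSG_NXTHDR (&msg, cm);          /* valid only after cmsg_len was set */
  if (!cm)
    return -1;
  cm->cmsg_level = SOL_SOCKET;
  cm->cmsg_type = SCM_CREDENTIALS;      /* kernel verifies pid/uid/gid are ours */
  cm->cmsg_len = CMSG_LEN (sizeof cred);
  memcpy (CMSG_DATA (cm), &cred, sizeof cred);

  return sendmsg (sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receiver: walk every control message, validating cmsg_len before using the
 * payload, and report MSG_CTRUNC.  ctrl_size is the ancillary buffer offered
 * to the kernel (capped at the local buffer).  Returns 0 or -1. */
static int recv_fd_with_creds (int sock, size_t ctrl_size, struct recv_result *out)
{
  char payload;
  struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
  union { char buf[CTRL_FULL]; struct cmsghdr align; } u;
  struct msghdr msg;
  struct cmsghdr *cm;

  out->fd = -1; out->pid = 0; out->truncated = 0; out->ncmsg = 0;
  memset (&u, 0, sizeof u);
  memset (&msg, 0, sizeof msg);
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_control = u.buf;
  msg.msg_controllen = ctrl_size < sizeof u.buf ? ctrl_size : sizeof u.buf;

  if (recvmsg (sock, &msg, 0) != 1)
    return -1;
  out->truncated = (msg.msg_flags & MSG_CTRUNC) != 0;

  for (cm = CMSG_FIRSTHDR (&msg); cm; cm = CMSG_NXTHDR (&msg, cm))
    {
      out->ncmsg++;
      if (cm->cmsg_level != SOL_SOCKET)
        continue;
      /* A cmsg_len shorter than expected means the kernel cut the message
       * off; its data must not be used. */
      if (cm->cmsg_type == SCM_RIGHTS && cm->cmsg_len >= CMSG_LEN (sizeof (int)))
        memcpy (&out->fd, CMSG_DATA (cm), sizeof (int));   /* one fd was sent */
      else if (cm->cmsg_type == SCM_CREDENTIALS
               && cm->cmsg_len >= CMSG_LEN (sizeof (struct ucred)))
        {
          struct ucred c;
          memcpy (&c, CMSG_DATA (cm), sizeof c);
          out->pid = c.pid;
        }
    }
  return 0;
}

/* End to end: pass the write end of a pipe across a socketpair whose receiving
 * side has SO_PASSCRED set, write through the received descriptor and read the
 * byte back from the original pipe.  Returns 1 if the byte round-tripped, 0 if
 * no usable fd arrived, -1 on a setup or I/O error. */
static int demo_fd_passing (size_t ctrl_size, struct recv_result *out)
{
  int sv[2], pfd[2], one = 1, rc = -1;
  char c = 'x', back = 0;

  if (socketpair (AF_UNIX, SOCK_STREAM, 0, sv) < 0)
    return -1;
  if (pipe (pfd) < 0)
    { close (sv[0]); close (sv[1]); return -1; }
  /* Without SO_PASSCRED on the receiver, Linux drops SCM_CREDENTIALS. */
  if (setsockopt (sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one) < 0
      || send_fd_with_creds (sv[0], pfd[1]) < 0
      || recv_fd_with_creds (sv[1], ctrl_size, out) < 0)
    goto out;
  rc = 0;
  if (out->fd >= 0)
    {
      if (write (out->fd, &c, 1) == 1 && read (pfd[0], &back, 1) == 1 && back == 'x')
        rc = 1;
      close (out->fd);
    }
out:
  close (sv[0]); close (sv[1]); close (pfd[0]); close (pfd[1]);
  return rc;
}

int main (void)
{
  struct recv_result r;
  int ok = demo_fd_passing (CTRL_FULL, &r);
  printf ("full buffer:    ok=%d fd=%d pid=%ld truncated=%d cmsgs=%d\n",
          ok, r.fd, (long) r.pid, r.truncated, r.ncmsg);
  ok = demo_fd_passing (CMSG_SPACE (sizeof (int)), &r);   /* too small for both */
  printf ("starved buffer: ok=%d fd=%d pid=%ld truncated=%d cmsgs=%d\n",
          ok, r.fd, (long) r.pid, r.truncated, r.ncmsg);
  return 0;
}
```

The second call deliberately offers the kernel room for only one control message; on Linux the result is MSG_CTRUNC in msg_flags and a cmsg whose cmsg_len is shorter than its type implies, which is why the receiver compares cmsg_len against CMSG_LEN before copying anything out.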
Call set_nonblocking before creating the pipe so that the pipe is
created with the correct blocking mode.
Also call set_pipe_non_blocking on the second socket so that the
client end of the pipe has the correct blocking mode. This also makes
sure that the client end of the pipe is set to message mode for
reading.
If the caller has requested the source address, try to get it on each
iteration of the main read loop, not just the first. Set msg_namelen
to 0 if it is never received.
If a packet containing control message data is received, don't read
any more packets, even if MSG_WAITALL is set.
If there's unread data in the pipe from a previous partial read of a
packet, just return. There can't be an administrative packet waiting
to be read in that case.
And use it in recvmsg.
I'm not sure this implementation is what was intended when the
evaluate_cmsg_data method was added.
For now, just support an ancillary data block consisting of a single
cmsghdr, containing SCM_CREDENTIALS.
For convenience, add a 'msghdr *' argument and make the 'cloexec'
argument false by default. The 'cloexec' argument is not currently
used, and I want to avoid having to artificially specify a value for
it when recvmsg calls evaluate_cmsg_data.
For now, just support an ancillary data block consisting of a single
cmsghdr, containing SCM_CREDENTIALS.
FIXME: We're supposed to check the credentials.
Use sizeof (af_unix_shmem_t) as the view size, as when the shared
memory was created. Previously PAGESIZE was used, causing
NtMapViewOfSection to fail with STATUS_INVALID_VIEW_SIZE.
Call grab_admin_pkt at appropriate times to check whether we've been
shut down for reading. Also, update our shutdown state whenever we
read a packet.
Untested.
FIXME: I'm not sure whether I've treated datagram sockets properly.
Extract from grab_admin_pkt two new methods, record_shut_info and
process_admin_pkt. Also add a new 'peek' argument to grab_admin_pkt.
If this is true, peek to see if the next packet in the pipe is an
administrative packet. Otherwise, assume we already know it is.