I/O safety of dup2 with an imminent exec #497
Comments
|
I think we can expose
|
|
The Rust compiler and Rustix both regularly call things in libcore. |
|
Note about dup2: POSIX says that implemtations can have extra fds open that user code doesn't know about, so user code can't just dup2 to arbitrary integer values even when there's an imminent exec: https://pubs.opengroup.org/onlinepubs/9699919799/functions/dup.html# |
There's |
Wow, that's a scary function. I don't think it's possible to use it safely unless you know how every line of code you run inside that, transitively, is implemented, including all the standard library functions, and any compiler builtins that get called implicitly. |
One of the main use cases for dup2 is to pass fds to an exec at arbitrarily chosen positions. I/O safety considers that to be forgery. But it's an important use case, and if you somehow know there will be no further I/O on any other fd, including on other threads, you can make it work reliably in practice. Is there a way we can accommodate this in I/O safety?
A related question: is it possible to call
forkin Rust at all? POSIX says the child can only call async-signal-safe functions, but Rust doesn't currently guarantee that anything is async-signal-safe.One option would be to say that these situations are too unwieldy, and that instead of trying to define soundness requirements for fork and exec, we should instead define "spawn" and "replace the current process" primitives which can be passed a list of fds to pass to exec, so that we can do all the dup2's etc in specially blessed code.
The text was updated successfully, but these errors were encountered: