Merge pull request swiftlang#2542 from weissi/jw-dont-inherit-fds

Author: swift-ci

Foundation/Process.swift

@@ -9,6 +9,10 @@
 
 import CoreFoundation
 
+#if canImport(Darwin)
+import Darwin
+#endif
+
 extension Process {
     public enum TerminationReason : Int {
         case exit
@@ -872,6 +876,21 @@ open class Process: NSObject {
             posix(_CFPosixSpawnFileActionsAddClose(fileActions, fd))
         }
 
+        #if canImport(Darwin)
+        var spawnAttrs: posix_spawnattr_t? = nil
+        posix_spawnattr_init(&spawnAttrs)
+        posix_spawnattr_setflags(&spawnAttrs, .init(POSIX_SPAWN_CLOEXEC_DEFAULT))
+        #else
+        for fd in 3 ..< getdtablesize() {
+            guard adddup2[fd] == nil &&
+                  !addclose.contains(fd) &&
+                  fd != taskSocketPair[1] else {
+                    continue // Do not double-close descriptors, or close those pertaining to Pipes or FileHandles we want inherited.
+            }
+            posix(_CFPosixSpawnFileActionsAddClose(fileActions, fd))
+        }
+        #endif
+
         let fileManager = FileManager()
         let previousDirectoryPath = fileManager.currentDirectoryPath
         if let dir = currentDirectoryURL?.path, !fileManager.changeCurrentDirectoryPath(dir) {
@@ -885,9 +904,16 @@ open class Process: NSObject {
 
         // Launch
         var pid = pid_t()
+        #if os(macOS)
+        guard _CFPosixSpawn(&pid, launchPath, fileActions, &spawnAttrs, argv, envp) == 0 else {
+            throw _NSErrorWithErrno(errno, reading: true, path: launchPath)
+        }
+        #else
         guard _CFPosixSpawn(&pid, launchPath, fileActions, nil, argv, envp) == 0 else {
             throw _NSErrorWithErrno(errno, reading: true, path: launchPath)
         }
+        #endif
+
 
         // Close the write end of the input and output pipes.
         if let pipe = standardInput as? Pipe {

TestFoundation/TestProcess.swift

@@ -682,6 +682,45 @@ class TestProcess : XCTestCase {
         }
     }
 
+    #if !os(Windows)
+    func test_fileDescriptorsAreNotInherited() throws {
+        let task = Process()
+        let someExtraFDs = [dup(1), dup(1), dup(1), dup(1), dup(1), dup(1), dup(1)]
+        task.executableURL = xdgTestHelperURL()
+        task.arguments = ["--print-open-file-descriptors"]
+        task.standardInput = FileHandle.nullDevice
+        let stdoutPipe = Pipe()
+        task.standardOutput = stdoutPipe.fileHandleForWriting
+        task.standardError = FileHandle.nullDevice
+        XCTAssertNoThrow(try task.run())
+
+        try stdoutPipe.fileHandleForWriting.close()
+        let stdoutData = try stdoutPipe.fileHandleForReading.readToEnd()
+        task.waitUntilExit()
+        let stdoutString = String(decoding: stdoutData ?? Data(), as: Unicode.UTF8.self)
+        #if os(macOS)
+        XCTAssertEqual("0\n1\n2\n", stdoutString)
+        #else
+        // on Linux we may also have a /dev/urandom open as well as some socket that Process uses for something.
+
+        // we should definitely have stdin (0), stdout (1), and stderr (2) open
+        XCTAssert(stdoutString.utf8.starts(with: "0\n1\n2\n".utf8))
+
+        // in total we should have 6 or fewer lines:
+        // 1. stdin
+        // 2. stdout
+        // 3. stderr
+        // 4. /dev/urandom (optional)
+        // 5. communication socket (optional)
+        // 6. trailing new line
+        XCTAssertLessThanOrEqual(stdoutString.components(separatedBy: "\n").count, 6, "\(stdoutString)")
+        #endif
+        for fd in someExtraFDs {
+            close(fd)
+        }
+    }
+    #endif
+
     func test_pipeCloseBeforeLaunch() {
         let process = Process()
         let stdInput = Pipe()
@@ -777,6 +816,7 @@ class TestProcess : XCTestCase {
             ("test_redirect_all_using_nil", test_redirect_all_using_nil),
             ("test_plutil", test_plutil),
             ("test_currentDirectory", test_currentDirectory),
+            ("test_fileDescriptorsAreNotInherited", test_fileDescriptorsAreNotInherited),
             ("test_pipeCloseBeforeLaunch", test_pipeCloseBeforeLaunch),
             ("test_multiProcesses", test_multiProcesses),
         ]
@@ -786,6 +826,7 @@ class TestProcess : XCTestCase {
         tests += [
             ("test_interrupt", test_interrupt),
             ("test_suspend_resume", test_suspend_resume),
+            ("test_fileDescriptorsAreNotInherited", test_fileDescriptorsAreNotInherited),
         ]
 #endif
         return tests

TestFoundation/xdgTestHelper/main.swift

@@ -196,6 +196,17 @@ func cat(_ args: ArraySlice<String>.Iterator) {
     exit(exitCode)
 }
 
+#if !os(Windows)
+func printOpenFileDescriptors() {
+    for fd in 0..<getdtablesize() {
+        if fcntl(fd, F_GETFD) != -1 {
+            print(fd)
+        }
+    }
+    exit(0)
+}
+#endif
+
 // -----
 
 var arguments = ProcessInfo.processInfo.arguments.dropFirst().makeIterator()
@@ -254,8 +265,11 @@ case "--nspathfor":
 #if !os(Windows)
 case "--signal-test":
     signalTest()
+
+case "--print-open-file-descriptors":
+    printOpenFileDescriptors()
 #endif
-    
+
 default:
     fatalError("These arguments are not recognized. Only run this from a unit test.")
 }