Unix library: better API for "close-on-exec" over file descriptors

[xavierleroy]

This is one possible answer to the long-standing problem described in MPR#5256.

Background

An historical accident of the Unix API is that, by default, all file descriptors remain open when a program is started via exec: the new program inherits those file descriptors. This is often a security issue, making it possible for the new program to access files and sockets it could not have otherwise, just because the original program forgot to close the corresponding file descriptors before exec.

To mitigate this problem, a file descriptor can be marked "close on exec" (e.g. with Unix.set_close_on_exec). Then, the kernel will automatically close it during the exec call, and it will not leak to the new program.

However, in multithreaded programs, a race condition exists: if a concurrently-executing thread does fork and exec after the file descriptor is created but before set_close_on_exec is applied to it, the descriptor still leaks. To address this issue, the open system call has a O_CLOEXEC flag that atomically sets "close on exec" on the file descriptor as it is created. Linux adds variants of other system calls (pipe2, dup3, accept4) that do the same for other cases of file descriptor creation. So far these syscalls are Linux-specific, but there is hope that similar functionality will be standardized one day (see http://www.austingroupbugs.net/view.php?id=411).

Proposed solution

Several approaches to the problem above were discussed in MPR#5256. This pull request implements a solution that still relies on programmer's discipline but should not introduce major incompatibilities:

• All Unix functions that create file descriptors now have a way to specify if the descriptor is to be close-on-exec or keep-on-exec:
  • either via an optional argument ~cloexec:bool
  • or, in the case of Unix.openfile, via flags O_CLOEXEC and O_KEEPEXEC.
• For backward compatibility, keep-on-exec is the default, but the implementation makes it trivially easy to switch to close-on-exec by default in the future.
• The implementation of the functions honors the close-on-exec specification, using the system calls that set it atomically as the file descriptor is created, if available, and falling back on a non-atomic implementation otherwise.

Plans for the future

At some future point, it would make a lot of sense to switch the default behavior to "close-on-exec" instead of "keep-on-exec", as it is more secure. Other languages have already made that switch, e.g. Python and Ruby. If we do this now in OCaml it would break too much code. However, with the new API proposed in this pull request, programmers can start religiously annotating their Unix system calls with the appropriate ~cloexec argument. If they do this consistently on all the code that relies on file descriptor inheritance across exec, we will then be able to switch the default to "close-on-exec" and their code will keep working.

Current status

The implementation is at the prototype stage and needs more testing. (The Windows implementation wasn't even compiled, let alone tested.) I'm putting it as a pull request early so as to have a discussion on the API and on whether it's a good solution to the problem.

[toots]

Very happy to see this being worked on again. The proposed solution and PR look fine to me! I was wondering: would it be interesting to add a global switch or maybe a module functor that would allow the programmer to have a Unix module where all calls default to cloexec:true?

[xavierleroy]

@toots: yes, it makes a lot of sense to have programmer's control on the default value. (For example, the SecureOCaml people should probably have "close on exec" as the default.) We did something like that for hashtable randomization in OCaml 4.00. Maybe a similar API could be used here.

[mshinwell]

I think the arguments to this fcntl call are the wrong way round.

[xavierleroy]

Well spotted, thanks! Pushing a fix...

[mshinwell]

I am in favour. I spotted one bug, but can have a closer look once it's been tested.

[mrvn]

I saw a recent proposal to reorganize the stdlib into a new "namespace" Std, including putting the channel functions into Std.IO. Wouldn't that also be a good way to make close_on_exec the default? As in all the functions in Std.IO will default to close_on_exec while the old functions use keep_on_exec.

[xavierleroy]

I fixed the Win32 implementation and added some tests. This PR is ready for review.

Concerning the API, the implementation now makes it trivial to change the default for close-on-exec. I haven't added an API function to do this yet.

[bobot]

Doesn't a race condition can make the new fd1,fd2,fd3 go into another sub-process, since contrary to the unix version we are not inside a fork?

[mrvn]

If dup, win_create_process or close releases the runtime lock or invokes the GC then another thread could run before the final close. If that thread then also calls create_process_aux the duplicated FDs will leak.

I'm assuming dup and close will be save here but win_create_process probably allocates something. So I agree with @bobot about the race condition. I think the dup should be moved into the win_create_process C stub and run with the runtime lock held. This would still race with non-ocaml threads forking at the same time but it's the best you can do.

[alainfrisch]

I'm assuming dup

I don't think so. Under Windows, handles are wrapped into head-allocated custom blocks, so dup can easily trigger the GC.

[alainfrisch]

@xavierleroy What about fd leaks when win_create_process (or dup) raises an exception?

[xavierleroy]

@alainfrisch : Here is an explanation of the change in create_process for Win32. I think it makes it work in cases where the previous implementation would misbehave, and I don't think it can break. Assume you call Unix.create_process with redirections to three new file descriptors fd1, fd2, fd3. Further assume that fd1, fd2, fd3 are close-on-exec, like they should be so that they won't be inherited by the new process.

• With the Unix implementation, fd1, fd2, fd3 are dup2-ed to the standard descriptors 0, 1, 2, the latter being (re-)set to keep-on-exec, so everything is fine.
• With the old Win32 implementation, the handles fd1, fd2, fd3 are passed "as is" to the new process, which uses them as stdin, stdout and stderr. Since the handles are close-on-exec, they are actually closed (invalid) in the new process! So the new process misbehaves.
• With the new Win32 implementation, fd1, fd2, fd3 are duplicated to inheritable handles (keep-on-exec), and the new process works as expected.

The reason why I don't think this change can break code that works today is that, in order for that code to work in Win32, the fds passed to create_process must be keep-on-exec. In this case, the new implementation behaves pretty much like the old one.

[bobot]

I propose to add to the creating process functions a way to specify which fd must be passed to the created process. Perhaps with the destination file descriptor, in the same way that perform_redirections does for standard file-descriptors : (file_descr * int) list.

However it seems that there is never enough provided after fork actions (resource limitation, user change, namespace) so perhaps it should go in external library (even Core/Async_extended create_process functions were not enough in my case)

[xavierleroy]

@bobot : yes, we (still) have a race condition. At this point I don't see how to avoid it based on the CreateProcess Win32 API, but I'll keep searching on StackOverflow...

[xavierleroy]

More info on CreateProcess, redirections and handle inheritance: https://blogs.msdn.microsoft.com/oldnewthing/20111216-00/?p=8873. It looks like there is a drastic solution where no handle is ever inherited, except those that become the new standard handles of the created process. This is very secure indeed but would cause problems with hypothetical applications that pass extra inherited handles through side channels (handle number as command-line parameter, for example).

[xavierleroy]

@mrvn @alainfrisch : yes, the current Win32 implementation is a proof-of-concept and I'll improve it along the lines you suggest. But a race condition will remain with concurrent CreateProcess calls made directly from C. Is this good enough or should we look into the more drastic solution mentioned in my previous comment?

[alainfrisch]

I'm not sure that the risk of breaking existing code with the more drastic solution is so high, esp. since our Unix module does not expose handle directly. To be on the safe side, this could always be controlled by a global switch, although this becomes more and more ugly. Ideally, there would be a way to emulate the strict mode on Unix and add an optional parameter to process-creation function to control it. But my understanding is that this is precisely what is difficult to achieve on Unix, right?

[mrvn]

I don't think this can ever be fully race free unless there is kernel support for actually atomically passing a specific set of FDs to the new process. Oh wait, there is since Vista.

@xavierleroy I would totaly go with the solution from the page you mentioned with an insecure fallback if the syscall isn't present. It was made for exactly this case after all.

[xavierleroy]

I know it's my time to move. Will try to improve createprocess, at least by moving the dup dance into the C code, so that it is more atomic and errors are handled better, and will move that we merge then.

[mshinwell]

The new Jane Street "shexp" package has a carefully-written implementation for spawning Unix processes that may (or may not) be of use for reference too. I think there may be a newer version available than the current version on Jane Street's github (please ask @diml if this is of interest).

[dra27]

I think this should be (Some(make_process_env env))