process.rs source code [crates/std/src/os/unix/process.rs]

1	//! Unix-specific extensions to primitives in the [`std::process`] module.
2	//!
3	//! [`std::process`]: crate::process
4
5	#![stable(feature = "rust1", since = "1.0.0")]
6
7	use cfg_if::cfg_if;
8
9	use crate::ffi::OsStr;
10	use crate::os::unix::io::{AsFd, AsRawFd, BorrowedFd, FromRawFd, IntoRawFd, OwnedFd, RawFd};
11	use crate::sealed::Sealed;
12	use crate::sys_common::{AsInner, AsInnerMut, FromInner, IntoInner};
13	use crate::{io, process, sys};
14
15	cfg_if! {
16	if #[cfg(any(target_os = "vxworks", target_os = "espidf", target_os = "horizon", target_os = "vita"))] {
17	type UserId = u16;
18	type GroupId = u16;
19	} else if #[cfg(target_os = "nto")] {
20	// Both IDs are signed, see `sys/target_nto.h` of the QNX Neutrino SDP.
21	// Only positive values should be used, see e.g.
22	// https://www.qnx.com/developers/docs/7.1/#com.qnx.doc.neutrino.lib_ref/topic/s/setuid.html
23	type UserId = i32;
24	type GroupId = i32;
25	} else {
26	type UserId = u32;
27	type GroupId = u32;
28	}
29	}
30
31	/// Unix-specific extensions to the [`process::Command`] builder.
32	///
33	/// This trait is sealed: it cannot be implemented outside the standard library.
34	/// This is so that future additional methods are not breaking changes.
35	#[stable(feature = "rust1", since = "1.0.0")]
36	pub trait CommandExt: Sealed {
37	/// Sets the child process's user ID. This translates to a
38	/// `setuid` call in the child process. Failure in the `setuid`
39	/// call will cause the spawn to fail.
40	///
41	/// # Notes
42	///
43	/// This will also trigger a call to `setgroups(0, NULL)` in the child
44	/// process if no groups have been specified.
45	/// This removes supplementary groups that might have given the child
46	/// unwanted permissions.
47	#[stable(feature = "rust1", since = "1.0.0")]
48	fn uid(&mut self, id: UserId) -> &mut process::Command;
49
50	/// Similar to `uid`, but sets the group ID of the child process. This has
51	/// the same semantics as the `uid` field.
52	#[stable(feature = "rust1", since = "1.0.0")]
53	fn gid(&mut self, id: GroupId) -> &mut process::Command;
54
55	/// Sets the supplementary group IDs for the calling process. Translates to
56	/// a `setgroups` call in the child process.
57	#[unstable(feature = "setgroups", issue = "90747")]
58	fn groups(&mut self, groups: &[GroupId]) -> &mut process::Command;
59
60	/// Schedules a closure to be run just before the `exec` function is
61	/// invoked.
62	///
63	/// The closure is allowed to return an I/O error whose OS error code will
64	/// be communicated back to the parent and returned as an error from when
65	/// the spawn was requested.
66	///
67	/// Multiple closures can be registered and they will be called in order of
68	/// their registration. If a closure returns `Err` then no further closures
69	/// will be called and the spawn operation will immediately return with a
70	/// failure.
71	///
72	/// # Notes and Safety
73	///
74	/// This closure will be run in the context of the child process after a
75	/// `fork`. This primarily means that any modifications made to memory on
76	/// behalf of this closure will not* be visible to the parent process.*
77	/// This is often a very constrained environment where normal operations
78	/// like `malloc`, accessing environment variables through [`std::env`]
79	/// or acquiring a mutex are not guaranteed to work (due to
80	/// other threads perhaps still running when the `fork` was run).
81	///
82	/// For further details refer to the [POSIX fork() specification]
83	/// and the equivalent documentation for any targeted
84	/// platform, especially the requirements around async-signal-safety.
85	///
86	/// This also means that all resources such as file descriptors and
87	/// memory-mapped regions got duplicated. It is your responsibility to make
88	/// sure that the closure does not violate library invariants by making
89	/// invalid use of these duplicates.
90	///
91	/// Panicking in the closure is safe only if all the format arguments for the
92	/// panic message can be safely formatted; this is because although
93	/// `Command` calls [`std::panic::always_abort`](crate::panic::always_abort)
94	/// before calling the pre_exec hook, panic will still try to format the
95	/// panic message.
96	///
97	/// When this closure is run, aspects such as the stdio file descriptors and
98	/// working directory have successfully been changed, so output to these
99	/// locations might not appear where intended.
100	///
101	/// [POSIX fork() specification]:
102	/// https://pubs.opengroup.org/onlinepubs/9699919799/functions/fork.html
103	/// [`std::env`]: mod@crate::env
104	#[stable(feature = "process_pre_exec", since = "1.34.0")]
105	unsafe fn pre_exec<F>(&mut self, f: F) -> &mut process::Command
106	where
107	F: FnMut() -> io::Result<()> + Send + Sync + 'static;
108
109	/// Schedules a closure to be run just before the `exec` function is
110	/// invoked.
111	///
112	/// `before_exec` used to be a safe method, but it needs to be unsafe since the closure may only
113	/// perform operations that are async-signal-safe. Hence it got deprecated in favor of the
114	/// unsafe [`pre_exec`]. Meanwhile, Rust gained the ability to make an existing safe method
115	/// fully unsafe in a new edition, which is how `before_exec` became `unsafe`. It still also
116	/// remains deprecated; `pre_exec` should be used instead.
117	///
118	/// [`pre_exec`]: CommandExt::pre_exec
119	#[stable(feature = "process_exec", since = "1.15.0")]
120	#[deprecated(since = "1.37.0", note = "should be unsafe, use `pre_exec` instead")]
121	#[rustc_deprecated_safe_2024(audit_that = "the closure is async-signal-safe")]
122	unsafe fn before_exec<F>(&mut self, f: F) -> &mut process::Command
123	where
124	F: FnMut() -> io::Result<()> + Send + Sync + 'static,
125	{
126	unsafe { self.pre_exec(f) }
127	}
128
129	/// Performs all the required setup by this `Command`, followed by calling
130	/// the `execvp` syscall.
131	///
132	/// On success this function will not return, and otherwise it will return
133	/// an error indicating why the exec (or another part of the setup of the
134	/// `Command`) failed.
135	///
136	/// `exec` not returning has the same implications as calling
137	/// [`process::exit`] – no destructors on the current stack or any other
138	/// thread’s stack will be run. Therefore, it is recommended to only call
139	/// `exec` at a point where it is fine to not run any destructors. Note,
140	/// that the `execvp` syscall independently guarantees that all memory is
141	/// freed and all file descriptors with the `CLOEXEC` option (set by default
142	/// on all file descriptors opened by the standard library) are closed.
143	///
144	/// This function, unlike `spawn`, will not* `fork` the process to create*
145	/// a new child. Like spawn, however, the default behavior for the stdio
146	/// descriptors will be to inherit them from the current process.
147	///
148	/// # Notes
149	///
150	/// The process may be in a "broken state" if this function returns in
151	/// error. For example the working directory, environment variables, signal
152	/// handling settings, various user/group information, or aspects of stdio
153	/// file descriptors may have changed. If a "transactional spawn" is
154	/// required to gracefully handle errors it is recommended to use the
155	/// cross-platform `spawn` instead.
156	#[stable(feature = "process_exec2", since = "1.9.0")]
157	#[must_use]
158	fn exec(&mut self) -> io::Error;
159
160	/// Set executable argument
161	///
162	/// Set the first process argument, `argv[0]`, to something other than the
163	/// default executable path.
164	#[stable(feature = "process_set_argv0", since = "1.45.0")]
165	fn arg0<S>(&mut self, arg: S) -> &mut process::Command
166	where
167	S: AsRef<OsStr>;
168
169	/// Sets the process group ID (PGID) of the child process. Equivalent to a
170	/// `setpgid` call in the child process, but may be more efficient.
171	///
172	/// Process groups determine which processes receive signals.
173	///
174	/// # Examples
175	///
176	/// Pressing Ctrl-C in a terminal will send SIGINT to all processes in
177	/// the current foreground process group. By spawning the `sleep`
178	/// subprocess in a new process group, it will not receive SIGINT from the
179	/// terminal.
180	///
181	/// The parent process could install a signal handler and manage the
182	/// subprocess on its own terms.
183	///
184	/// A process group ID of 0 will use the process ID as the PGID.
185	///
186	/// ```no_run
187	/// use std::process::Command;
188	/// use std::os::unix::process::CommandExt;
189	///
190	/// Command::new("sleep")
191	/// .arg("10")
192	/// .process_group(`0`)
193	/// .spawn()?
194	/// .wait()?;
195	/// #
196	/// # Ok::<_, Box<dyn std::error::Error>>(())
197	/// ```
198	#[stable(feature = "process_set_process_group", since = "1.64.0")]
199	fn process_group(&mut self, pgroup: i32) -> &mut process::Command;
200	}
201
202	#[stable(feature = "rust1", since = "1.0.0")]
203	impl CommandExt for process::Command {
204	fn uid(&mut self, id: UserId) -> &mut process::Command {
205	self.as_inner_mut().uid(id);
206	self
207	}
208
209	fn gid(&mut self, id: GroupId) -> &mut process::Command {
210	self.as_inner_mut().gid(id);
211	self
212	}
213
214	fn groups(&mut self, groups: &[GroupId]) -> &mut process::Command {
215	self.as_inner_mut().groups(groups);
216	self
217	}
218
219	unsafe fn pre_exec<F>(&mut self, f: F) -> &mut process::Command
220	where
221	F: FnMut() -> io::Result<()> + Send + Sync + 'static,
222	{
223	self.as_inner_mut().pre_exec(Box::new(f));
224	self
225	}
226
227	fn exec(&mut self) -> io::Error {
228	// NOTE: This may not* be safe to call after `libc::fork`, because it*
229	// may allocate. That may be worth fixing at some point in the future.
230	self.as_inner_mut().exec(sys::process::Stdio::Inherit)
231	}
232
233	fn arg0<S>(&mut self, arg: S) -> &mut process::Command
234	where
235	S: AsRef<OsStr>,
236	{
237	self.as_inner_mut().set_arg_0(arg.as_ref());
238	self
239	}
240
241	fn process_group(&mut self, pgroup: i32) -> &mut process::Command {
242	self.as_inner_mut().pgroup(pgroup);
243	self
244	}
245	}
246
247	/// Unix-specific extensions to [`process::ExitStatus`] and
248	/// [`ExitStatusError`](process::ExitStatusError).
249	///
250	/// On Unix, `ExitStatus` does not necessarily represent an exit status, as
251	/// passed to the `_exit` system call or returned by
252	/// [`ExitStatus::code()`](crate::process::ExitStatus::code). It represents any wait status
253	/// as returned by one of the `wait` family of system
254	/// calls.
255	///
256	/// A Unix wait status (a Rust `ExitStatus`) can represent a Unix exit status, but can also
257	/// represent other kinds of process event.
258	///
259	/// This trait is sealed: it cannot be implemented outside the standard library.
260	/// This is so that future additional methods are not breaking changes.
261	#[stable(feature = "rust1", since = "1.0.0")]
262	pub trait ExitStatusExt: Sealed {
263	/// Creates a new `ExitStatus` or `ExitStatusError` from the raw underlying integer status
264	/// value from `wait`
265	///
266	/// The value should be a wait status, not an exit status.
267	///
268	/// # Panics
269	///
270	/// Panics on an attempt to make an `ExitStatusError` from a wait status of `0`.
271	///
272	/// Making an `ExitStatus` always succeeds and never panics.
273	#[stable(feature = "exit_status_from", since = "1.12.0")]
274	fn from_raw(raw: i32) -> Self;
275
276	/// If the process was terminated by a signal, returns that signal.
277	///
278	/// In other words, if `WIFSIGNALED`, this returns `WTERMSIG`.
279	#[stable(feature = "rust1", since = "1.0.0")]
280	fn signal(&self) -> Option<i32>;
281
282	/// If the process was terminated by a signal, says whether it dumped core.
283	#[stable(feature = "unix_process_wait_more", since = "1.58.0")]
284	fn core_dumped(&self) -> bool;
285
286	/// If the process was stopped by a signal, returns that signal.
287	///
288	/// In other words, if `WIFSTOPPED`, this returns `WSTOPSIG`. This is only possible if the status came from
289	/// a `wait` system call which was passed `WUNTRACED`, and was then converted into an `ExitStatus`.
290	#[stable(feature = "unix_process_wait_more", since = "1.58.0")]
291	fn stopped_signal(&self) -> Option<i32>;
292
293	/// Whether the process was continued from a stopped status.
294	///
295	/// Ie, `WIFCONTINUED`. This is only possible if the status came from a `wait` system call
296	/// which was passed `WCONTINUED`, and was then converted into an `ExitStatus`.
297	#[stable(feature = "unix_process_wait_more", since = "1.58.0")]
298	fn continued(&self) -> bool;
299
300	/// Returns the underlying raw `wait` status.
301	///
302	/// The returned integer is a wait status, not an exit status.
303	#[stable(feature = "unix_process_wait_more", since = "1.58.0")]
304	fn into_raw(self) -> i32;
305	}
306
307	#[stable(feature = "rust1", since = "1.0.0")]
308	impl ExitStatusExt for process::ExitStatus {
309	fn from_raw(raw: i32) -> Self {
310	process::ExitStatus::from_inner(From::from(raw))
311	}
312
313	fn signal(&self) -> Option<i32> {
314	self.as_inner().signal()
315	}
316
317	fn core_dumped(&self) -> bool {
318	self.as_inner().core_dumped()
319	}
320
321	fn stopped_signal(&self) -> Option<i32> {
322	self.as_inner().stopped_signal()
323	}
324
325	fn continued(&self) -> bool {
326	self.as_inner().continued()
327	}
328
329	fn into_raw(self) -> i32 {
330	self.as_inner().into_raw().into()
331	}
332	}
333
334	#[unstable(feature = "exit_status_error", issue = "84908")]
335	impl ExitStatusExt for process::ExitStatusError {
336	fn from_raw(raw: i32) -> Self {
337	process::ExitStatus::from_raw(raw)
338	.exit_ok()
339	.expect_err("<ExitStatusError as ExitStatusExt>::from_raw(0) but zero is not an error")
340	}
341
342	fn signal(&self) -> Option<i32> {
343	self.into_status().signal()
344	}
345
346	fn core_dumped(&self) -> bool {
347	self.into_status().core_dumped()
348	}
349
350	fn stopped_signal(&self) -> Option<i32> {
351	self.into_status().stopped_signal()
352	}
353
354	fn continued(&self) -> bool {
355	self.into_status().continued()
356	}
357
358	fn into_raw(self) -> i32 {
359	self.into_status().into_raw()
360	}
361	}
362
363	#[stable(feature = "process_extensions", since = "1.2.0")]
364	impl FromRawFd for process::Stdio {
365	#[inline]
366	unsafe fn from_raw_fd(fd: RawFd) -> process::Stdio {
367	let fd: FileDesc = sys::fd::FileDesc::from_raw_fd(fd);
368	let io: Stdio = sys::process::Stdio::Fd(fd);
369	process::Stdio::from_inner(io)
370	}
371	}
372
373	#[stable(feature = "io_safety", since = "1.63.0")]
374	impl From<OwnedFd> for process::Stdio {
375	/// Takes ownership of a file descriptor and returns a [`Stdio`](process::Stdio)
376	/// that can attach a stream to it.
377	#[inline]
378	fn from(fd: OwnedFd) -> process::Stdio {
379	let fd: FileDesc = sys::fd::FileDesc::from_inner(fd);
380	let io: Stdio = sys::process::Stdio::Fd(fd);
381	process::Stdio::from_inner(io)
382	}
383	}
384
385	#[stable(feature = "process_extensions", since = "1.2.0")]
386	impl AsRawFd for process::ChildStdin {
387	#[inline]
388	fn as_raw_fd(&self) -> RawFd {
389	self.as_inner().as_raw_fd()
390	}
391	}
392
393	#[stable(feature = "process_extensions", since = "1.2.0")]
394	impl AsRawFd for process::ChildStdout {
395	#[inline]
396	fn as_raw_fd(&self) -> RawFd {
397	self.as_inner().as_raw_fd()
398	}
399	}
400
401	#[stable(feature = "process_extensions", since = "1.2.0")]
402	impl AsRawFd for process::ChildStderr {
403	#[inline]
404	fn as_raw_fd(&self) -> RawFd {
405	self.as_inner().as_raw_fd()
406	}
407	}
408
409	#[stable(feature = "into_raw_os", since = "1.4.0")]
410	impl IntoRawFd for process::ChildStdin {
411	#[inline]
412	fn into_raw_fd(self) -> RawFd {
413	self.into_inner().into_inner().into_raw_fd()
414	}
415	}
416
417	#[stable(feature = "into_raw_os", since = "1.4.0")]
418	impl IntoRawFd for process::ChildStdout {
419	#[inline]
420	fn into_raw_fd(self) -> RawFd {
421	self.into_inner().into_inner().into_raw_fd()
422	}
423	}
424
425	#[stable(feature = "into_raw_os", since = "1.4.0")]
426	impl IntoRawFd for process::ChildStderr {
427	#[inline]
428	fn into_raw_fd(self) -> RawFd {
429	self.into_inner().into_inner().into_raw_fd()
430	}
431	}
432
433	#[stable(feature = "io_safety", since = "1.63.0")]
434	impl AsFd for crate::process::ChildStdin {
435	#[inline]
436	fn as_fd(&self) -> BorrowedFd<'_> {
437	self.as_inner().as_fd()
438	}
439	}
440
441	#[stable(feature = "io_safety", since = "1.63.0")]
442	impl From<crate::process::ChildStdin> for OwnedFd {
443	/// Takes ownership of a [`ChildStdin`](crate::process::ChildStdin)'s file descriptor.
444	#[inline]
445	fn from(child_stdin: crate::process::ChildStdin) -> OwnedFd {
446	child_stdin.into_inner().into_inner().into_inner()
447	}
448	}
449
450	/// Creates a `ChildStdin` from the provided `OwnedFd`.
451	///
452	/// The provided file descriptor must point to a pipe
453	/// with the `CLOEXEC` flag set.
454	#[stable(feature = "child_stream_from_fd", since = "1.74.0")]
455	impl From<OwnedFd> for process::ChildStdin {
456	#[inline]
457	fn from(fd: OwnedFd) -> process::ChildStdin {
458	let fd: FileDesc = sys::fd::FileDesc::from_inner(fd);
459	let pipe: AnonPipe = sys::pipe::AnonPipe::from_inner(fd);
460	process::ChildStdin::from_inner(pipe)
461	}
462	}
463
464	#[stable(feature = "io_safety", since = "1.63.0")]
465	impl AsFd for crate::process::ChildStdout {
466	#[inline]
467	fn as_fd(&self) -> BorrowedFd<'_> {
468	self.as_inner().as_fd()
469	}
470	}
471
472	#[stable(feature = "io_safety", since = "1.63.0")]
473	impl From<crate::process::ChildStdout> for OwnedFd {
474	/// Takes ownership of a [`ChildStdout`](crate::process::ChildStdout)'s file descriptor.
475	#[inline]
476	fn from(child_stdout: crate::process::ChildStdout) -> OwnedFd {
477	child_stdout.into_inner().into_inner().into_inner()
478	}
479	}
480
481	/// Creates a `ChildStdout` from the provided `OwnedFd`.
482	///
483	/// The provided file descriptor must point to a pipe
484	/// with the `CLOEXEC` flag set.
485	#[stable(feature = "child_stream_from_fd", since = "1.74.0")]
486	impl From<OwnedFd> for process::ChildStdout {
487	#[inline]
488	fn from(fd: OwnedFd) -> process::ChildStdout {
489	let fd: FileDesc = sys::fd::FileDesc::from_inner(fd);
490	let pipe: AnonPipe = sys::pipe::AnonPipe::from_inner(fd);
491	process::ChildStdout::from_inner(pipe)
492	}
493	}
494
495	#[stable(feature = "io_safety", since = "1.63.0")]
496	impl AsFd for crate::process::ChildStderr {
497	#[inline]
498	fn as_fd(&self) -> BorrowedFd<'_> {
499	self.as_inner().as_fd()
500	}
501	}
502
503	#[stable(feature = "io_safety", since = "1.63.0")]
504	impl From<crate::process::ChildStderr> for OwnedFd {
505	/// Takes ownership of a [`ChildStderr`](crate::process::ChildStderr)'s file descriptor.
506	#[inline]
507	fn from(child_stderr: crate::process::ChildStderr) -> OwnedFd {
508	child_stderr.into_inner().into_inner().into_inner()
509	}
510	}
511
512	/// Creates a `ChildStderr` from the provided `OwnedFd`.
513	///
514	/// The provided file descriptor must point to a pipe
515	/// with the `CLOEXEC` flag set.
516	#[stable(feature = "child_stream_from_fd", since = "1.74.0")]
517	impl From<OwnedFd> for process::ChildStderr {
518	#[inline]
519	fn from(fd: OwnedFd) -> process::ChildStderr {
520	let fd: FileDesc = sys::fd::FileDesc::from_inner(fd);
521	let pipe: AnonPipe = sys::pipe::AnonPipe::from_inner(fd);
522	process::ChildStderr::from_inner(pipe)
523	}
524	}
525
526	/// Returns the OS-assigned process identifier associated with this process's parent.
527	#[must_use]
528	#[stable(feature = "unix_ppid", since = "1.27.0")]
529	pub fn parent_id() -> u32 {
530	crate::sys::os::getppid()
531	}
532