防止子进程继承父进程';s使用boost进程库打开TCP端口 我有一个C++应用程序在特定的TCP端口上侦听。应用程序还使用Boost进程库中的Boost子类启动子进程。一旦启动子进程,netstat命令的输出就会显示TCP端口也与所创建的子进程相关联。 在使用boost进程库时,有没有一种方法可以防止子进程继承父进程的端口?子项被创建为:
防止子进程继承父进程';s使用boost进程库打开TCP端口 我有一个C++应用程序在特定的TCP端口上侦听。应用程序还使用Boost进程库中的Boost子类启动子进程。一旦启动子进程,netstat命令的输出就会显示TCP端口也与所创建的子进程相关联。 在使用boost进程库时,有没有一种方法可以防止子进程继承父进程的端口?子项被创建为:,boost,tcp,fork,child-process,boost-process,Boost,Tcp,Fork,Child Process,Boost Process,bp::child*proc=newbp::child(“a.out”,bp::std\u out>stdout,bp::std\u err>stderr); 我正在使用Linux平台。谢谢。目前没有办法 我尝试了一个补丁来添加它,但是我遇到了一些问题,测试的时间不够了。我可以分享补丁,但你要自己测试 注意,下面的所有内容都假设POSIX系统 简单的拍摄#1 最简单的方法是关闭所有非标准FD,没有例外: struct close_fds : bp::extend::handler {
bp::child*proc=newbp::child(“a.out”,bp::std\u out>stdout,bp::std\u err>stderr);
我正在使用Linux平台。谢谢。目前没有办法 我尝试了一个补丁来添加它,但是我遇到了一些问题,测试的时间不够了。我可以分享补丁,但你要自己测试 注意,下面的所有内容都假设POSIX系统 简单的拍摄#1 最简单的方法是关闭所有非标准FD,没有例外:
struct close_fds : bp::extend::handler {
template <typename Executor>
void on_exec_setup(Executor& /*ex*/) {
// TODO implemented smarter - below meddles with the library internals
int maxfd=sysconf(_SC_OPEN_MAX);
for(int fd=3; fd<maxfd; fd++) {
::close(fd);
}
}
};
这行不通
首先,在Boost流程内部(例如,错误处理/报告)有用于内部通信的强制父子管道。我们没有考虑到这一点,也无法预测所涉及的fd
价值,因此让我们转向更复杂的想法:
更复杂的设置
更智能的设置将考虑增压过程中涉及的任何FD。这包括管道(如上所述)和可能是由其他进程启动参数指定的重定向结果的任何其他FD
这是我准备好的补丁
同样,这是未经测试的。补丁,但我“最近”(4月)移植了它以提高1.66
用法与上面的类似:
bp::child x(..., bp::posix::fd.restrict_inherit()); };
请注意,它允许与其他(自定义)扩展协调以收集应该继承的FD
From 45c46a3d9ed42278af97e6ca11474bfbddf3ffb4 Mon Sep 17 00:00:00 2001
From: Seth Heeren <heeren@tracksinspector.com>
Date: Tue, 10 Apr 2018 02:48:27 +0200
Subject: [PATCH] fd_restrict prototype
---
boost/process/detail/posix/executor.hpp | 16 ++-
boost/process/detail/posix/fd.hpp | 8 ++
boost/process/detail/posix/fd_restrict.hpp | 154 +++++++++++++++++++++++++
boost/process/detail/posix/file_descriptor.hpp | 7 ++
4 files changed, 181 insertions(+), 4 deletions(-)
create mode 100644 boost/process/detail/posix/fd_restrict.hpp
diff --git a/boost/process/detail/posix/executor.hpp b/boost/process/detail/posix/executor.hpp
index b3781f2..0a7c446 100644
--- a/boost/process/detail/posix/executor.hpp
+++ b/boost/process/detail/posix/executor.hpp
@@ -15,6 +15,7 @@
#include <boost/process/pipe.hpp>
#include <boost/process/detail/posix/basic_pipe.hpp>
#include <boost/process/detail/posix/use_vfork.hpp>
+#include <boost/process/detail/posix/file_descriptor.hpp>
#include <boost/fusion/algorithm/iteration/for_each.hpp>
#include <cstdlib>
#include <sys/types.h>
@@ -45,7 +46,7 @@ inline int execvpe(const char* filename, char * const arg_list[], char* env[])
if (e != nullptr)
{
- std::vector<std::string> path;
+ std::vector<std::string> path;
boost::split(path, *e, boost::is_any_of(":"));
for (const std::string & pp : path)
@@ -157,13 +158,13 @@ struct on_fork_success_t
};
template<typename Executor> on_setup_t <Executor> call_on_setup (Executor & exec) {return exec;}
-template<typename Executor> on_error_t <Executor> call_on_error (Executor & exec, const std::error_code & ec)
+template<typename Executor> on_error_t <Executor> call_on_error (Executor & exec, const std::error_code & ec)
{
return on_error_t<Executor> (exec, ec);
}
template<typename Executor> on_success_t<Executor> call_on_success(Executor & exec) {return exec;}
-template<typename Executor> on_fork_error_t <Executor> call_on_fork_error (Executor & exec, const std::error_code & ec)
+template<typename Executor> on_fork_error_t <Executor> call_on_fork_error (Executor & exec, const std::error_code & ec)
{
return on_fork_error_t<Executor> (exec, ec);
}
@@ -330,6 +331,12 @@ public:
}
void set_error(const std::error_code &ec, const std::string &msg) {set_error(ec, msg.c_str());};
+ // customization point for fd_restrict
+ template <typename OutputIterator>
+ friend void collect_filedescriptors(executor const& me, OutputIterator& outit) {
+ // always protect the write end of the parent/child pipe
+ *outit++ = me._pipe_sink;
+ }
};
template<typename Sequence>
@@ -380,6 +387,7 @@ child executor<Sequence>::invoke(boost::mpl::false_, boost::mpl::false_)
return child();
}
_ec.clear();
+ _pipe_sink = p[1];
boost::fusion::for_each(seq, call_on_setup(*this));
if (_ec)
@@ -391,6 +399,7 @@ child executor<Sequence>::invoke(boost::mpl::false_, boost::mpl::false_)
this->pid = ::fork();
if (pid == -1)
{
+ _pipe_sink = -1;
_ec = boost::process::detail::get_last_error();
_msg = "fork() failed";
boost::fusion::for_each(seq, call_on_fork_error(*this, _ec));
@@ -400,7 +409,6 @@ child executor<Sequence>::invoke(boost::mpl::false_, boost::mpl::false_)
}
else if (pid == 0)
{
- _pipe_sink = p[1];
::close(p[0]);
boost::fusion::for_each(seq, call_on_exec_setup(*this));
diff --git a/boost/process/detail/posix/fd.hpp b/boost/process/detail/posix/fd.hpp
index 51790c3..f759d9e 100644
--- a/boost/process/detail/posix/fd.hpp
+++ b/boost/process/detail/posix/fd.hpp
@@ -11,6 +11,7 @@
#define BOOST_PROCESS_DETAIL_POSIX_FD_HPP
#include <boost/process/detail/posix/handler.hpp>
+#include <boost/process/detail/posix/fd_restrict.hpp>
#include <unistd.h>
namespace boost { namespace process { namespace detail { namespace posix {
@@ -68,6 +69,12 @@ public:
}
private:
+ // customization point for fd_restrict
+ template <typename OutputIterator>
+ friend void collect_filedescriptors(bind_fd_ const& bind_fd, OutputIterator& outit) {
+ *outit++ = bind_fd.id_;
+ }
+
int id_;
FileDescriptor fd_;
};
@@ -84,6 +91,7 @@ struct fd_
template <class FileDescriptor>
bind_fd_<FileDescriptor> bind(int id, const FileDescriptor & fd) const {return {id, fd};}
+ fd_restrict::property_<> restrict_inherit(size_t capacity = 128) const {return {capacity};}
};
diff --git a/boost/process/detail/posix/fd_restrict.hpp b/boost/process/detail/posix/fd_restrict.hpp
new file mode 100644
index 0000000..71c6c7d
--- /dev/null
+++ b/boost/process/detail/posix/fd_restrict.hpp
@@ -0,0 +1,154 @@
+// Copyright (c) 2017 Seth Heeren
+//
+// Distributed under the Boost Software License, Version 1.0. (See accompanying
+// file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
+
+#ifndef BOOST_PROCESS_DETAIL_POSIX_FD_RESTRICT_HPP
+#define BOOST_PROCESS_DETAIL_POSIX_FD_RESTRICT_HPP
+
+#include <boost/process/detail/posix/handler.hpp>
+#include <unistd.h>
+
+namespace boost { namespace process { namespace detail { namespace posix { namespace fd_restrict {
+ // customization point for (custom) properties that need to protect fds
+ template <typename Property, typename OutputIterator>
+ void collect_filedescriptors(Property const& /*property*/, OutputIterator& /*outit*/) {
+ // primary template
+ }
+
+ // polymorphic function object for ADL dispatch
+ template <typename OutputIterator>
+ struct collect_fd_f {
+ OutputIterator mutable _outit;
+
+ template <typename Property>
+ void operator()(Property const& property) const {
+ using boost::process::detail::posix::fd_restrict::collect_filedescriptors; // ADL desired
+ collect_filedescriptors(property, _outit);
+ }
+ };
+
+ // launch property
+ template <typename=void>
+ struct property_ : handler_base_ext
+ {
+ public:
+ property_(size_t capacity) {
+ // reserve to avoid allocations between fork/exec which may
+ // deadlock with threads
+ _protected_fds.reserve(capacity);
+ }
+
+ template <class PosixExecutor>
+ void on_exec_setup(PosixExecutor& exec) const
+ {
+ _protected_fds.resize(0);
+ auto outit = back_inserter(_protected_fds);
+ collect_fd_f<decltype(outit)> visit{outit};
+
+ visit(exec);
+ boost::fusion::for_each(exec.seq, visit);
+
+ auto begin = _protected_fds.begin(), end = _protected_fds.end();
+ std::sort(begin, end);
+
+ for(int fd=0, maxfd=sysconf(_SC_OPEN_MAX); fd<maxfd; ++fd) {
+ if (!std::binary_search(begin, end, fd))
+ ::close(fd);
+ }
+ }
+
+ private:
+ std::vector<int> mutable _protected_fds;
+ };
+
+}}}}}
+
+/*
+ * Non-intrusive instrumentation of existing POSIX properties that require filedescriptors
+ *
+ * All of these could be done with an inline `friend` definition, like above.
+ *
+ * For now I prefer to keep them separate so that
+ *
+ * - upstream changes merge cleanly
+ * - interface changes in fd_restrict can more easily be applied consistently in 1 file
+ *
+ * Only bind_fd_ and filedescriptor need friend access, so cannot usefully be kept separate.
+ */
+
+#include <boost/process/detail/posix/async_in.hpp>
+#include <boost/process/detail/posix/async_out.hpp>
+#include <boost/process/detail/posix/null_in.hpp>
+#include <boost/process/detail/posix/null_out.hpp>
+#include <boost/process/detail/posix/file_in.hpp>
+#include <boost/process/detail/posix/file_out.hpp>
+#include <boost/process/detail/posix/pipe_in.hpp>
+#include <boost/process/detail/posix/pipe_out.hpp>
+
+namespace boost { namespace process { namespace detail { namespace posix {
+
+template<typename... Ts, typename OutputIterator>
+void collect_filedescriptors(async_in_buffer<Ts...> const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<int p1, int p2, typename... Ts, typename OutputIterator>
+void collect_filedescriptors(async_out_buffer<p1, p2, Ts...> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<int p1, int p2, typename... Ts, typename OutputIterator>
+void collect_filedescriptors(async_out_future<p1, p2, Ts...> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<typename OutputIterator>
+void collect_filedescriptors(file_in const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<int p1, int p2, typename OutputIterator>
+void collect_filedescriptors(file_out<p1, p2> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<typename OutputIterator>
+void collect_filedescriptors(null_in const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<int p1, int p2, typename OutputIterator>
+void collect_filedescriptors(null_out<p1, p2> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<typename OutputIterator>
+void collect_filedescriptors(pipe_in const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<typename OutputIterator>
+void collect_filedescriptors(async_pipe_in const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<int p1, int p2, typename OutputIterator>
+void collect_filedescriptors(pipe_out<p1, p2> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<int p1, int p2, typename OutputIterator>
+void collect_filedescriptors(async_pipe_out<p1, p2> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+}}}}
+
+#endif
diff --git a/boost/process/detail/posix/file_descriptor.hpp b/boost/process/detail/posix/file_descriptor.hpp
index 0dcb99c..0cfcfd1 100644
--- a/boost/process/detail/posix/file_descriptor.hpp
+++ b/boost/process/detail/posix/file_descriptor.hpp
@@ -53,6 +53,13 @@ struct file_descriptor
int handle() const { return _handle;}
private:
+ // customization point for fd_restrict
+ template <typename OutputIterator>
+ friend void collect_filedescriptors(file_descriptor const& property_, OutputIterator& outit) {
+ if (-1 != property_._handle)
+ *outit++ = property_._handle;
+ }
+
static int create_file(const char* name, mode_t mode )
{
switch(mode)
--
2.16.2
自45c46a3d9ed42278af97e6ca11474bfbddf3ffb4周一2001年9月17日00:00:00
发件人:塞思·希伦
日期:2018年4月10日星期二02:48:27+0200
主题:[补丁]fd_限制原型
---
boost/process/detail/posix/executor.hpp | 16++-
boost/process/detail/posix/fd.hpp | 8++
boost/process/detail/posix/fd|u restrict.hpp|154+++++++++++++++++++++++++
boost/process/detail/posix/file_descriptor.hpp|7++
4个文件已更改,181个插入(+),4个删除(-)
创建模式100644 boost/process/detail/posix/fd_restrict.hpp
diff——git a/boost/process/detail/posix/executor.hpp b/boost/process/detail/posix/executor.hpp
索引b3781f2..0a7c446 100644
---a/boost/process/detail/posix/executor.hpp
+++b/boost/process/detail/posix/executor.hpp
@@ -15,6 +15,7 @@
#包括
#包括
#包括
+#包括
#包括
#包括
#包括
@@-45,7+46,7@@inline int-execvpe(常量字符*文件名,字符*常量参数列表[],字符*环境[])
如果(e!=nullptr)
{
-向量路径;
+向量路径;
boost::split(路径,*e,boost::是(“:”)中的任意一个);
for(const std::string&pp:path)
@@-157,13+158,13@@struct on\u fork\u success\t
};
设置上的模板\u t调用\u设置上的模板(Executor&exec){return exec;}
-模板错误调用错误(执行器和执行器、常量标准::错误代码和ec)
+模板错误调用错误(执行器和执行器、常量标准::错误代码和ec)
{
错误返回(执行,ec);
}
成功上的模板调用成功上的模板(Executor&exec){return exec;}
-fork上的模板错误调用fork错误(Executor&exec,const std::error\u code&ec)
+fork上的模板错误调用fork错误(Executor&exec,const std::error\u code&ec)
{
错误返回(exec、ec);
}
@@-330,6+331,12@@public:
}
void set_error(const std::error_code&ec,const std::string&msg){set_error(ec,msg.c_str());};
+//fd_限制的自定义点
+模板
+friend void collect_文件描述符(执行器const&me、输出器&outit){
+//始终保护父/子管道的写入端
+*outit++=me.\u管道\u水槽;
+ }
};
模板
@@-380,6+387,7@@child executor::invoke(boost::mpl::false,boost::mpl::false)
返回子对象();
}
_ec.clear();
+_管道_水槽=p[1];
boost::fusion::for_each(seq,调用_on_setup(*this));
如果(_ec)
@@-391,6+399,7@@child executor::invoke(boost::mpl::false,boost::mpl::false)
this->pid=::fork();
如果(pid==-1)
{
+_管道_水槽=-1;
_ec=boost::process::detail::get_last_error();
_msg=“fork()失败”;
boost::fusion::for_each(seq,调用_on_fork_error(*this,_ec));
@@-400,7+409,6@@child executor::invoke(boost::mpl::false,boost::mpl::false)
}
否则如果(pid==0)
{
-_管道_水槽=p[1];
::关闭(p[0]);
boost::fusion::for_each(seq,在_exec_setup(*this))上调用_;
diff——git a/boost/process/detail/posix/fd.hpp b/boost/process/detail/posix/fd.hpp
索引51790c3..f759d9e 100644
---a/boost/process/detail/posix/fd.hpp
+++b/boost/process/detail/posix/fd.hpp
@@ -11,6 +11,7 @@
#定义增压\u过程\u细节\u位置\u FD\u水电站
#包括
+#包括
#包括
命名空间提升{命名空间进程{命名空间详细信息{命名空间posix{
@@-68,6+69,12@@public:
}
私人:
+//fd_限制的自定义点
+模板
+friend void collect_文件描述符(bind_fd_const&bind_fd,OutputIterator&outit){
+*outit++=bind\u fd.id\u0;
+ }
+
int-id_2;;
文件描述符fd;
};
@@-84,6+91,7@@struct fd_
模板
bind_fd_bind(int-id,const-FileDescriptor&fd)const{return{id,fd};}
+fd_restrict::property_restrict_inherit(size_t capacity=128)const{return{capacity};}
};
diff——git a/boost/process/detail/posix/fd_restrict.hpp b/boost/process/detail/posix/fd_restrict.hpp
新文件模式100644
inde
From 45c46a3d9ed42278af97e6ca11474bfbddf3ffb4 Mon Sep 17 00:00:00 2001
From: Seth Heeren <heeren@tracksinspector.com>
Date: Tue, 10 Apr 2018 02:48:27 +0200
Subject: [PATCH] fd_restrict prototype
---
boost/process/detail/posix/executor.hpp | 16 ++-
boost/process/detail/posix/fd.hpp | 8 ++
boost/process/detail/posix/fd_restrict.hpp | 154 +++++++++++++++++++++++++
boost/process/detail/posix/file_descriptor.hpp | 7 ++
4 files changed, 181 insertions(+), 4 deletions(-)
create mode 100644 boost/process/detail/posix/fd_restrict.hpp
diff --git a/boost/process/detail/posix/executor.hpp b/boost/process/detail/posix/executor.hpp
index b3781f2..0a7c446 100644
--- a/boost/process/detail/posix/executor.hpp
+++ b/boost/process/detail/posix/executor.hpp
@@ -15,6 +15,7 @@
#include <boost/process/pipe.hpp>
#include <boost/process/detail/posix/basic_pipe.hpp>
#include <boost/process/detail/posix/use_vfork.hpp>
+#include <boost/process/detail/posix/file_descriptor.hpp>
#include <boost/fusion/algorithm/iteration/for_each.hpp>
#include <cstdlib>
#include <sys/types.h>
@@ -45,7 +46,7 @@ inline int execvpe(const char* filename, char * const arg_list[], char* env[])
if (e != nullptr)
{
- std::vector<std::string> path;
+ std::vector<std::string> path;
boost::split(path, *e, boost::is_any_of(":"));
for (const std::string & pp : path)
@@ -157,13 +158,13 @@ struct on_fork_success_t
};
template<typename Executor> on_setup_t <Executor> call_on_setup (Executor & exec) {return exec;}
-template<typename Executor> on_error_t <Executor> call_on_error (Executor & exec, const std::error_code & ec)
+template<typename Executor> on_error_t <Executor> call_on_error (Executor & exec, const std::error_code & ec)
{
return on_error_t<Executor> (exec, ec);
}
template<typename Executor> on_success_t<Executor> call_on_success(Executor & exec) {return exec;}
-template<typename Executor> on_fork_error_t <Executor> call_on_fork_error (Executor & exec, const std::error_code & ec)
+template<typename Executor> on_fork_error_t <Executor> call_on_fork_error (Executor & exec, const std::error_code & ec)
{
return on_fork_error_t<Executor> (exec, ec);
}
@@ -330,6 +331,12 @@ public:
}
void set_error(const std::error_code &ec, const std::string &msg) {set_error(ec, msg.c_str());};
+ // customization point for fd_restrict
+ template <typename OutputIterator>
+ friend void collect_filedescriptors(executor const& me, OutputIterator& outit) {
+ // always protect the write end of the parent/child pipe
+ *outit++ = me._pipe_sink;
+ }
};
template<typename Sequence>
@@ -380,6 +387,7 @@ child executor<Sequence>::invoke(boost::mpl::false_, boost::mpl::false_)
return child();
}
_ec.clear();
+ _pipe_sink = p[1];
boost::fusion::for_each(seq, call_on_setup(*this));
if (_ec)
@@ -391,6 +399,7 @@ child executor<Sequence>::invoke(boost::mpl::false_, boost::mpl::false_)
this->pid = ::fork();
if (pid == -1)
{
+ _pipe_sink = -1;
_ec = boost::process::detail::get_last_error();
_msg = "fork() failed";
boost::fusion::for_each(seq, call_on_fork_error(*this, _ec));
@@ -400,7 +409,6 @@ child executor<Sequence>::invoke(boost::mpl::false_, boost::mpl::false_)
}
else if (pid == 0)
{
- _pipe_sink = p[1];
::close(p[0]);
boost::fusion::for_each(seq, call_on_exec_setup(*this));
diff --git a/boost/process/detail/posix/fd.hpp b/boost/process/detail/posix/fd.hpp
index 51790c3..f759d9e 100644
--- a/boost/process/detail/posix/fd.hpp
+++ b/boost/process/detail/posix/fd.hpp
@@ -11,6 +11,7 @@
#define BOOST_PROCESS_DETAIL_POSIX_FD_HPP
#include <boost/process/detail/posix/handler.hpp>
+#include <boost/process/detail/posix/fd_restrict.hpp>
#include <unistd.h>
namespace boost { namespace process { namespace detail { namespace posix {
@@ -68,6 +69,12 @@ public:
}
private:
+ // customization point for fd_restrict
+ template <typename OutputIterator>
+ friend void collect_filedescriptors(bind_fd_ const& bind_fd, OutputIterator& outit) {
+ *outit++ = bind_fd.id_;
+ }
+
int id_;
FileDescriptor fd_;
};
@@ -84,6 +91,7 @@ struct fd_
template <class FileDescriptor>
bind_fd_<FileDescriptor> bind(int id, const FileDescriptor & fd) const {return {id, fd};}
+ fd_restrict::property_<> restrict_inherit(size_t capacity = 128) const {return {capacity};}
};
diff --git a/boost/process/detail/posix/fd_restrict.hpp b/boost/process/detail/posix/fd_restrict.hpp
new file mode 100644
index 0000000..71c6c7d
--- /dev/null
+++ b/boost/process/detail/posix/fd_restrict.hpp
@@ -0,0 +1,154 @@
+// Copyright (c) 2017 Seth Heeren
+//
+// Distributed under the Boost Software License, Version 1.0. (See accompanying
+// file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
+
+#ifndef BOOST_PROCESS_DETAIL_POSIX_FD_RESTRICT_HPP
+#define BOOST_PROCESS_DETAIL_POSIX_FD_RESTRICT_HPP
+
+#include <boost/process/detail/posix/handler.hpp>
+#include <unistd.h>
+
+namespace boost { namespace process { namespace detail { namespace posix { namespace fd_restrict {
+ // customization point for (custom) properties that need to protect fds
+ template <typename Property, typename OutputIterator>
+ void collect_filedescriptors(Property const& /*property*/, OutputIterator& /*outit*/) {
+ // primary template
+ }
+
+ // polymorphic function object for ADL dispatch
+ template <typename OutputIterator>
+ struct collect_fd_f {
+ OutputIterator mutable _outit;
+
+ template <typename Property>
+ void operator()(Property const& property) const {
+ using boost::process::detail::posix::fd_restrict::collect_filedescriptors; // ADL desired
+ collect_filedescriptors(property, _outit);
+ }
+ };
+
+ // launch property
+ template <typename=void>
+ struct property_ : handler_base_ext
+ {
+ public:
+ property_(size_t capacity) {
+ // reserve to avoid allocations between fork/exec which may
+ // deadlock with threads
+ _protected_fds.reserve(capacity);
+ }
+
+ template <class PosixExecutor>
+ void on_exec_setup(PosixExecutor& exec) const
+ {
+ _protected_fds.resize(0);
+ auto outit = back_inserter(_protected_fds);
+ collect_fd_f<decltype(outit)> visit{outit};
+
+ visit(exec);
+ boost::fusion::for_each(exec.seq, visit);
+
+ auto begin = _protected_fds.begin(), end = _protected_fds.end();
+ std::sort(begin, end);
+
+ for(int fd=0, maxfd=sysconf(_SC_OPEN_MAX); fd<maxfd; ++fd) {
+ if (!std::binary_search(begin, end, fd))
+ ::close(fd);
+ }
+ }
+
+ private:
+ std::vector<int> mutable _protected_fds;
+ };
+
+}}}}}
+
+/*
+ * Non-intrusive instrumentation of existing POSIX properties that require filedescriptors
+ *
+ * All of these could be done with an inline `friend` definition, like above.
+ *
+ * For now I prefer to keep them separate so that
+ *
+ * - upstream changes merge cleanly
+ * - interface changes in fd_restrict can more easily be applied consistently in 1 file
+ *
+ * Only bind_fd_ and filedescriptor need friend access, so cannot usefully be kept separate.
+ */
+
+#include <boost/process/detail/posix/async_in.hpp>
+#include <boost/process/detail/posix/async_out.hpp>
+#include <boost/process/detail/posix/null_in.hpp>
+#include <boost/process/detail/posix/null_out.hpp>
+#include <boost/process/detail/posix/file_in.hpp>
+#include <boost/process/detail/posix/file_out.hpp>
+#include <boost/process/detail/posix/pipe_in.hpp>
+#include <boost/process/detail/posix/pipe_out.hpp>
+
+namespace boost { namespace process { namespace detail { namespace posix {
+
+template<typename... Ts, typename OutputIterator>
+void collect_filedescriptors(async_in_buffer<Ts...> const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<int p1, int p2, typename... Ts, typename OutputIterator>
+void collect_filedescriptors(async_out_buffer<p1, p2, Ts...> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<int p1, int p2, typename... Ts, typename OutputIterator>
+void collect_filedescriptors(async_out_future<p1, p2, Ts...> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<typename OutputIterator>
+void collect_filedescriptors(file_in const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<int p1, int p2, typename OutputIterator>
+void collect_filedescriptors(file_out<p1, p2> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<typename OutputIterator>
+void collect_filedescriptors(null_in const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<int p1, int p2, typename OutputIterator>
+void collect_filedescriptors(null_out<p1, p2> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<typename OutputIterator>
+void collect_filedescriptors(pipe_in const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<typename OutputIterator>
+void collect_filedescriptors(async_pipe_in const&, OutputIterator& outit) {
+ *outit++ = STDIN_FILENO;
+}
+
+template<int p1, int p2, typename OutputIterator>
+void collect_filedescriptors(pipe_out<p1, p2> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+template<int p1, int p2, typename OutputIterator>
+void collect_filedescriptors(async_pipe_out<p1, p2> const&, OutputIterator& outit) {
+ if (p1==1||p2==1) *outit++ = STDOUT_FILENO;
+ if (p1==2||p2==2) *outit++ = STDERR_FILENO;
+}
+
+}}}}
+
+#endif
diff --git a/boost/process/detail/posix/file_descriptor.hpp b/boost/process/detail/posix/file_descriptor.hpp
index 0dcb99c..0cfcfd1 100644
--- a/boost/process/detail/posix/file_descriptor.hpp
+++ b/boost/process/detail/posix/file_descriptor.hpp
@@ -53,6 +53,13 @@ struct file_descriptor
int handle() const { return _handle;}
private:
+ // customization point for fd_restrict
+ template <typename OutputIterator>
+ friend void collect_filedescriptors(file_descriptor const& property_, OutputIterator& outit) {
+ if (-1 != property_._handle)
+ *outit++ = property_._handle;
+ }
+
static int create_file(const char* name, mode_t mode )
{
switch(mode)
--
2.16.2