std.process.Child: block signals during clone()

ruihe774 · ruihe774 · commit bf7f827f5c06 · 2025-01-03T06:36:36.000Z
diff --git a/lib/std/process/Child.zig b/lib/std/process/Child.zig
@@ -534,6 +534,7 @@ const ChildArg = struct {
     dev_null_fd: posix.fd_t,
     argv_buf: [:null]?[*:0]const u8,
     envp: [*:null]const ?[*:0]const u8,
+    sigmask: ?*posix.sigset_t,
     ret_err: RetErr,
 };
 
@@ -567,6 +568,28 @@ fn spawnPosixChildHelper(arg: usize) callconv(.c) u8 {
         posix.setpgid(0, pid) catch |err| return forkChildErrReport(&child_arg.ret_err, err);
     }
 
+    if (native_os == .linux and child_arg.sigmask != null) {
+        std.debug.assert(linux.SIG.DFL == null);
+        for (1..linux.NSIG) |sig| {
+            if (sig == posix.SIG.KILL or sig == posix.SIG.STOP) {
+                continue;
+            }
+            if (sig > std.math.maxInt(u6)) {
+                // XXX: We cannot disable all signals.
+                // sigaction accepts u6, which is too narrow.
+                break;
+            }
+            var old_act: posix.Sigaction = undefined;
+            const new_act = mem.zeroes(posix.Sigaction);
+            // Do not use posix.sigaction. It reaches unreachable.
+            _ = linux.sigaction(@intCast(sig), &new_act, &old_act);
+            if (old_act.handler.handler == linux.SIG.IGN) {
+                _ = linux.sigaction(@intCast(sig), &old_act, null);
+            }
+        }
+        posix.sigprocmask(posix.SIG.SETMASK, child_arg.sigmask, null);
+    }
+
     const err = switch (child_arg.self.expand_arg0) {
         .expand => posix.execvpeZ_expandArg0(.expand, child_arg.argv_buf.ptr[0].?, child_arg.argv_buf.ptr, child_arg.envp),
         .no_expand => posix.execvpeZ_expandArg0(.no_expand, child_arg.argv_buf.ptr[0].?, child_arg.argv_buf.ptr, child_arg.envp),
@@ -692,6 +715,7 @@ fn spawnPosix(self: *ChildProcess) SpawnError!void {
         .dev_null_fd = dev_null_fd,
         .argv_buf = argv_buf,
         .envp = envp,
+        .sigmask = null,
         .ret_err = undefined,
     };
 
@@ -703,6 +727,10 @@ fn spawnPosix(self: *ChildProcess) SpawnError!void {
             immediateExit(spawnPosixChildHelper(@intFromPtr(&child_arg)));
         }
     } else {
+        var old_mask: posix.sigset_t = undefined;
+        posix.sigprocmask(posix.SIG.SETMASK, &linux.all_mask, &old_mask);
+        defer posix.sigprocmask(posix.SIG.SETMASK, &old_mask, null);
+        child_arg.sigmask = &old_mask;
         child_arg.ret_err = null;
         // Although the stack is fixed sized, we alloc it here,
         // because stack-smashing protection may have higher overhead than allocation.
