[PATCH] SOCK_CLOEXEC for opening sockets
Alan Bateman
Alan.Bateman at oracle.com
Wed Jul 11 07:11:48 UTC 2018
This seems to cover the sockets created in libnet but there is also a
usage in libnio that will need update. It might be cleaner to name it
NET_Socket to be consistent with the other wrappers (NET_Bind,
NET_SetSocketOpt, etc.).
There are a lot of other file descriptors that you may run into. We use
socketpair in a few places, we have file descriptors for epoll and more.
It makes me wonder if it would be better to use FD_CLOEXEC consistently.
In the Windows port then you'll see that we change the inheritance flag
on all newly created SOCKETs, that is because we don't have
the same opportunity to close inherited handles in the child process
that we do on Unix platforms.
-Alan
On 11/07/2018 07:35, Andrew Luo wrote:
>
> I agree, I wasn’t aware of the other uses of ::socket in the libnet
> codebase. Thus, I’ve added a new common function, NET_SocketOpen that
> can be used by all the source files in libnet and revised my patch:
>
> diff -r 95c0644a1c47 src/java.base/unix/native/libnet/Inet4AddressImpl.c
>
> --- a/src/java.base/unix/native/libnet/Inet4AddressImpl.c
> Fri Jun 15 17:34:01 2018 -0700
>
> +++ b/src/java.base/unix/native/libnet/Inet4AddressImpl.c Tue
> Jul 10 23:32:21 2018 -0700
>
> @@ -264,7 +264,7 @@
>
> int connect_rv = -1;
>
> // open a TCP socket
>
> - fd = socket(AF_INET, SOCK_STREAM, 0);
>
> + fd = NET_SocketOpen(AF_INET, SOCK_STREAM, 0);
>
> if (fd == -1) {
>
> // note: if you run out of fds, you may not be able to load
>
> // the exception class, and get a NoClassDefFoundError instead.
>
> @@ -503,7 +503,7 @@
>
> // Let's try to create a RAW socket to send ICMP packets.
>
> // This usually requires "root" privileges, so it's likely to fail.
>
> - fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
>
> + fd = NET_SocketOpen(AF_INET, SOCK_RAW, IPPROTO_ICMP);
>
> if (fd == -1) {
>
> return tcp_ping4(env, &sa, netif, timeout, ttl);
>
> } else {
>
> diff -r 95c0644a1c47 src/java.base/unix/native/libnet/Inet6AddressImpl.c
>
> --- a/src/java.base/unix/native/libnet/Inet6AddressImpl.c
> Fri Jun 15 17:34:01 2018 -0700
>
> +++ b/src/java.base/unix/native/libnet/Inet6AddressImpl.c Tue
> Jul 10 23:32:21 2018 -0700
>
> @@ -461,7 +461,7 @@
>
> int connect_rv = -1;
>
> // open a TCP socket
>
> - fd = socket(AF_INET6, SOCK_STREAM, 0);
>
> + fd = NET_SocketOpen(AF_INET6, SOCK_STREAM, 0);
>
> if (fd == -1) {
>
> // note: if you run out of fds, you may not be able to load
>
> // the exception class, and get a NoClassDefFoundError instead.
>
> @@ -711,7 +711,7 @@
>
> // Let's try to create a RAW socket to send ICMP packets.
>
> // This usually requires "root" privileges, so it's likely to fail.
>
> - fd = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
>
> + fd = NET_SocketOpen(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
>
> if (fd == -1) {
>
> return tcp_ping6(env, &sa, netif, timeout, ttl);
>
> } else {
>
> diff -r 95c0644a1c47 src/java.base/unix/native/libnet/NetworkInterface.c
>
> --- a/src/java.base/unix/native/libnet/NetworkInterface.c
> Fri Jun 15 17:34:01 2018 -0700
>
> +++ b/src/java.base/unix/native/libnet/NetworkInterface.c Tue
> Jul 10 23:32:21 2018 -0700
>
> @@ -1055,7 +1055,7 @@
>
> static int openSocket(JNIEnv *env, int proto) {
>
> int sock;
>
> - if ((sock = socket(proto, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(proto, SOCK_DGRAM, 0)) < 0) {
>
> // If EPROTONOSUPPORT is returned it means we don't have
>
> // support for this proto so don't throw an exception.
>
> if (errno != EPROTONOSUPPORT) {
>
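Review bot: openSocket tests `errno != EPROTONOSUPPORT` immediately after NET_SocketOpen returns, so the wrapper has to leave errno exactly as the failing socket() set it. In the `#else` branch of NET_SocketOpen (net_util_md.c, later in this patch) fcntl is called on the -1 descriptor, which fails with EBADF and overwrites EPROTONOSUPPORT before this check runs. Skipping the fcntl when the descriptor is -1 keeps this check, and the `errno == EPROTONOSUPPORT` fallbacks in openSocketWithFallback, working on platforms without SOCK_CLOEXEC.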
> @@ -1078,9 +1078,9 @@
>
> static int openSocketWithFallback(JNIEnv *env, const char *ifname) {
>
> int sock;
>
> - if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(AF_INET, SOCK_DGRAM, 0)) < 0) {
>
> if (errno == EPROTONOSUPPORT) {
>
> - if ((sock = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> JNU_ThrowByNameWithMessageAndLastError
>
> (env, JNU_JAVANETPKG "SocketException", "IPV6 Socket creation failed");
>
> return -1;
>
> @@ -1315,9 +1315,9 @@
>
> static int openSocketWithFallback(JNIEnv *env, const char *ifname) {
>
> int sock;
>
> - if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(AF_INET, SOCK_DGRAM, 0)) < 0) {
>
> if (errno == EPROTONOSUPPORT) {
>
> - if ((sock = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> JNU_ThrowByNameWithMessageAndLastError
>
> (env, JNU_JAVANETPKG "SocketException", "IPV6 Socket creation failed");
>
> return -1;
>
> @@ -1590,9 +1590,9 @@
>
> int sock, alreadyV6 = 0;
>
> struct lifreq if2;
>
> - if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(AF_INET, SOCK_DGRAM, 0)) < 0) {
>
> if (errno == EPROTONOSUPPORT) {
>
> - if ((sock = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> JNU_ThrowByNameWithMessageAndLastError
>
> (env, JNU_JAVANETPKG "SocketException", "IPV6 Socket creation failed");
>
> return -1;
>
> @@ -1616,7 +1616,7 @@
>
> strncpy(if2.lifr_name, ifname, sizeof(if2.lifr_name) - 1);
>
> if (ioctl(sock, SIOCGLIFNETMASK, (char *)&if2) < 0) {
>
> close(sock);
>
> - if ((sock = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> JNU_ThrowByNameWithMessageAndLastError
>
> (env, JNU_JAVANETPKG "SocketException", "IPV6 Socket creation failed");
>
> return -1;
>
> @@ -1941,9 +1941,9 @@
>
> static int openSocketWithFallback(JNIEnv *env, const char *ifname) {
>
> int sock;
>
> - if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(AF_INET, SOCK_DGRAM, 0)) < 0) {
>
> if (errno == EPROTONOSUPPORT) {
>
> - if ((sock = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> + if ((sock = NET_SocketOpen(AF_INET6, SOCK_DGRAM, 0)) < 0) {
>
> JNU_ThrowByNameWithMessageAndLastError
>
> (env, JNU_JAVANETPKG "SocketException", "IPV6 Socket creation failed");
>
> return -1;
>
> diff -r 95c0644a1c47 src/java.base/unix/native/libnet/PlainSocketImpl.c
>
> --- a/src/java.base/unix/native/libnet/PlainSocketImpl.c Fri Jun 15
> 17:34:01 2018 -0700
>
> +++ b/src/java.base/unix/native/libnet/PlainSocketImpl.c
> Tue Jul 10 23:32:21 2018 -0700
>
> @@ -178,7 +178,7 @@
>
> return;
>
> }
>
> - if ((fd = socket(domain, type, 0)) == -1) {
>
> + if ((fd = NET_SocketOpen(domain, type, 0)) == -1) {
>
> /* note: if you run out of fds, you may not be able to load
>
> * the exception class, and get a NoClassDefFoundError
>
> * instead.
>
> diff -r 95c0644a1c47 src/java.base/unix/native/libnet/SdpSupport.c
>
> --- a/src/java.base/unix/native/libnet/SdpSupport.c Fri Jun 15
> 17:34:01 2018 -0700
>
> +++ b/src/java.base/unix/native/libnet/SdpSupport.c Tue Jul 10
> 23:32:21 2018 -0700
>
> @@ -57,7 +57,7 @@
>
> #if defined(__solaris__)
>
> int domain = ipv6_available() ? AF_INET6 : AF_INET;
>
> - s = socket(domain, SOCK_STREAM, PROTO_SDP);
>
> + s = NET_SocketOpen(domain, SOCK_STREAM, PROTO_SDP);
>
> #elif defined(__linux__)
>
> /**
>
> * IPv6 not supported by SDP on Linux
>
> @@ -66,7 +66,7 @@
>
> JNU_ThrowIOException(env, "IPv6 not supported");
>
> return -1;
>
> }
>
> - s = socket(AF_INET_SDP, SOCK_STREAM, 0);
>
> + s = NET_SocketOpen(AF_INET_SDP, SOCK_STREAM, 0);
>
> #else
>
> /* not supported on other platforms at this time */
>
> s = -1;
>
> diff -r 95c0644a1c47 src/java.base/unix/native/libnet/net_util_md.c
>
> --- a/src/java.base/unix/native/libnet/net_util_md.c Fri Jun 15
> 17:34:01 2018 -0700
>
> +++ b/src/java.base/unix/native/libnet/net_util_md.c Tue Jul 10
> 23:32:21 2018 -0700
>
> @@ -117,6 +117,34 @@
>
> return defaultIndex;
>
> }
>
> +/*
>
> + * Opens a socket
>
> + * On systems where supported, uses SOCK_CLOEXEC where possible
>
> + */
>
> +int NET_SocketOpen(int domain, int type, int protocol) {
>
> +#if defined(SOCK_CLOEXEC)
>
> + int typeToUse = type | SOCK_CLOEXEC;
>
> +#else
>
> + int typeToUse = type;
>
> +#endif
>
> +
>
> + int socketFileDescriptor = socket(domain, typeToUse, protocol);
>
> +#if defined(SOCK_CLOEXEC)
>
> + if ((socketFileDescriptor == -1) && (errno = EINVAL)) {
>
> + // Attempt to open the socket without SOCK_CLOEXEC
>
> + // May have been compiled on an OS with SOCK_CLOEXEC supported
>
> + // But runtime system might not have SOCK_CLOEXEC support
>
> + socketFileDescriptor = socket(domain, type, protocol);
>
> + }
>
> +#else
>
> + // Best effort
>
> + // Return value is intentionally ignored since socket was
> successfully opened anyways
>
> + fcntl(socketFileDescriptor, F_SETFD, FD_CLOEXEC);
>
> +#endif
>
> +
>
> + return socketFileDescriptor;
>
> +}
>
> +
>
> #define RESTARTABLE(_cmd, _result) do { \
>
> do { \
>
> _result = _cmd; \
>
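Review bot: in NET_SocketOpen the retry condition `(errno = EINVAL)` assigns rather than compares, so it is always true and every failed socket() call is retried without SOCK_CLOEXEC, whatever the original error was; it should read `errno == EINVAL`. The descriptor returned by that retry is also never given FD_CLOEXEC, so on a runtime that rejects SOCK_CLOEXEC the socket stays inheritable. Calling `fcntl(socketFileDescriptor, F_SETFD, FD_CLOEXEC)` after a successful retry would cover that case.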
> @@ -295,7 +323,7 @@
>
> SOCKETADDRESS sa;
>
> socklen_t sa_len = sizeof(SOCKETADDRESS);
>
> - fd = socket(AF_INET6, SOCK_STREAM, 0) ;
>
> + fd = NET_SocketOpen(AF_INET6, SOCK_STREAM, 0) ;
>
> if (fd < 0) {
>
> /*
>
> * TODO: We really cant tell since it may be an unrelated error
>
> @@ -402,7 +430,7 @@
>
> /* Do a simple dummy call, and try to figure out from that */
>
> int one = 1;
>
> int rv, s;
>
> - s = socket(PF_INET, SOCK_STREAM, 0);
>
> + s = NET_SocketOpen(PF_INET, SOCK_STREAM, 0);
>
> if (s < 0) {
>
> return JNI_FALSE;
>
> }
>
> diff -r 95c0644a1c47 src/java.base/unix/native/libnet/net_util_md.h
>
> --- a/src/java.base/unix/native/libnet/net_util_md.h Fri Jun 15
> 17:34:01 2018 -0700
>
> +++ b/src/java.base/unix/native/libnet/net_util_md.h Tue Jul 10
> 23:32:21 2018 -0700
>
> @@ -89,6 +89,7 @@
>
> int NET_Writev(int s, const struct iovec * vector, int count);
>
> int NET_Connect(int s, struct sockaddr *addr, int addrlen);
>
> int NET_Accept(int s, struct sockaddr *addr, socklen_t *addrlen);
>
> +int NET_SocketOpen(int domain, int type, int protocol);
>
> int NET_SocketClose(int s);
>
> int NET_Dup2(int oldfd, int newfd);
>
> int NET_Poll(struct pollfd *ufds, unsigned int nfds, int timeout);
>
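Review bot: the NET_SocketOpen prototype added here carries no comment saying that close-on-exec is best effort (the implementation ignores the fcntl result and can fall back to a plain socket() call). A one-line comment at the declaration would tell callers not to assume the flag is always set on the returned descriptor.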
> *From:*Norman Maurer <norman.maurer at googlemail.com>
> *Sent:* Tuesday, July 10, 2018 9:55 AM
> *To:* Alan Bateman <Alan.Bateman at oracle.com>
> *Cc:* Martin Buchholz <martinrb at google.com>; Andrew Luo
> <andrewluotechnologies at outlook.com>; net-dev at openjdk.java.net
> *Subject:* Re: [PATCH] SOCK_CLOEXEC for opening sockets
>
> +1 I think this makes a lot of sense
>
>
>
> On 10. Jul 2018, at 17:54, Alan Bateman <Alan.Bateman at oracle.com
> <mailto:Alan.Bateman at oracle.com>> wrote:
>
> On 10/07/2018 17:40, Martin Buchholz wrote:
>
> I agree with this approach - it parallels the efforts made
> with O_CLOEXEC in past years.
>
>
>
> According to
>
> https://www.freebsd.org/cgi/man.cgi?query=socket&sektion=2
>
> SOCK_CLOEXEC is also available on freebsd.
>
> This is something that doesn't come up too often, I assume because
> most developers are using ProcessBuilder/Process rather than invoking
> fork from native code.
>
> If we are going to tackle this issue then it will require changes
> in several places, changing PlainSocketImpl.c is just one of several.
>
> -Alan
>
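The descriptor kinds named at the top of this message (sockets, socketpair, epoll) can be checked for FD_CLOEXEC with a small audit on Linux. This is an added example, not code from the thread or from the JDK sources; `fd_is_inheritable`, `set_cloexec`, `open_socket_cloexec`, `count_inheritable` and `demo` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 = open and inherited across exec(), 0 = close-on-exec, -1 = not open. */
int fd_is_inheritable(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : !(flags & FD_CLOEXEC);
}

/* Add FD_CLOEXEC after the fact; keeps other fd flags and the caller's errno. */
int set_cloexec(int fd) {
    int saved = errno;
    int flags = fcntl(fd, F_GETFD);
    int rv = (flags == -1) ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
    errno = saved;
    return rv;
}

/* Hypothetical wrapper (not the patch's NET_SocketOpen): atomic SOCK_CLOEXEC,
 * with fcntl used only when the running kernel rejects the flag. */
int open_socket_cloexec(int domain, int type, int protocol) {
    int fd = socket(domain, type | SOCK_CLOEXEC, protocol);
    if (fd == -1 && errno == EINVAL) {
        fd = socket(domain, type, protocol);
        if (fd != -1) set_cloexec(fd);
    }
    return fd;
}

/* Count descriptors in fds[] that a child would inherit across exec(). */
int count_inheritable(const int *fds, int n) {
    int leaks = 0;
    for (int i = 0; i < n; i++)
        if (fd_is_inheritable(fds[i]) == 1) leaks++;
    return leaks;
}

/* Constructed demo: fds opened with no close-on-exec flag; returns before*10 + after. */
int demo(void) {
    int fds[4] = { socket(AF_UNIX, SOCK_STREAM, 0), -1, -1, epoll_create1(0) };
    socketpair(AF_UNIX, SOCK_STREAM, 0, &fds[1]);   /* fills fds[1] and fds[2] */
    int before = count_inheritable(fds, 4);
    for (int i = 0; i < 4; i++) set_cloexec(fds[i]);
    int after = count_inheritable(fds, 4);
    for (int i = 0; i < 4; i++) close(fds[i]);
    return before * 10 + after;
}
```

The fcntl route leaves a window between creating the descriptor and setting the flag in which another thread can fork and exec, which is why the wrapper tries the atomic flag first.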