-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new inherit_handles flag to CommandExt trait #115501
base: master
Are you sure you want to change the base?
Add new inherit_handles flag to CommandExt trait #115501
Conversation
The job Click to see the possible cause of the failure (guessed by this bot)
|
Should this have a stabilization issue attached to it? |
First you should create an API change proposal to see if libs-api wants it. |
I recently changed the exact same interface and didn't need an ACP, is this really required here? |
|
Anyway, does windows have an equivalent to Inheritance is questionable in multi-threaded programs because different command-spawning actions may want to pass different files to the child. Also, how does one communicate to a child that a specific handle is available? On unix we've run into issues defining IO safety when passing ownership through the environment. Are there better ways to send handles to another process?
Alternatively, can we limit this to passing a set of well-defined handles? |
It is not necessary when creating a pseudoconsole to disable handle inheritance. Doing so does however allow us to skip the mutex we currently use.
Yes. You need to set
The reason the previous API change didn't require an ACP was because the change was already accepted under an older system (and I asked privately if this was still OK). A new API would need an ACP. |
Do you know why all of them set |
Okay I just tested it, indeed not necessary to set Would this still be a useful extension to the |
The most likely the simplest explanation is "because the example code does". But there are good reasons to disable handle inheritance when it's not needed: inheriting unnecessary handles is pointless and also prevents kernel objects from being cleaned up. In the worst case it may also allow the child process to mess with the handles it inherits, though it would have to find them first.
I think it would for the above reasons. |
I don't know if windows has the concept of confidential handles but preventing the child from acquiring those handles could improve security of spawning commands. |
Okay, just found the following list in the Processes can inherit or duplicate handles to the following types of objects:
|
@ChrisDenton should I message somebody about this in rust internals? |
You don't need to do anything other than be patient 🙂. ACPs are discussed in a weekly meeting (time permitting). |
Sorry, didn't know that. |
☔ The latest upstream changes (presumably #117285) made this pull request unmergeable. Please resolve the merge conflicts. |
Hi everyone, While handle inheritance can be selectively configured using the This effectively means that Rust programs running as PPL currently cannot spawn non-protected processes using the standard library, as the
|
I have an exam on Monday but after that I should be able to work on this. |
@pixmaip would the following suggestion aid your need? |
No, the suggestion you mentioned might be good for most usecases, but when running processes as PPL, passing a list of handles to inherit cannot be done. This is because PPL processes are inherently prevented by the system from leaking handles to non-protected processes, so Windows does not allow it. Note that setting |
Okay, then this should mergable independently of #123604. Please also raise your issue with the proposed solution over at rust-lang/libs-team#264 so it can be re-discussed by the lib team or maybe @ChrisDenton you can note it. |
As per rust-lang/libs-team#264 (comment), the ACP about this seems to stand firm on having only a single API that sets a specific set of handles to inherit, with the special case of an empty slice not doing anything about that and setting @michaelvanstraten do you therefore think the current PR is salvageable for this in any way? If so, do you think you would have bandwidth these days to do so? The setup code for using |
Could be a bit tricky and confusing for users, as I mentioned in rust-lang/libs-team#264 (comment).
I currently have a deadline at work, which doesn't leave me with much time. I also have exams from the beginning of February to roughly the 20th, after then it should not be an issue. I hope I can work with you on it a bit in the meantime. |
This PR adds a new flag to the
CommandExt
trait to set whether to inherit the handles of the calling process ([ref][1]).This is necessary when, for example, spawning a process with a
pseudoconsole
attached.r? @ChrisDenton
ACP: rust-lang/libs-team#264
[1]: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw