Merge pull request #419 from memorysafety/fork-is-safe-in-linux

japaric · web-flow · commit 7df8c082cacf · 2023-06-07T10:28:09.000Z
Conditionally mark `fork` as safe in linux
diff --git a/lib/sudo-exec/src/lib.rs b/lib/sudo-exec/src/lib.rs
@@ -70,10 +70,7 @@ pub fn run_command(ctx: Context, env: Environment) -> io::Result<(ExitReason, im
 
     let (pty_leader, pty_follower) = openpty()?;
     let (rx, tx) = pipe()?;
-    // SAFETY: we don't call any function that is not `async-signal-safe` inside this `fork` as all
-    // the signal handling is done by `signal_hook` which protects us from it.
-    #[allow(unsafe_code)]
-    let monitor_pid = unsafe { fork() }?;
+    let monitor_pid = fork()?;
     // Monitor logic. Based on `exec_monitor`.
     if monitor_pid == 0 {
         match monitor::MonitorRelay::new(command, pty_follower, tx)?.run()? {}
diff --git a/lib/sudo-system/src/lib.rs b/lib/sudo-system/src/lib.rs
@@ -44,6 +44,21 @@ pub fn pipe() -> io::Result<(OwnedFd, OwnedFd)> {
     Ok(unsafe { (OwnedFd::from_raw_fd(fds[0]), OwnedFd::from_raw_fd(fds[1])) })
 }
 
+#[cfg(target_os = "linux")]
+/// Create a new process.
+pub fn fork() -> io::Result<ProcessId> {
+    // SAFETY: `fork` is implemented using `clone` in linux so we don't need to worry about signal
+    // safety.
+    cerr(unsafe { libc::fork() })
+}
+
+#[cfg(not(target_os = "linux"))]
+/// Create a new process.
+///
+/// # Safety
+///
+/// In a multithreaded program, only async-signal-safe functions are guaranteed to work in the
+/// child process until a call to `execve` or a similar function is done.
 pub unsafe fn fork() -> io::Result<ProcessId> {
     cerr(unsafe { libc::fork() })
 }
