Add Linux-specific pidfd process extensions (take 2)

[voidc]

Continuation of #77168.
I addressed the following concerns from the original PR:

• make CommandExt and ChildExt sealed traits
• wrap file descriptors in PidFd struct representing ownership over the fd
• add take_pidfd to take the fd out of Child
• close fd when dropped

Tracking Issue: #82971

[rust-highfive]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @Mark-Simulacrum (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

[nicokoch]

Just checking for ENOSYS is sadly not enough here.
The syscall can also be blocked by seccomp (EPERM).

We have also found cases where new syscalls where randomly broken on some configurations (see the EOPNOTSUPP comment here. Though, I think we can ignore this case for now.

[voidc]

EPERM and EOPNOTSUPP might depend on the arguments of the clone3 call. It would be wrong to set HAS_CLONE3 to false if one of these errors occurred.

[the8472]

In that case the usual approach is to perform the probe separately with arguments that are known to fail with a specific error code, e.g. an invalid combination of flags leading to EINVAL. If that returns EPERM then we know the syscall is filtered. CLONE_SIGHAND | CLONE_CLEAR_SIGHAND could work.

[voidc]

Maybe we could just fallback to fork on EPERM without setting HAS_CLONE3.

[the8472]

That could be considered slightly suboptimal since it'll try again every time in that case, but we already have a preferred path through posix_spawn so this shouldn't be hit too frequently.

[voidc]

My concern was whether it would be possible for clone3 to succeed after having returned EPERM once. In case of ENOSYS we can be certain that any future calls will fail as well. For EPERM, this conclusion does potentially not hold since a seccomp filter could be defined in terms of arbitrary rules.

[joshtriplett]

I don't think we need to account for arbitrary seccomp filters here. seccomp filters should produce ENOSYS, not EPERM.

[Mark-Simulacrum]

r? @m-ou-se or perhaps @joshtriplett

[bors]

☔ The latest upstream changes (presumably #82045) made this pull request unmergeable. Please resolve the merge conflicts.

[voidc]

@joshtriplett I think you were interested in the original PR. Would you mind taking a look at this?

[bors]

☔ The latest upstream changes (presumably #82877) made this pull request unmergeable. Please resolve the merge conflicts.

[bors]

📌 Commit f48caef6fc47df6acfb9d72f1a254e503e98b557 has been approved by joshtriplett

[bors]

⌛ Testing commit f48caef6fc47df6acfb9d72f1a254e503e98b557 with merge d1b9a4c984315ffa8365dbdfbdc5a331f5adcd8e...

[bors]

💔 Test failed - checks-actions

[voidc]

@Aaron1011 Thanks for tending to this issue! Unfortunately, I think the workaround in your commit is not enough to circumvent the LLVM bug. To my knowledge, the combination of i686, fat LTO, and opt-level=0 is already sufficient to trigger the assertion. While, on the i686-gnu target, I was able to work around the bug by ensuring opt-level > 0, the i686-gnu-nopt target disables optimizations by definition, triggering the assertion in every test using LTO. One option would be to add ignore-i686-unknown-linux-gnu to all of the tests listed below. However, landing this PR with the workaround would mean potentially breaking user's builds satisfying the three criteria mentioned above. The better option, of course, would be fixing the underlying LLVM bug. Since it appears like the bug is already fixed in the latest LLVM trunk (as you commented in #86758), maybe we could cherry-pick the commit resolving the issue?

List of failing tests

ui/abi/stack-probes-lto.rs
ui/debuginfo-lto.rs
ui/extern/issue-64655-allow-unwind-when-calling-panic-directly.rs#fat
ui/fat-lto.rs
ui/lto-many-codegen-units.rs
ui/lto-rustc-loads-linker-plugin.rs
ui/lto-still-runs-thread-dtors.rs#mir
ui/lto-still-runs-thread-dtors.rs#thir
ui/panic-runtime/lto-abort.rs
ui/panic-runtime/lto-unwind.rs
ui/sepcomp/sepcomp-lib-lto.rs

[voidc]

I went ahead and added -C opt-level=1 to the failing tests. However, there are more tests that specify -C lto.

List of tests

codegen/lto-removes-invokes.rs
codegen/sanitizer-memory-track-orgins.rs
codegen/sanitizer-recover.rs
debuginfo/cross-crate-type-uniquing.rs (*)
incremental/lto.rs
incremental/rlib-lto.rs
run-make-fulldeps/cdylib/Makefile
run-make-fulldeps/codegen-options-parsing/Makefile
run-make-fulldeps/cross-lang-lto/Makefile
run-make-fulldeps/issue-14500/Makefile
run-make-fulldeps/issue-64153/Makefile
run-make-fulldeps/lto-dylib-dep/Makefile
run-make-fulldeps/lto-no-link-whole-rlib/Makefile
run-make-fulldeps/lto-readonly-lib/Makefile
run-make-fulldeps/lto-smoke-c/Makefile
run-make-fulldeps/lto-smoke/Makefile
run-make-fulldeps/no-builtins-lto/Makefile
run-make-fulldeps/pgo-gen-lto/Makefile
run-make-fulldeps/reproducible-build-2/Makefile
run-make/wasm-custom-section/Makefile
run-make/wasm-export-all-symbols/Makefile
run-make/wasm-import-module/Makefile
run-make/wasm-panic-small/Makefile
run-make/wasm-stringify-ints-small/Makefile
run-make/wasm-symbols-different-module/Makefile
run-make/wasm-symbols-not-imported/Makefile
ui/abi/stack-probes-lto.rs (*)
ui/debuginfo-lto.rs (*)
ui/extern/issue-64655-allow-unwind-when-calling-panic-directly.rs (*)
ui/extern/issue-64655-extern-rust-must-allow-unwind.rs (*)
ui/fat-lto.rs (*)
ui-fulldeps/lto-syntax-extension.rs
ui/issues/issue-11154.rs (build-fail)
ui/issues/issue-44056.rs (only-x86_64)
ui/lto-and-no-bitcode-in-rlib.rs (build-fail)
ui/lto-duplicate-symbols.rs (build-fail)
ui/lto-many-codegen-units.rs (*)
ui/lto-rustc-loads-linker-plugin.rs (*)
ui/lto-still-runs-thread-dtors.rs (*)
ui/panic-runtime/lto-abort.rs (*)
ui/panic-runtime/lto-unwind.rs (*)
ui/sepcomp/sepcomp-lib-lto.rs (*)

(*): added -C opt-level=1

[joshtriplett]

#87610 may address this. Let's give it another try (with the workarounds removed) once that has gone in.

[voidc]

@joshtriplett I removed the workarounds.

[Aaron1011]

#87610 has been merged, so let's try this again:

@bors r=joshtriplett

[bors]

📌 Commit 741176a38771b233bdd6f972929a3930682da169 has been approved by joshtriplett

[bors]

⌛ Testing commit 741176a38771b233bdd6f972929a3930682da169 with merge a2522c6c85a7388a80cb33edc2ce2631b0695f99...

[bors]

💔 Test failed - checks-actions

[Aaron1011]

All of the non-Apple builders passes, so the LLVM issue is fixed 🎉

The failing tests need to be made Linux-only (or be adjusted to avoid libc::SYS_getpid on non-Linux Unix systems).

[voidc]

@Aaron1011 Okay, I fixed it! And thanks for seeing to the LLVM fix getting merged so fast! 😃

[Aaron1011]

@bors r=joshtriplett

[bors]

📌 Commit 4a832d3 has been approved by joshtriplett

[bors]

⌛ Testing commit 4a832d3 with merge 4e21ef2...

[bors]

☀️ Test successful - checks-actions
Approved by: joshtriplett
Pushing 4e21ef2 to master...

[Aaron1011]

@voidc: Thanks for all of your work getting this over the finish line!

[voidc]

🎉 🎉 Finally! Thanks for your patience @Aaron1011 and @joshtriplett during all of these 200+ comments and 15+ bors runs 😂

[brauner]

Thank you all for your work. Very happy to see upstream work make it into this project. :)