/* GLIB - Library of useful routines for C programming

 * Copyright 2000-2022 Red Hat, Inc.

 * Copyright 2006-2007 Matthias Clasen

 * Copyright 2006 Padraig O'Briain

 * Copyright 2007 Lennart Poettering

 * Copyright 2018-2022 Endless OS Foundation, LLC

 * Copyright 2018 Peter Wu

 * Copyright 2019 Ting-Wei Lan

 * Copyright 2019 Sebastian Schwarz

 * Copyright 2020 Matt Rose

 * Copyright 2021 Casper Dik

 * Copyright 2022 Alexander Richardson

 * Copyright 2022 Ray Strode

 * Copyright 2022 Thomas Haller

 * Copyright 2023-2024 Collabora Ltd.

 * Copyright 2023 Sebastian Wilhelmi

 * Copyright 2023 CaiJingLong

 *

 * glib-unix.c: UNIX specific API wrappers and convenience functions

 *

 * SPDX-License-Identifier: LGPL-2.1-or-later

 *

 * This library is free software; you can redistribute it and/or

 * modify it under the terms of the GNU Lesser General Public

 * License as published by the Free Software Foundation; either

 * version 2.1 of the License, or (at your option) any later version.

 *

 * This library is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General Public

 * License along with this library; if not, see <http://www.gnu.org/licenses/>.

 *

 * Authors: Colin Walters <walters@verbum.org>

 */

#include "config.h"

#include "glib-private.h"

#include "glib-unix.h"

#include "glib-unixprivate.h"

#include "gmain-internal.h"

#include <dirent.h>

#include <errno.h>

#include <fcntl.h>

#include <stdlib.h>   /* for fdwalk */

#include <string.h>

#include <sys/types.h>

#include <pwd.h>

#include <unistd.h>

#if defined(__linux__) || defined(__DragonFly__)

#include <sys/syscall.h>  /* for syscall and SYS_getdents64 */

#endif

#ifdef HAVE_SYS_RESOURCE_H

#include <sys/resource.h>

#endif /* HAVE_SYS_RESOURCE_H */

#if defined(__APPLE__) && defined(HAVE_LIBPROC_H)

#include <libproc.h>

#include <sys/proc_info.h>

#endif

G_STATIC_ASSERT (sizeof (ssize_t) == GLIB_SIZEOF_SSIZE_T);

G_STATIC_ASSERT (G_ALIGNOF (gssize) == G_ALIGNOF (ssize_t));

G_STATIC_ASSERT (G_SIGNEDNESS_OF (ssize_t) == 1);

G_STATIC_ASSERT (sizeof (GPid) == sizeof (pid_t));

G_STATIC_ASSERT (G_ALIGNOF (GPid) == G_ALIGNOF (pid_t));

/* It's platform-dependent whether pid_t is signed, so no assertion */

/* If this assertion fails, then the ABI of g_unix_open_pipe() would be

 * ambiguous on this platform.

 * On Linux, usually O_NONBLOCK == 04000 and FD_CLOEXEC == 1, but the same

 * might not be true everywhere. */

G_STATIC_ASSERT (O_NONBLOCK != FD_CLOEXEC);

G_DEFINE_QUARK (g-unix-error-quark, g_unix_error)

static gboolean

g_unix_set_error_from_errno (GError **error,

                             gint     saved_errno)

{

  g_set_error_literal (error,

                       G_UNIX_ERROR,

                       0,

                       g_strerror (saved_errno));

  errno = saved_errno;

  return FALSE;

}

/**

 * g_unix_open_pipe:

 * @fds: (array fixed-size=2): Array of two integers

 * @flags: Bitfield of file descriptor flags, as for fcntl()

 * @error: a #GError

 *

 * Similar to the UNIX pipe() call, but on modern systems like Linux

 * uses the pipe2() system call, which atomically creates a pipe with

 * the configured flags.

 *

 * As of GLib 2.78, the supported flags are `O_CLOEXEC`/`FD_CLOEXEC` (see below)

 * and `O_NONBLOCK`. Prior to GLib 2.78, only `FD_CLOEXEC` was supported — if

 * you wanted to configure `O_NONBLOCK` then that had to be done separately with

 * `fcntl()`.

 *

 * Since GLib 2.80, the constants %G_UNIX_PIPE_END_READ and

 * %G_UNIX_PIPE_END_WRITE can be used as mnemonic indexes in @fds.

 *

 * It is a programmer error to call this function with unsupported flags, and a

 * critical warning will be raised.

 *

 * As of GLib 2.78, it is preferred to pass `O_CLOEXEC` in, rather than

 * `FD_CLOEXEC`, as that matches the underlying `pipe()` API more closely. Prior

 * to 2.78, only `FD_CLOEXEC` was supported. Support for `FD_CLOEXEC` may be

 * deprecated and removed in future.

 *

 * Returns: %TRUE on success, %FALSE if not (and errno will be set).

 *

 * Since: 2.30

 */

gboolean

g_unix_open_pipe (int     *fds,

                  int      flags,

                  GError **error)

{

  /* We only support O_CLOEXEC/FD_CLOEXEC and O_NONBLOCK */

  g_return_val_if_fail ((flags & (O_CLOEXEC | FD_CLOEXEC | O_NONBLOCK)) == flags, FALSE);

#if O_CLOEXEC != FD_CLOEXEC && !defined(G_DISABLE_CHECKS)

  if (flags & FD_CLOEXEC)

    g_debug ("g_unix_open_pipe() called with FD_CLOEXEC; please migrate to using O_CLOEXEC instead");

#endif

  if (!g_unix_open_pipe_internal (fds,

                                  (flags & (O_CLOEXEC | FD_CLOEXEC)) != 0,

                                  (flags & O_NONBLOCK) != 0))

    return g_unix_set_error_from_errno (error, errno);

  return TRUE;

}

/**

 * g_unix_set_fd_nonblocking:

 * @fd: A file descriptor

 * @nonblock: If %TRUE, set the descriptor to be non-blocking

 * @error: a #GError

 *

 * Control the non-blocking state of the given file descriptor,

 * according to @nonblock. On most systems this uses %O_NONBLOCK, but

 * on some older ones may use %O_NDELAY.

 *

 * Returns: %TRUE if successful

 *

 * Since: 2.30

 */

gboolean

g_unix_set_fd_nonblocking (gint       fd,

                           gboolean   nonblock,

                           GError   **error)

{

#ifdef F_GETFL

  glong fcntl_flags;

  fcntl_flags = fcntl (fd, F_GETFL);

  if (fcntl_flags == -1)

    return g_unix_set_error_from_errno (error, errno);

  if (nonblock)

    fcntl_flags |= O_NONBLOCK;

  else

    fcntl_flags &= ~O_NONBLOCK;

  if (fcntl (fd, F_SETFL, fcntl_flags) == -1)

    return g_unix_set_error_from_errno (error, errno);

  return TRUE;

#else

  return g_unix_set_error_from_errno (error, EINVAL);

#endif

}

/**

 * g_unix_signal_source_new:

 * @signum: A signal number

 *

 * Create a #GSource that will be dispatched upon delivery of the UNIX

 * signal @signum.  In GLib versions before 2.36, only `SIGHUP`, `SIGINT`,

 * `SIGTERM` can be monitored.  In GLib 2.36, `SIGUSR1` and `SIGUSR2`

 * were added. In GLib 2.54, `SIGWINCH` was added.

 *

 * Note that unlike the UNIX default, all sources which have created a

 * watch will be dispatched, regardless of which underlying thread

 * invoked g_unix_signal_source_new().

 *

 * For example, an effective use of this function is to handle `SIGTERM`

 * cleanly; flushing any outstanding files, and then calling

 * g_main_loop_quit().  It is not safe to do any of this from a regular

 * UNIX signal handler; such a handler may be invoked while malloc() or

 * another library function is running, causing reentrancy issues if the

 * handler attempts to use those functions.  None of the GLib/GObject

 * API is safe against this kind of reentrancy.

 *

 * The interaction of this source when combined with native UNIX

 * functions like sigprocmask() is not defined.

 *

 * The source will not initially be associated with any #GMainContext

 * and must be added to one with g_source_attach() before it will be

 * executed.

 *

 * Returns: A newly created #GSource

 *

 * Since: 2.30

 */

GSource *

g_unix_signal_source_new (int signum)

{

  g_return_val_if_fail (signum == SIGHUP || signum == SIGINT || signum == SIGTERM ||

                        signum == SIGUSR1 || signum == SIGUSR2 || signum == SIGWINCH,

                        NULL);

  return _g_main_create_unix_signal_watch (signum);

}

/**

 * g_unix_signal_add_full: (rename-to g_unix_signal_add)

 * @priority: the priority of the signal source. Typically this will be in

 *            the range between %G_PRIORITY_DEFAULT and %G_PRIORITY_HIGH.

 * @signum: Signal number

 * @handler: Callback

 * @user_data: Data for @handler

 * @notify: #GDestroyNotify for @handler

 *

 * A convenience function for g_unix_signal_source_new(), which

 * attaches to the default #GMainContext.  You can remove the watch

 * using g_source_remove().

 *

 * Returns: An ID (greater than 0) for the event source

 *

 * Since: 2.30

 */

guint

g_unix_signal_add_full (int            priority,

                        int            signum,

                        GSourceFunc    handler,

                        gpointer       user_data,

                        GDestroyNotify notify)

{

  guint id;

  GSource *source;

  source = g_unix_signal_source_new (signum);

  if (priority != G_PRIORITY_DEFAULT)

    g_source_set_priority (source, priority);

  g_source_set_callback (source, handler, user_data, notify);

  id = g_source_attach (source, NULL);

  g_source_unref (source);

  return id;

}

/**

 * g_unix_signal_add:

 * @signum: Signal number

 * @handler: Callback

 * @user_data: Data for @handler

 *

 * A convenience function for g_unix_signal_source_new(), which

 * attaches to the default #GMainContext.  You can remove the watch

 * using g_source_remove().

 *

 * Returns: An ID (greater than 0) for the event source

 *

 * Since: 2.30

 */

guint

g_unix_signal_add (int         signum,

                   GSourceFunc handler,

                   gpointer    user_data)

{

  return g_unix_signal_add_full (G_PRIORITY_DEFAULT, signum, handler, user_data, NULL);

}

typedef struct

{

  GSource source;

  gint     fd;

  gpointer tag;

} GUnixFDSource;

static gboolean

g_unix_fd_source_dispatch (GSource     *source,

                           GSourceFunc  callback,

                           gpointer     user_data)

{

  GUnixFDSource *fd_source = (GUnixFDSource *) source;

  GUnixFDSourceFunc func = (GUnixFDSourceFunc) callback;

  if (!callback)

    {

      g_warning ("GUnixFDSource dispatched without callback. "

                 "You must call g_source_set_callback().");

      return FALSE;

    }

  return (* func) (fd_source->fd, g_source_query_unix_fd (source, fd_source->tag), user_data);

}

GSourceFuncs g_unix_fd_source_funcs = {

  NULL, NULL, g_unix_fd_source_dispatch, NULL, NULL, NULL

};

/**

 * g_unix_fd_source_new:

 * @fd: a file descriptor

 * @condition: I/O conditions to watch for on @fd

 *

 * Creates a #GSource to watch for a particular I/O condition on a file

 * descriptor.

 *

 * The source will never close the @fd — you must do it yourself.

 *

 * Any callback attached to the returned #GSource must have type

 * #GUnixFDSourceFunc.

 *

 * Returns: the newly created #GSource

 *

 * Since: 2.36

 **/

GSource *

g_unix_fd_source_new (gint         fd,

                      GIOCondition condition)

{

  GUnixFDSource *fd_source;

  GSource *source;

  source = g_source_new (&g_unix_fd_source_funcs, sizeof (GUnixFDSource));

  fd_source = (GUnixFDSource *) source;

  fd_source->fd = fd;

  fd_source->tag = g_source_add_unix_fd (source, fd, condition);

  return source;

}

/**

 * g_unix_fd_add_full:

 * @priority: the priority of the source

 * @fd: a file descriptor

 * @condition: IO conditions to watch for on @fd

 * @function: a #GUnixFDSourceFunc

 * @user_data: data to pass to @function

 * @notify: function to call when the idle is removed, or %NULL

 *

 * Sets a function to be called when the IO condition, as specified by

 * @condition becomes true for @fd.

 *

 * This is the same as g_unix_fd_add(), except that it allows you to

 * specify a non-default priority and a provide a #GDestroyNotify for

 * @user_data.

 *

 * Returns: the ID (greater than 0) of the event source

 *

 * Since: 2.36

 **/

guint

g_unix_fd_add_full (gint              priority,

                    gint              fd,

                    GIOCondition      condition,

                    GUnixFDSourceFunc function,

                    gpointer          user_data,

                    GDestroyNotify    notify)

{

  GSource *source;

  guint id;

  g_return_val_if_fail (function != NULL, 0);

  source = g_unix_fd_source_new (fd, condition);

  if (priority != G_PRIORITY_DEFAULT)

    g_source_set_priority (source, priority);

  g_source_set_callback (source, (GSourceFunc) function, user_data, notify);

  id = g_source_attach (source, NULL);

  g_source_unref (source);

  return id;

}

/**

 * g_unix_fd_add:

 * @fd: a file descriptor

 * @condition: IO conditions to watch for on @fd

 * @function: a #GUnixFDSourceFunc

 * @user_data: data to pass to @function

 *

 * Sets a function to be called when the IO condition, as specified by

 * @condition becomes true for @fd.

 *

 * @function will be called when the specified IO condition becomes

 * %TRUE.  The function is expected to clear whatever event caused the

 * IO condition to become true and return %TRUE in order to be notified

 * when it happens again.  If @function returns %FALSE then the watch

 * will be cancelled.

 *

 * The return value of this function can be passed to g_source_remove()

 * to cancel the watch at any time that it exists.

 *

 * The source will never close the fd -- you must do it yourself.

 *

 * Returns: the ID (greater than 0) of the event source

 *

 * Since: 2.36

 **/

guint

g_unix_fd_add (gint              fd,

               GIOCondition      condition,

               GUnixFDSourceFunc function,

               gpointer          user_data)

{

  return g_unix_fd_add_full (G_PRIORITY_DEFAULT, fd, condition, function, user_data, NULL);

}

/**

 * g_unix_get_passwd_entry:

 * @user_name: the username to get the passwd file entry for

 * @error: return location for a #GError, or %NULL

 *

 * Get the `passwd` file entry for the given @user_name using `getpwnam_r()`.

 * This can fail if the given @user_name doesn’t exist.

 *

 * The returned `struct passwd` has been allocated using g_malloc() and should

 * be freed using g_free(). The strings referenced by the returned struct are

 * included in the same allocation, so are valid until the `struct passwd` is

 * freed.

 *

 * This function is safe to call from multiple threads concurrently.

 *

 * You will need to include `pwd.h` to get the definition of `struct passwd`.

 *

 * Returns: (transfer full): passwd entry, or %NULL on error; free the returned

 *    value with g_free()

 * Since: 2.64

 */

struct passwd *

g_unix_get_passwd_entry (const gchar  *user_name,

                         GError      **error)

{

  struct passwd *passwd_file_entry;

  struct

    {

      struct passwd pwd;

      char string_buffer[];

    } *buffer = NULL;

  gsize string_buffer_size = 0;

  GError *local_error = NULL;

  g_return_val_if_fail (user_name != NULL, NULL);

  g_return_val_if_fail (error == NULL || *error == NULL, NULL);

#ifdef _SC_GETPW_R_SIZE_MAX

    {

      /* Get the recommended buffer size */

      glong string_buffer_size_long = sysconf (_SC_GETPW_R_SIZE_MAX);

      if (string_buffer_size_long > 0)

        string_buffer_size = string_buffer_size_long;

    }

#endif /* _SC_GETPW_R_SIZE_MAX */

  /* Default starting size. */

  if (string_buffer_size == 0)

    string_buffer_size = 64;

  do

    {

      int retval;

      g_free (buffer);

      /* Allocate space for the `struct passwd`, and then a buffer for all its

       * strings (whose size is @string_buffer_size, which increases in this

       * loop until it’s big enough). Add 6 extra bytes to work around a bug in

       * macOS < 10.3. See #156446.

       */

      buffer = g_malloc0 (sizeof (*buffer) + string_buffer_size + 6);

      retval = getpwnam_r (user_name, &buffer->pwd, buffer->string_buffer,

                           string_buffer_size, &passwd_file_entry);

      /* Bail out if: the lookup was successful, or if the user id can't be

       * found (should be pretty rare case actually), or if the buffer should be

       * big enough and yet lookups are still not successful.

       */

      if (passwd_file_entry != NULL)

        {

          /* Success. */

          break;

        }

      else if (retval == 0 ||

          retval == ENOENT || retval == ESRCH ||

          retval == EBADF || retval == EPERM)

        {

          /* Username not found. */

          g_unix_set_error_from_errno (&local_error, retval);

          break;

        }

      else if (retval == ERANGE)

        {

          /* Can’t allocate enough string buffer space. */

          if (string_buffer_size > 32 * 1024)

            {

              g_unix_set_error_from_errno (&local_error, retval);

              break;

            }

          string_buffer_size *= 2;

          continue;

        }

      else

        {

          g_unix_set_error_from_errno (&local_error, retval);

          break;

        }

    }

  while (passwd_file_entry == NULL);

  g_assert (passwd_file_entry == NULL ||

            (gpointer) passwd_file_entry == (gpointer) buffer);

  /* Success or error. */

  if (local_error != NULL)

    {

      g_clear_pointer (&buffer, g_free);

      g_propagate_error (error, g_steal_pointer (&local_error));

    }

  return (struct passwd *) g_steal_pointer (&buffer);

}

/* This function is called between fork() and exec() and hence must be

 * async-signal-safe (see signal-safety(7)). */

static int

set_cloexec (void *data, gint fd)

{

  if (fd >= GPOINTER_TO_INT (data))

    fcntl (fd, F_SETFD, FD_CLOEXEC);

  return 0;

}

/* fdwalk()-compatible callback to close a fd for non-compliant

 * implementations of fdwalk() that potentially pass already

 * closed fds.

 *

 * It is not an error to pass an invalid fd to this function.

 *

 * This function is called between fork() and exec() and hence must be

 * async-signal-safe (see signal-safety(7)).

 */

G_GNUC_UNUSED static int

close_func_with_invalid_fds (void *data, int fd)

{

  /* We use close and not g_close here because on some platforms, we

   * don't know how to close only valid, open file descriptors, so we

   * have to pass bad fds to close too. g_close warns if given a bad

   * fd.

   *

   * This function returns no error, because there is nothing that the caller

   * could do with that information. That is even the case for EINTR. See

   * g_close() about the specialty of EINTR and why that is correct.

   * If g_close() ever gets extended to handle EINTR specially, then this place

   * should get updated to do the same handling.

   */

  if (fd >= GPOINTER_TO_INT (data))

    close (fd);

  return 0;

}

#ifdef __linux__

struct linux_dirent64

{

  guint64        d_ino;    /* 64-bit inode number */

  guint64        d_off;    /* 64-bit offset to next structure */

  unsigned short d_reclen; /* Size of this dirent */

  unsigned char  d_type;   /* File type */

  char           d_name[]; /* Filename (null-terminated) */

};

/* This function is called between fork() and exec() and hence must be

 * async-signal-safe (see signal-safety(7)). */

static gint

filename_to_fd (const char *p)

{

  char c;

  int fd = 0;

  const int cutoff = G_MAXINT / 10;

  const int cutlim = G_MAXINT % 10;

  if (*p == '\0')

    return -1;

  while ((c = *p++) != '\0')

    {

      if (c < '0' || c > '9')

        return -1;

      c -= '0';

      /* Check for overflow. */

      if (fd > cutoff || (fd == cutoff && c > cutlim))

        return -1;

      fd = fd * 10 + c;

    }

  return fd;

}

#endif

static int safe_fdwalk_with_invalid_fds (int (*cb)(void *data, int fd), void *data);

/* This function is called between fork() and exec() and hence must be

 * async-signal-safe (see signal-safety(7)). */

static int

safe_fdwalk (int (*cb)(void *data, int fd), void *data)

{

#if 0

  /* Use fdwalk function provided by the system if it is known to be

   * async-signal safe.

   *

   * Currently there are no operating systems known to provide a safe

   * implementation, so this section is not used for now.

   */

  return fdwalk (cb, data);

#else

  /* Fallback implementation of fdwalk. It should be async-signal safe, but it

   * may fail on non-Linux operating systems. See safe_fdwalk_with_invalid_fds

   * for a slower alternative.

   */

#ifdef __linux__

  gint fd;

  gint res = 0;

  /* Avoid use of opendir/closedir since these are not async-signal-safe. */

  int dir_fd = open ("/proc/self/fd", O_RDONLY | O_DIRECTORY);

  if (dir_fd >= 0)

    {

      /* buf needs to be aligned correctly to receive linux_dirent64.

       * C11 has _Alignof for this purpose, but for now a

       * union serves the same purpose. */

      union

      {

        char buf[4096];

        struct linux_dirent64 alignment;

      } u;

      int pos, nread;

      struct linux_dirent64 *de;

      while ((nread = syscall (SYS_getdents64, dir_fd, u.buf, sizeof (u.buf))) > 0)

        {

          for (pos = 0; pos < nread; pos += de->d_reclen)

            {

              de = (struct linux_dirent64 *) (u.buf + pos);

              fd = filename_to_fd (de->d_name);

              if (fd < 0 || fd == dir_fd)

                  continue;

              if ((res = cb (data, fd)) != 0)

                  break;

            }

        }

      g_close (dir_fd, NULL);

      return res;

    }

  /* If /proc is not mounted or not accessible we fail here and rely on

   * safe_fdwalk_with_invalid_fds to fall back to the old

   * rlimit trick. */

#endif

#if defined(__sun__) && defined(F_PREVFD) && defined(F_NEXTFD)

/*

 * Solaris 11.4 has a signal-safe way which allows

 * us to find all file descriptors in a process.

 *

 * fcntl(fd, F_NEXTFD, maxfd)

 * - returns the first allocated file descriptor <= maxfd  > fd.

 *

 * fcntl(fd, F_PREVFD)

 * - return highest allocated file descriptor < fd.

 */

  gint open_max;

  gint fd;

  gint res = 0;

  open_max = fcntl (INT_MAX, F_PREVFD); /* find the maximum fd */

  if (open_max < 0) /* No open files */

    return 0;

  for (fd = -1; (fd = fcntl (fd, F_NEXTFD, open_max)) != -1; )

    if ((res = cb (data, fd)) != 0 || fd == open_max)

      break;

  return res;

#endif

  return safe_fdwalk_with_invalid_fds (cb, data);

#endif

}

/* This function is called between fork() and exec() and hence must be

 * async-signal-safe (see signal-safety(7)). */

static int

safe_fdwalk_with_invalid_fds (int (*cb)(void *data, int fd), void *data)

{

  /* Fallback implementation of fdwalk. It should be async-signal safe, but it

   * may be slow, especially on systems allowing very high number of open file

   * descriptors.

   */

  gint open_max = -1;

  gint fd;

  gint res = 0;

#if 0 && defined(HAVE_SYS_RESOURCE_H)

  struct rlimit rl;

  /* Use getrlimit() function provided by the system if it is known to be

   * async-signal safe.

   *

   * Currently there are no operating systems known to provide a safe

   * implementation, so this section is not used for now.

   */

  if (getrlimit (RLIMIT_NOFILE, &rl) == 0 && rl.rlim_max != RLIM_INFINITY)

    open_max = rl.rlim_max;

#endif

#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__APPLE__)

  /* Use sysconf() function provided by the system if it is known to be

   * async-signal safe.

   *

   * FreeBSD: sysconf() is included in the list of async-signal safe functions

   * found in https://man.freebsd.org/sigaction(2).

   *

   * OpenBSD: sysconf() is included in the list of async-signal safe functions

   * found in https://man.openbsd.org/sigaction.2.

   *

   * Apple: sysconf() is included in the list of async-signal safe functions

   * found in https://opensource.apple.com/source/xnu/xnu-517.12.7/bsd/man/man2/sigaction.2

   */

  if (open_max < 0)

    open_max = sysconf (_SC_OPEN_MAX);

#endif

  /* Hardcoded fallback: the default process hard limit in Linux as of 2020 */

  if (open_max < 0)

    open_max = 4096;

#if defined(__APPLE__) && defined(HAVE_LIBPROC_H)

  /* proc_pidinfo isn't documented as async-signal-safe but looking at the implementation

   * in the darwin tree here:

   *

   * https://opensource.apple.com/source/Libc/Libc-498/darwin/libproc.c.auto.html

   *

   * It's just a thin wrapper around a syscall, so it's probably okay.

   */

  {

    char buffer[4096 * PROC_PIDLISTFD_SIZE];

    ssize_t buffer_size;

    buffer_size = proc_pidinfo (getpid (), PROC_PIDLISTFDS, 0, buffer, sizeof (buffer));

    if (buffer_size > 0 &&

        sizeof (buffer) >= (size_t) buffer_size &&

        (buffer_size % PROC_PIDLISTFD_SIZE) == 0)

      {

        const struct proc_fdinfo *fd_info = (const struct proc_fdinfo *) buffer;

        size_t number_of_fds = (size_t) buffer_size / PROC_PIDLISTFD_SIZE;

        for (size_t i = 0; i < number_of_fds; i++)

          if ((res = cb (data, fd_info[i].proc_fd)) != 0)

            break;

        return res;

      }

  }

#endif

  for (fd = 0; fd < open_max; fd++)

      if ((res = cb (data, fd)) != 0)

          break;

  return res;

}

/**

 * g_fdwalk_set_cloexec:

 * @lowfd: Minimum fd to act on, which must be non-negative

 *

 * Mark every file descriptor equal to or greater than @lowfd to be closed

 * at the next `execve()` or similar, as if via the `FD_CLOEXEC` flag.

 *

 * Typically @lowfd will be 3, to leave standard input, standard output

 * and standard error open after exec.

 *

 * This is the same as Linux `close_range (lowfd, ~0U, CLOSE_RANGE_CLOEXEC)`,

 * but portable to other OSs and to older versions of Linux.

 *

 * This function is async-signal safe, making it safe to call from a

 * signal handler or a [callback@GLib.SpawnChildSetupFunc], as long as @lowfd is

 * non-negative.

 * See [`signal(7)`](man:signal(7)) and

 * [`signal-safety(7)`](man:signal-safety(7)) for more details.

 *

 * Returns: 0 on success, -1 with errno set on error

 * Since: 2.80

 */

int

g_fdwalk_set_cloexec (int lowfd)

{

  int ret;

  g_return_val_if_fail (lowfd >= 0, (errno = EINVAL, -1));

#if defined(HAVE_CLOSE_RANGE) && defined(CLOSE_RANGE_CLOEXEC)

  /* close_range() is available in Linux since kernel 5.9, and on FreeBSD at

   * around the same time. It was designed for use in async-signal-safe

   * situations: https://bugs.python.org/issue38061

   *

   * The `CLOSE_RANGE_CLOEXEC` flag was added in Linux 5.11, and is not yet

   * present in FreeBSD.

   *

   * Handle ENOSYS in case it’s supported in libc but not the kernel; if so,

   * fall back to safe_fdwalk(). Handle EINVAL in case `CLOSE_RANGE_CLOEXEC`

   * is not supported. */

  ret = close_range (lowfd, G_MAXUINT, CLOSE_RANGE_CLOEXEC);

  if (ret == 0 || !(errno == ENOSYS || errno == EINVAL))

    return ret;

#endif  /* HAVE_CLOSE_RANGE */

  ret = safe_fdwalk (set_cloexec, GINT_TO_POINTER (lowfd));

  return ret;

}

/**

 * g_closefrom:

 * @lowfd: Minimum fd to close, which must be non-negative

 *

 * Close every file descriptor equal to or greater than @lowfd.

 *

 * Typically @lowfd will be 3, to leave standard input, standard output

 * and standard error open.

 *

 * This is the same as Linux `close_range (lowfd, ~0U, 0)`,

 * but portable to other OSs and to older versions of Linux.

 * Equivalently, it is the same as BSD `closefrom (lowfd)`, but portable,

 * and async-signal-safe on all OSs.

 *

 * This function is async-signal safe, making it safe to call from a

 * signal handler or a [callback@GLib.SpawnChildSetupFunc], as long as @lowfd is

 * non-negative.

 * See [`signal(7)`](man:signal(7)) and

 * [`signal-safety(7)`](man:signal-safety(7)) for more details.

 *

 * Returns: 0 on success, -1 with errno set on error

 * Since: 2.80

 */

int

g_closefrom (int lowfd)

{

  int ret;

  g_return_val_if_fail (lowfd >= 0, (errno = EINVAL, -1));

#if defined(HAVE_CLOSE_RANGE)

  /* close_range() is available in Linux since kernel 5.9, and on FreeBSD at

   * around the same time. It was designed for use in async-signal-safe

   * situations: https://bugs.python.org/issue38061

   *

   * Handle ENOSYS in case it’s supported in libc but not the kernel; if so,

   * fall back to safe_fdwalk(). */

  ret = close_range (lowfd, G_MAXUINT, 0);

  if (ret == 0 || errno != ENOSYS)

    return ret;

#endif  /* HAVE_CLOSE_RANGE */

#if defined(__FreeBSD__) || defined(__OpenBSD__) || \

  (defined(__sun__) && defined(F_CLOSEFROM))

  /* Use closefrom function provided by the system if it is known to be

   * async-signal safe.

   *

   * FreeBSD: closefrom is included in the list of async-signal safe functions

   * found in https://man.freebsd.org/sigaction(2).

   *

   * OpenBSD: closefrom is not included in the list, but a direct system call

   * should be safe to use.

   *

   * In Solaris as of 11.3 SRU 31, closefrom() is also a direct system call.

   * On such systems, F_CLOSEFROM is defined.

   */

  (void) closefrom (lowfd);

  return 0;

#elif defined(__DragonFly__)

  /* It is unclear whether closefrom function included in DragonFlyBSD libc_r

   * is safe to use because it calls a lot of library functions. It is also

   * unclear whether libc_r itself is still being used. Therefore, we do a

   * direct system call here ourselves to avoid possible issues.

   */

  (void) syscall (SYS_closefrom, lowfd);

  return 0;

#elif defined(F_CLOSEM)

  /* NetBSD and AIX have a special fcntl command which does the same thing as

   * closefrom. NetBSD also includes closefrom function, which seems to be a

   * simple wrapper of the fcntl command.

   */

  return fcntl (lowfd, F_CLOSEM);

#else

  ret = safe_fdwalk (close_func_with_invalid_fds, GINT_TO_POINTER (lowfd));

  return ret;

#endif

}