diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2024-08-06 20:32:11 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2024-08-08 21:31:25 +0200 |
commit | 09603cab28f9883baf1d7b48bdc102d6641dc300 (patch) | |
tree | 3ff30ff534d70179735e8f39354db6e418cb4cf0 /util.c | |
parent | 755f9fd91125c65361c81d8aa9e8af2cfd7adc6d (diff) | |
download | passt-09603cab28f9883baf1d7b48bdc102d6641dc300.tar passt-09603cab28f9883baf1d7b48bdc102d6641dc300.tar.gz passt-09603cab28f9883baf1d7b48bdc102d6641dc300.tar.bz2 passt-09603cab28f9883baf1d7b48bdc102d6641dc300.tar.lz passt-09603cab28f9883baf1d7b48bdc102d6641dc300.tar.xz passt-09603cab28f9883baf1d7b48bdc102d6641dc300.tar.zst passt-09603cab28f9883baf1d7b48bdc102d6641dc300.zip |
passt, util: Close any open file that the parent might have leaked
If a parent accidentally or due to implementation reasons leaks any
open file, we don't want to have access to them, except for the file
passed via --fd, if any.
This is the case for Podman when Podman's parent leaks files into
Podman: it's not practical for Podman to close unrelated files before
starting pasta, as reported by Paul.
Use close_range(2) to close all open files except for standard streams
and the one from --fd.
Given that parts of conf() depend on other files to be already opened,
such as the epoll file descriptor, we can't easily defer this to a
more convenient point, where --fd was already parsed. Introduce a
minimal, duplicate version of --fd parsing to keep this simple.
As we need to check that the passed --fd option doesn't exceed
INT_MAX, because we'll parse it with strtol() but file descriptor
indices are signed ints (regardless of the arguments close_range()
take), extend the existing check in the actual --fd parsing in conf(),
also rejecting file descriptors numbers that match standard streams,
while at it.
Suggested-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Paul Holzinger <pholzing@redhat.com>
Diffstat (limited to 'util.c')
-rw-r--r-- | util.c | 41 |
1 files changed, 41 insertions, 0 deletions
@@ -26,6 +26,7 @@ #include <errno.h> #include <stdbool.h> #include <linux/errqueue.h> +#include <getopt.h> #include "util.h" #include "iov.h" @@ -694,3 +695,43 @@ const char *str_ee_origin(const struct sock_extended_err *ee) return "<invalid>"; } + +/** + * close_open_files() - Close leaked files, but not --fd, stdin, stdout, stderr + * @argc: Argument count + * @argv: Command line options, as we need to skip any file given via --fd + */ +void close_open_files(int argc, char **argv) +{ + const struct option optfd[] = { { "fd", required_argument, NULL, 'F' }, + { 0 }, + }; + long fd = -1; + int name, rc; + + do { + name = getopt_long(argc, argv, ":F", optfd, NULL); + + if (name == 'F') { + errno = 0; + fd = strtol(optarg, NULL, 0); + + if (errno || fd <= STDERR_FILENO || fd > INT_MAX) + die("Invalid --fd: %s", optarg); + } + } while (name != -1); + + if (fd == -1) { + rc = close_range(STDERR_FILENO + 1, ~0U, CLOSE_RANGE_UNSHARE); + } else if (fd == STDERR_FILENO + 1) { /* Still a single range */ + rc = close_range(STDERR_FILENO + 2, ~0U, CLOSE_RANGE_UNSHARE); + } else { + rc = close_range(STDERR_FILENO + 1, fd - 1, + CLOSE_RANGE_UNSHARE); + if (!rc) + rc = close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE); + } + + if (rc) + die_perror("Failed to close files leaked by parent"); +} |