From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by passt.top (Postfix) with ESMTP id DBD755A004F for ; Wed, 07 Aug 2024 13:26:41 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723030000; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zcE1Y/w91u/6VD6KIUBXTkZvWe0mNGvi3e6hZp2pbek=; b=iG0fk+himDrH3B9mMTHTmayNex4F9pLt9VTZF9tAronPOnEB3zhVKLUT61YOVr+/ZqY+pE 9KM58Rm1xA7qkBx1NYbHfaJTisBm4hAjKBc8t0ndS+idCCWEprP9Iawmze5u7iM7xS/SKJ 6V0iGJBz4znEXnBsy6Zm8EhTNqayB30= Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-138-avclIafBOYmd3EjqUzu8fg-1; Wed, 07 Aug 2024 07:26:39 -0400 X-MC-Unique: avclIafBOYmd3EjqUzu8fg-1 Received: by mail-ed1-f70.google.com with SMTP id 4fb4d7f45d1cf-5a49935bda6so1288794a12.1 for ; Wed, 07 Aug 2024 04:26:38 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723029998; x=1723634798; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=zcE1Y/w91u/6VD6KIUBXTkZvWe0mNGvi3e6hZp2pbek=; b=jSa5aD57JrFbCSAzbOZ4t15SU4HCTthh1HRl47Y9Ef2Oh5DaNAFdAzK+uQsdb/QZrd Zo0k+m/WUlGP0NmF+EvFQdtJfxHPH/vpRq1Wv/SBMbP2A0EVhimmNoSfq5M8SvpvlLxo y1sYmmZZc9bweXmNazOnNFL+14BkxFcN0zEKMEazfnrSBr+Tu+3AOxG+A00L0I8UarYg +y6cU5VQhZR/GhAu3iQVItSI7m+TDOGBcsi1hZV/pInuBp5xrCRFNqhSjLWZpLPwL5Z4 0ZmyKFVgtrnNUAoVXxYy8P/rp8djRyou+tkfu5Mbvax1ka8YeRvt0+ohwKcHuZKPLreT Ptow== X-Forwarded-Encrypted: i=1; AJvYcCXKVpdJ7XnyvlzMJOx4klo8HnU9vE+irMzefaAoho6oAUcz+DcKS/uncsrDIm1RnnjdYYDHK+Ujgus4bI1RmGgqq/Tq X-Gm-Message-State: AOJu0YwjVja9fWNNozEiWhW/21+Wpc+Ve0hxuwMssL+64uvBJJo0zvCS HQsl+KzLIXbxK1EMqFREQS6dCb9pQBB+uzMCmnrTl6a2HCKvnpl96XylRj0WDg4OYoVNZPLyb6q oc0iATsZtINBQQ2Zchd+HdQXa9v3IgeyoXRluJPEUlnIDIJnxKQ== X-Received: by 2002:a05:6402:542:b0:5a2:37e0:1e88 with SMTP id 4fb4d7f45d1cf-5b7f39e0ac1mr12268784a12.9.1723029997814; Wed, 07 Aug 2024 04:26:37 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFeeUXAzg+I2+ZQN6Bd09nyLfDupRHK4TpMzteK2kqb2/u/yJZMd3RP/R4GL0eaXAEBsPLDoA== X-Received: by 2002:a05:6402:542:b0:5a2:37e0:1e88 with SMTP id 4fb4d7f45d1cf-5b7f39e0ac1mr12268668a12.9.1723029993441; Wed, 07 Aug 2024 04:26:33 -0700 (PDT) Received: from [192.168.188.25] ([80.243.52.133]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5b83a140f13sm7003550a12.43.2024.08.07.04.26.32 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 07 Aug 2024 04:26:33 -0700 (PDT) Message-ID: <138d459e-e805-4cc8-9a6e-f4bdcb4347d3@redhat.com> Date: Wed, 7 Aug 2024 13:26:32 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3] passt, util: Close any open file that the parent might have leaked To: Stefano Brivio , passt-dev@passt.top References: <20240807111100.2086825-1-sbrivio@redhat.com> From: Paul Holzinger In-Reply-To: <20240807111100.2086825-1-sbrivio@redhat.com> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Message-ID-Hash: 2F4TF5IUUYOPDFIONCP3HCNKHIB5X273 X-Message-ID-Hash: 2F4TF5IUUYOPDFIONCP3HCNKHIB5X273 X-MailFrom: pholzing@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On 07/08/2024 13:11, Stefano Brivio wrote: > If a parent accidentally or due to implementation reasons leaks any > open file, we don't want to have access to them, except for the file > passed via --fd, if any. > > This is the case for Podman when Podman's parent leaks files into > Podman: it's not practical for Podman to close unrelated files before > starting pasta, as reported by Paul. > > Use close_range(2) to close all open files except for standard streams > and the one from --fd. > > Given that parts of conf() depend on other files to be already opened, > such as the epoll file descriptor, we can't easily defer this to a > more convenient point, where --fd was already parsed. Introduce a > minimal, duplicate version of --fd parsing to keep this simple. > > As we need to check that the passed --fd option doesn't exceed > INT_MAX, because we'll parse it with strtol() but file descriptor > indices are signed ints (regardless of the arguments close_range() > take), extend the existing check in the actual --fd parsing in conf(), > while at it. > > Suggested-by: Paul Holzinger > Signed-off-by: Stefano Brivio > --- > v3: Handle --fd 3 case, and don't overflow if the --fd number exceeds > UINT_MAX: add an explicit check to ensure it's less than INT_MAX > > v2: Move call to close_open_files() to isolate_initial() > > conf.c | 3 ++- > isolation.c | 12 +++++++++--- > isolation.h | 2 +- > passt.c | 2 +- > util.c | 38 ++++++++++++++++++++++++++++++++++++++ > util.h | 1 + > 6 files changed, 52 insertions(+), 6 deletions(-) > > diff --git a/conf.c b/conf.c > index 14d8ece..5422813 100644 > --- a/conf.c > +++ b/conf.c > @@ -1260,6 +1260,7 @@ void conf(struct ctx *c, int argc, char **argv) > c->tcp.fwd_in.mode = c->tcp.fwd_out.mode = FWD_UNSET; > c->udp.fwd_in.mode = c->udp.fwd_out.mode = FWD_UNSET; > > + optind = 1; > do { > name = getopt_long(argc, argv, optstring, options, NULL); > > @@ -1426,7 +1427,7 @@ void conf(struct ctx *c, int argc, char **argv) > errno = 0; > c->fd_tap = strtol(optarg, NULL, 0); > > - if (c->fd_tap < 0 || errno) > + if (c->fd_tap < 0 || errno || c->fd_tap > INT_MAX) > die("Invalid --fd: %s", optarg); > > c->one_off = true; > diff --git a/isolation.c b/isolation.c > index 4956d7e..45fba1e 100644 > --- a/isolation.c > +++ b/isolation.c > @@ -29,7 +29,8 @@ > * > * Executed immediately after startup, drops capabilities we don't > * need at any point during execution (or which we gain back when we > - * need by joining other namespaces). > + * need by joining other namespaces), and closes any leaked file we > + * might have inherited from the parent process. > * > * 2. isolate_user() > * ================= > @@ -166,14 +167,17 @@ static void clamp_caps(void) > } > > /** > - * isolate_initial() - Early, config independent self isolation > + * isolate_initial() - Early, mostly config independent self isolation > + * @argc: Argument count > + * @argv: Command line options: only --fd (if present) is relevant here > * > * Should: > * - drop unneeded capabilities > + * - close all open files except for standard streams and the one from --fd > * Musn't: > * - remove filesytem access (we need to access files during setup) > */ > -void isolate_initial(void) > +void isolate_initial(int argc, char **argv) > { > uint64_t keep; > > @@ -207,6 +211,8 @@ void isolate_initial(void) > keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE); > > drop_caps_ep_except(keep); > + > + close_open_files(argc, argv); > } > > /** > diff --git a/isolation.h b/isolation.h > index 846b2af..80bb68d 100644 > --- a/isolation.h > +++ b/isolation.h > @@ -7,7 +7,7 @@ > #ifndef ISOLATION_H > #define ISOLATION_H > > -void isolate_initial(void); > +void isolate_initial(int argc, char **argv); > void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns, > enum passt_modes mode); > int isolate_prefork(const struct ctx *c); > diff --git a/passt.c b/passt.c > index ea5bece..4b3c306 100644 > --- a/passt.c > +++ b/passt.c > @@ -211,7 +211,7 @@ int main(int argc, char **argv) > > arch_avx2_exec(argv); > > - isolate_initial(); > + isolate_initial(argc, argv); > > c.pasta_netns_fd = c.fd_tap = c.pidfile_fd = -1; > > diff --git a/util.c b/util.c > index 07fb21c..9c6be6a 100644 > --- a/util.c > +++ b/util.c > @@ -26,6 +26,7 @@ > #include > #include > #include > +#include > > #include "util.h" > #include "iov.h" > @@ -694,3 +695,40 @@ const char *str_ee_origin(const struct sock_extended_err *ee) > > return ""; > } > + > +/** > + * close_open_files() - Close leaked files, but not --fd, stdin, stdout, stderr > + * @argc: Argument count > + * @argv: Command line options, as we need to skip any file given via --fd > + */ > +void close_open_files(int argc, char **argv) > +{ > + const struct option optfd[] = { { "fd", required_argument, NULL, 'F' }, > + { 0 }, > + }; > + long fd = -1; > + int name; > + > + do { > + name = getopt_long(argc, argv, ":F", optfd, NULL); > + > + if (name == 'F') { > + errno = 0; > + fd = strtol(optarg, NULL, 0); > + > + if (fd < 0 || errno || fd > INT_MAX) > + die("Invalid --fd: %s", optarg); > + } > + } while (name != -1); > + > + if (fd == -1 || fd == 3) { > + unsigned int first = (fd == 3) ? 4 : 3; > + > + if (close_range(first, ~0U, CLOSE_RANGE_UNSHARE)) > + die_perror("Failed to close files leaked by parent"); > + } else { > + if (close_range(3, fd - 1, CLOSE_RANGE_UNSHARE) || > + close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE)) > + die_perror("Failed to close files leaked by parent"); > + } Sorry that I didn't mentioned this before but doesn't this still fail when given fd 0, 1 or 2? I guess it should check if (fd < 3) in the die(Invalid --fd) case, unless someone sees a reason to allow passing the fd on stdio fds? > +} > diff --git a/util.h b/util.h > index 83d2b53..cb4d181 100644 > --- a/util.h > +++ b/util.h > @@ -183,6 +183,7 @@ int __daemon(int pidfile_fd, int devnull_fd); > int fls(unsigned long x); > int write_file(const char *path, const char *buf); > int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size_t skip); > +void close_open_files(int argc, char **argv); > > /** > * af_name() - Return name of an address family -- Paul Holzinger