public inbox for passt-dev@passt.top
* [PATCH] pasta: do not leak netlink sock into child
@ 2023-02-07 15:10 Paul Holzinger
  2023-02-08 13:00 ` Stefano Brivio
  2023-02-13  1:15 ` Stefano Brivio
  0 siblings, 2 replies; 3+ messages in thread
From: Paul Holzinger @ 2023-02-07 15:10 UTC (permalink / raw)
  To: passt-dev; +Cc: Paul Holzinger

When spawning a child command with pasta command... pasta should not
leak fds that it opened. Only the fds that were already open should be
given to the child.

Run `pasta --config-net -- ls -l /proc/self/fd` from a terminal where
only stdin/out/err are open. The fd 3 was opened by ls to read the
/proc/self/fd dir. But fd 5 is the netlink socket that was opened in
pasta. To prevent such a leak we will open the socket with SOCK_CLOEXEC.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 netlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/netlink.c b/netlink.c
index 0850cbe..b8fa2a0 100644
--- a/netlink.c
+++ b/netlink.c
@@ -56,8 +56,8 @@ static int nl_sock_init_do(void *arg)
 	if (arg)
 		ns_enter((struct ctx *)arg);
 
-	if (((*s) = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0 ||
-	    bind(*s, (struct sockaddr *)&addr, sizeof(addr))) {
+	*s = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
+	if (*s < 0 || bind(*s, (struct sockaddr *)&addr, sizeof(addr))) {
 		*s = -1;
 		return 0;
 	}
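Review bot: the error path still leaks a descriptor when socket() succeeds but bind() fails: `*s = -1;` overwrites the fd without closing it, so the unbound netlink socket stays open for the life of the process (now at least not inherited across exec, thanks to SOCK_CLOEXEC). Since the assignment and the check are being split anyway, consider `if (*s >= 0) close(*s);` before `*s = -1;`. Setting the flag in the socket() call rather than with a later fcntl(F_SETFD, FD_CLOEXEC) is the right choice: the flag is applied atomically at creation, so there is no window in which a concurrent fork+exec could still inherit the descriptor.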
-- 
2.39.1
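An added example (not part of the patch or of pasta's own code; assumes Linux and glibc) showing what the hunk above changes: it opens a NETLINK_ROUTE socket both with and without SOCK_CLOEXEC, reports with fcntl(F_GETFD) whether a descriptor would be inherited by an exec'd child such as the `ls -l /proc/self/fd` in the commit message, and closes the socket if bind() fails. The names nl_open, fd_is_cloexec and count_inherited_fds are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Open and bind a NETLINK_ROUTE socket, with or without SOCK_CLOEXEC.
 * Unlike the patched pasta code, a bind() failure closes the socket
 * instead of only forgetting the descriptor. Returns the fd or -1. */
int nl_open(int cloexec)
{
	struct sockaddr_nl addr = { .nl_family = AF_NETLINK };
	int type = SOCK_RAW | (cloexec ? SOCK_CLOEXEC : 0);
	int s = socket(AF_NETLINK, type, NETLINK_ROUTE);

	if (s < 0)
		return -1;
	if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
		close(s);
		return -1;
	}
	return s;
}

/* 1 if fd is closed on execve(), 0 if a child command would inherit it,
 * -1 if fd is not open (hypothetical helper). */
int fd_is_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);

	if (flags < 0)
		return -1;
	return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Number of descriptors below 'limit' that would survive an exec: what
 * `ls -l /proc/self/fd` run as a child would list, minus its own fd. */
int count_inherited_fds(int limit)
{
	int fd, n = 0;

	for (fd = 0; fd < limit; fd++)
		if (fd_is_cloexec(fd) == 0)
			n++;
	return n;
}
```

A plain SOCK_RAW socket raises the inherited count by one; the SOCK_CLOEXEC one does not, which is exactly the difference the patch makes for the spawned command.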



* Re: [PATCH] pasta: do not leak netlink sock into child
  2023-02-07 15:10 [PATCH] pasta: do not leak netlink sock into child Paul Holzinger
@ 2023-02-08 13:00 ` Stefano Brivio
  2023-02-13  1:15 ` Stefano Brivio
  1 sibling, 0 replies; 3+ messages in thread
From: Stefano Brivio @ 2023-02-08 13:00 UTC (permalink / raw)
  To: Paul Holzinger; +Cc: passt-dev

On Tue,  7 Feb 2023 16:10:46 +0100
Paul Holzinger <pholzing@redhat.com> wrote:

> When spawning a child command with pasta command... pasta should not
> leak fds that it opened. Only the fds that were already open should be
> given to the child.
> 
> Run `pasta --config-net -- ls -l /proc/self/fd` from a terminal where
> only stdin/out/err are open. The fd 3 was opened by ls to read the
> /proc/self/fd dir. But fd 5 is the netlink socket that was opened in
> pasta. To prevent such a leak we will open the socket with SOCK_CLOEXEC.
> 
> Signed-off-by: Paul Holzinger <pholzing@redhat.com>

Thanks for the patch, and welcome to the git log!

I'll push this out in a bit (still sorting some unrelated test failures
first).

-- 
Stefano



* Re: [PATCH] pasta: do not leak netlink sock into child
  2023-02-07 15:10 [PATCH] pasta: do not leak netlink sock into child Paul Holzinger
  2023-02-08 13:00 ` Stefano Brivio
@ 2023-02-13  1:15 ` Stefano Brivio
  1 sibling, 0 replies; 3+ messages in thread
From: Stefano Brivio @ 2023-02-13  1:15 UTC (permalink / raw)
  To: Paul Holzinger; +Cc: passt-dev

On Tue,  7 Feb 2023 16:10:46 +0100
Paul Holzinger <pholzing@redhat.com> wrote:

> When spawning a child command with pasta command... pasta should not
> leak fds that it opened. Only the fds that were already open should be
> given to the child.
> 
> Run `pasta --config-net -- ls -l /proc/self/fd` from a terminal where
> only stdin/out/err are open. The fd 3 was opened by ls to read the
> /proc/self/fd dir. But fd 5 is the netlink socket that was opened in
> pasta. To prevent such a leak we will open the socket with SOCK_CLOEXEC.
> 
> Signed-off-by: Paul Holzinger <pholzing@redhat.com>

Applied.

-- 
Stefano


Code repositories for project(s) associated with this public inbox

	https://passt.top/passt