From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: passt.top; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=jH9T4kk4; dkim-atps=neutral Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by passt.top (Postfix) with ESMTPS id EC5F45A0262 for ; Thu, 16 Jul 2026 09:22:35 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1784186554; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=frQn0LrB0ydUPrsa0dgzOGguq4HhJQoNov0smIt77hs=; b=jH9T4kk4ZFyfOdH6IkAqG6PFiOiLaHkJnqp5vP3ESLT/GePadkjHL3p9nnWM5YtbjoIEh8 svMA1RKMlkJvDodBzkKuxcZ0QxcWb6I0VFQ45eiZONKxlwiUG/tk4zl0zL7L/fT1v4/pUK X8R2Ug3C+JkL4Mcl17+3q0Sgs9Aqef0= Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com [209.85.221.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-642-5Tl2p_efPGmd35NjLTG__Q-1; Thu, 16 Jul 2026 03:22:33 -0400 X-MC-Unique: 5Tl2p_efPGmd35NjLTG__Q-1 X-Mimecast-MFC-AGG-ID: 5Tl2p_efPGmd35NjLTG__Q_1784186552 Received: by mail-wr1-f69.google.com with SMTP id ffacd0b85a97d-475e540a0ffso3635041f8f.3 for ; Thu, 16 Jul 2026 00:22:33 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1784186552; x=1784791352; h=date:content-transfer-encoding:content-type:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to:content-type; bh=frQn0LrB0ydUPrsa0dgzOGguq4HhJQoNov0smIt77hs=; b=O3qyo38u0uNljxv/dKvTZOfXBy6eYeM/Hbq5C+EEjCX0S6Kx85sFFoQ/KhkJ9bN4TU ItSlFPaYaxMaFKWR8kIH4SmSGb2bPzGPV0hVs5dEbIz/Ob4W+G7znJLfggSkmokK0g0E gPzhcx5BhtuTAENdx8vzDSSPG3JRuixoCLh/bPqpBuWZ7ZN9s1wo7YUah7H7/j2JOeEI X1QpE3BHMIO0pPn83BXbz1sHQ217wIZYaT152gG7bd5rBIcFSy23Lqa1Pf8fCvy8KoeN lxIdCghCm1hm9EcQoeFGNX5a6WxexKwnZtCrJV/35U5VkfbU9qWoLJWWFliawPDIuRTw gGnw== X-Gm-Message-State: AOJu0YzskxNYNZ3DWBM+wVJMyM9Rl0fllC0wzDibEMcA73ZpGGIUSXHs qECmwF97eSwYLTnGMYWcNsSwKYB4ODdmHpSBlK9WFLnn3RvXjP28mgnexmlgp6uSYiuKv0qPbzj 5Q54RBkmk0txu72gysIPN2wXHJhrvx2scCRMCvOurM69bqFdUuHn8ss3yNFEHDA== X-Gm-Gg: AfdE7cl/9zk5CHu3LFXUXeyIOwNuHa3EZ3LKaVp23CufGELR8PVxp41NXCBBIvuSCpp BgXY/OJmw+hUCzupMYxUyHl67a+iX7sWri7NZcfRfKeIN9Nx6L3O9neERghShwAC8YE0yfNHNI4 5ActB2/5MUUpz5wrayc4WzAO5XEhGgcecD1/wXTcsx47od8V96UbJnMSEOncI0hq5Bhzgwlxo+t uw/KgNbSVGz98B2gyOHjXNgYu1F/6ldHuCXr3oPAHZvoyiVSFaRdingAKxP/afBz6ueXLRcEcZS NExK1CH96yji8XH4HkPLpRea7QgvA6eSk+1+NawHXq5OFToMIwuYZj7ykuwCBSe1eMyWhdXuZek lUgUu3/iQcgqLghURJUNuosZ5bar+ X-Received: by 2002:a05:6000:25fc:b0:47d:e548:9b2 with SMTP id ffacd0b85a97d-47f488995a8mr11351811f8f.2.1784186552067; Thu, 16 Jul 2026 00:22:32 -0700 (PDT) X-Received: by 2002:a05:6000:25fc:b0:47d:e548:9b2 with SMTP id ffacd0b85a97d-47f488995a8mr11351749f8f.2.1784186551344; Thu, 16 Jul 2026 00:22:31 -0700 (PDT) Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-47f464bbb0esm22639976f8f.28.2026.07.16.00.22.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Jul 2026 00:22:30 -0700 (PDT) From: Stefano Brivio To: David Gibson Subject: Re: [PATCH 0/6] Fix bug 215 and some related issues with fd handling Message-ID: <20260716092228.698aa80e@elisabeth> In-Reply-To: References: <20260714092926.2881848-1-david@gibson.dropbear.id.au> <20260715183946.6121580a@elisabeth> Organization: Red Hat X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu) MIME-Version: 1.0 Date: Thu, 16 Jul 2026 09:22:30 +0200 (CEST) X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: pQxksdvfdJMAVttiEvWXQRlcLixbZi5MOhMcNv0SWi8_1784186552 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-ID-Hash: B3O6C466FTWD563PKLTO447HN4RC73PS X-Message-ID-Hash: B3O6C466FTWD563PKLTO447HN4RC73PS X-MailFrom: sbrivio@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Thu, 16 Jul 2026 15:25:08 +1000 David Gibson wrote: > On Wed, Jul 15, 2026 at 06:39:47PM +0200, Stefano Brivio wrote: > > On Tue, 14 Jul 2026 19:29:20 +1000 > > David Gibson wrote: > > > > > Stefano, you called it correctly. While working on bug 215, as usual, > > > I found a bunch of adjacent things to clean up. > > > > So, I finally finished reviewing the series. > > > > Other than 1/6 and 2/6 on which I already commented (long story short, > > I think we should avoid 1/6, and about 2/6, it would be nice to parse -F > > just once in general but I think we shouldn't "force" it like that... > > maybe just parse / get it outside conf()?), > > Hm, I'm not entirely sure of the distinction you're drawing between > the two cases. > > > I don't see any substantial > > issue with the other patches, but I have some general comments about the > > approach. > > > > As a detail, though, I would recommend Cc'ing everybody who might be > > interested or affected by this (reporter of bug #215, Rich as he fixed > > the original https://github.com/libguestfs/libguestfs/issues/360, and > > Alyssa as author of aa1cc8922867 ("conf: allow --fd 0"). > > Ah, good point, I'll do that for the next spin. > > > > I did start by attempting the appoach you suggested for bug 215 - > > > remembering which of the low fds were standard streams and avoiding > > > closing them in __daemon(). It is indeed shorter, but only by 1-2 > > > lines. Looking at possible interactions with other things, I became > > > more and more convinced that leaving anything other than the standard > > > streams in fds 0-2 was an accident waiting to happen. > > > > It did actually happen, see c66f0341d94d ("log: Don't report syslog > > failures to stderr after initialisation"). I didn't consider that, > > and it's indeed a strong argument in favour of this approach. > > > > I still have some remarks and doubts about it though: > > > > 1. we might have users passing a given file descriptor with the > > expectation that it won't change its number as seen from procfs > > (and dup2() changes that, right?), even just for debugging, and 4/6 > > breaks that. It's not a very legitimate expectation maybe but it > > might be one, we simply don't know > > That... really seems like taking bug for bug compatibility too far to > me. > > > > > 2. the reason behind my proposal (check if file descriptors are open > > when we start and avoid closing them) was simplicity and avoiding > > the risk of a number of side effects (more below). > > > > Yes, it's just a bit shorter (depending on how we count), but this > > diff (build tested only) should be equivalent to patches 4/6 and 5/6, > > which look considerably more complicated to me (even though the > > simplification in close_open_files() is significant... but we could > > get the same outcome also with just 4/6): > > > > --- > > diff --git a/passt.c b/passt.c > > index 65a07d7..e2ea613 100644 > > --- a/passt.c > > +++ b/passt.c > > @@ -330,8 +330,9 @@ static void passt_worker(void *opaque, int nfds, struct epoll_event *events) > > int main(int argc, char **argv) > > { > > struct epoll_event events[NUM_EPOLL_EVENTS]; > > + bool close_low_fd[STDERR_FILENO + 1]; > > + int nfds, devnull_fd = -1, i; > > struct ctx *c = &passt_ctx; > > - int nfds, devnull_fd = -1; > > struct rlimit limit; > > struct timespec now; > > struct sigaction sa; > > @@ -339,6 +340,9 @@ int main(int argc, char **argv) > > if (clock_gettime(CLOCK_MONOTONIC, &log_start)) > > die_perror("Failed to get CLOCK_MONOTONIC time"); > > > > + for (i = STDIN_FILENO; i <= STDERR_FILENO; i++) > > + close_low_fd[i] = !fcntl(i, F_GETFD); > > Nit: needs to have a >= 0, F_GETFD returns flags, not 0 on success. > > > + > > arch_avx2_exec(argv); > > > > isolate_initial(argc, argv); > > @@ -419,7 +423,10 @@ int main(int argc, char **argv) > > die("Failed to sandbox process, exiting"); > > > > if (!c->foreground) { > > - __daemon(c->pidfile_fd, devnull_fd); > > + if (c->fd_tap != -1 && c->fd_tap < STDERR_FILENO) > > + close_low_fd[c->fd_tap] = false; > > + > > + __daemon(close_low_fd, c->pidfile_fd, devnull_fd); > > close(c->pidfile_fd); > > c->pidfile_fd = -1; > > log_stderr = false; > > diff --git a/util.c b/util.c > > index 4bc5d6f..57d42e1 100644 > > --- a/util.c > > +++ b/util.c > > @@ -501,13 +501,14 @@ int output_file_open(const char *path, int flags) > > > > /** > > * __daemon() - daemon()-like function writing PID file before parent exits > > + * @close_fd: Standard stream descriptors numbers to close > > * @pidfile_fd: Open PID file descriptor > > * @devnull_fd: Open file descriptor for /dev/null > > * > > * Return: 0 in the child process on success. The parent process exits. > > * Does not return in either process on failure (calls _exit). > > */ > > -int __daemon(int pidfile_fd, int devnull_fd) > > +int __daemon(bool close_fd[STDERR_FILENO + 1], int pidfile_fd, int devnull_fd) > > { > > pid_t pid = fork(); > > > > @@ -522,9 +523,9 @@ int __daemon(int pidfile_fd, int devnull_fd) > > } > > > > if (setsid() < 0 || > > - dup2(devnull_fd, STDIN_FILENO) < 0 || > > - dup2(devnull_fd, STDOUT_FILENO) < 0 || > > - dup2(devnull_fd, STDERR_FILENO) < 0 || > > + (close_fd[STDIN_FILENO] && dup2(devnull_fd, STDIN_FILENO) < 0) || > > + (close_fd[STDOUT_FILENO] && dup2(devnull_fd, STDOUT_FILENO) < 0) || > > + (close_fd[STDERR_FILENO] && dup2(devnull_fd, STDERR_FILENO) < 0) || > > close(devnull_fd)) > > passt_exit(EXIT_FAILURE); > > > > diff --git a/util.h b/util.h > > index 90e8a20..246ac67 100644 > > --- a/util.h > > +++ b/util.h > > @@ -160,7 +160,7 @@ bool ns_is_init(void); > > int open_in_ns(const struct ctx *c, const char *path, int flags); > > int output_file_open(const char *path, int flags); > > void pidfile_write(int fd, pid_t pid); > > -int __daemon(int pidfile_fd, int devnull_fd); > > +int __daemon(bool close_fd[STDERR_FILENO + 1], int pidfile_fd, int devnull_fd); > > int fls(unsigned long x); > > int ilog2(unsigned long x); > > int write_file(const char *path, const char *buf); > > --- > > Yes, that will do the job. I still think avoiding anything but the > standard streams in 0-2 is worthwhile. > > > 3. I have a generic worry that LSMs might get in the way. This would be solved > > by testing your series against current AppArmor and SELinux policies but I > > didn't get the chance yet (it would be nice if you could...) > > That seems really far-fetched to me. I assume you're meaning they > would block the dup2()? That would break nearly anything that spawns > child processes. No, not dup2() specifically. AppArmor and SELinux don't operate (in general) on specific system calls. I'm rather thinking of some issue manipulating file descriptors that correspond to console devices. For example, pasta's SELinux policy currently has: allow pasta_t console_device_t:chr_file { open write getattr ioctl }; allow pasta_t user_devpts_t:chr_file { getattr read write ioctl }; are those sufficient if we call dup2() on those? > > 4. if the concern is a misused fprintf() or printf(), shouldn't we prevent > > direct usage anyway with, say: > > > > #define printf(x) @ "Don't call printf() directly, use err() / warn() / debug() etc." > > > > and similar for fprintf(), that could only be called directly from > > FPRINTF() and wherever we really need it? At that point I'm not sure > > we would have any remaining concern about risks of using standard > > streams by mistake > > I guess. I feel like that's even uglier than what I've proposed. I was actually proposing to do that regardless of this series, it didn't really look ugly to me (we already do that for strerror() and I think it's quite convenient). > > 5. assuming we go with both 4/6 and 5/6: can we finally assume that sockets > > will never be numbered 0 and save a lot of initialisations to -1 and > > related checks, at that point? If we can achieve that as side effect, > > that would be another argument in favour of it in my eyes > > Huh, interesting, I guess it would allow that. > > > > > > Much of the > > > rest of the series is, for example, dealing with the possibility of > > > --fd [012]. > > > > ...well, yes, but the possibility of --fd [12] was introduced by the > > series itself. :) > > Well, true, but dealing with -fd [12] was basically free while dealing > with --fd 0. > > > Anyway, summing up my feedback, *maybe* other advantages outweigh 1. (I > > haven't checked what happens in procfs though), and once we check that > > 3. is not a problem, I'm fine with this approach (even though still a > > bit reluctant because we're adding substantial changes for a problem > > that doesn't even exist anymore as it's already fixed in libguestfs). > > Hm, ok. Well I have some ideas that might mitigate at least some of > your concerns, so I'll apply those, respin and see what you think. Sure. -- Stefano