public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed
From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top, Stefano Brivio <sbrivio@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH v2 2/6] isolation: Move close_open_files() to isolate_fds()
Date: Fri, 17 Jul 2026 15:46:30 +1000	[thread overview]
Message-ID: <20260717054634.1293553-3-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20260717054634.1293553-1-david@gibson.dropbear.id.au>

Most functions in util.c are, well, utilities, that are useful in a bunch
of places.  close_open_files(), however, is very specific, it's only called
from isolate_initial(), and performs a very specific step of our self
isolation.  So, it makes more sense as a function in isolate.c - move it
there and rename it to isolate_fds().

In addition, call it directly from main() rather than from
isolate_initial().  That's pretty arbitrary now, but will make some
subsequent changes easier.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 isolation.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++-------
 isolation.h |  3 ++-
 passt.c     |  3 ++-
 util.c      | 49 ---------------------------------------
 util.h      |  1 -
 5 files changed, 63 insertions(+), 60 deletions(-)

diff --git a/isolation.c b/isolation.c
index c868e668..ea85fdba 100644
--- a/isolation.c
+++ b/isolation.c
@@ -24,13 +24,18 @@
  * done anything we need to do with those resources, so we have
  * multiple stages of self-isolation.  In order these are:
  *
- * 1. isolate_initial()
+ * 1a. isolate_initial()
  * ====================
  *
  * Executed immediately after startup, drops capabilities we don't
  * need at any point during execution (or which we gain back when we
- * need by joining other namespaces), and closes any leaked file we
- * might have inherited from the parent process.
+ * need by joining other namespaces).
+ *
+ * 1b. isolate_fds()
+ * ================
+ *
+ * Executed immediately after isolate_initial().  Closes any leaked
+ * files we might have inherited from the parent process.
  *
  * 2. isolate_user()
  * =================
@@ -58,6 +63,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <getopt.h>
 #include <grp.h>
 #include <inttypes.h>
 #include <limits.h>
@@ -88,6 +94,7 @@
 #include "passt.h"
 #include "log.h"
 #include "isolation.h"
+#include "conf.h"
 
 #define CAP_VERSION	_LINUX_CAPABILITY_VERSION_3
 #define CAP_WORDS	_LINUX_CAPABILITY_U32S_3
@@ -193,16 +200,13 @@ static int move_root(void)
 
 /**
  * isolate_initial() - Early, mostly config independent self isolation
- * @argc:	Argument count
- * @argv:	Command line options: only --fd (if present) is relevant here
  *
  * Should:
  *  - drop unneeded capabilities
- *  - close all open files except for standard streams and the one from --fd
  * Mustn't:
  *  - remove filesystem access (we need to access files during setup)
  */
-void isolate_initial(int argc, char **argv)
+void isolate_initial(void)
 {
 	uint64_t keep;
 
@@ -243,8 +247,55 @@ void isolate_initial(int argc, char **argv)
 		keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);
 
 	drop_caps_ep_except(keep);
+}
+
+
+/*
+ * isolate_fds() - Close leaked files, but not --fd, stdin, stdout, stderr
+ * @argc:	Argument count
+ * @argv:	Command line options, as we need to skip any file given via --fd
+ *
+ * Should:
+ *  - close all open files except for standard streams and the one from --fd
+ */
+void isolate_fds(int argc, char **argv)
+{
+	const struct option optfd[] = { { "fd", required_argument, NULL, 'F' },
+					{ 0 }, };
+	long fd = -1;
+	int name, rc;
+
+	do {
+		name = getopt_long(argc, argv, "-:F:", optfd, NULL);
+
+		if (name == 'F')
+			fd = conf_tap_fd(optarg);
+	} while (name != -1);
+
+	if (fd == -1) {
+		rc = close_range(STDERR_FILENO + 1, ~0U, CLOSE_RANGE_UNSHARE);
+	} else if (fd == STDERR_FILENO + 1) { /* Still a single range */
+		rc = close_range(STDERR_FILENO + 2, ~0U, CLOSE_RANGE_UNSHARE);
+	} else {
+		rc = close_range(STDERR_FILENO + 1, fd - 1,
+				 CLOSE_RANGE_UNSHARE);
+		if (!rc)
+			rc = close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE);
+	}
 
-	close_open_files(argc, argv);
+	if (rc) {
+		if (errno == ENOSYS || errno == EINVAL) {
+			/* This probably means close_range() or the
+			 * CLOSE_RANGE_UNSHARE flag is not supported by the
+			 * kernel.  Not much we can do here except carry on and
+			 * hope for the best.
+			 */
+			warn(
+"Can't use close_range() to ensure no files leaked by parent");
+		} else {
+			die_perror("Failed to close files leaked by parent");
+		}
+	}
 }
 
 /**
diff --git a/isolation.h b/isolation.h
index 66b6968d..e1b1bc5d 100644
--- a/isolation.h
+++ b/isolation.h
@@ -10,7 +10,8 @@
 #include <stdbool.h>
 #include <unistd.h>
 
-void isolate_initial(int argc, char **argv);
+void isolate_initial(void);
+void isolate_fds(int argc, char **argv);
 void isolate_user(const struct ctx *c, uid_t uid, gid_t gid, bool use_userns,
 		  const char *userns);
 int isolate_prefork(const struct ctx *c);
diff --git a/passt.c b/passt.c
index cc847ec2..ce20cedb 100644
--- a/passt.c
+++ b/passt.c
@@ -341,7 +341,8 @@ int main(int argc, char **argv)
 
 	arch_avx2_exec(argv);
 
-	isolate_initial(argc, argv);
+	isolate_initial();
+	isolate_fds(argc, argv);
 
 	sigemptyset(&sa.sa_mask);
 	sa.sa_flags = 0;
diff --git a/util.c b/util.c
index 4bc5d6f8..ce5021a9 100644
--- a/util.c
+++ b/util.c
@@ -26,7 +26,6 @@
 #include <stdbool.h>
 #include <linux/errqueue.h>
 #include <linux/in6.h>
-#include <getopt.h>
 
 #include "linux_dep.h"
 #include "util.h"
@@ -38,7 +37,6 @@
 #include "epoll_ctl.h"
 #include "pasta.h"
 #include "serialise.h"
-#include "conf.h"
 #ifdef HAS_GETRANDOM
 #include <sys/random.h>
 #endif
@@ -924,53 +922,6 @@ const char *str_ee_origin(const struct sock_extended_err *ee)
 	return "<invalid>";
 }
 
-/**
- * close_open_files() - Close leaked files, but not --fd, stdin, stdout, stderr
- * @argc:	Argument count
- * @argv:	Command line options, as we need to skip any file given via --fd
- */
-void close_open_files(int argc, char **argv)
-{
-	const struct option optfd[] = { { "fd", required_argument, NULL, 'F' },
-					{ 0 },
-				      };
-	long fd = -1;
-	int name, rc;
-
-	do {
-		name = getopt_long(argc, argv, "-:F:", optfd, NULL);
-
-		if (name == 'F')
-			fd = conf_tap_fd(optarg);
-	} while (name != -1);
-
-	if (fd == -1) {
-		rc = close_range(STDERR_FILENO + 1, ~0U, CLOSE_RANGE_UNSHARE);
-	} else if (fd == STDERR_FILENO + 1) { /* Still a single range */
-		rc = close_range(STDERR_FILENO + 2, ~0U, CLOSE_RANGE_UNSHARE);
-	} else {
-		rc = close_range(STDERR_FILENO + 1, fd - 1,
-				 CLOSE_RANGE_UNSHARE);
-		if (!rc)
-			rc = close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE);
-	}
-
-	if (rc) {
-		if (errno == ENOSYS || errno == EINVAL) {
-			/* This probably means close_range() or the
-			 * CLOSE_RANGE_UNSHARE flag is not supported by the
-			 * kernel.  Not much we can do here except carry on and
-			 * hope for the best.
-			 */
-			warn(
-"Can't use close_range() to ensure no files leaked by parent");
-		} else {
-			die_perror("Failed to close files leaked by parent");
-		}
-	}
-
-}
-
 /**
  * snprintf_check() - snprintf() wrapper, checking for truncation and errors
  * @str:	Output buffer
diff --git a/util.h b/util.h
index 90e8a20d..2435f536 100644
--- a/util.h
+++ b/util.h
@@ -168,7 +168,6 @@ intmax_t read_file_integer(const char *path, intmax_t fallback);
 int write_remainder(int fd, const struct iovec *iov, size_t iovcnt,
 		    size_t skip, size_t length);
 int read_remainder(int fd, const struct iovec *iov, size_t cnt, size_t skip);
-void close_open_files(int argc, char **argv);
 bool snprintf_check(char *str, size_t size, const char *format, ...);
 long clamped_scale(long x, long y, long lo, long hi, long f);
 
-- 
2.55.0


  parent reply	other threads:[~2026-07-17  5:46 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-17  5:46 [PATCH v2 0/6] Fix bug 215 and some related issues with fd handling David Gibson
2026-07-17  5:46 ` [PATCH v2 1/6] passt: Always close pidfile_fd, not just when daemonizing David Gibson
2026-07-17  5:46 ` David Gibson [this message]
2026-07-17  5:46 ` [PATCH v2 3/6] isolation, conf: Set c->fd_tap from early parse of --fd David Gibson
2026-07-17  5:46 ` [PATCH v2 4/6] conf: Make conf_tap_fd() operate more like conf_mode() David Gibson
2026-07-17  5:46 ` [PATCH v2 5/6] isolation: Move --fd descriptor to a number of our choosing David Gibson
2026-07-17  5:46 ` [PATCH v2 6/6] main: Ensure fds 0-2 are populated David Gibson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260717054634.1293553-3-david@gibson.dropbear.id.au \
    --to=david@gibson.dropbear.id.au \
    --cc=passt-dev@passt.top \
    --cc=sbrivio@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).