From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202606 header.b=hBJuTFoO; dkim-atps=neutral Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id C1D655A0265 for ; Fri, 17 Jul 2026 07:46:40 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202606; t=1784267197; bh=g1uYQX5paaPE29SJDHdhDx5faGo+mxw9D8iPO4gxCm4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hBJuTFoOR9876/a48dstiszukn23kQKtDk1sLJshaCThhP6kEDHDMFTmeRfRprm6b jpHVlv2wjDjBZUn05ItF6GCFrJ4s1a8cTQ9pq7hYoNdk92RRZu1jZws5hO59hFiM6V Tsqql4kR2PF58z+xSZCm7oTPuPl70aFqN5va9/uyrXK+uDb2Rw6baIUCpxrVOLDBXy VJLrVblrEK9tKV+uOBc6IuOtoApSUoD5h40TtbWhoz+bk4uXphFIugxlrIRPn/d/mz CXljcImYEfqD7lzuliTCiqoDm95evaBUUf9qwZWAw2oKqV6wXlkz7xtD6zdA7jA7IG i20e8d2MmEg7A== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4h1f6j0J4Jz4w9h; Fri, 17 Jul 2026 15:46:37 +1000 (AEST) From: David Gibson To: passt-dev@passt.top, Stefano Brivio Subject: [PATCH v2 2/6] isolation: Move close_open_files() to isolate_fds() Date: Fri, 17 Jul 2026 15:46:30 +1000 Message-ID: <20260717054634.1293553-3-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260717054634.1293553-1-david@gibson.dropbear.id.au> References: <20260717054634.1293553-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: AIP2TLBPV4ORI2MKKG3OJPVM345XJP2R X-Message-ID-Hash: AIP2TLBPV4ORI2MKKG3OJPVM345XJP2R X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Most functions in util.c are, well, utilities, that are useful in a bunch of places. close_open_files(), however, is very specific, it's only called from isolate_initial(), and performs a very specific step of our self isolation. So, it makes more sense as a function in isolate.c - move it there and rename it to isolate_fds(). In addition, call it directly from main() rather than from isolate_initial(). That's pretty arbitrary now, but will make some subsequent changes easier. Signed-off-by: David Gibson --- isolation.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++------- isolation.h | 3 ++- passt.c | 3 ++- util.c | 49 --------------------------------------- util.h | 1 - 5 files changed, 63 insertions(+), 60 deletions(-) diff --git a/isolation.c b/isolation.c index c868e668..ea85fdba 100644 --- a/isolation.c +++ b/isolation.c @@ -24,13 +24,18 @@ * done anything we need to do with those resources, so we have * multiple stages of self-isolation. In order these are: * - * 1. isolate_initial() + * 1a. isolate_initial() * ==================== * * Executed immediately after startup, drops capabilities we don't * need at any point during execution (or which we gain back when we - * need by joining other namespaces), and closes any leaked file we - * might have inherited from the parent process. + * need by joining other namespaces). + * + * 1b. isolate_fds() + * ================ + * + * Executed immediately after isolate_initial(). Closes any leaked + * files we might have inherited from the parent process. * * 2. isolate_user() * ================= @@ -58,6 +63,7 @@ #include #include +#include #include #include #include @@ -88,6 +94,7 @@ #include "passt.h" #include "log.h" #include "isolation.h" +#include "conf.h" #define CAP_VERSION _LINUX_CAPABILITY_VERSION_3 #define CAP_WORDS _LINUX_CAPABILITY_U32S_3 @@ -193,16 +200,13 @@ static int move_root(void) /** * isolate_initial() - Early, mostly config independent self isolation - * @argc: Argument count - * @argv: Command line options: only --fd (if present) is relevant here * * Should: * - drop unneeded capabilities - * - close all open files except for standard streams and the one from --fd * Mustn't: * - remove filesystem access (we need to access files during setup) */ -void isolate_initial(int argc, char **argv) +void isolate_initial(void) { uint64_t keep; @@ -243,8 +247,55 @@ void isolate_initial(int argc, char **argv) keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE); drop_caps_ep_except(keep); +} + + +/* + * isolate_fds() - Close leaked files, but not --fd, stdin, stdout, stderr + * @argc: Argument count + * @argv: Command line options, as we need to skip any file given via --fd + * + * Should: + * - close all open files except for standard streams and the one from --fd + */ +void isolate_fds(int argc, char **argv) +{ + const struct option optfd[] = { { "fd", required_argument, NULL, 'F' }, + { 0 }, }; + long fd = -1; + int name, rc; + + do { + name = getopt_long(argc, argv, "-:F:", optfd, NULL); + + if (name == 'F') + fd = conf_tap_fd(optarg); + } while (name != -1); + + if (fd == -1) { + rc = close_range(STDERR_FILENO + 1, ~0U, CLOSE_RANGE_UNSHARE); + } else if (fd == STDERR_FILENO + 1) { /* Still a single range */ + rc = close_range(STDERR_FILENO + 2, ~0U, CLOSE_RANGE_UNSHARE); + } else { + rc = close_range(STDERR_FILENO + 1, fd - 1, + CLOSE_RANGE_UNSHARE); + if (!rc) + rc = close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE); + } - close_open_files(argc, argv); + if (rc) { + if (errno == ENOSYS || errno == EINVAL) { + /* This probably means close_range() or the + * CLOSE_RANGE_UNSHARE flag is not supported by the + * kernel. Not much we can do here except carry on and + * hope for the best. + */ + warn( +"Can't use close_range() to ensure no files leaked by parent"); + } else { + die_perror("Failed to close files leaked by parent"); + } + } } /** diff --git a/isolation.h b/isolation.h index 66b6968d..e1b1bc5d 100644 --- a/isolation.h +++ b/isolation.h @@ -10,7 +10,8 @@ #include #include -void isolate_initial(int argc, char **argv); +void isolate_initial(void); +void isolate_fds(int argc, char **argv); void isolate_user(const struct ctx *c, uid_t uid, gid_t gid, bool use_userns, const char *userns); int isolate_prefork(const struct ctx *c); diff --git a/passt.c b/passt.c index cc847ec2..ce20cedb 100644 --- a/passt.c +++ b/passt.c @@ -341,7 +341,8 @@ int main(int argc, char **argv) arch_avx2_exec(argv); - isolate_initial(argc, argv); + isolate_initial(); + isolate_fds(argc, argv); sigemptyset(&sa.sa_mask); sa.sa_flags = 0; diff --git a/util.c b/util.c index 4bc5d6f8..ce5021a9 100644 --- a/util.c +++ b/util.c @@ -26,7 +26,6 @@ #include #include #include -#include #include "linux_dep.h" #include "util.h" @@ -38,7 +37,6 @@ #include "epoll_ctl.h" #include "pasta.h" #include "serialise.h" -#include "conf.h" #ifdef HAS_GETRANDOM #include #endif @@ -924,53 +922,6 @@ const char *str_ee_origin(const struct sock_extended_err *ee) return ""; } -/** - * close_open_files() - Close leaked files, but not --fd, stdin, stdout, stderr - * @argc: Argument count - * @argv: Command line options, as we need to skip any file given via --fd - */ -void close_open_files(int argc, char **argv) -{ - const struct option optfd[] = { { "fd", required_argument, NULL, 'F' }, - { 0 }, - }; - long fd = -1; - int name, rc; - - do { - name = getopt_long(argc, argv, "-:F:", optfd, NULL); - - if (name == 'F') - fd = conf_tap_fd(optarg); - } while (name != -1); - - if (fd == -1) { - rc = close_range(STDERR_FILENO + 1, ~0U, CLOSE_RANGE_UNSHARE); - } else if (fd == STDERR_FILENO + 1) { /* Still a single range */ - rc = close_range(STDERR_FILENO + 2, ~0U, CLOSE_RANGE_UNSHARE); - } else { - rc = close_range(STDERR_FILENO + 1, fd - 1, - CLOSE_RANGE_UNSHARE); - if (!rc) - rc = close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE); - } - - if (rc) { - if (errno == ENOSYS || errno == EINVAL) { - /* This probably means close_range() or the - * CLOSE_RANGE_UNSHARE flag is not supported by the - * kernel. Not much we can do here except carry on and - * hope for the best. - */ - warn( -"Can't use close_range() to ensure no files leaked by parent"); - } else { - die_perror("Failed to close files leaked by parent"); - } - } - -} - /** * snprintf_check() - snprintf() wrapper, checking for truncation and errors * @str: Output buffer diff --git a/util.h b/util.h index 90e8a20d..2435f536 100644 --- a/util.h +++ b/util.h @@ -168,7 +168,6 @@ intmax_t read_file_integer(const char *path, intmax_t fallback); int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size_t skip, size_t length); int read_remainder(int fd, const struct iovec *iov, size_t cnt, size_t skip); -void close_open_files(int argc, char **argv); bool snprintf_check(char *str, size_t size, const char *format, ...); long clamped_scale(long x, long y, long lo, long hi, long f); -- 2.55.0