From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by passt.top (Postfix) with ESMTP id 543C35A004F for ; Wed, 07 Aug 2024 11:34:40 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723023279; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Eh+MV8OAcZQV9FEfUdU2vvb/i06JXc0fHVgDWv/jl34=; b=eFjDmLCulc5tJ8HPE2SfSU3TQlAi7/yUA8Q3QPervyl3SF5qAUfjU2IY2vvD+Y6/Ysrns/ 64Oxu68N9DOzMTTN7mIIpH0aGAfthCSwNSsfdAn2/xS7toxyY/saoBXko/p61gQL5gvZih GUOvZpTtsGUjv2zOWx9XM4B9y9omF2o= Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com [209.85.128.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-509-d3C_SnysMvuAXv4wV2jEuA-1; Wed, 07 Aug 2024 05:34:37 -0400 X-MC-Unique: d3C_SnysMvuAXv4wV2jEuA-1 Received: by mail-wm1-f69.google.com with SMTP id 5b1f17b1804b1-4280c0b3017so11444105e9.1 for ; Wed, 07 Aug 2024 02:34:37 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723023276; x=1723628076; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Eh+MV8OAcZQV9FEfUdU2vvb/i06JXc0fHVgDWv/jl34=; b=px/VcP1lxUjLIQU7W0PTsMJSx5CyjAyptnxcAzuCaYGRsn+NqBgJDIk0aWbja+pIGn ksg1cjhZHcV6FkEiQG9+crHum+YUIhNlBlcUcPIEotgDb8CZFbsjYkpr/qzTH2jrEbT4 wuFabBZUAcG17RF9kzK9TEsWQP7TaNl7XVDXxso2a1VZXklRK05x+AjjAzd0Qi3OyPVO H8eHs8cmkdLoAEUuza/I1lqR6Z1NVHjKS108fhkRDHdGDAs6pn543f0i7yLsPDVsLhbj Dn1NmpEAED59M9OZjnWLqql1f5lm0ixzY+GbVrib5b743/wS4b5eZGI7yfeul0dgzYb1 TUog== X-Forwarded-Encrypted: i=1; AJvYcCW5VsUFP78/PXb0emBKg6mwiRJX6Tt9CKvaS4SxxEydXOrLvs4vgM4fymwtuApFKfYHxGeMNgeYPwybh4jUO5eyLC9P X-Gm-Message-State: AOJu0Yyz1ZO0Q9fN8RxNN66yoC2f/FWd4UpLko+FX8lLyTZ8J4bMXhhG 9qHaMMSWQG2mQPb82a7+Wym8vEHy26YlIckaFQwvzcD9v8mGYEkrs9PJ2QBt/ySHXEhl9x+Lui7 HQfVb/QI7ACIPNPtPWtUJzN0jbpwlhtioV63JeIr/tseR9kl+Pw== X-Received: by 2002:a05:600c:4fc3:b0:426:627e:37af with SMTP id 5b1f17b1804b1-428ec6bf40bmr93167815e9.3.1723023276478; Wed, 07 Aug 2024 02:34:36 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEymc7sPOGT83vvw8p5gIjB9piETeMayHMclhqnX/1wZtXXFUBDl61ITJl9nJsuHCcnKn3k9A== X-Received: by 2002:a05:600c:4fc3:b0:426:627e:37af with SMTP id 5b1f17b1804b1-428ec6bf40bmr93167625e9.3.1723023275839; Wed, 07 Aug 2024 02:34:35 -0700 (PDT) Received: from [192.168.188.25] ([80.243.52.136]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429059623besm19350365e9.2.2024.08.07.02.34.35 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 07 Aug 2024 02:34:35 -0700 (PDT) Message-ID: <59e8daad-cd5a-4723-8ae8-807b72ec10c2@redhat.com> Date: Wed, 7 Aug 2024 11:34:34 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v2] passt, util: Close any open file that the parent might have leaked To: Stefano Brivio , passt-dev@passt.top References: <20240807082745.1939437-1-sbrivio@redhat.com> From: Paul Holzinger In-Reply-To: <20240807082745.1939437-1-sbrivio@redhat.com> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Message-ID-Hash: CY4V4GDWZO7DGWXH45BPDVJ57T2R6475 X-Message-ID-Hash: CY4V4GDWZO7DGWXH45BPDVJ57T2R6475 X-MailFrom: pholzing@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On 07/08/2024 10:27, Stefano Brivio wrote: > If a parent accidentally or due to implementation reasons leaks any > open file, we don't want to have access to them, except for the file > passed via --fd, if any. > > This is the case for Podman when Podman's parent leaks files into > Podman: it's not practical for Podman to close unrelated files before > starting pasta, as reported by Paul. > > Use close_range(2) to close all open files except for standard streams > and the one from --fd. > > Given that parts of conf() depend on other files to be already opened, > such as the epoll file descriptor, we can't easily defer this to a > more convenient point, where --fd was already parsed. Introduce a > minimal, duplicate version of --fd parsing to keep this simple. > > Suggested-by: Paul Holzinger > Signed-off-by: Stefano Brivio > --- > v2: Move call to close_open_files() to isolate_initial() > > conf.c | 1 + > isolation.c | 12 +++++++++--- > isolation.h | 2 +- > passt.c | 2 +- > util.c | 36 ++++++++++++++++++++++++++++++++++++ > util.h | 1 + > 6 files changed, 49 insertions(+), 5 deletions(-) > > diff --git a/conf.c b/conf.c > index 14d8ece..89f5b3d 100644 > --- a/conf.c > +++ b/conf.c > @@ -1260,6 +1260,7 @@ void conf(struct ctx *c, int argc, char **argv) > c->tcp.fwd_in.mode = c->tcp.fwd_out.mode = FWD_UNSET; > c->udp.fwd_in.mode = c->udp.fwd_out.mode = FWD_UNSET; > > + optind = 1; > do { > name = getopt_long(argc, argv, optstring, options, NULL); > > diff --git a/isolation.c b/isolation.c > index 4956d7e..45fba1e 100644 > --- a/isolation.c > +++ b/isolation.c > @@ -29,7 +29,8 @@ > * > * Executed immediately after startup, drops capabilities we don't > * need at any point during execution (or which we gain back when we > - * need by joining other namespaces). > + * need by joining other namespaces), and closes any leaked file we > + * might have inherited from the parent process. > * > * 2. isolate_user() > * ================= > @@ -166,14 +167,17 @@ static void clamp_caps(void) > } > > /** > - * isolate_initial() - Early, config independent self isolation > + * isolate_initial() - Early, mostly config independent self isolation > + * @argc: Argument count > + * @argv: Command line options: only --fd (if present) is relevant here > * > * Should: > * - drop unneeded capabilities > + * - close all open files except for standard streams and the one from --fd > * Musn't: > * - remove filesytem access (we need to access files during setup) > */ > -void isolate_initial(void) > +void isolate_initial(int argc, char **argv) > { > uint64_t keep; > > @@ -207,6 +211,8 @@ void isolate_initial(void) > keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE); > > drop_caps_ep_except(keep); > + > + close_open_files(argc, argv); > } > > /** > diff --git a/isolation.h b/isolation.h > index 846b2af..80bb68d 100644 > --- a/isolation.h > +++ b/isolation.h > @@ -7,7 +7,7 @@ > #ifndef ISOLATION_H > #define ISOLATION_H > > -void isolate_initial(void); > +void isolate_initial(int argc, char **argv); > void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns, > enum passt_modes mode); > int isolate_prefork(const struct ctx *c); > diff --git a/passt.c b/passt.c > index ea5bece..4b3c306 100644 > --- a/passt.c > +++ b/passt.c > @@ -211,7 +211,7 @@ int main(int argc, char **argv) > > arch_avx2_exec(argv); > > - isolate_initial(); > + isolate_initial(argc, argv); > > c.pasta_netns_fd = c.fd_tap = c.pidfile_fd = -1; > > diff --git a/util.c b/util.c > index 07fb21c..bd65b5a 100644 > --- a/util.c > +++ b/util.c > @@ -26,6 +26,7 @@ > #include > #include > #include > +#include > > #include "util.h" > #include "iov.h" > @@ -694,3 +695,38 @@ const char *str_ee_origin(const struct sock_extended_err *ee) > > return ""; > } > + > +/** > + * close_open_files() - Close leaked files, but not --fd, stdin, stdout, stderr > + * @argc: Argument count > + * @argv: Command line options, as we need to skip any file given via --fd > + */ > +void close_open_files(int argc, char **argv) > +{ > + const struct option optfd[] = { { "fd", required_argument, NULL, 'F' }, > + { 0 }, > + }; > + long fd = -1; > + int name; > + > + do { > + name = getopt_long(argc, argv, ":F", optfd, NULL); > + > + if (name == 'F') { > + errno = 0; > + fd = strtol(optarg, NULL, 0); > + > + if (fd < 0 || errno) > + die("Invalid --fd: %s", optarg); > + } > + } while (name != -1); > + > + if (fd == -1) { > + if (close_range(3, ~0U, CLOSE_RANGE_UNSHARE)) > + die_perror("Failed to close files leaked by parent"); > + } else { > + if (close_range(3, fd - 1, CLOSE_RANGE_UNSHARE) || > + close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE)) > + die_perror("Failed to close files leaked by parent"); This will fail for fd == 3 as the first range is 3 - 2 in that case which causes EINVAL which could be a common choice for the extra passed fd. On the other end of the range it is the same issue, you seem to parse the fd as long so allows values > 4294967295 which then overflows when passed to close_range as uint which causes issues and even allows us to close stderr streams. Less likely that users would pass such a number but no reason to allow it in the first place. $ strace -e close_range ./pasta --config-net --fd 4294967296 echo test close_range(3, 4294967295, CLOSE_RANGE_UNSHARE) = 0 close_range(1, 4294967295, CLOSE_RANGE_UNSHARE) = 0 > + } > +} > diff --git a/util.h b/util.h > index 83d2b53..cb4d181 100644 > --- a/util.h > +++ b/util.h > @@ -183,6 +183,7 @@ int __daemon(int pidfile_fd, int devnull_fd); > int fls(unsigned long x); > int write_file(const char *path, const char *buf); > int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size_t skip); > +void close_open_files(int argc, char **argv); > > /** > * af_name() - Return name of an address family -- Paul Holzinger