From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by passt.top (Postfix) with ESMTPS id D24CD5A031A for ; Wed, 07 Aug 2024 04:04:27 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202312; t=1722996251; bh=Uj8kVoODrH6uS6qgsVlLweX76aOq8/ycutTWZiEBqpw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Ls/9cxbhbaBNX0TRbi33HyVFRHakGQ7nvResGPS8uA6jSotw4kh+vav644GCGhn/p 1wK0Kzb9mdpOI4Q5CfNF168HG8WMshnY2HK202OQs6d1gHZRScOVoq3zFns60HIumk K6Vo2yTL33xTB1rTM/a69NH6L0QAQXVX6urIWkwjobFXuzR3vHn8LwxnuQm/bhj4Sh 9wp1pyFo4s7iWlny132swtVSgpfQlsdKSLksVCvqT8YgpY+neo0zDreeNJ60yAn8o1 WHH0x7rHNwpjC8Xg/Jg2gF2GHPQQscaQ4Qv+ClLvFUNyJNTJvZihcAd8PTLBGsaui0 KXjG0bEJt7QLA== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4WdtlH3mmtz4wbp; Wed, 7 Aug 2024 12:04:11 +1000 (AEST) Date: Wed, 7 Aug 2024 11:44:01 +1000 From: David Gibson To: Stefano Brivio Subject: Re: [PATCH] passt, util: Close any open file that the parent might have leaked Message-ID: References: <20240806183837.548257-1-sbrivio@redhat.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="fANVJn43QHOJKDQe" Content-Disposition: inline In-Reply-To: <20240806183837.548257-1-sbrivio@redhat.com> Message-ID-Hash: HDZG2NNY2U6LZYJG5OQSHXVACUGNKF2X X-Message-ID-Hash: HDZG2NNY2U6LZYJG5OQSHXVACUGNKF2X X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, Paul Holzinger X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --fANVJn43QHOJKDQe Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 06, 2024 at 08:38:37PM +0200, Stefano Brivio wrote: > If a parent accidentally or due to implementation reasons leaks any > open file, we don't want to have access to them, except for the file > passed via --fd, if any. >=20 > This is the case for Podman when Podman's parent leaks files into > Podman: it's not practical for Podman to close unrelated files before > starting pasta, as reported by Paul. >=20 > Use close_range(2) to close all open files except for standard streams > and the one from --fd. >=20 > Given that parts of conf() depend on other files to be already opened, > such as the epoll file descriptor, we can't easily defer this to a > more convenient point, where --fd was already parsed. Introduce a > minimal, duplicate version of --fd parsing to keep this simple. >=20 > Suggested-by: Paul Holzinger > Signed-off-by: Stefano Brivio > --- > conf.c | 1 + > passt.c | 2 ++ > util.c | 36 ++++++++++++++++++++++++++++++++++++ > util.h | 1 + > 4 files changed, 40 insertions(+) >=20 > diff --git a/conf.c b/conf.c > index 14d8ece..89f5b3d 100644 > --- a/conf.c > +++ b/conf.c > @@ -1260,6 +1260,7 @@ void conf(struct ctx *c, int argc, char **argv) > c->tcp.fwd_in.mode =3D c->tcp.fwd_out.mode =3D FWD_UNSET; > c->udp.fwd_in.mode =3D c->udp.fwd_out.mode =3D FWD_UNSET; > =20 > + optind =3D 1; > do { > name =3D getopt_long(argc, argv, optstring, options, NULL); > =20 > diff --git a/passt.c b/passt.c > index ea5bece..be7e84a 100644 > --- a/passt.c > +++ b/passt.c > @@ -211,6 +211,8 @@ int main(int argc, char **argv) > =20 > arch_avx2_exec(argv); > =20 > + close_open_files(argc, argv); Any reason not to fold this logic into isolate_initial()? Seems like it is part of self-isolation handling. Also, I think this could wait until after the existing isolate_initial() logic. Dropping caps before examining the command line seems like a sensible precaution. > isolate_initial(); > =20 > c.pasta_netns_fd =3D c.fd_tap =3D c.pidfile_fd =3D -1; > diff --git a/util.c b/util.c > index 54a9f58..ca627c6 100644 > --- a/util.c > +++ b/util.c > @@ -26,6 +26,7 @@ > #include > #include > #include > +#include > =20 > #include "util.h" > #include "iov.h" > @@ -694,3 +695,38 @@ const char *str_ee_origin(const struct sock_extended= _err *ee) > =20 > return ""; > } > + > +/** > + * close_open_files() - Close leaked files, but not --fd, stdin, stdout,= stderr > + * @argc: Argument count > + * @argv: Command line options, as we need to skip any file given via --= fd > + */ > +void close_open_files(int argc, char **argv) > +{ > + const struct option optfd[] =3D { { "fd", required_argument, NULL, 'F' = }, > + { 0 }, > + }; > + long fd =3D -1; > + int name; > + > + do { > + name =3D getopt_long(argc, argv, ":F", optfd, NULL); > + > + if (name =3D=3D 'F') { > + errno =3D 0; > + fd =3D strtol(optarg, NULL, 0); > + > + if (fd < 0 || errno) > + die("Invalid --fd: %s", optarg); > + } > + } while (name !=3D -1); > + > + if (fd =3D=3D -1) { > + if (close_range(3, ~0U, CLOSE_RANGE_UNSHARE)) It's weird that close_range() takes unsigneds, although fds are near-universally signed ints. > + die_perror("Failed to close files leaked by parent"); > + } else { > + if (close_range(3, fd - 1, CLOSE_RANGE_UNSHARE) || > + close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE)) > + die_perror("Failed to close files leaked by parent"); > + } > +} > diff --git a/util.h b/util.h > index e8bf957..ab11ee7 100644 > --- a/util.h > +++ b/util.h > @@ -183,6 +183,7 @@ int __daemon(int pidfile_fd, int devnull_fd); > int fls(unsigned long x); > int write_file(const char *path, const char *buf); > int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size= _t skip); > +void close_open_files(int argc, char **argv); > =20 > /** > * af_name() - Return name of an address family --=20 David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson --fANVJn43QHOJKDQe Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmay0WAACgkQzQJF27ox 2GfLCxAAiIWEtKUn3O+fgiAR2fkacEI40Y6VJ8fO2f3zDrJ33XqjnsBioNO9slB8 PLRtd3lUzsFbS1UQMN9+ObxeP/BOd97PftIVk+40T859qdGV8KvZVKYQzI2TNY9w yA9kuZqaZXEogaJhrlBIxUv475c4OwK6/c8ZxfWtmkZ9MOELFBgW/3RzZPmROUjk exwEgvAwaLEgUnESRWg4bS+WJw88OefuhKtuslmbAsTdcr5bEvePNf0x/iCA6kLZ qWYi4XH879nZa8696V3p+HNIgimsJjrU19PwHzMdVxMdsQ130T8tJzkpf+BXZO30 vmLsuPBJ3dstSaL0ACj01Mb6XVXnKmb0Noskbb8CNBmgfTxImgSdhvjq52sBvlBO syNwjqQGoBOi3k0cfJ2SYefPZ68pNOT4Gd8zjrbhW6WOV+J/4G2AMNqvuGDH7g0N Ho146fUU1m1WdZs91Jd1GY8Sim+UpRSW2x28wNyg6nqPGh6kS6FrJlhue6NbFtzH vPPydFItnrzx/Ms55PlxjKfzADbhfkBS9+DlFV9JdaH441Ot3X+nEJ87Ue6ZQh+l jrtdcGBldxWnZoadYoM9Jyx5Mxrofc7UY/HMC1FLUUWWZ722XVWWebyeNNnun0cj adMGv4UnskOvPaE9w8yCfUgzIqh2Rd10fkOrorlrRWP24WBIv4A= =FwVu -----END PGP SIGNATURE----- --fANVJn43QHOJKDQe--