From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id B50855A004F for ; Wed, 07 Aug 2024 10:51:44 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202312; t=1723020695; bh=URwkwwFhNecQZXTXbU52stQ3XOFeRXP+j4KvD4Z5KGM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=KF9RL3IdBxJPOGjbbElg9+lVcTnlwZ77Gvlbwo6Gz+0ZeXs+HxJIFQRpbY+0l3QDd aIWHWxBPaX9aAPSJF8xLdzLDpvpKvctNZr6ZZVKVZOtd+ViAd6CLH81xCrwq3v9qSm p4EnXG8JTqAEY95C8x1B/p9WwKPTfYzQM0kYVIvXKSIb69yW03DUAocnsAEwlvDfQD didclgrkFulPcTVaSeKBnl4CXLw+axtAkYDCEAHYXXmy6kohj3P23Pmv8OgiMbvh3x xLTSiC2rCzmQ9dl3E9wl9b+27YZWFy2dGIWWK+8ER+UaHSVu5h/DIvoUd4VedqVq3n 8LKQN3HpQemRQ== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4Wf3nM54gsz4wcl; Wed, 7 Aug 2024 18:51:35 +1000 (AEST) Date: Wed, 7 Aug 2024 18:51:29 +1000 From: David Gibson To: Stefano Brivio Subject: Re: [PATCH v2] passt, util: Close any open file that the parent might have leaked Message-ID: References: <20240807082745.1939437-1-sbrivio@redhat.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="QBwcBO6M05PL2A59" Content-Disposition: inline In-Reply-To: <20240807082745.1939437-1-sbrivio@redhat.com> Message-ID-Hash: ZC7S7WPYPJUGR5KBPALKDLKHY4UM7GCD X-Message-ID-Hash: ZC7S7WPYPJUGR5KBPALKDLKHY4UM7GCD X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, Paul Holzinger X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --QBwcBO6M05PL2A59 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Aug 07, 2024 at 10:27:45AM +0200, Stefano Brivio wrote: > If a parent accidentally or due to implementation reasons leaks any > open file, we don't want to have access to them, except for the file > passed via --fd, if any. >=20 > This is the case for Podman when Podman's parent leaks files into > Podman: it's not practical for Podman to close unrelated files before > starting pasta, as reported by Paul. >=20 > Use close_range(2) to close all open files except for standard streams > and the one from --fd. >=20 > Given that parts of conf() depend on other files to be already opened, > such as the epoll file descriptor, we can't easily defer this to a > more convenient point, where --fd was already parsed. Introduce a > minimal, duplicate version of --fd parsing to keep this simple. >=20 > Suggested-by: Paul Holzinger > Signed-off-by: Stefano Brivio Reviewed-by: David Gibson > --- > v2: Move call to close_open_files() to isolate_initial() >=20 > conf.c | 1 + > isolation.c | 12 +++++++++--- > isolation.h | 2 +- > passt.c | 2 +- > util.c | 36 ++++++++++++++++++++++++++++++++++++ > util.h | 1 + > 6 files changed, 49 insertions(+), 5 deletions(-) >=20 > diff --git a/conf.c b/conf.c > index 14d8ece..89f5b3d 100644 > --- a/conf.c > +++ b/conf.c > @@ -1260,6 +1260,7 @@ void conf(struct ctx *c, int argc, char **argv) > c->tcp.fwd_in.mode =3D c->tcp.fwd_out.mode =3D FWD_UNSET; > c->udp.fwd_in.mode =3D c->udp.fwd_out.mode =3D FWD_UNSET; > =20 > + optind =3D 1; > do { > name =3D getopt_long(argc, argv, optstring, options, NULL); > =20 > diff --git a/isolation.c b/isolation.c > index 4956d7e..45fba1e 100644 > --- a/isolation.c > +++ b/isolation.c > @@ -29,7 +29,8 @@ > * > * Executed immediately after startup, drops capabilities we don't > * need at any point during execution (or which we gain back when we > - * need by joining other namespaces). > + * need by joining other namespaces), and closes any leaked file we > + * might have inherited from the parent process. > * > * 2. isolate_user() > * =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > @@ -166,14 +167,17 @@ static void clamp_caps(void) > } > =20 > /** > - * isolate_initial() - Early, config independent self isolation > + * isolate_initial() - Early, mostly config independent self isolation > + * @argc: Argument count > + * @argv: Command line options: only --fd (if present) is relevant here > * > * Should: > * - drop unneeded capabilities > + * - close all open files except for standard streams and the one from = --fd > * Musn't: > * - remove filesytem access (we need to access files during setup) > */ > -void isolate_initial(void) > +void isolate_initial(int argc, char **argv) > { > uint64_t keep; > =20 > @@ -207,6 +211,8 @@ void isolate_initial(void) > keep |=3D BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE); > =20 > drop_caps_ep_except(keep); > + > + close_open_files(argc, argv); > } > =20 > /** > diff --git a/isolation.h b/isolation.h > index 846b2af..80bb68d 100644 > --- a/isolation.h > +++ b/isolation.h > @@ -7,7 +7,7 @@ > #ifndef ISOLATION_H > #define ISOLATION_H > =20 > -void isolate_initial(void); > +void isolate_initial(int argc, char **argv); > void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *use= rns, > enum passt_modes mode); > int isolate_prefork(const struct ctx *c); > diff --git a/passt.c b/passt.c > index ea5bece..4b3c306 100644 > --- a/passt.c > +++ b/passt.c > @@ -211,7 +211,7 @@ int main(int argc, char **argv) > =20 > arch_avx2_exec(argv); > =20 > - isolate_initial(); > + isolate_initial(argc, argv); > =20 > c.pasta_netns_fd =3D c.fd_tap =3D c.pidfile_fd =3D -1; > =20 > diff --git a/util.c b/util.c > index 07fb21c..bd65b5a 100644 > --- a/util.c > +++ b/util.c > @@ -26,6 +26,7 @@ > #include > #include > #include > +#include > =20 > #include "util.h" > #include "iov.h" > @@ -694,3 +695,38 @@ const char *str_ee_origin(const struct sock_extended= _err *ee) > =20 > return ""; > } > + > +/** > + * close_open_files() - Close leaked files, but not --fd, stdin, stdout,= stderr > + * @argc: Argument count > + * @argv: Command line options, as we need to skip any file given via --= fd > + */ > +void close_open_files(int argc, char **argv) > +{ > + const struct option optfd[] =3D { { "fd", required_argument, NULL, 'F' = }, > + { 0 }, > + }; > + long fd =3D -1; > + int name; > + > + do { > + name =3D getopt_long(argc, argv, ":F", optfd, NULL); > + > + if (name =3D=3D 'F') { > + errno =3D 0; > + fd =3D strtol(optarg, NULL, 0); > + > + if (fd < 0 || errno) > + die("Invalid --fd: %s", optarg); > + } > + } while (name !=3D -1); > + > + if (fd =3D=3D -1) { > + if (close_range(3, ~0U, CLOSE_RANGE_UNSHARE)) > + die_perror("Failed to close files leaked by parent"); > + } else { > + if (close_range(3, fd - 1, CLOSE_RANGE_UNSHARE) || > + close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE)) > + die_perror("Failed to close files leaked by parent"); > + } > +} > diff --git a/util.h b/util.h > index 83d2b53..cb4d181 100644 > --- a/util.h > +++ b/util.h > @@ -183,6 +183,7 @@ int __daemon(int pidfile_fd, int devnull_fd); > int fls(unsigned long x); > int write_file(const char *path, const char *buf); > int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size= _t skip); > +void close_open_files(int argc, char **argv); > =20 > /** > * af_name() - Return name of an address family --=20 David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson --QBwcBO6M05PL2A59 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmazNY0ACgkQzQJF27ox 2Gc+3xAAkNs0e7zkJ9aqgLnDVkNA5BCuA2gvN7AQ5SV7SeO7al9c/bUZ/3bQXDaH KYYIfhFLg6SBwIgiaMwYLp0PyWSCnjm5+CCErh2//RvUf7hI/bU7qw1OnaMKq651 ObtEDW0oTcTSV3wAieVDeJd32Gr66rugol3XefiPoacrwmaESh38SvZXO8hrzJFf 4ueIW0zjJdO9QA/7//0svrzAdz3GCtw5jfGxd7CueODEEFeUJ6KPHVwSVpcuJHZ/ cHQOC91yU5Fm8rcufZVJrYrQpeCH3aqPdPupMsGWmDo9twCKGCjiCZ1we/NSihh7 PEhS/roC+OFCANYEYTH8s6NxWDjSXNfOLi4rG1SnHBX1vRqFzfCF7EnDor4w6ycv dJV0Omxxfc4kJBFPV8SCYw9WFDZmwv2upfd7DIUTyGnQ3lQKWzBipqVMSLDJIcIY WXb3kJTDpzYHSmELj7b2azQPieVYXuqVZTAYofzwQhWPRgQpeTL0vfettBj4uKIe PXEk3bwaQSiuTIGXMwK2AVeh2/AQwMAm0sABQhgN2mjhX7q1URyHVT6/d3WTyiw8 NSYu2MNjSAN1Gk8EOGgcF8dVciNZSMLOGgXEcNy8nL6jyUe2y6itnRuWR6D6lEw+ VI+3Gwk/2OmelQpndQBXossK951RN0iTP9iSJPWRymkUFdWysNU= =ASeN -----END PGP SIGNATURE----- --QBwcBO6M05PL2A59--