From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])
	by passt.top (Postfix) with ESMTPS id B50855A004F
	for <passt-dev@passt.top>; Wed, 07 Aug 2024 10:51:44 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202312; t=1723020695;
	bh=URwkwwFhNecQZXTXbU52stQ3XOFeRXP+j4KvD4Z5KGM=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=KF9RL3IdBxJPOGjbbElg9+lVcTnlwZ77Gvlbwo6Gz+0ZeXs+HxJIFQRpbY+0l3QDd
	 aIWHWxBPaX9aAPSJF8xLdzLDpvpKvctNZr6ZZVKVZOtd+ViAd6CLH81xCrwq3v9qSm
	 p4EnXG8JTqAEY95C8x1B/p9WwKPTfYzQM0kYVIvXKSIb69yW03DUAocnsAEwlvDfQD
	 didclgrkFulPcTVaSeKBnl4CXLw+axtAkYDCEAHYXXmy6kohj3P23Pmv8OgiMbvh3x
	 xLTSiC2rCzmQ9dl3E9wl9b+27YZWFy2dGIWWK+8ER+UaHSVu5h/DIvoUd4VedqVq3n
	 8LKQN3HpQemRQ==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4Wf3nM54gsz4wcl; Wed,  7 Aug 2024 18:51:35 +1000 (AEST)
Date: Wed, 7 Aug 2024 18:51:29 +1000
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: Re: [PATCH v2] passt, util: Close any open file that the parent
 might have leaked
Message-ID: <ZrM1kbROKSyAqbRj@zatzit.fritz.box>
References: <20240807082745.1939437-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="QBwcBO6M05PL2A59"
Content-Disposition: inline
In-Reply-To: <20240807082745.1939437-1-sbrivio@redhat.com>
Message-ID-Hash: ZC7S7WPYPJUGR5KBPALKDLKHY4UM7GCD
X-Message-ID-Hash: ZC7S7WPYPJUGR5KBPALKDLKHY4UM7GCD
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Paul Holzinger <pholzing@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/ZrM1kbROKSyAqbRj@zatzit.fritz.box/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/ZC7S7WPYPJUGR5KBPALKDLKHY4UM7GCD/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--QBwcBO6M05PL2A59
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 07, 2024 at 10:27:45AM +0200, Stefano Brivio wrote:
> If a parent accidentally or due to implementation reasons leaks any
> open file, we don't want to have access to them, except for the file
> passed via --fd, if any.
>=20
> This is the case for Podman when Podman's parent leaks files into
> Podman: it's not practical for Podman to close unrelated files before
> starting pasta, as reported by Paul.
>=20
> Use close_range(2) to close all open files except for standard streams
> and the one from --fd.
>=20
> Given that parts of conf() depend on other files to be already opened,
> such as the epoll file descriptor, we can't easily defer this to a
> more convenient point, where --fd was already parsed. Introduce a
> minimal, duplicate version of --fd parsing to keep this simple.
>=20
> Suggested-by: Paul Holzinger <pholzing@redhat.com>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Reviewed-by: David Gibson <david@gibson.dropbear.id.au>

> ---
> v2: Move call to close_open_files() to isolate_initial()
>=20
>  conf.c      |  1 +
>  isolation.c | 12 +++++++++---
>  isolation.h |  2 +-
>  passt.c     |  2 +-
>  util.c      | 36 ++++++++++++++++++++++++++++++++++++
>  util.h      |  1 +
>  6 files changed, 49 insertions(+), 5 deletions(-)
>=20
> diff --git a/conf.c b/conf.c
> index 14d8ece..89f5b3d 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -1260,6 +1260,7 @@ void conf(struct ctx *c, int argc, char **argv)
>  	c->tcp.fwd_in.mode =3D c->tcp.fwd_out.mode =3D FWD_UNSET;
>  	c->udp.fwd_in.mode =3D c->udp.fwd_out.mode =3D FWD_UNSET;
> =20
> +	optind =3D 1;
>  	do {
>  		name =3D getopt_long(argc, argv, optstring, options, NULL);
> =20
> diff --git a/isolation.c b/isolation.c
> index 4956d7e..45fba1e 100644
> --- a/isolation.c
> +++ b/isolation.c
> @@ -29,7 +29,8 @@
>   *
>   * Executed immediately after startup, drops capabilities we don't
>   * need at any point during execution (or which we gain back when we
> - * need by joining other namespaces).
> + * need by joining other namespaces), and closes any leaked file we
> + * might have inherited from the parent process.
>   *
>   * 2. isolate_user()
>   * =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> @@ -166,14 +167,17 @@ static void clamp_caps(void)
>  }
> =20
>  /**
> - * isolate_initial() - Early, config independent self isolation
> + * isolate_initial() - Early, mostly config independent self isolation
> + * @argc:	Argument count
> + * @argv:	Command line options: only --fd (if present) is relevant here
>   *
>   * Should:
>   *  - drop unneeded capabilities
> + *  - close all open files except for standard streams and the one from =
--fd
>   * Musn't:
>   *  - remove filesytem access (we need to access files during setup)
>   */
> -void isolate_initial(void)
> +void isolate_initial(int argc, char **argv)
>  {
>  	uint64_t keep;
> =20
> @@ -207,6 +211,8 @@ void isolate_initial(void)
>  		keep |=3D BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);
> =20
>  	drop_caps_ep_except(keep);
> +
> +	close_open_files(argc, argv);
>  }
> =20
>  /**
> diff --git a/isolation.h b/isolation.h
> index 846b2af..80bb68d 100644
> --- a/isolation.h
> +++ b/isolation.h
> @@ -7,7 +7,7 @@
>  #ifndef ISOLATION_H
>  #define ISOLATION_H
> =20
> -void isolate_initial(void);
> +void isolate_initial(int argc, char **argv);
>  void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *use=
rns,
>  		  enum passt_modes mode);
>  int isolate_prefork(const struct ctx *c);
> diff --git a/passt.c b/passt.c
> index ea5bece..4b3c306 100644
> --- a/passt.c
> +++ b/passt.c
> @@ -211,7 +211,7 @@ int main(int argc, char **argv)
> =20
>  	arch_avx2_exec(argv);
> =20
> -	isolate_initial();
> +	isolate_initial(argc, argv);
> =20
>  	c.pasta_netns_fd =3D c.fd_tap =3D c.pidfile_fd =3D -1;
> =20
> diff --git a/util.c b/util.c
> index 07fb21c..bd65b5a 100644
> --- a/util.c
> +++ b/util.c
> @@ -26,6 +26,7 @@
>  #include <errno.h>
>  #include <stdbool.h>
>  #include <linux/errqueue.h>
> +#include <getopt.h>
> =20
>  #include "util.h"
>  #include "iov.h"
> @@ -694,3 +695,38 @@ const char *str_ee_origin(const struct sock_extended=
_err *ee)
> =20
>  	return "<invalid>";
>  }
> +
> +/**
> + * close_open_files() - Close leaked files, but not --fd, stdin, stdout,=
 stderr
> + * @argc:	Argument count
> + * @argv:	Command line options, as we need to skip any file given via --=
fd
> + */
> +void close_open_files(int argc, char **argv)
> +{
> +	const struct option optfd[] =3D { { "fd", required_argument, NULL, 'F' =
},
> +					{ 0 },
> +				      };
> +	long fd =3D -1;
> +	int name;
> +
> +	do {
> +		name =3D getopt_long(argc, argv, ":F", optfd, NULL);
> +
> +		if (name =3D=3D 'F') {
> +			errno =3D 0;
> +			fd =3D strtol(optarg, NULL, 0);
> +
> +			if (fd < 0 || errno)
> +				die("Invalid --fd: %s", optarg);
> +		}
> +	} while (name !=3D -1);
> +
> +	if (fd =3D=3D -1) {
> +		if (close_range(3,	~0U,	CLOSE_RANGE_UNSHARE))
> +			die_perror("Failed to close files leaked by parent");
> +	} else {
> +		if (close_range(3,	fd - 1,	CLOSE_RANGE_UNSHARE) ||
> +		    close_range(fd + 1,	~0U,	CLOSE_RANGE_UNSHARE))
> +			die_perror("Failed to close files leaked by parent");
> +	}
> +}
> diff --git a/util.h b/util.h
> index 83d2b53..cb4d181 100644
> --- a/util.h
> +++ b/util.h
> @@ -183,6 +183,7 @@ int __daemon(int pidfile_fd, int devnull_fd);
>  int fls(unsigned long x);
>  int write_file(const char *path, const char *buf);
>  int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size=
_t skip);
> +void close_open_files(int argc, char **argv);
> =20
>  /**
>   * af_name() - Return name of an address family

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--QBwcBO6M05PL2A59
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmazNY0ACgkQzQJF27ox
2Gc+3xAAkNs0e7zkJ9aqgLnDVkNA5BCuA2gvN7AQ5SV7SeO7al9c/bUZ/3bQXDaH
KYYIfhFLg6SBwIgiaMwYLp0PyWSCnjm5+CCErh2//RvUf7hI/bU7qw1OnaMKq651
ObtEDW0oTcTSV3wAieVDeJd32Gr66rugol3XefiPoacrwmaESh38SvZXO8hrzJFf
4ueIW0zjJdO9QA/7//0svrzAdz3GCtw5jfGxd7CueODEEFeUJ6KPHVwSVpcuJHZ/
cHQOC91yU5Fm8rcufZVJrYrQpeCH3aqPdPupMsGWmDo9twCKGCjiCZ1we/NSihh7
PEhS/roC+OFCANYEYTH8s6NxWDjSXNfOLi4rG1SnHBX1vRqFzfCF7EnDor4w6ycv
dJV0Omxxfc4kJBFPV8SCYw9WFDZmwv2upfd7DIUTyGnQ3lQKWzBipqVMSLDJIcIY
WXb3kJTDpzYHSmELj7b2azQPieVYXuqVZTAYofzwQhWPRgQpeTL0vfettBj4uKIe
PXEk3bwaQSiuTIGXMwK2AVeh2/AQwMAm0sABQhgN2mjhX7q1URyHVT6/d3WTyiw8
NSYu2MNjSAN1Gk8EOGgcF8dVciNZSMLOGgXEcNy8nL6jyUe2y6itnRuWR6D6lEw+
VI+3Gwk/2OmelQpndQBXossK951RN0iTP9iSJPWRymkUFdWysNU=
=ASeN
-----END PGP SIGNATURE-----

--QBwcBO6M05PL2A59--