On Wed, Aug 07, 2024 at 03:20:25PM +0200, Stefano Brivio wrote: > If a parent accidentally or due to implementation reasons leaks any > open file, we don't want to have access to them, except for the file > passed via --fd, if any. > > This is the case for Podman when Podman's parent leaks files into > Podman: it's not practical for Podman to close unrelated files before > starting pasta, as reported by Paul. > > Use close_range(2) to close all open files except for standard streams > and the one from --fd. > > Given that parts of conf() depend on other files to be already opened, > such as the epoll file descriptor, we can't easily defer this to a > more convenient point, where --fd was already parsed. Introduce a > minimal, duplicate version of --fd parsing to keep this simple. > > As we need to check that the passed --fd option doesn't exceed > INT_MAX, because we'll parse it with strtol() but file descriptor > indices are signed ints (regardless of the arguments close_range() > take), extend the existing check in the actual --fd parsing in conf(), > also rejecting file descriptors numbers that match standard streams, > while at it. > > Suggested-by: Paul Holzinger > Signed-off-by: Stefano Brivio I hate to do this to you, but there's still an off-by one error.. [snip] > + if (fd == -1) { > + rc = close_range(STDERR_FILENO, ~0U, CLOSE_RANGE_UNSHARE); ..this case will incorrectly close stderr. > + } else if (fd == STDERR_FILENO + 1) { /* Still a single range */ > + rc = close_range(STDERR_FILENO + 2, ~0U, CLOSE_RANGE_UNSHARE); > + } else { > + rc = close_range(STDERR_FILENO + 1, fd - 1, > + CLOSE_RANGE_UNSHARE); > + if (!rc) > + rc = close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE); > + } > + > + if (rc) > + die_perror("Failed to close files leaked by parent"); > +} -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson