From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top, Paul Holzinger
Date: Thu, 8 Aug 2024 11:02:21 +1000
Subject: Re: [PATCH v6] passt, util: Close any open file that the parent might have leaked
In-Reply-To: <20240807132025.2166652-1-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

On Wed, Aug 07, 2024 at 03:20:25PM +0200, Stefano Brivio wrote:
> If a parent accidentally or due to implementation reasons leaks any
> open file, we don't want to have access to them, except for the file
> passed via --fd, if any.
>
> This is the case for Podman when Podman's parent leaks files into
> Podman: it's not practical for Podman to close unrelated files before
> starting pasta, as reported by Paul.
>
> Use close_range(2) to close all open files except for standard streams
> and the one from --fd.
>
> Given that parts of conf() depend on other files to be already opened,
> such as the epoll file descriptor, we can't easily defer this to a
> more convenient point, where --fd was already parsed. Introduce a
> minimal, duplicate version of --fd parsing to keep this simple.
>
> As we need to check that the passed --fd option doesn't exceed
> INT_MAX, because we'll parse it with strtol() but file descriptor
> indices are signed ints (regardless of the arguments close_range()
> takes), extend the existing check in the actual --fd parsing in conf(),
> also rejecting file descriptor numbers that match standard streams,
> while at it.
>
> Suggested-by: Paul Holzinger
> Signed-off-by: Stefano Brivio

I hate to do this to you, but there's still an off-by-one error..

[snip]
> + if (fd =3D=3D -1) { > + rc =3D close_range(STDERR_FILENO, ~0U, CLOSE_RANGE_UNSHARE);

..this case will incorrectly close stderr.

> + } else if (fd =3D=3D STDERR_FILENO + 1) { /* Still a single range */ > + rc =3D close_range(STDERR_FILENO + 2, ~0U, CLOSE_RANGE_UNSHARE); > + } else { > + rc =3D close_range(STDERR_FILENO + 1, fd - 1, > + CLOSE_RANGE_UNSHARE); > + if (!rc) > + rc =3D close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE); > + } > + > + if (rc) > + die_perror("Failed to close files leaked by parent"); > +}

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
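
Review bot: in the fd == -1 branch the first argument to close_range() is STDERR_FILENO, and the range is inclusive, so descriptor 2 is closed together with the leaked files; start that range at STDERR_FILENO + 1, which is what the final else branch already uses for its first range. The final else branch also depends on fd being greater than STDERR_FILENO + 1: nothing in the visible lines rejects an fd of 0 to 2 before close_range(STDERR_FILENO + 1, fd - 1, ...) is called, so unless the snipped parsing above guarantees it, a check belongs in this function, and either way a short comment stating where that guarantee comes from would help.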
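
The range split described in the commit message (keep the standard streams and the --fd descriptor, close everything else), written out as an added example; this is not code from the patch or from passt. The names fd_range, leaked_fd_ranges() and close_leaked_fds() are hypothetical, and the example assumes Linux with kernel headers that define SYS_close_range.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef CLOSE_RANGE_UNSHARE
#define CLOSE_RANGE_UNSHARE (1U << 1)	/* as in linux/close_range.h */
#endif

struct fd_range { unsigned int first, last; };	/* inclusive, as close_range(2) */

/* Ranges to close so that only 0..2 and keep_fd (-1: none) stay open.
 * Returns the number of ranges written (1 or 2), or -1 for a keep_fd that
 * is a standard stream, negative, or does not fit a signed int. */
int leaked_fd_ranges(long keep_fd, struct fd_range out[2])
{
	const unsigned int first = STDERR_FILENO + 1;	/* 3: stderr survives */

	if (keep_fd == -1) {
		out[0] = (struct fd_range){ first, ~0U };
		return 1;
	}
	if (keep_fd <= STDERR_FILENO || keep_fd > INT_MAX)
		return -1;
	if ((unsigned int)keep_fd == first) {		/* still a single range */
		out[0] = (struct fd_range){ first + 1, ~0U };
		return 1;
	}
	out[0] = (struct fd_range){ first, (unsigned int)keep_fd - 1 };
	out[1] = (struct fd_range){ (unsigned int)keep_fd + 1, ~0U };
	return 2;
}

/* Apply the ranges; returns 0, or -1 with errno set (ENOSYS before Linux 5.9) */
int close_leaked_fds(long keep_fd)
{
	struct fd_range r[2];
	int i, n = leaked_fd_ranges(keep_fd, r);
	if (n < 0) {
		errno = EINVAL;
		return -1;
	}
	for (i = 0; i < n; i++)
		if (syscall(SYS_close_range, r[i].first, r[i].last,
			    CLOSE_RANGE_UNSHARE))
			return -1;
	return 0;
}
```

Keeping the range computation separate from the system call lets the boundary cases be checked without closing anything.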