From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id 7A82E5A004E for ; Thu, 08 Aug 2024 06:47:28 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202312; t=1723092444; bh=zu3Sw89Z1Ofx8lk2O88rSmoz5SQSkR2gy0YbzF1c+UA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=oD8yioc+fft37pwdhLc19H1nZGw+JGu5YnIMgWXJnxkhgAEARFaI/g7kYs2jZBjyL QtObUnD1EJBkYIF/+1I9T0tHiJaNOtM1SpJP1Zvgp+/zAlVcm21C+NP0hndA235b2R aMbSHfNR+WHodiAOZDhnSSZL4xm9QcTKUvnjTY5Ub2Wt1qTb5PXX9OhsfjFJUa+BG1 m9jI9RkHPwh8yELERp0xXAxV58UQJ3JNssj/ElhRNiKPdNnb7Iiq6C54gkd/AJurcj ZqCxZhy0iXEfp434D6BF27hAXSeTq+OiSpYzBpM+S0QhmuptSZxFq+DfUUuhnRs/1Z 7JwnPX47pJQzw== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4WfZK83c11z4x3J; Thu, 8 Aug 2024 14:47:24 +1000 (AEST) Date: Thu, 8 Aug 2024 14:47:19 +1000 From: David Gibson To: Stefano Brivio Subject: Re: [PATCH v7] passt, util: Close any open file that the parent might have leaked Message-ID: References: <20240808034249.2554779-1-sbrivio@redhat.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="FtHcraoip4ngbxeW" Content-Disposition: inline In-Reply-To: <20240808034249.2554779-1-sbrivio@redhat.com> Message-ID-Hash: RAZQ3YGI4JXSGUQKNM2GMI5JWHLLA6HE X-Message-ID-Hash: RAZQ3YGI4JXSGUQKNM2GMI5JWHLLA6HE X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, Paul Holzinger X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --FtHcraoip4ngbxeW Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 08, 2024 at 05:42:49AM +0200, Stefano Brivio wrote: > If a parent accidentally or due to implementation reasons leaks any > open file, we don't want to have access to them, except for the file > passed via --fd, if any. >=20 > This is the case for Podman when Podman's parent leaks files into > Podman: it's not practical for Podman to close unrelated files before > starting pasta, as reported by Paul. >=20 > Use close_range(2) to close all open files except for standard streams > and the one from --fd. >=20 > Given that parts of conf() depend on other files to be already opened, > such as the epoll file descriptor, we can't easily defer this to a > more convenient point, where --fd was already parsed. Introduce a > minimal, duplicate version of --fd parsing to keep this simple. >=20 > As we need to check that the passed --fd option doesn't exceed > INT_MAX, because we'll parse it with strtol() but file descriptor > indices are signed ints (regardless of the arguments close_range() > take), extend the existing check in the actual --fd parsing in conf(), > also rejecting file descriptors numbers that match standard streams, > while at it. >=20 > Suggested-by: Paul Holzinger > Signed-off-by: Stefano Brivio Reviewed-by: David Gibson > --- > v7: (yes, seriously) don't close STDERR_FILENO in the general case, > start from STDERR_FILENO + 1 >=20 > v6: (seriously?) fix STDERR_FILENO comparison in conf() >=20 > v5: Reject any --fd matching standard streams >=20 > v4: c->fd_tap, as used in conf(), is an int: don't assign to it > directly from strtol(), or we won't catch overflows >=20 > v3: Handle --fd 3 case, and don't overflow if the --fd number exceeds > UINT_MAX: add an explicit check to ensure it's less than INT_MAX >=20 > v2: Move call to close_open_files() to isolate_initial() >=20 > conf.c | 8 ++++++-- > isolation.c | 12 +++++++++--- > isolation.h | 2 +- > passt.c | 2 +- > util.c | 41 +++++++++++++++++++++++++++++++++++++++++ > util.h | 1 + > 6 files changed, 59 insertions(+), 7 deletions(-) >=20 > diff --git a/conf.c b/conf.c > index 14d8ece..2f5d649 100644 > --- a/conf.c > +++ b/conf.c > @@ -1245,6 +1245,7 @@ void conf(struct ctx *c, int argc, char **argv) > const char *optstring; > size_t logsize =3D 0; > char *runas =3D NULL; > + long fd_tap_opt; > int name, ret; > uid_t uid; > gid_t gid; > @@ -1260,6 +1261,7 @@ void conf(struct ctx *c, int argc, char **argv) > c->tcp.fwd_in.mode =3D c->tcp.fwd_out.mode =3D FWD_UNSET; > c->udp.fwd_in.mode =3D c->udp.fwd_out.mode =3D FWD_UNSET; > =20 > + optind =3D 1; > do { > name =3D getopt_long(argc, argv, optstring, options, NULL); > =20 > @@ -1424,11 +1426,13 @@ void conf(struct ctx *c, int argc, char **argv) > break; > case 'F': > errno =3D 0; > - c->fd_tap =3D strtol(optarg, NULL, 0); > + fd_tap_opt =3D strtol(optarg, NULL, 0); > =20 > - if (c->fd_tap < 0 || errno) > + if (errno || > + fd_tap_opt <=3D STDERR_FILENO || fd_tap_opt > INT_MAX) > die("Invalid --fd: %s", optarg); > =20 > + c->fd_tap =3D fd_tap_opt; > c->one_off =3D true; > *c->sock_path =3D 0; > break; > diff --git a/isolation.c b/isolation.c > index 4956d7e..45fba1e 100644 > --- a/isolation.c > +++ b/isolation.c > @@ -29,7 +29,8 @@ > * > * Executed immediately after startup, drops capabilities we don't > * need at any point during execution (or which we gain back when we > - * need by joining other namespaces). > + * need by joining other namespaces), and closes any leaked file we > + * might have inherited from the parent process. > * > * 2. isolate_user() > * =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > @@ -166,14 +167,17 @@ static void clamp_caps(void) > } > =20 > /** > - * isolate_initial() - Early, config independent self isolation > + * isolate_initial() - Early, mostly config independent self isolation > + * @argc: Argument count > + * @argv: Command line options: only --fd (if present) is relevant here > * > * Should: > * - drop unneeded capabilities > + * - close all open files except for standard streams and the one from = --fd > * Musn't: > * - remove filesytem access (we need to access files during setup) > */ > -void isolate_initial(void) > +void isolate_initial(int argc, char **argv) > { > uint64_t keep; > =20 > @@ -207,6 +211,8 @@ void isolate_initial(void) > keep |=3D BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE); > =20 > drop_caps_ep_except(keep); > + > + close_open_files(argc, argv); > } > =20 > /** > diff --git a/isolation.h b/isolation.h > index 846b2af..80bb68d 100644 > --- a/isolation.h > +++ b/isolation.h > @@ -7,7 +7,7 @@ > #ifndef ISOLATION_H > #define ISOLATION_H > =20 > -void isolate_initial(void); > +void isolate_initial(int argc, char **argv); > void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *use= rns, > enum passt_modes mode); > int isolate_prefork(const struct ctx *c); > diff --git a/passt.c b/passt.c > index ea5bece..4b3c306 100644 > --- a/passt.c > +++ b/passt.c > @@ -211,7 +211,7 @@ int main(int argc, char **argv) > =20 > arch_avx2_exec(argv); > =20 > - isolate_initial(); > + isolate_initial(argc, argv); > =20 > c.pasta_netns_fd =3D c.fd_tap =3D c.pidfile_fd =3D -1; > =20 > diff --git a/util.c b/util.c > index 07fb21c..7761bd3 100644 > --- a/util.c > +++ b/util.c > @@ -26,6 +26,7 @@ > #include > #include > #include > +#include > =20 > #include "util.h" > #include "iov.h" > @@ -694,3 +695,43 @@ const char *str_ee_origin(const struct sock_extended= _err *ee) > =20 > return ""; > } > + > +/** > + * close_open_files() - Close leaked files, but not --fd, stdin, stdout,= stderr > + * @argc: Argument count > + * @argv: Command line options, as we need to skip any file given via --= fd > + */ > +void close_open_files(int argc, char **argv) > +{ > + const struct option optfd[] =3D { { "fd", required_argument, NULL, 'F' = }, > + { 0 }, > + }; > + long fd =3D -1; > + int name, rc; > + > + do { > + name =3D getopt_long(argc, argv, ":F", optfd, NULL); > + > + if (name =3D=3D 'F') { > + errno =3D 0; > + fd =3D strtol(optarg, NULL, 0); > + > + if (errno || fd <=3D STDERR_FILENO || fd > INT_MAX) > + die("Invalid --fd: %s", optarg); > + } > + } while (name !=3D -1); > + > + if (fd =3D=3D -1) { > + rc =3D close_range(STDERR_FILENO + 1, ~0U, CLOSE_RANGE_UNSHARE); > + } else if (fd =3D=3D STDERR_FILENO + 1) { /* Still a single range */ > + rc =3D close_range(STDERR_FILENO + 2, ~0U, CLOSE_RANGE_UNSHARE); > + } else { > + rc =3D close_range(STDERR_FILENO + 1, fd - 1, > + CLOSE_RANGE_UNSHARE); > + if (!rc) > + rc =3D close_range(fd + 1, ~0U, CLOSE_RANGE_UNSHARE); > + } > + > + if (rc) > + die_perror("Failed to close files leaked by parent"); > +} > diff --git a/util.h b/util.h > index 83d2b53..cb4d181 100644 > --- a/util.h > +++ b/util.h > @@ -183,6 +183,7 @@ int __daemon(int pidfile_fd, int devnull_fd); > int fls(unsigned long x); > int write_file(const char *path, const char *buf); > int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size= _t skip); > +void close_open_files(int argc, char **argv); > =20 > /** > * af_name() - Return name of an address family --=20 David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson --FtHcraoip4ngbxeW Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAma0TdYACgkQzQJF27ox 2Gf0RRAAlLhOsxUn55KJ9F9v4U2PhnwL78ygpkLPY2JD5Hs1yxB30tCeWtGZGKJ7 0HAHavv8jbEX6n7AJeN9h/RTaHTTgEQgs8NwamifxI/clFEIM8wCREpYMqS4QeJF /dr5HSQVZ7M0VWR8K0v6LhMNCWTtCSlSV/KybFx/i5g3yorrvcCR5T0HQrmRGj8n YwYZIBdvaM9GiyNVUncck48+d33J7bZT9UbQ/Y4bldKEzidMqp06zDx5wONwHHee LRhKIi5/OcEJEHjvGvXgIomr5fbc5PoU0JMgfgmwkBa1w/HpaKSXNzvjV4X2/DBX tY5U1u3PAFfABPt5FNGFUYE8h8J+JpTE4yL51QZzJqugkIlU7zhlbois6b7YbDxw rNCX6S0AsHMo051aAJQGnUxi+1DvGLOaaXz9YtpHxjM3hkP07+jnXhDJefB4Hsl5 k/gFyC2lbf/8pcxLxD/bcv2BYgmniPXdc/lKgbY6gobf57abJmIEXn/RJDnIYohg 1s8DDYi5b1mUfCB+VqzTWaQbuVCIchcmoGd40RtRm4a3difttAMGiUyhu8HuEBtd z/xzM1uhgfXAk52wmiStcoDqLET7kfCiSgeW6NjQ6n49XnX3zRc522gm+Z4espwh uhHG2wy1k3p++VhEtwo5UfWsxKatd2LctiQjRCDLvgPmbf/2CIk= =xJBi -----END PGP SIGNATURE----- --FtHcraoip4ngbxeW--