From: Paul Holzinger
To: Stefano Brivio, passt-dev@passt.top
CC: David Gibson
Date: Thu, 8 Aug 2024 11:19:16 +0200
Subject: Re: [PATCH v7] passt, util: Close any open file that the parent might have leaked
In-Reply-To: <20240808034249.2554779-1-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

On 08/08/2024 05:42, Stefano Brivio wrote:
> If a parent accidentally or due to implementation reasons leaks any
> open file, we don't want to have access to them, except for the file
> passed via --fd, if any.
>
> This is the case for Podman when Podman's parent leaks files into
> Podman: it's not practical for Podman to close unrelated files before
> starting pasta, as reported by Paul.
>
> Use close_range(2) to close all open files except for standard streams
> and the one from --fd.
>
> Given that parts of conf() depend on other files to be already opened,
> such as the epoll file descriptor, we can't easily defer this to a
> more convenient point, where --fd was already parsed. Introduce a
> minimal, duplicate version of --fd parsing to keep this simple.
>
> As we need to check that the passed --fd option doesn't exceed
> INT_MAX, because we'll parse it with strtol() but file descriptor
> indices are signed ints (regardless of the arguments close_range()
> takes), extend the existing check in the actual --fd parsing in conf(),
> also rejecting file descriptor numbers that match standard streams,
> while at it.
>
> Suggested-by: Paul Holzinger
> Signed-off-by: Stefano Brivio

Reviewed-by: Paul Holzinger

> ---
> v7: (yes, seriously) don't close STDERR_FILENO in the general case,
>     start from STDERR_FILENO + 1
>
> v6: (seriously?) fix STDERR_FILENO comparison in conf()
>
> v5: Reject any --fd matching standard streams
>
> v4: c->fd_tap, as used in conf(), is an int: don't assign to it
>     directly from strtol(), or we won't catch overflows
>
> v3: Handle --fd 3 case, and don't overflow if the --fd number exceeds
>     UINT_MAX: add an explicit check to ensure it's less than INT_MAX
>
> v2: Move call to close_open_files() to isolate_initial()
>
>  conf.c | 8 ++++++--
>  isolation.c | 12 +++++++++---
>  isolation.h | 2 +-
>  passt.c | 2 +-
>  util.c | 41 +++++++++++++++++++++++++++++++++++++++++
>  util.h | 1 +
>  6 files changed, 59 insertions(+), 7 deletions(-)

-- 
Paul Holzinger
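
The approach the quoted commit message describes, sketched as an added example; this is not the code from the patch, whose hunks are not shown in this message. The function names `parse_keep_fd`, `close_leaked_fds` and `fd_is_open` are hypothetical, and the raw `close_range(2)` system call is assumed to be available (Linux 5.9 or later).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Parse an --fd argument; return the descriptor, or -1 if it is not a
 * number, names a standard stream, or does not fit in an int. */
int parse_keep_fd(const char *arg)
{
	char *end;
	long n;
	errno = 0;
	n = strtol(arg, &end, 0);
	if (errno || end == arg || *end || n <= STDERR_FILENO || n > INT_MAX)
		return -1;
	return (int)n;
}

/* Raw close_range(2), closing first..last inclusive. */
static int close_fds(unsigned int first, unsigned int last)
{
	return (int)syscall(SYS_close_range, first, last, 0U);
}

/* Close every descriptor above stderr except keep (-1: keep none). */
int close_leaked_fds(int keep)
{
	if (keep < 0)
		return close_fds(STDERR_FILENO + 1, ~0U);
	/* --fd 3: nothing between stderr and keep, skip the empty range. */
	if (keep > STDERR_FILENO + 1 &&
	    close_fds(STDERR_FILENO + 1, (unsigned int)keep - 1))
		return -1;
	return close_fds((unsigned int)keep + 1, ~0U);
}

int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}

/* Constructed driver: optional argv[1] is the descriptor to keep. */
int main(int argc, char **argv)
{
	int keep = argc > 1 ? parse_keep_fd(argv[1]) : -1;
	return (argc > 1 && keep < 0) || close_leaked_fds(keep);
}
```

Without the `n > INT_MAX` check, a value such as 4294967299 would be truncated to 3 when stored in an int on a 64-bit system, so the wrong descriptor would be kept open.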