On 08/08/2024 05:42, Stefano Brivio wrote:
If a parent accidentally or due to implementation reasons leaks any open file, we don't want to have access to them, except for the file passed via --fd, if any.
This is the case for Podman when Podman's parent leaks files into Podman: it's not practical for Podman to close unrelated files before starting pasta, as reported by Paul.
Use close_range(2) to close all open files except for standard streams and the one from --fd.
Given that parts of conf() depend on other files to be already opened, such as the epoll file descriptor, we can't easily defer this to a more convenient point, where --fd was already parsed. Introduce a minimal, duplicate version of --fd parsing to keep this simple.
As we need to check that the passed --fd option doesn't exceed INT_MAX, because we'll parse it with strtol() but file descriptor indices are signed ints (regardless of the arguments close_range() takes), extend the existing check in the actual --fd parsing in conf(), also rejecting file descriptor numbers that match standard streams, while at it.
Suggested-by: Paul Holzinger
Signed-off-by: Stefano Brivio
Reviewed-by: Paul Holzinger
---
v7: (yes, seriously) don't close STDERR_FILENO in the general case, start from STDERR_FILENO + 1
v6: (seriously?) fix STDERR_FILENO comparison in conf()
v5: Reject any --fd matching standard streams
v4: c->fd_tap, as used in conf(), is an int: don't assign to it directly from strtol(), or we won't catch overflows
v3: Handle --fd 3 case, and don't overflow if the --fd number exceeds UINT_MAX: add an explicit check to ensure it's less than INT_MAX
v2: Move call to close_open_files() to isolate_initial()
 conf.c      |  8 ++++++--
 isolation.c | 12 +++++++++---
 isolation.h |  2 +-
 passt.c     |  2 +-
 util.c      | 41 +++++++++++++++++++++++++++++++++++++++++
 util.h      |  1 +
 6 files changed, 59 insertions(+), 7 deletions(-)
-- Paul Holzinger
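As an added example, not passt's own code: a C sketch of the two pieces the commit message describes, a minimal early --fd parser with the INT_MAX and standard-stream checks, and a close_range(2)-based close of every other inherited descriptor starting at STDERR_FILENO + 1. parse_fd_early() and close_open_files() are hypothetical names, and the fallback syscall number assumes Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_close_range
#define __NR_close_range 436 /* assumption: close_range(2), same number on all Linux archs */
#endif

/* Minimal early --fd parser (hypothetical helper). Accepts "--fd N" or "--fd=N".
 * Returns N, or -1 if absent, malformed, above INT_MAX (fd indices are int)
 * or equal to a standard stream (0, 1, 2). */
int parse_fd_early(int argc, char **argv)
{
	for (int i = 1; i < argc; i++) {
		const char *val;
		char *end;
		long fd;

		if (!strcmp(argv[i], "--fd") && i + 1 < argc)
			val = argv[i + 1];
		else if (!strncmp(argv[i], "--fd=", 5))
			val = argv[i] + 5;
		else
			continue;

		errno = 0;
		fd = strtol(val, &end, 10);
		if (errno || end == val || *end || fd > INT_MAX || fd <= STDERR_FILENO)
			return -1;
		return (int)fd;
	}
	return -1;
}

/* Close every inherited descriptor above stderr except 'keep' (-1: keep none).
 * With keep == 3 the first range is empty, so only [4, ~0U] is closed. */
int close_open_files(int keep)
{
	unsigned int first = STDERR_FILENO + 1;

	if (keep >= 0) {
		if ((unsigned int)keep > first &&
		    syscall(__NR_close_range, first, (unsigned int)keep - 1, 0))
			return -1;
		first = (unsigned int)keep + 1;
	}
	return syscall(__NR_close_range, first, ~0U, 0) ? -1 : 0;
}
```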