Before starting the intermediate process, close all non-stdio open files

Signed-off-by: utam0k <k0ma@utam0k.jp>
2024-11-23 01:11:58 +01:00 · 2024-01-27 21:48:35 +09:00 · 2024-01-27 21:48:35 +09:00 · 6c9f997093
commit 6c9f997093
parent e178bbdf79
2 changed files with 15 additions and 1 deletions
--- a/crates/libcontainer/src/process/container_init_process.rs
+++ b/crates/libcontainer/src/process/container_init_process.rs
@ -844,6 +844,8 @@ fn sync_seccomp(
 fn verify_cwd() -> Result<()> {
    let cwd = unistd::getcwd().map_err(|err| {
        if let nix::errno::Errno::ENOENT = err {
+            // https://man7.org/linux/man-pages/man2/getcwd.2.html
+            // ENOENT The current working directory has been unlinked.
            InitProcessError::InvalidCwd(err)
        } else {
            InitProcessError::NixOther(err)
@ -855,7 +857,7 @@ fn verify_cwd() -> Result<()> {
        return Err(InitProcessError::InvalidCwd(nix::errno::Errno::ENOENT));
    }

-    return Ok(());
+    Ok(())
 }

 #[cfg(test)]
--- a/crates/libcontainer/src/process/container_main_process.rs
+++ b/crates/libcontainer/src/process/container_main_process.rs
@ -5,6 +5,7 @@ use crate::{
        fork::{self, CloneCb},
        intel_rdt::setup_intel_rdt,
    },
+    syscall::SyscallError,
    user_ns::UserNamespaceConfig,
 };
 use nix::sys::wait::{waitpid, WaitStatus};
@ -29,6 +30,8 @@ pub enum ProcessError {
    #[error("failed seccomp listener")]
    #[cfg(feature = "libseccomp")]
    SeccompListener(#[from] crate::process::seccomp_listener::SeccompListenerError),
+    #[error("failed syscall")]
+    SyscallOther(#[source] SyscallError),
 }

 type Result<T> = std::result::Result<T, ProcessError>;
@ -69,6 +72,15 @@ pub fn container_main_process(container_args: &ContainerArgs) -> Result<(Pid, bo
        })
    };

+    // Before starting the intermediate process, mark all non-stdio open files as O_CLOEXEC
+    // to ensure we don't leak any file descriptors to the intermediate process.
+    // Please refer to XXXXXXX(TODO(utam0k): fill in) for more details.
+    let syscall = container_args.syscall.create_syscall();
+    syscall.close_range(0).map_err(|err| {
+        tracing::error!(?err, "failed to cleanup extra fds");
+        ProcessError::SyscallOther(err)
+    })?;
+
    let intermediate_pid = fork::container_clone(cb).map_err(|err| {
        tracing::error!("failed to fork intermediate process: {}", err);
        ProcessError::IntermediateProcessFailed(err)