"Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote:
> Some of the existing usage of fork/exec in libvirt is done such that the
> child process is daemonized. In particular the libvirt_proxy and the
> auto-spawned libvirtd for qemu:///session. Since we want to switch these
> to use virExec, we need to suport a daemon mode.
>
> This patch removes the two alternate virExec and virExecNonBlock functions
> and renames the internal __virExec to virExec. It then gains a 'flags'
> parameter which can be used to specify non-blocking mode, or daemon mode.
>
> We also add the ability to pass in a list of environment variables which
> get passed on to execve(). We also now explicitly close all file handles.
> Although libvirt code is careful to set O_CLOSEXEC on all its file handles,
> in multi-threaded apps there is a race condition between opening a FD and
> setting O_CLOSEXEC. Furthermore, we can't guarentee that all applications
> using libvirt are careful to set O_CLOSEXEC. Leaking FDs to a child is a
> potential security risk and often causes SELinux AVCs to be raised. Thus
> explicitely closing all FDs is a important safety net.
How about closing those FDs in the child instead, right after the fork?
Then, if a virExec caller has an open socket or file descriptor,
it won't be closed behind its back.
> diff -r 28ddf9f5791c src/util.c
...
> + for (i = 3; i < openmax; i++)
> + if (i != infd &&
> + i != null &&
> + i != childout &&
> + i != childerr)
> + close(i);
> +
> + if (flags & VIR_EXEC_DAEMON) {
> + if (setsid() < 0) {
> + ReportError(conn, VIR_ERR_INTERNAL_ERROR,
> + _("cannot become session leader: %s"),
> + strerror(errno));
> + _exit(1);
> + }
> +
> + if (chdir("/") < 0) {
> + ReportError(conn, VIR_ERR_INTERNAL_ERROR,
> + _("cannot change to root directory: %s"),
> + strerror(errno));
> + _exit(1);
> + }
> +
> + pid = fork();
...
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list