Commit 57f5d52a942 ("common-main: call sanitize_stdfds()") added the sanitization for standard file descriptors (stdin, stdout, stderr) to all binaries. This led to all binaries unconditionally opening /dev/null with the flag O_RDWR (read and write). Most of the time the standard file descriptors should be set up properly and the sanitization ends up doing nothing.

There are many git operations, like `git status` or `git stash list`, which might be called by a parent to gather information about the repository and should work on a read-only repository. That parent might run under a seccomp filter to avoid accidental modification or unwanted command execution on memory corruptions. As part of that seccomp filter open(2) and openat(2) might be only allowed in read-only mode (O_RDONLY), thus preventing git's sanitation and stopping the application.

Check the need of sanitization with a file descriptor in read-only mode, keep it as replacement for stdin and open replacement file descriptors for stdout and stderr in write-only mode.

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
v2:
- switch to xopen("/dev/null", O_RDONLY) to stay at 2 syscalls in the common case and use O_WRONLY for stdout and stderr, as suggested by René Scharfe
---
setup.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/setup.c b/setup.c index cefd5f6..c57582b 100644 --- a/setup.c +++ b/setup.c @@ -1669,7 +1669,15 @@ const char *resolve_gitdir_gently(const char *suspect, int *return_error_code) /* if any standard file descriptor is missing open it to /dev/null */ void sanitize_stdfds(void) { - int fd = xopen("/dev/null", O_RDWR); + int fd; + + fd = xopen("/dev/null", O_RDONLY); + if (fd > 0) + close(fd); + if (fd > 2) + return; + + fd = xopen("/dev/null", O_WRONLY); while (fd < 2) fd = xdup(fd); if (fd > 2) -- 2.39.0
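Review bot: the fallback at `fd = xopen("/dev/null", O_WRONLY);` in sanitize_stdfds() still issues a write-mode open, so a caller restricted to O_RDONLY opens, as described in the commit message, is only helped when descriptors 0 to 2 are all already open. If the first open returns 0, 1 or 2, the process will still reach this call and be stopped by the filter, including the case where only stdin was missing and the second descriptor is closed again straight away. That trade-off may be fine, but the comment above the function ("if any standard file descriptor is missing open it to /dev/null") should state it, and should also record that stdin is now replaced read-only and stdout/stderr write-only instead of all three sharing one O_RDWR descriptor. A smaller readability point: `if (fd > 0) close(fd);` followed by `if (fd > 2) return;` compares fd after it has been closed. That is correct because only the number is tested, but a short comment saying that fd 0 is deliberately kept as stdin and that 1 or 2 means a descriptor is still missing would make the control flow easier to verify.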