On Fri, Jun 5, 2020 at 9:54 PM Kyle Evans <kevans@xxxxxxxxxxx> wrote:
>
> On Fri, Jun 5, 2020 at 9:55 AM Szabolcs Nagy <nsz@xxxxxxxxxx> wrote:
> >
> > * Christian Brauner <christian.brauner@xxxxxxxxxx> [2020-06-02 22:42:17 +0200]:
> > > [... snip ...]
> > >
> > > First, it helps to close all file descriptors of an exec()ing task. This
> > > can be done safely via (quoting Al's example from [1] verbatim):
> > >
> > > /* that exec is sensitive */
> > > unshare(CLONE_FILES);
> > > /* we don't want anything past stderr here */
> > > close_range(3, ~0U);
> > > execve(....);
> >
> > this api needs a documentation patch if there isn't yet.
> >
> > currently there is no libc interface contract in place that
> > says which calls may use libc internal fds e.g. i've seen
> >
> > openlog(...)   // opens libc internal syslog fd
> > ...
> > fork()
> > closefrom(...) // close syslog fd
> > open(...)      // something that reuses the closed fd
> > syslog(...)    // unsafe: uses the wrong fd
> > execve(...)
> >
> > syslog uses a libc internal fd that the user trampled on and
> > this can go bad in many ways depending on what libc apis are
> > used between closefrom (or equivalent) and exec.
> >
>
> Documentation is good. :-) I think you'll find that while this example
> seems to be innocuous on FreeBSD (and likely other *BSD), this is an
> atypical scenario and generally not advised. You would usually not
> start closing until you're actually ready to exec/fail.
>

Minor correction: not innocuous here, either; O_CLOFORK is not yet a thing. :-)
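The ordering the thread recommends, closing the fd range only in the child immediately before execve() so no libc call can run on a trampled fd in between, as an added example (not code from the thread or from the kernel patch): close_from() is a hypothetical helper that uses the close_range(2) syscall when the headers know it and falls back to a loop; run_demo() assumes /bin/true exists and that the verifier can fork.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every fd >= lowfd. Prefer the close_range(2) syscall (Linux 5.9+,
 * used raw so old libcs work); on ENOSYS fall back to closing one by one
 * up to _SC_OPEN_MAX (assumption: that limit is sane on the test host). */
int close_from(unsigned int lowfd)
{
#ifdef SYS_close_range
    if (syscall(SYS_close_range, lowfd, ~0U, 0) == 0)
        return 0;
    if (errno != ENOSYS)          /* a real failure, not just an old kernel */
        return -1;
#endif
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0) maxfd = 1024;
    for (long fd = lowfd; fd < maxfd; fd++)
        close((int)fd);
    return 0;
}

/* Open an fd early (a constructed pipe standing in for a libc-internal fd),
 * fork, and in the child do nothing after close_from() except execve().
 * fork() already gives the child its own fd table, so unshare(CLONE_FILES)
 * from the thread is not needed here. Returns the child's exit status:
 * 0 = fds past stderr were closed and exec succeeded. */
int run_demo(void)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (close_from(3) != 0) _exit(2);
        /* the pipe end must now be gone ... */
        if (fcntl(p[0], F_GETFD) != -1 || errno != EBADF) _exit(1);
        /* ... while stdin/stdout/stderr survive */
        if (fcntl(2, F_GETFD) == -1) _exit(3);
        execl("/bin/true", "true", (char *)NULL);   /* assumed to exist */
        _exit(127);
    }
    close(p[0]); close(p[1]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```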