The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7169

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 254a018f2640e8783d6c0a8ed7a9e1f372546c35 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Fri, 10 Apr 2020 17:11:40 +0200
Subject: [PATCH] forkexec: log unexpected fds

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 lxd/main_forkexec.go | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/lxd/main_forkexec.go b/lxd/main_forkexec.go
index 3d69fa80ad..d9e282a60c 100644
--- a/lxd/main_forkexec.go
+++ b/lxd/main_forkexec.go
@@ -187,7 +187,21 @@ restart:
                if (match_stdfds(fd))
                        continue;
 
-               close(fd);
+               if (close(fd)) {
+                       return log_error(-errno, "%s - Failed to close file 
descriptor %d", strerror(errno), fd);
+               } else {
+                       char fdpath[PATH_MAX], realpath[PATH_MAX];
+
+                       snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", 
fd);
+                       ret = readlink(fdpath, realpath, PATH_MAX);
+                       if (ret < 0)
+                               snprintf(realpath, sizeof(realpath), "unknown");
+                       else if (ret >= sizeof(realpath))
+                               realpath[sizeof(realpath) - 1] = '\0';
+
+                       log_error(-errno, "Closing unexpected file descriptor 
%d -> %s", fd, realpath);
+               }
+
                closedir(dir);
                goto restart;
        }
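Review bot: In the `else` branch the `readlink()` on `/proc/self/fd/%d` runs only after `close(fd)` has already succeeded, so the link no longer exists and the message will most likely report `unknown` every time; the path should be resolved before the descriptor is closed. Separately, `readlink()` does not NUL-terminate its output, and the code writes a terminator only when `ret >= sizeof(realpath)`, so for any shorter result the `%s` would read past the bytes written into uninitialized stack and copy them into the log. Passing `sizeof(realpath) - 1` as the size and setting `realpath[len] = '\0'` handles both the short and the truncated case. The enclosing function starts outside the hunk, so the declarations of `ret` and `dir` are not visible here; the early `return` on a failed `close()` appears to skip `closedir(dir)`, which is worth confirming.

```c
		char fdpath[PATH_MAX], realpath[PATH_MAX];
		ssize_t len;

		/* Resolve the link target while fd is still open. */
		snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", fd);
		len = readlink(fdpath, realpath, sizeof(realpath) - 1);
		if (len < 0)
			snprintf(realpath, sizeof(realpath), "unknown");
		else
			realpath[len] = '\0'; /* readlink() does not NUL-terminate */

		if (close(fd))
			return log_error(-errno, "%s - Failed to close file descriptor %d", strerror(errno), fd);

		/* … unchanged: log_error("Closing unexpected file descriptor …"), closedir(dir), goto restart … */
```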
@@ -272,7 +286,9 @@ __attribute__ ((noinline)) static int __forkexec(void)
        if (!argvp || !*argvp)
                return log_error(EXIT_FAILURE, "No command specified");
 
-       close_inherited(fds_to_ignore, ARRAY_SIZE(fds_to_ignore));
+       ret = close_inherited(fds_to_ignore, ARRAY_SIZE(fds_to_ignore));
+       if (ret)
+               return log_error(EXIT_FAILURE, "Aborting attach to prevent 
leaking file descriptors into container");
 
        ret = fd_cloexec(status_pipe, true);
        if (ret)