Attachment 225343 Details for Bug 255339 – Quick fix (v2)

[patch] Quick fix (v2)

libcasper.diff (text/plain), 4.05 KB, created by Jung-uk Kim on 2021-05-28 18:17:05 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jung-uk Kim

Created: 2021-05-28 18:17:05 UTC

Size: 4.05 KB

patch

obsolete

>diff --git a/lib/libcasper/libcasper/service.c b/lib/libcasper/libcasper/service.c
>index 5c1c64d9a9d7..bfc00d3607f6 100644
>--- a/lib/libcasper/libcasper/service.c
>+++ b/lib/libcasper/libcasper/service.c
>@@ -386,24 +386,51 @@ stdnull(void)
> }
> 
> static void
>-service_clean(int sock, int procfd, uint64_t flags)
>+fix_fd_nums(int *fdp)
>+{
>+	int nullfd, nfd;
>+
>+	if (*fdp > STDERR_FILENO)
>+		return;
>+
>+	nullfd = open(_PATH_DEVNULL, O_RDWR);
>+	if (nullfd == -1)
>+		errx(1, "Unable to open %s", _PATH_DEVNULL);
>+
>+	while (*fdp <= STDERR_FILENO) {
>+		nfd = dup(*fdp);
>+		if (nfd == -1)
>+			errx(1, "Unable to secure fd");
>+		if (dup2(nullfd, *fdp) == -1)
>+			errx(1, "Unable to secure fd");
>+		*fdp = nfd;
>+	}
>+
>+	close(nullfd);
>+}
>+
>+static void
>+service_clean(int *sockp, int *procfdp, uint64_t flags)
> {
> 	int fd, maxfd, minfd;
> 
>-	assert(sock > STDERR_FILENO);
>-	assert(procfd > STDERR_FILENO);
>-	assert(sock != procfd);
>+	fix_fd_nums(sockp);
>+	fix_fd_nums(procfdp);
>+
>+	assert(*sockp > STDERR_FILENO);
>+	assert(*procfdp > STDERR_FILENO);
>+	assert(*sockp != *procfdp);
> 
> 	if ((flags & CASPER_SERVICE_STDIO) == 0)
> 		stdnull();
> 
> 	if ((flags & CASPER_SERVICE_FD) == 0) {
>-		if (procfd > sock) {
>-			maxfd = procfd;
>-			minfd = sock;
>+		if (*procfdp > *sockp) {
>+			maxfd = *procfdp;
>+			minfd = *sockp;
> 		} else {
>-			maxfd = sock;
>-			minfd = procfd;
>+			maxfd = *sockp;
>+			minfd = *procfdp;
> 		}
> 
> 		for (fd = STDERR_FILENO + 1; fd < maxfd; fd++) {
>@@ -424,7 +451,7 @@ service_start(struct service *service, int sock, int procfd)
> 	assert(service != NULL);
> 	assert(service->s_magic == SERVICE_MAGIC);
> 	setproctitle("%s", service->s_name);
>-	service_clean(sock, procfd, service->s_flags);
>+	service_clean(&sock, &procfd, service->s_flags);
> 
> 	if (service_connection_add(service, sock, NULL) == NULL)
> 		_exit(1);
>diff --git a/lib/libcasper/libcasper/zygote.c b/lib/libcasper/libcasper/zygote.c
>index 2b84bb49a695..60b63a0aaf52 100644
>--- a/lib/libcasper/libcasper/zygote.c
>+++ b/lib/libcasper/libcasper/zygote.c
>@@ -47,6 +47,7 @@ __FBSDID("$FreeBSD$");
> #include <assert.h>
> #include <err.h>
> #include <errno.h>
>+#include <paths.h>
> #include <stdbool.h>
> #include <stdlib.h>
> #include <strings.h>
>@@ -97,6 +98,30 @@ zygote_clone_service_execute(int *chanfdp, int *procfdp)
> 	return (zygote_clone(ZYGOTE_SERVICE_EXECUTE, chanfdp, procfdp));
> }
> 
>+static void
>+fix_fd_nums(int *fdp)
>+{
>+	int nullfd, nfd;
>+
>+	if (*fdp > STDERR_FILENO)
>+		return;
>+
>+	nullfd = open(_PATH_DEVNULL, O_RDWR);
>+	if (nullfd == -1)
>+		errx(1, "Unable to open %s", _PATH_DEVNULL);
>+
>+	while (*fdp <= STDERR_FILENO) {
>+		nfd = dup(*fdp);
>+		if (nfd == -1)
>+			errx(1, "Unable to secure fd");
>+		if (dup2(nullfd, *fdp) == -1)
>+			errx(1, "Unable to secure fd");
>+		*fdp = nfd;
>+	}
>+
>+	close(nullfd);
>+}
>+
> /*
>  * This function creates sandboxes on-demand whoever has access to it via
>  * 'sock' socket. Function sends two descriptors to the caller: process
>@@ -104,7 +129,7 @@ zygote_clone_service_execute(int *chanfdp, int *procfdp)
>  * between sandbox and its owner.
>  */
> static void
>-zygote_main(int sock)
>+zygote_main(int *sockp)
> {
> 	int error, procfd;
> 	int chanfd[2];
>@@ -113,12 +138,14 @@ zygote_main(int sock)
> 	zygote_func_t *func;
> 	pid_t pid;
> 
>-	assert(sock > STDERR_FILENO);
>+	fix_fd_nums(sockp);
>+
>+	assert(*sockp > STDERR_FILENO);
> 
> 	setproctitle("zygote");
> 
> 	for (;;) {
>-		nvlin = nvlist_recv(sock, 0);
>+		nvlin = nvlist_recv(*sockp, 0);
> 		if (nvlin == NULL) {
> 			if (errno == ENOTCONN) {
> 				/* Casper exited. */
>@@ -157,7 +184,7 @@ zygote_main(int sock)
> 			break;
> 		case 0:
> 			/* Child. */
>-			close(sock);
>+			close(*sockp);
> 			close(chanfd[0]);
> 			func(chanfd[1]);
> 			/* NOTREACHED */
>@@ -179,7 +206,7 @@ zygote_main(int sock)
> 			nvlist_move_descriptor(nvlout, "chanfd", chanfd[0]);
> 			nvlist_move_descriptor(nvlout, "procfd", procfd);
> 		}
>-		(void)nvlist_send(sock, nvlout);
>+		(void)nvlist_send(*sockp, nvlout);
> 		nvlist_destroy(nvlout);
> 	}
> 	/* NOTREACHED */
>@@ -206,7 +233,7 @@ zygote_init(void)
> 	case 0:
> 		/* Child. */
> 		close(sp[0]);
>-		zygote_main(sp[1]);
>+		zygote_main(sp + 1);
> 		/* NOTREACHED */
> 		abort();
> 	default:

Actions: View | Diff

Attachments on bug 255339: 225324 | 225343