Merge pull request #3648 from brauner/2021-02-03/fixes

conf: open hardening & fd-only operations

Merge pull request #3648 from brauner/2021-02-03/fixes
f8dcf07f · Stéphane Graber · GitHub · b5e75029 · a26822c5 · f8dcf07f
Unverified Commit f8dcf07f authored Feb 03, 2021 by Stéphane Graber Committed by GitHub Feb 03, 2021
7 changed files
--- a/configure.ac
+++ b/configure.ac
@@ -644,7 +644,7 @@ AC_CHECK_HEADER([ifaddrs.h],
 AC_HEADER_MAJOR

 # Check for some syscalls functions
-AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid memfd_create move_mount open_tree execveat clone3 fsopen fspick fsconfig fsmount, openat2])
+AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid memfd_create move_mount open_tree execveat clone3 fsopen fspick fsconfig fsmount, openat2, close_range])
 AC_CHECK_TYPES([struct open_how], [], [], [[#include <linux/openat2.h>]])
 AC_CHECK_TYPES([struct clone_args], [], [], [[#include <linux/sched.h>]])
 AC_CHECK_MEMBERS([struct clone_args.set_tid],[],[],[[#include <linux/sched.h>]])

--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -672,4 +672,6 @@ enum {

 #define ENOCGROUP2 ENOMEDIUM

+#define MAX_FILENO ~0U
+
 #endif /* __LXC_MACRO_H */
--- a/src/lxc/rexec.c
+++ b/src/lxc/rexec.c
@@ -127,10 +127,13 @@ static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name)
 		sent = lxc_sendfile_nointr(memfd >= 0 ? memfd : tmpfd, fd, NULL,
 					   st.st_size - bytes_sent);
 		if (sent < 0) {
-			/* Fallback to shoveling data between kernel- and
+			/*
+			 * Fallback to shoveling data between kernel- and
 			 * userspace.
 			 */
-			lseek(fd, 0, SEEK_SET);
+			if (lseek(fd, 0, SEEK_SET) == (off_t) -1)
+				fprintf(stderr, "Failed to seek to beginning of file");
+
 			if (fd_to_fd(fd, memfd >= 0 ? memfd : tmpfd))
 				break;

@@ -159,6 +162,9 @@ static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name)
 	if (execfd < 0)
 		return;

+	ret = close_range(STDERR_FILENO, MAX_FILENO, CLOSE_RANGE_CLOEXEC);
+	if (ret && (errno != ENOSYS && errno != EINVAL))
+		fprintf(stderr, "%m - Failed to mark all file descriptors as close-on-exec\n");
 	fexecve(execfd, argv, envp);
 }


--- a/src/lxc/syscall_numbers.h
+++ b/src/lxc/syscall_numbers.h
@@ -660,4 +660,24 @@
 	#endif
 #endif

+#ifndef __NR_close_range
+	#if defined __alpha__
+		#define __NR_close_range 546
+	#elif defined _MIPS_SIM
+		#if _MIPS_SIM == _MIPS_SIM_ABI32	/* o32 */
+			#define __NR_close_range (436 + 4000)
+		#endif
+		#if _MIPS_SIM == _MIPS_SIM_NABI32	/* n32 */
+			#define __NR_close_range (436 + 6000)
+		#endif
+		#if _MIPS_SIM == _MIPS_SIM_ABI64	/* n64 */
+			#define __NR_close_range (436 + 5000)
+		#endif
+	#elif defined __ia64__
+		#define __NR_close_range (436 + 1024)
+	#else
+		#define __NR_close_range 436
+	#endif
+#endif
+
 #endif /* __LXC_SYSCALL_NUMBERS_H */
--- a/src/lxc/syscall_wrappers.h
+++ b/src/lxc/syscall_wrappers.h
@@ -257,10 +257,12 @@ struct lxc_open_how {
 #define PROTECT_LOOKUP_BENEATH  (RESOLVE_BENEATH | RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS)
 #define PROTECT_LOOKUP_BENEATH_WITH_SYMLINKS (PROTECT_LOOKUP_BENEATH & ~RESOLVE_NO_SYMLINKS)
 #define PROTECT_LOOKUP_BENEATH_WITH_MAGICLINKS (PROTECT_LOOKUP_BENEATH & ~(RESOLVE_NO_SYMLINKS | RESOLVE_NO_MAGICLINKS))
+#define PROTECT_LOOKUP_BENEATH_XDEV (PROTECT_LOOKUP_BENEATH & ~RESOLVE_NO_XDEV)

 #define PROTECT_LOOKUP_ABSOLUTE (PROTECT_LOOKUP_BENEATH & ~RESOLVE_BENEATH)
 #define PROTECT_LOOKUP_ABSOLUTE_WITH_SYMLINKS (PROTECT_LOOKUP_ABSOLUTE & ~RESOLVE_NO_SYMLINKS)
 #define PROTECT_LOOKUP_ABSOLUTE_WITH_MAGICLINKS (PROTECT_LOOKUP_ABSOLUTE & ~(RESOLVE_NO_SYMLINKS | RESOLVE_NO_MAGICLINKS))
+#define PROTECT_LOOKUP_ABSOLUTE_XDEV (PROTECT_LOOKUP_ABSOLUTE & ~RESOLVE_NO_XDEV)

 #define PROTECT_OPATH_FILE (O_NOFOLLOW | O_PATH | O_CLOEXEC)
 #define PROTECT_OPATH_DIRECTORY (PROTECT_OPATH_FILE | O_DIRECTORY)
@@ -282,4 +284,19 @@ static inline int openat2(int dfd, const char *filename, struct lxc_open_how *ho
 }
 #endif /* HAVE_OPENAT2 */

+#ifndef CLOSE_RANGE_UNSHARE
+#define CLOSE_RANGE_UNSHARE	(1U << 1)
+#endif
+
+#ifndef CLOSE_RANGE_CLOEXEC
+#define CLOSE_RANGE_CLOEXEC	(1U << 2)
+#endif
+
+#ifndef HAVE_CLOSE_RANGE
+static inline int close_range(unsigned int fd, unsigned int max_fd, unsigned int flags)
+{
+	return syscall(__NR_close_range, fd, max_fd, flags);
+}
+#endif
+
 #endif /* __LXC_SYSCALL_WRAPPER_H */
--- a/src/tests/device_add_remove.c
+++ b/src/tests/device_add_remove.c
@@ -36,8 +36,8 @@ int main(int argc, char *argv[])
 	__do_close int fd_log = -EBADF;
 	int ret = 1;
 	struct lxc_log log = {};
+	struct lxc_container *c = NULL;
 	char template[sizeof(P_tmpdir"/attach_XXXXXX")];
-	struct lxc_container *c;

 	(void)strlcpy(template, P_tmpdir"/attach_XXXXXX", sizeof(template));

@@ -107,6 +107,7 @@ out:
 	}
 	(void)unlink(template);

-	lxc_container_put(c);
+	if (c)
+		lxc_container_put(c);
 	return ret;
 }