aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorQi Wang <qiwan@redhat.com>2020-07-31 10:17:08 -0400
committerQi Wang <qiwan@redhat.com>2020-08-04 15:09:17 -0400
commit34e82f81bdbdd26b82501bc2d27d18aaab5747dd (patch)
treeed55fcaa4134fd868af07ff981af5d0eb5e4c809
parentd4cf3c589d09dd395a3b63e82f5a5c198535cb46 (diff)
downloadpodman-34e82f81bdbdd26b82501bc2d27d18aaab5747dd.tar.gz
podman-34e82f81bdbdd26b82501bc2d27d18aaab5747dd.tar.bz2
podman-34e82f81bdbdd26b82501bc2d27d18aaab5747dd.zip
validate fds --preserve-fds
validate file descriptors passed from podman run and podman exec --preserve-fds. Signed-off-by: Qi Wang <qiwan@redhat.com>
-rw-r--r--cmd/podman/containers/exec.go7
-rw-r--r--cmd/podman/containers/run.go5
-rw-r--r--pkg/rootless/rootless_linux.c10
-rw-r--r--pkg/rootless/rootless_linux.go6
-rw-r--r--pkg/rootless/rootless_unsupported.go5
-rw-r--r--test/e2e/run_test.go7
-rw-r--r--test/system/030-run.bats1
7 files changed, 40 insertions, 1 deletions
diff --git a/cmd/podman/containers/exec.go b/cmd/podman/containers/exec.go
index da450054f..e301ca588 100644
--- a/cmd/podman/containers/exec.go
+++ b/cmd/podman/containers/exec.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/podman/v2/libpod/define"
"github.com/containers/podman/v2/pkg/domain/entities"
envLib "github.com/containers/podman/v2/pkg/env"
+ "github.com/containers/podman/v2/pkg/rootless"
"github.com/pkg/errors"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
@@ -110,6 +111,12 @@ func exec(_ *cobra.Command, args []string) error {
execOpts.Envs = envLib.Join(execOpts.Envs, cliEnv)
+ for fd := 3; fd < int(3+execOpts.PreserveFDs); fd++ {
+ if !rootless.IsFdInherited(fd) {
+ return errors.Errorf("file descriptor %d is not available - the preserve-fds option requires that file descriptors must be passed", fd)
+ }
+ }
+
if !execDetach {
streams := define.AttachStreams{}
streams.OutputStream = os.Stdout
diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go
index d26aed826..43484e2e4 100644
--- a/cmd/podman/containers/run.go
+++ b/cmd/podman/containers/run.go
@@ -125,6 +125,11 @@ func run(cmd *cobra.Command, args []string) error {
if err := createInit(cmd); err != nil {
return err
}
+ for fd := 3; fd < int(3+runOpts.PreserveFDs); fd++ {
+ if !rootless.IsFdInherited(fd) {
+ return errors.Errorf("file descriptor %d is not available - the preserve-fds option requires that file descriptors must be passed", fd)
+ }
+ }
imageName := args[0]
if !cliVals.RootFS {
diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c
index 0223c35ee..2e1fddc48 100644
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@@ -225,6 +225,16 @@ can_use_shortcut ()
return ret;
}
+int
+is_fd_inherited(int fd)
+{
+ if (open_files_set == NULL || fd > open_files_max_fd || fd < 0)
+ {
+ return 0;
+ }
+ return FD_ISSET(fd % FD_SETSIZE, &(open_files_set[fd / FD_SETSIZE])) ? 1 : 0;
+}
+
static void __attribute__((constructor)) init()
{
const char *xdg_runtime_dir;
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index ccc8a1d94..c3f1fc7fa 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -32,6 +32,7 @@ extern uid_t rootless_gid();
extern int reexec_in_user_namespace(int ready, char *pause_pid_file_path, char *file_to_read, int fd);
extern int reexec_in_user_namespace_wait(int pid, int options);
extern int reexec_userns_join(int pid, char *pause_pid_file_path);
+extern int is_fd_inherited(int fd);
*/
import "C"
@@ -520,3 +521,8 @@ func ConfigurationMatches() (bool, error) {
return matches(GetRootlessGID(), gids, currentGIDs), nil
}
+
+// IsFdInherited checks whether the fd is opened and valid to use
+func IsFdInherited(fd int) bool {
+ return int(C.is_fd_inherited(C.int(fd))) > 0
+}
diff --git a/pkg/rootless/rootless_unsupported.go b/pkg/rootless/rootless_unsupported.go
index 1499b737f..7dfb4a4b2 100644
--- a/pkg/rootless/rootless_unsupported.go
+++ b/pkg/rootless/rootless_unsupported.go
@@ -64,3 +64,8 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
func ReadMappingsProc(path string) ([]idtools.IDMap, error) {
return nil, nil
}
+
+// IsFdInherited checks whether the fd is opened and valid to use
+func IsFdInherited(fd int) bool {
+ return false
+}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index f2a6d14eb..574c5c3f2 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -1063,6 +1063,13 @@ USER mail`
Expect(session.ExitCode()).To(Equal(0))
})
+ It("podman run --preserve-fds invalid fd", func() {
+ session := podmanTest.Podman([]string{"run", "--preserve-fds", "2", ALPINE})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Not(Equal(0)))
+ Expect(session.ErrorToString()).To(ContainSubstring("file descriptor 3 is not available"))
+ })
+
It("podman run --privileged and --group-add", func() {
groupName := "kvm"
session := podmanTest.Podman([]string{"run", "-t", "-i", "--group-add", groupName, "--privileged", fedoraMinimal, "groups"})
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index e93a2efe2..e2199335f 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -63,7 +63,6 @@ echo $rand | 0 | $rand
# 'run --preserve-fds' passes a number of additional file descriptors into the container
@test "podman run --preserve-fds" {
- skip "enable this once #6653 is fixed"
skip_if_remote
content=$(random_string 20)