Merge pull request #7125 from QiWang19/fd-validate

validate fds --preserve-fds

3 files changed, 21 insertions, 0 deletions

diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c
index 0223c35ee..2e1fddc48 100644
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@@ -225,6 +225,16 @@ can_use_shortcut ()
   return ret;
 }
 
+int
+is_fd_inherited(int fd)
+{
+  if (open_files_set == NULL || fd > open_files_max_fd || fd < 0)
+  {
+    return 0;
+  }
+  return FD_ISSET(fd % FD_SETSIZE, &(open_files_set[fd / FD_SETSIZE])) ? 1 : 0;
+}
+
 static void __attribute__((constructor)) init()
 {
   const char *xdg_runtime_dir;
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index ccc8a1d94..c3f1fc7fa 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -32,6 +32,7 @@ extern uid_t rootless_gid();
 extern int reexec_in_user_namespace(int ready, char *pause_pid_file_path, char *file_to_read, int fd);
 extern int reexec_in_user_namespace_wait(int pid, int options);
 extern int reexec_userns_join(int pid, char *pause_pid_file_path);
+extern int is_fd_inherited(int fd);
 */
 import "C"
 
@@ -520,3 +521,8 @@ func ConfigurationMatches() (bool, error) {
 
 	return matches(GetRootlessGID(), gids, currentGIDs), nil
 }
+
+// IsFdInherited checks whether the fd is opened and valid to use
+func IsFdInherited(fd int) bool {
+	return int(C.is_fd_inherited(C.int(fd))) > 0
+}
diff --git a/pkg/rootless/rootless_unsupported.go b/pkg/rootless/rootless_unsupported.go
index 1499b737f..7dfb4a4b2 100644
--- a/pkg/rootless/rootless_unsupported.go
+++ b/pkg/rootless/rootless_unsupported.go
@@ -64,3 +64,8 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
 func ReadMappingsProc(path string) ([]idtools.IDMap, error) {
 	return nil, nil
 }
+
+// IsFdInherited checks whether the fd is opened and valid to use
+func IsFdInherited(fd int) bool {
+	return false
+}