From 34e82f81bdbdd26b82501bc2d27d18aaab5747dd Mon Sep 17 00:00:00 2001 From: Qi Wang Date: Fri, 31 Jul 2020 10:17:08 -0400 Subject: validate fds --preserve-fds validate file descriptors passed from podman run and podman exec --preserve-fds. Signed-off-by: Qi Wang --- cmd/podman/containers/exec.go | 7 +++++++ cmd/podman/containers/run.go | 5 +++++ pkg/rootless/rootless_linux.c | 10 ++++++++++ pkg/rootless/rootless_linux.go | 6 ++++++ pkg/rootless/rootless_unsupported.go | 5 +++++ test/e2e/run_test.go | 7 +++++++ test/system/030-run.bats | 1 - 7 files changed, 40 insertions(+), 1 deletion(-) diff --git a/cmd/podman/containers/exec.go b/cmd/podman/containers/exec.go index da450054f..e301ca588 100644 --- a/cmd/podman/containers/exec.go +++ b/cmd/podman/containers/exec.go @@ -10,6 +10,7 @@ import ( "github.com/containers/podman/v2/libpod/define" "github.com/containers/podman/v2/pkg/domain/entities" envLib "github.com/containers/podman/v2/pkg/env" + "github.com/containers/podman/v2/pkg/rootless" "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/spf13/pflag" @@ -110,6 +111,12 @@ func exec(_ *cobra.Command, args []string) error { execOpts.Envs = envLib.Join(execOpts.Envs, cliEnv) + for fd := 3; fd < int(3+execOpts.PreserveFDs); fd++ { + if !rootless.IsFdInherited(fd) { + return errors.Errorf("file descriptor %d is not available - the preserve-fds option requires that file descriptors must be passed", fd) + } + } + if !execDetach { streams := define.AttachStreams{} streams.OutputStream = os.Stdout diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go index d26aed826..43484e2e4 100644 --- a/cmd/podman/containers/run.go +++ b/cmd/podman/containers/run.go @@ -125,6 +125,11 @@ func run(cmd *cobra.Command, args []string) error { if err := createInit(cmd); err != nil { return err } + for fd := 3; fd < int(3+runOpts.PreserveFDs); fd++ { + if !rootless.IsFdInherited(fd) { + return errors.Errorf("file descriptor %d is not available - the preserve-fds option requires that file descriptors must be passed", fd) + } + } imageName := args[0] if !cliVals.RootFS { diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index 0223c35ee..2e1fddc48 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -225,6 +225,16 @@ can_use_shortcut () return ret; } +int +is_fd_inherited(int fd) +{ + if (open_files_set == NULL || fd > open_files_max_fd || fd < 0) + { + return 0; + } + return FD_ISSET(fd % FD_SETSIZE, &(open_files_set[fd / FD_SETSIZE])) ? 1 : 0; +} + static void __attribute__((constructor)) init() { const char *xdg_runtime_dir; diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index ccc8a1d94..c3f1fc7fa 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -32,6 +32,7 @@ extern uid_t rootless_gid(); extern int reexec_in_user_namespace(int ready, char *pause_pid_file_path, char *file_to_read, int fd); extern int reexec_in_user_namespace_wait(int pid, int options); extern int reexec_userns_join(int pid, char *pause_pid_file_path); +extern int is_fd_inherited(int fd); */ import "C" @@ -520,3 +521,8 @@ func ConfigurationMatches() (bool, error) { return matches(GetRootlessGID(), gids, currentGIDs), nil } + +// IsFdInherited checks whether the fd is opened and valid to use +func IsFdInherited(fd int) bool { + return int(C.is_fd_inherited(C.int(fd))) > 0 +} diff --git a/pkg/rootless/rootless_unsupported.go b/pkg/rootless/rootless_unsupported.go index 1499b737f..7dfb4a4b2 100644 --- a/pkg/rootless/rootless_unsupported.go +++ b/pkg/rootless/rootless_unsupported.go @@ -64,3 +64,8 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { func ReadMappingsProc(path string) ([]idtools.IDMap, error) { return nil, nil } + +// IsFdInherited checks whether the fd is opened and valid to use +func IsFdInherited(fd int) bool { + return false +} diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index f2a6d14eb..574c5c3f2 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -1063,6 +1063,13 @@ USER mail` Expect(session.ExitCode()).To(Equal(0)) }) + It("podman run --preserve-fds invalid fd", func() { + session := podmanTest.Podman([]string{"run", "--preserve-fds", "2", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + Expect(session.ErrorToString()).To(ContainSubstring("file descriptor 3 is not available")) + }) + It("podman run --privileged and --group-add", func() { groupName := "kvm" session := podmanTest.Podman([]string{"run", "-t", "-i", "--group-add", groupName, "--privileged", fedoraMinimal, "groups"}) diff --git a/test/system/030-run.bats b/test/system/030-run.bats index e93a2efe2..e2199335f 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -63,7 +63,6 @@ echo $rand | 0 | $rand # 'run --preserve-fds' passes a number of additional file descriptors into the container @test "podman run --preserve-fds" { - skip "enable this once #6653 is fixed" skip_if_remote content=$(random_string 20) -- cgit v1.2.3-54-g00ecf