crtxcr/exile.h
1
0
Fork 0
Code Issues 14 Pull Requests 1 Releases Wiki Activity

Close file fds by default, introduce policy->keep_fds_open

Browse Source 
The better default is to close them, not keeping them open.

Does not close sockets and pipes to not interfere with IPC.

Issue: #10
This commit is contained in:
Albert S. 2022-07-17 11:28:43 +02:00
parent 8f38dc4480
commit 3fa73b0b97
2 changed files with 22 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
exile.c
View File

@ -1446,7 +1446,20 @@ static void close_file_fds()
long max_files = sysconf(_SC_OPEN_MAX); long max_files = sysconf(_SC_OPEN_MAX);
for(long i = 3; i <= max_files; i++) for(long i = 3; i <= max_files; i++)
{ {
close((int)i); struct stat statbuf;
int fd = (int) max_files;
int result = fstat(i, &statbuf);
if(result == -1 && errno != EBADF && errno != EACCES)
{
EXILE_LOG_ERROR("Could not fstat %i: %s\n", fd, strerror(errno));
abort();
}
int type = statbuf.st_mode & S_IFMT;
if(type != S_IFIFO && type != S_IFSOCK)
{
/* No error check, retrying not recommended */
close(fd);
}
} }
} }
@ -1509,6 +1522,11 @@ int exile_enable_policy(struct exile_policy *policy)
return -EINVAL; return -EINVAL;
} }
if(policy->keep_fds_open != 1)
{
close_file_fds();
}
if(enter_namespaces(policy->namespace_options) < 0) if(enter_namespaces(policy->namespace_options) < 0)
{ {
EXILE_LOG_ERROR("Error while trying to enter namespaces\n"); EXILE_LOG_ERROR("Error while trying to enter namespaces\n");

1
exile.h
View File

@ -364,6 +364,7 @@ struct exile_policy
int no_new_privs; int no_new_privs;
int no_fs; int no_fs;
int no_new_fds; int no_new_fds;
int keep_fds_open;
int namespace_options; int namespace_options;
int disable_syscall_filter; int disable_syscall_filter;
/* Bind mounts all paths in path_policies into the chroot and applies /* Bind mounts all paths in path_policies into the chroot and applies