refactor closing of file descriptors

author: smitsohu <smitsohu@gmail.com> 2022-01-12 18:25:11 +0100
committer: smitsohu <smitsohu@gmail.com> 2022-01-12 18:25:11 +0100
commit: 4efbd78c7438aa5b869103ef9fe24f7035b984ba (patch)
tree: d60fe52b95b7140c13473a0f8dd98a6ef15b0b52
parent: merges (diff)
download: firejail-4efbd78c7438aa5b869103ef9fe24f7035b984ba.tar.gz
firejail-4efbd78c7438aa5b869103ef9fe24f7035b984ba.tar.zst
firejail-4efbd78c7438aa5b869103ef9fe24f7035b984ba.zip
4 files changed, 55 insertions, 11 deletions
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index e1475870c..12256b833 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -297,11 +297,12 @@ void dbus_proxy_start(void) {
        if (dbus_proxy_pid == -1)
                errExit("fork");
        if (dbus_proxy_pid == 0) {
-                int i;
+                // close open files
-                for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
+                int keep_list[2];
-                        if (i != status_pipe[1] && i != args_pipe[0])
+                keep_list[0] = status_pipe[1];
-                                close(i); // close open files
+                keep_list[1] = args_pipe[0];
-                }
+                close_all(keep_list, ARRAY_SIZE(keep_list));
                if (arg_dbus_log_file != NULL) {
                        int output_fd = creat(arg_dbus_log_file, 0666);
                        if (output_fd < 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7529256d0..7314c5350 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -551,6 +551,7 @@ int remount_by_fd(int dst, unsigned long mountflags);
 int bind_mount_by_fd(int src, int dst);
 int bind_mount_path_to_fd(const char *srcname, int dst);
 int bind_mount_fd_to_path(int src, const char *destname);
+void close_all(int *keep_list, size_t sz);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
@@ -881,7 +882,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_HIDEPID (1 << 7)      // hidepid caps filter for running firemon
 #define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
 #define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
-#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index e5e67c09d..7b5b61f2f 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -72,11 +72,8 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
        }
        // close all other file descriptors
-        if ((filtermask & SBOX_KEEP_FDS) == 0) {
+        if ((filtermask & SBOX_KEEP_FDS) == 0)
-                int i;
+                close_all(NULL, 0);
-                for (i = 3; i < FIREJAIL_MAX_FD; i++)
-                        close(i); // close open files
-        }
        umask(027);
diff --git a/src/firejail/util.c b/src/firejail/util.c
index dbbc1ea28..5b8fd0b0f 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1398,6 +1398,52 @@ int bind_mount_path_to_fd(const char *srcname, int dst) {
        return rv;
 }
+void close_all(int *keep_list, size_t sz) {
+        DIR *dir;
+        if (!(dir = opendir("/proc/self/fd"))) {
+                // sleep 2 seconds and try again
+                sleep(2);
+                if (!(dir = opendir("/proc/self/fd"))) {
+                        fprintf(stderr, "Error: cannot open /proc/self/fd directory\n");
+                        exit(1);
+                }
+        }
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 ||
+                    strcmp(entry->d_name, "..") == 0)
+                        continue;
+                int fd = atoi(entry->d_name);
+                // don't close standard streams
+                if (fd == STDIN_FILENO ||
+                    fd == STDOUT_FILENO ||
+                    fd == STDERR_FILENO)
+                        continue;
+                if (fd == dirfd(dir))
+                        continue; // just postponed
+                // dont't close file descriptors in keep list
+                int keep = 0;
+                if (keep_list) {
+                        size_t i;
+                        for (i = 0; i < sz; i++) {
+                                if (keep_list[i] == fd) {
+                                        keep = 1;
+                                        break;
+                                }
+                        }
+                }
+                if (keep)
+                        continue;
+                close(fd);
+        }
+        closedir(dir);
+}
 int has_handler(pid_t pid, int signal) {
        if (signal > 0 && signal <= SIGRTMAX) {
                char *fname;
author	smitsohu <smitsohu@gmail.com>	2022-01-12 18:25:11 +0100
committer	smitsohu <smitsohu@gmail.com>	2022-01-12 18:25:11 +0100
commit	4efbd78c7438aa5b869103ef9fe24f7035b984ba (patch)
tree	d60fe52b95b7140c13473a0f8dd98a6ef15b0b52
parent	merges (diff)
download	firejail-4efbd78c7438aa5b869103ef9fe24f7035b984ba.tar.gz firejail-4efbd78c7438aa5b869103ef9fe24f7035b984ba.tar.zst firejail-4efbd78c7438aa5b869103ef9fe24f7035b984ba.zip

diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index e1475870c..12256b833 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c
@@ -297,11 +297,12 @@ void dbus_proxy_start(void) {
297	if (dbus_proxy_pid == -1)	297	if (dbus_proxy_pid == -1)
298	errExit("fork");	298	errExit("fork");
299	if (dbus_proxy_pid == 0) {	299	if (dbus_proxy_pid == 0) {
300	int i;	300	// close open files
301	for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {	301	int keep_list[2];
302	if (i != status_pipe[1] && i != args_pipe[0])	302	keep_list[0] = status_pipe[1];
303	close(i); // close open files	303	keep_list[1] = args_pipe[0];
304	}	304	close_all(keep_list, ARRAY_SIZE(keep_list));
		305
305	if (arg_dbus_log_file != NULL) {	306	if (arg_dbus_log_file != NULL) {
306	int output_fd = creat(arg_dbus_log_file, 0666);	307	int output_fd = creat(arg_dbus_log_file, 0666);
307	if (output_fd < 0)	308	if (output_fd < 0)


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7529256d0..7314c5350 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -551,6 +551,7 @@ int remount_by_fd(int dst, unsigned long mountflags);
551	int bind_mount_by_fd(int src, int dst);	551	int bind_mount_by_fd(int src, int dst);
552	int bind_mount_path_to_fd(const char *srcname, int dst);	552	int bind_mount_path_to_fd(const char *srcname, int dst);
553	int bind_mount_fd_to_path(int src, const char *destname);	553	int bind_mount_fd_to_path(int src, const char *destname);
		554	void close_all(int *keep_list, size_t sz);
554	int has_handler(pid_t pid, int signal);	555	int has_handler(pid_t pid, int signal);
555	void enter_network_namespace(pid_t pid);	556	void enter_network_namespace(pid_t pid);
556	int read_pid(const char name, pid_t pid);	557	int read_pid(const char name, pid_t pid);
@@ -881,7 +882,6 @@ void build_appimage_cmdline(char command_line, char window_title, int argc,
881	#define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon	882	#define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon
882	#define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services	883	#define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
883	#define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open	884	#define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
884	#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
885		885
886	// run sbox	886	// run sbox
887	int sbox_run(unsigned filter, int num, ...);	887	int sbox_run(unsigned filter, int num, ...);


diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index e5e67c09d..7b5b61f2f 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c
@@ -72,11 +72,8 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
72	}	72	}
73		73
74	// close all other file descriptors	74	// close all other file descriptors
75	if ((filtermask & SBOX_KEEP_FDS) == 0) {	75	if ((filtermask & SBOX_KEEP_FDS) == 0)
76	int i;	76	close_all(NULL, 0);
77	for (i = 3; i < FIREJAIL_MAX_FD; i++)
78	close(i); // close open files
79	}
80		77
81	umask(027);	78	umask(027);
82		79


diff --git a/src/firejail/util.c b/src/firejail/util.c index dbbc1ea28..5b8fd0b0f 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -1398,6 +1398,52 @@ int bind_mount_path_to_fd(const char *srcname, int dst) {
1398	return rv;	1398	return rv;
1399	}	1399	}
1400		1400
		1401	void close_all(int *keep_list, size_t sz) {
		1402	DIR *dir;
		1403	if (!(dir = opendir("/proc/self/fd"))) {
		1404	// sleep 2 seconds and try again
		1405	sleep(2);
		1406	if (!(dir = opendir("/proc/self/fd"))) {
		1407	fprintf(stderr, "Error: cannot open /proc/self/fd directory\n");
		1408	exit(1);
		1409	}
		1410	}
		1411	struct dirent *entry;
		1412	while ((entry = readdir(dir)) != NULL) {
		1413	if (strcmp(entry->d_name, ".") == 0 \|\|
		1414	strcmp(entry->d_name, "..") == 0)
		1415	continue;
		1416
		1417	int fd = atoi(entry->d_name);
		1418
		1419	// don't close standard streams
		1420	if (fd == STDIN_FILENO \|\|
		1421	fd == STDOUT_FILENO \|\|
		1422	fd == STDERR_FILENO)
		1423	continue;
		1424
		1425	if (fd == dirfd(dir))
		1426	continue; // just postponed
		1427
		1428	// dont't close file descriptors in keep list
		1429	int keep = 0;
		1430	if (keep_list) {
		1431	size_t i;
		1432	for (i = 0; i < sz; i++) {
		1433	if (keep_list[i] == fd) {
		1434	keep = 1;
		1435	break;
		1436	}
		1437	}
		1438	}
		1439	if (keep)
		1440	continue;
		1441
		1442	close(fd);
		1443	}
		1444	closedir(dir);
		1445	}
		1446
1401	int has_handler(pid_t pid, int signal) {	1447	int has_handler(pid_t pid, int signal) {
1402	if (signal > 0 && signal <= SIGRTMAX) {	1448	if (signal > 0 && signal <= SIGRTMAX) {
1403	char *fname;	1449	char *fname;