[PATCH] pasta: do not leak netlink sock into child
When spawning a child command with pasta command... pasta should not
leak fds that it opened. Only the fds that were already open should be
given to the child.
Run `pasta --config-net -- ls -l /proc/self/fd` from a terminal where
only stdin/out/err are open. The fd 3 was opened by ls to read the
/proc/self/fd dir. But fd 5 is the netlink socket that was opened in
pasta. To prevent such a leak we will open the socket with SOCK_CLOEXEC.
Signed-off-by: Paul Holzinger
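
The leak described in the commit message above, as an added example that is not part of the patch or of pasta's own code: it reports which descriptors lack FD_CLOEXEC and would therefore be inherited across execve(), comparing a netlink socket opened with and without SOCK_CLOEXEC. The NETLINK_ROUTE protocol, the function names and the scan bound are assumptions made for illustration.

```c
/* Added example: audit which fds an execve()'d child would inherit. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/netlink.h>

/* Returns 1 if fd is open and would survive execve(), 0 if it is
 * close-on-exec, -1 if fd is not open. */
int fd_inheritable(int fd)
{
	int flags = fcntl(fd, F_GETFD);

	if (flags < 0)
		return -1;
	return !(flags & FD_CLOEXEC);
}

/* Counts open fds in [3, max_fd) that lack FD_CLOEXEC (hypothetical helper). */
int count_inheritable(int max_fd)
{
	int fd, n = 0;

	for (fd = 3; fd < max_fd; fd++)
		if (fd_inheritable(fd) == 1)
			n++;
	return n;
}

/* Opens a netlink socket; extra is 0 or SOCK_CLOEXEC.
 * NETLINK_ROUTE is an assumption, the page does not name the protocol. */
int open_netlink(int extra)
{
	return socket(AF_NETLINK, SOCK_RAW | extra, NETLINK_ROUTE);
}

int main(void)
{
	int leaky = open_netlink(0);
	int fixed = open_netlink(SOCK_CLOEXEC);

	printf("fd %d inheritable: %d\n", leaky, fd_inheritable(leaky));
	printf("fd %d inheritable: %d\n", fixed, fd_inheritable(fixed));
	/* Retrofit for an fd that was opened without the flag. */
	fcntl(leaky, F_SETFD, FD_CLOEXEC);
	printf("after F_SETFD: %d\n", fd_inheritable(leaky));
	close(leaky);
	close(fixed);
	return 0;
}
```

Setting the flag atomically in socket() is preferable to a later fcntl(F_SETFD) in a program where another thread could fork and exec between the two calls.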
On Tue, 7 Feb 2023 16:10:46 +0100
Paul Holzinger
When spawning a child command with pasta command... pasta should not leak fds that it opened. Only the fds that were already open should be given to the child.
Run `pasta --config-net -- ls -l /proc/self/fd` from a terminal where only stdin/out/err are open. The fd 3 was opened by ls to read the /proc/self/fd dir. But fd 5 is the netlink socket that was opened in pasta. To prevent such a leak we will open the socket with SOCK_CLOEXEC.
Signed-off-by: Paul Holzinger
Thanks for the patch, and welcome to the git log! I'll push this out in a bit (still sorting some unrelated test failures first). -- Stefano
On Tue, 7 Feb 2023 16:10:46 +0100
Paul Holzinger
When spawning a child command with pasta command... pasta should not leak fds that it opened. Only the fds that were already open should be given to the child.
Run `pasta --config-net -- ls -l /proc/self/fd` from a terminal where only stdin/out/err are open. The fd 3 was opened by ls to read the /proc/self/fd dir. But fd 5 is the netlink socket that was opened in pasta. To prevent such a leak we will open the socket with SOCK_CLOEXEC.
Signed-off-by: Paul Holzinger
Applied. -- Stefano
participants (2)
- Paul Holzinger
- Stefano Brivio