src: use O_CLOEXEC for all open/openat calls
Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe committed Dec 1, 2023
1 parent 0f0d5be commit 3ad89be
Showing 12 changed files with 76 additions and 76 deletions.
38 changes: 19 additions & 19 deletions src/libcrun/cgroup-resources.c
Expand Up @@ -41,19 +41,19 @@
static inline int
write_cgroup_file (int dirfd, const char *name, const void *data, size_t len, libcrun_error_t *err)
{
return write_file_at_with_flags (dirfd, O_WRONLY, 0, name, data, len, err);
return write_file_at_with_flags (dirfd, O_WRONLY | O_CLOEXEC, 0, name, data, len, err);
}

static int
write_cgroup_file_or_alias (int dirfd, const char *name, const char *alias, const void *data, size_t len, libcrun_error_t *err)
{
int ret;

ret = write_file_at_with_flags (dirfd, O_WRONLY, 0, name, data, len, err);
ret = write_file_at_with_flags (dirfd, O_WRONLY | O_CLOEXEC, 0, name, data, len, err);
if (UNLIKELY (alias != NULL && ret < 0 && crun_error_get_errno (err) == ENOENT))
{
crun_error_release (err);
ret = write_file_at_with_flags (dirfd, O_WRONLY, 0, alias, data, len, err);
ret = write_file_at_with_flags (dirfd, O_WRONLY | O_CLOEXEC, 0, alias, data, len, err);
}
return ret;
}
Expand Down Expand Up @@ -189,7 +189,7 @@ write_blkio_v1_resources_throttling (int dirfd, const char *name, throttling_s *
if (throttling == NULL)
return 0;

fd = openat (dirfd, name, O_WRONLY);
fd = openat (dirfd, name, O_WRONLY | O_CLOEXEC);
if (UNLIKELY (fd < 0))
return crun_make_error (err, errno, "open `%s`", name);

Expand Down Expand Up @@ -288,7 +288,7 @@ write_blkio_resources (int dirfd, bool cgroup2, runtime_spec_schema_config_linux
cleanup_close int wfd = -1;
size_t i;

wfd = openat (dirfd, "io.bfq.weight", O_WRONLY);
wfd = openat (dirfd, "io.bfq.weight", O_WRONLY | O_CLOEXEC);
if (UNLIKELY (wfd < 0))
return crun_make_error (err, errno, "open io.weight");
for (i = 0; i < blkio->weight_device_len; i++)
Expand All @@ -313,12 +313,12 @@ write_blkio_resources (int dirfd, bool cgroup2, runtime_spec_schema_config_linux
size_t i;

w_device_fd = openat_with_alias (dirfd, "blkio.weight_device", "blkio.bfq.weight_device",
&weight_device_file_name, O_WRONLY, err);
&weight_device_file_name, O_WRONLY | O_CLOEXEC, err);
if (UNLIKELY (w_device_fd < 0))
return w_device_fd;

w_leafdevice_fd = openat_with_alias (dirfd, "blkio.leaf_weight_device", "blkio.bfq.leaf_weight_device",
&leaf_weight_device_file_name, O_WRONLY, err);
&leaf_weight_device_file_name, O_WRONLY | O_CLOEXEC, err);
if (UNLIKELY (w_leafdevice_fd < 0))
{
/* If the .leaf_weight_device file is missing, just ignore it. */
Expand Down Expand Up @@ -349,7 +349,7 @@ write_blkio_resources (int dirfd, bool cgroup2, runtime_spec_schema_config_linux
cleanup_close int wfd = -1;
const char *name = "io.max";

wfd = openat (dirfd, name, O_WRONLY);
wfd = openat (dirfd, name, O_WRONLY | O_CLOEXEC);
if (UNLIKELY (wfd < 0))
{
ret = crun_make_error (err, errno, "open `%s`", name);
Expand Down Expand Up @@ -423,7 +423,7 @@ write_network_resources (int dirfd_netclass, int dirfd_netprio, runtime_spec_sch
{
size_t i;
cleanup_close int fd = -1;
fd = openat (dirfd_netprio, "net_prio.ifpriomap", O_WRONLY);
fd = openat (dirfd_netprio, "net_prio.ifpriomap", O_WRONLY | O_CLOEXEC);
if (UNLIKELY (fd < 0))
return crun_make_error (err, errno, "open `net_prio.ifpriomap`");

Expand Down Expand Up @@ -1072,7 +1072,7 @@ update_cgroup_v1_resources (runtime_spec_schema_config_linux_resources *resource
if (UNLIKELY (ret < 0))
return ret;

dirfd_blkio = open (path_to_blkio, O_DIRECTORY | O_RDONLY);
dirfd_blkio = open (path_to_blkio, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd_blkio < 0))
return crun_make_error (err, errno, "open `%s`", path_to_blkio);

Expand All @@ -1097,11 +1097,11 @@ update_cgroup_v1_resources (runtime_spec_schema_config_linux_resources *resource
if (UNLIKELY (ret < 0))
return ret;

dirfd_netclass = open (path_to_netclass, O_DIRECTORY | O_RDONLY);
dirfd_netclass = open (path_to_netclass, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd_netclass < 0))
return crun_make_error (err, errno, "open `%s`", path_to_netclass);

dirfd_netprio = open (path_to_netprio, O_DIRECTORY | O_RDONLY);
dirfd_netprio = open (path_to_netprio, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd_netprio < 0))
return crun_make_error (err, errno, "open `%s`", path_to_netprio);

Expand All @@ -1118,7 +1118,7 @@ update_cgroup_v1_resources (runtime_spec_schema_config_linux_resources *resource
ret = append_paths (&path_to_htlb, err, CGROUP_ROOT "/hugetlb", path, NULL);
if (UNLIKELY (ret < 0))
return ret;
dirfd_htlb = open (path_to_htlb, O_DIRECTORY | O_RDONLY);
dirfd_htlb = open (path_to_htlb, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd_htlb < 0))
return crun_make_error (err, errno, "open `%s`", path_to_htlb);

Expand All @@ -1137,7 +1137,7 @@ update_cgroup_v1_resources (runtime_spec_schema_config_linux_resources *resource
if (UNLIKELY (ret < 0))
return ret;

dirfd_devs = open (path_to_devs, O_DIRECTORY | O_RDONLY);
dirfd_devs = open (path_to_devs, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd_devs < 0))
return crun_make_error (err, errno, "open `%s`", path_to_devs);

Expand All @@ -1155,7 +1155,7 @@ update_cgroup_v1_resources (runtime_spec_schema_config_linux_resources *resource
if (UNLIKELY (ret < 0))
return ret;

dirfd_mem = open (path_to_mem, O_DIRECTORY | O_RDONLY);
dirfd_mem = open (path_to_mem, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd_mem < 0))
return crun_make_error (err, errno, "open `%s`", path_to_mem);

Expand All @@ -1173,7 +1173,7 @@ update_cgroup_v1_resources (runtime_spec_schema_config_linux_resources *resource
if (UNLIKELY (ret < 0))
return ret;

dirfd_pid = open (path_to_pid, O_DIRECTORY | O_RDONLY);
dirfd_pid = open (path_to_pid, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd_pid < 0))
return crun_make_error (err, errno, "open `%s`", path_to_pid);

Expand All @@ -1193,7 +1193,7 @@ update_cgroup_v1_resources (runtime_spec_schema_config_linux_resources *resource
if (UNLIKELY (ret < 0))
return ret;

dirfd_cpu = open (path_to_cpu, O_DIRECTORY | O_RDONLY);
dirfd_cpu = open (path_to_cpu, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd_cpu < 0))
return crun_make_error (err, errno, "open `%s`", path_to_cpu);
ret = write_cpu_resources (dirfd_cpu, false, resources->cpu, err);
Expand All @@ -1207,7 +1207,7 @@ update_cgroup_v1_resources (runtime_spec_schema_config_linux_resources *resource
if (UNLIKELY (ret < 0))
return ret;

dirfd_cpuset = open (path_to_cpuset, O_DIRECTORY | O_RDONLY);
dirfd_cpuset = open (path_to_cpuset, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd_cpuset < 0))
return crun_make_error (err, errno, "open `%s`", path_to_cpuset);

Expand Down Expand Up @@ -1259,7 +1259,7 @@ update_cgroup_v2_resources (runtime_spec_schema_config_linux_resources *resource
if (UNLIKELY (ret < 0))
return ret;

cgroup_dirfd = open (cgroup_path, O_DIRECTORY);
cgroup_dirfd = open (cgroup_path, O_DIRECTORY | O_CLOEXEC);
if (UNLIKELY (cgroup_dirfd < 0))
return crun_make_error (err, errno, "open `%s`", cgroup_path);

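Review bot: Adding `O_CLOEXEC` at each call site, as in `write_cgroup_file` and `write_cgroup_file_or_alias`, leaves the guarantee dependent on every future caller of `write_file_at_with_flags` and `openat_with_alias` remembering the flag. Both helpers are defined outside this section, so whether they already force the flag is not visible here; if they do not, OR-ing `O_CLOEXEC` into the flags inside the helpers would make the property hold by construction. The same applies to the four `write_file_at_with_flags` calls in `setup_rt_runtime` in src/libcrun/cgroup-systemd.c. At minimum, a comment on `write_cgroup_file` such as `/* O_CLOEXEC: cgroup descriptors must not be inherited across exec. */` would record why the flag is there.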
12 changes: 6 additions & 6 deletions src/libcrun/cgroup-setup.c
Expand Up @@ -47,15 +47,15 @@ initialize_cpuset_subsystem_rec (char *path, size_t path_len, char *cpus, char *
cleanup_close int cpus_fd = -1;
int b_len;

dirfd = open (path, O_DIRECTORY | O_RDONLY);
dirfd = open (path, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd < 0))
return crun_make_error (err, errno, "open `%s`", path);

if (cpus[0] == '\0')
{
cpus_fd = openat (dirfd, "cpuset.cpus", O_RDWR);
cpus_fd = openat (dirfd, "cpuset.cpus", O_RDWR | O_CLOEXEC);
if (UNLIKELY (cpus_fd < 0 && errno == ENOENT))
cpus_fd = openat (dirfd, "cpus", O_RDWR);
cpus_fd = openat (dirfd, "cpus", O_RDWR | O_CLOEXEC);
if (UNLIKELY (cpus_fd < 0))
return crun_make_error (err, errno, "open `%s/%s`", path, "cpuset.cpus");

Expand All @@ -69,9 +69,9 @@ initialize_cpuset_subsystem_rec (char *path, size_t path_len, char *cpus, char *

if (mems[0] == '\0')
{
mems_fd = openat (dirfd, "cpuset.mems", O_RDWR);
mems_fd = openat (dirfd, "cpuset.mems", O_RDWR | O_CLOEXEC);
if (UNLIKELY (mems_fd < 0 && errno == ENOENT))
mems_fd = openat (dirfd, "mems", O_RDWR);
mems_fd = openat (dirfd, "mems", O_RDWR | O_CLOEXEC);
if (UNLIKELY (mems_fd < 0))
return crun_make_error (err, errno, "open `%s/%s`", path, "cpuset.mems");

Expand Down Expand Up @@ -160,7 +160,7 @@ initialize_memory_subsystem (const char *path, libcrun_error_t *err)
cleanup_close int dirfd = -1;
int i;

dirfd = open (path, O_DIRECTORY | O_RDONLY);
dirfd = open (path, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (UNLIKELY (dirfd < 0))
return crun_make_error (err, errno, "open `%s`", path);

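Review bot: In `initialize_cpuset_subsystem_rec` the error after the fallback always names `cpuset.cpus` (and likewise `cpuset.mems`), even when the call that failed last was the `openat` of the unprefixed `cpus` or `mems` file, in which case `errno` belongs to that second call. Reporting the name that was tried last would make the failure easier to diagnose. A short comment above each fallback, for example `/* Retry with the unprefixed name if the prefixed file does not exist. */`, would also document why two names are tried. The function body starts and ends outside the hunks shown.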
8 changes: 4 additions & 4 deletions src/libcrun/cgroup-systemd.c
Expand Up @@ -174,12 +174,12 @@ setup_rt_runtime (runtime_spec_schema_config_linux_resources *resources,

if (need_set_parent)
{
ret = write_file_at_with_flags (dirfd, O_WRONLY, 0, "../cpu.rt_period_us", fmt_buf, len, err);
ret = write_file_at_with_flags (dirfd, O_WRONLY | O_CLOEXEC, 0, "../cpu.rt_period_us", fmt_buf, len, err);
if (UNLIKELY (ret < 0))
return ret;
}

ret = write_file_at_with_flags (dirfd, O_WRONLY, 0, "cpu.rt_period_us", fmt_buf, len, err);
ret = write_file_at_with_flags (dirfd, O_WRONLY | O_CLOEXEC, 0, "cpu.rt_period_us", fmt_buf, len, err);
if (UNLIKELY (ret < 0))
return ret;
}
Expand All @@ -190,12 +190,12 @@ setup_rt_runtime (runtime_spec_schema_config_linux_resources *resources,

if (need_set_parent)
{
ret = write_file_at_with_flags (dirfd, O_WRONLY, 0, "../cpu.rt_runtime_us", fmt_buf, len, err);
ret = write_file_at_with_flags (dirfd, O_WRONLY | O_CLOEXEC, 0, "../cpu.rt_runtime_us", fmt_buf, len, err);
if (UNLIKELY (ret < 0))
return ret;
}

ret = write_file_at_with_flags (dirfd, O_WRONLY, 0, "cpu.rt_runtime_us", fmt_buf, len, err);
ret = write_file_at_with_flags (dirfd, O_WRONLY | O_CLOEXEC, 0, "cpu.rt_runtime_us", fmt_buf, len, err);
if (UNLIKELY (ret < 0))
return ret;
}
2 changes: 1 addition & 1 deletion src/libcrun/cgroup-utils.c
Expand Up @@ -584,7 +584,7 @@ chown_cgroups (const char *path, uid_t uid, gid_t gid, libcrun_error_t *err)
if (UNLIKELY (ret < 0))
return ret;

dfd = open (cgroup_path, O_PATH);
dfd = open (cgroup_path, O_CLOEXEC | O_PATH);

ret = read_all_file ("/sys/kernel/cgroup/delegate", &delegate, &delegate_size, err);
if (UNLIKELY (ret < 0))
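Review bot: The result of `open (cgroup_path, O_CLOEXEC | O_PATH)` in `chown_cgroups` is not checked before the next call, `read_all_file`, which can overwrite `errno`. If `dfd` is only tested later, or not at all, a failed open would be reported with a misleading error or passed on as -1 to whatever uses the descriptor; the rest of the function is outside the hunk, so this needs confirming. A check directly after the open, ``if (UNLIKELY (dfd < 0)) return crun_make_error (err, errno, "open `%s`", cgroup_path);``, would match the pattern used at the other call sites in this commit. The declaration of `dfd` is not visible either, so it is worth confirming that it is `cleanup_close`, given the early `return ret` that follows.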
4 changes: 2 additions & 2 deletions src/libcrun/container.c
Expand Up @@ -1308,15 +1308,15 @@ open_hooks_output (libcrun_container_t *container, int *out_fd, int *err_fd, lib
annotation = find_annotation (container, "run.oci.hooks.stdout");
if (annotation)
{
*out_fd = TEMP_FAILURE_RETRY (open (annotation, O_CREAT | O_WRONLY | O_APPEND, 0700));
*out_fd = TEMP_FAILURE_RETRY (open (annotation, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0700));
if (UNLIKELY (*out_fd < 0))
return crun_make_error (err, errno, "open `%s`", annotation);
}

annotation = find_annotation (container, "run.oci.hooks.stderr");
if (annotation)
{
*err_fd = TEMP_FAILURE_RETRY (open (annotation, O_CREAT | O_WRONLY | O_APPEND, 0700));
*err_fd = TEMP_FAILURE_RETRY (open (annotation, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0700));
if (UNLIKELY (*err_fd < 0))
return crun_make_error (err, errno, "open `%s`", annotation);
}
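Review bot: The hook output files in `open_hooks_output` are created with mode `0700`, which sets the owner execute bit on what is used as a log file; `0600` gives the same read/write access without it, e.g. `open (annotation, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0600)`. With `O_CLOEXEC` now set, the hooks receive these descriptors only if the code that spawns them duplicates them onto stdout and stderr. That code is outside the hunk, so a comment here such as `/* O_CLOEXEC is fine: the hook child gets these via dup2 onto fds 1 and 2. */` would record the expectation once it has been confirmed.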
12 changes: 6 additions & 6 deletions src/libcrun/criu.c
Expand Up @@ -435,7 +435,7 @@ libcrun_container_checkpoint_linux_criu (libcrun_container_status_t *status, lib
if (UNLIKELY ((ret == -1) && (errno != EEXIST)))
return crun_make_error (err, errno, "error creating checkpoint directory `%s`", cr_options->image_path);

image_fd = open (cr_options->image_path, O_DIRECTORY);
image_fd = open (cr_options->image_path, O_DIRECTORY | O_CLOEXEC);
if (UNLIKELY (image_fd == -1))
return crun_make_error (err, errno, "error opening checkpoint directory `%s`", cr_options->image_path);

Expand All @@ -455,7 +455,7 @@ libcrun_container_checkpoint_linux_criu (libcrun_container_status_t *status, lib
* crun to set it if the user has not selected a specific directory. */
if (cr_options->work_path != NULL)
{
work_fd = open (cr_options->work_path, O_DIRECTORY);
work_fd = open (cr_options->work_path, O_DIRECTORY | O_CLOEXEC);
if (UNLIKELY (work_fd == -1))
return crun_make_error (err, errno, "error opening CRIU work directory `%s`", cr_options->work_path);

Expand Down Expand Up @@ -758,7 +758,7 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru
if (UNLIKELY (cr_options->image_path == NULL))
return crun_make_error (err, 0, "image path not set");

image_fd = open (cr_options->image_path, O_DIRECTORY);
image_fd = open (cr_options->image_path, O_DIRECTORY | O_CLOEXEC);
if (UNLIKELY (image_fd == -1))
return crun_make_error (err, errno, "error opening checkpoint directory `%s`", cr_options->image_path);

Expand Down Expand Up @@ -814,7 +814,7 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru
* crun to set it if the user has not selected a specific directory. */
if (cr_options->work_path != NULL)
{
work_fd = open (cr_options->work_path, O_DIRECTORY);
work_fd = open (cr_options->work_path, O_DIRECTORY | O_CLOEXEC);
if (UNLIKELY (work_fd == -1))
return crun_make_error (err, errno, "error opening CRIU work directory `%s`", cr_options->work_path);

Expand Down Expand Up @@ -902,7 +902,7 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru

if (value == CLONE_NEWNET && def->linux->namespaces[i]->path != NULL)
{
inherit_new_net_fd = open (def->linux->namespaces[i]->path, O_RDONLY);
inherit_new_net_fd = open (def->linux->namespaces[i]->path, O_RDONLY | O_CLOEXEC);
if (UNLIKELY (inherit_new_net_fd < 0))
return crun_make_error (err, errno, "unable to open(): `%s`", def->linux->namespaces[i]->path);

Expand All @@ -911,7 +911,7 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru

if (value == CLONE_NEWPID && def->linux->namespaces[i]->path != NULL)
{
inherit_new_pid_fd = open (def->linux->namespaces[i]->path, O_RDONLY);
inherit_new_pid_fd = open (def->linux->namespaces[i]->path, O_RDONLY | O_CLOEXEC);
if (UNLIKELY (inherit_new_pid_fd < 0))
return crun_make_error (err, errno, "unable to open(): `%s`", def->linux->namespaces[i]->path);

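Review bot: `inherit_new_net_fd` and `inherit_new_pid_fd` in `libcrun_container_restore_linux_criu` are now opened with `O_CLOEXEC`, but their names suggest they are handed to CRIU to be inherited, and how they are passed on is outside the hunk. If CRIU is started through an exec and expects to find these descriptors by number in its own process, close-on-exec would close them before it can use them; the directory descriptors `image_fd` and `work_fd` may have the same constraint. Please confirm the hand-off path and, if inheritance across exec is required, leave the flag off those opens with a comment such as `/* No O_CLOEXEC: this descriptor is inherited by CRIU. */`.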
4 changes: 2 additions & 2 deletions src/libcrun/handlers/krun.c
Expand Up @@ -183,7 +183,7 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
rootfsfd = AT_FDCWD;
else
{
rootfsfd = rootfsfd_cleanup = open (rootfs, O_PATH);
rootfsfd = rootfsfd_cleanup = open (rootfs, O_PATH | O_CLOEXEC);
if (UNLIKELY (rootfsfd < 0))
return crun_make_error (err, errno, "open `%s`", rootfs);
}
Expand Down Expand Up @@ -232,7 +232,7 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
}
}

devfd = openat (rootfsfd, "dev", O_RDONLY | O_DIRECTORY);
devfd = openat (rootfsfd, "dev", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
if (UNLIKELY (devfd < 0))
return crun_make_error (err, errno, "open /dev directory in `%s`", rootfs);

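Review bot: `openat (rootfsfd, "dev", O_RDONLY | O_DIRECTORY | O_CLOEXEC)` in `libkrun_configure_container` follows a symlink in the final path component, so if `dev` inside the rootfs is a link, the descriptor refers to the link target rather than a directory under `rootfs`. Whether the rootfs content is trusted at this phase is not visible from the hunk; if it is not, adding `O_NOFOLLOW` makes the open fail instead: `devfd = openat (rootfsfd, "dev", O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);`. The function starts and ends outside the hunks shown.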