This shouldn't be needed per-se. Security manager shouldn't disappear during transactions - it's immutable. However, it doesn't hurt to grab a reference either - transaction code uses it after all. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; ---

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 056637e4cb..31e42afee7 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -156,6 +156,7 @@ virSecuritySELinuxContextListFree(void *opaque) for (i = 0; i < list->nItems; i++) virSecuritySELinuxContextItemFree(list->items[i]);

+ virObjectUnref(list->manager); VIR_FREE(list); } @@ -1054,12 +1055,12 @@ virSecuritySELinuxTransactionStart(virSecurityManagerPtr mgr) if (VIR_ALLOC(list) < 0) return -1; - list->manager = mgr; + list->manager = virObjectRef(mgr); if (virThreadLocalSet(&contextList, list) < 0) { virReportSystemError(errno, "%s", _("Unable to set thread local variable")); - VIR_FREE(list); + virSecuritySELinuxContextListFree(list); return -1; } -- 2.16.4 -- libvir-list mailing list libvir-list(a)redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

If there was a caller which would dup the client FD without CLOEXEC flag and later decided to change the flag it wouldn't be safe to do because fork() might have had occurred meantime.

Switch to the other pattern - always dup FD with the flag set and let callers clear the flag if they need to do so.

Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/libxl/libxl_migration.c | 4 ++-- src/qemu/qemu_migration.c | 2 +- src/rpc/virnetclient.c | 10 +++++++++- src/rpc/virnetsocket.c | 7 ++----- src/rpc/virnetsocket.h | 2 +- 5 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/src/libxl/libxl_migration.c b/src/libxl/libxl_migration.c index fc7ccb53d0..5eb8eb1203 100644 --- a/src/libxl/libxl_migration.c +++ b/src/libxl/libxl_migration.c @@ -310,7 +310,7 @@ libxlMigrateDstReceive(virNetSocketPtr sock, } VIR_DEBUG("Accepted migration connection." " Spawning thread to process migration data"); - recvfd = virNetSocketDupFD(client_sock, true); + recvfd = virNetSocketDupFD(client_sock); virObjectUnref(client_sock); /* @@ -1254,7 +1254,7 @@ libxlDomainMigrationSrcPerform(libxlDriverPrivatePtr driver, goto cleanup; } - sockfd = virNetSocketDupFD(sock, true); + sockfd = virNetSocketDupFD(sock); virObjectUnref(sock); if (virDomainLockProcessPause(driver->lockManager, vm, &priv->lockState) < 0) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 825a9d399b..129be0a11a 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3303,7 +3303,7 @@ qemuMigrationSrcConnect(virQEMUDriverPtr driver, if (virNetSocketNewConnectTCP(host, port, AF_UNSPEC, &sock) == 0) { - spec->dest.fd.qemu = virNetSocketDupFD(sock, true); + spec->dest.fd.qemu = virNetSocketDupFD(sock); virObjectUnref(sock); } if (qemuSecurityClearSocketLabel(driver->securityManager, vm->def) < 0 || diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c index b4d8fb2187..40ed3fde6d 100644 --- a/src/rpc/virnetclient.c +++ b/src/rpc/virnetclient.c @@ -715,8 +715,16 @@ int virNetClientGetFD(virNetClientPtr client) int virNetClientDupFD(virNetClientPtr client, bool cloexec) { int fd; + virObjectLock(client); - fd = virNetSocketDupFD(client->sock, cloexec); + + fd = virNetSocketDupFD(client->sock); + if (!cloexec && fd >= 0 && virSetInherit(fd, true)) { + virReportSystemError(errno, "%s", + _("Cannot disable close-on-exec flag")); + VIR_FORCE_CLOSE(fd); + } +

virObjectUnlock(client); return fd; } diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index 55de3b2aad..27ffa23bcd 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -1372,14 +1372,11 @@ int virNetSocketGetFD(virNetSocketPtr sock) } -int virNetSocketDupFD(virNetSocketPtr sock, bool cloexec) +int virNetSocketDupFD(virNetSocketPtr sock) { int fd; - if (cloexec) - fd = fcntl(sock->fd, F_DUPFD_CLOEXEC, 0); - else - fd = dup(sock->fd); + fd = fcntl(sock->fd, F_DUPFD_CLOEXEC, 0);

if (fd < 0) { virReportSystemError(errno, "%s", _("Unable to copy socket file handle")); diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h index de795af917..e6bac27566 100644 --- a/src/rpc/virnetsocket.h +++ b/src/rpc/virnetsocket.h @@ -124,7 +124,7 @@ virNetSocketPtr virNetSocketNewPostExecRestart(virJSONValuePtr object); virJSONValuePtr virNetSocketPreExecRestart(virNetSocketPtr sock); int virNetSocketGetFD(virNetSocketPtr sock); -int virNetSocketDupFD(virNetSocketPtr sock, bool cloexec); +int virNetSocketDupFD(virNetSocketPtr sock); bool virNetSocketIsLocal(virNetSocketPtr sock);

On 09/25/2018 06:25 PM, John Ferlan wrote: > > > On 9/21/18 5:29 AM, Michal Privoznik wrote: >> If there was a caller which would dup the client FD without >> CLOEXEC flag and later decided to change the flag it wouldn't be >> safe to do because fork() might have had occurred meantime. > > blank line > >> Switch to the other pattern - always dup FD with the flag set and >> let callers clear the flag if they need to do so. > > I don't see this last sentence as happening in this patch... > >> >> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; >> --- >> src/libxl/libxl_migration.c | 4 ++-- >> src/qemu/qemu_migration.c | 2 +- >> src/rpc/virnetclient.c | 10 +++++++++- >> src/rpc/virnetsocket.c | 7 ++----- >> src/rpc/virnetsocket.h | 2 +- >> 5 files changed, 15 insertions(+), 10 deletions(-) >> > > I'm with Marc on this - documenting virNetSocketDupFD is a good thing. > Although it could be considered out of the scope of what you're doing, > since you are changing the semantics describing the nuance that fork > brings about w/r/t fd duplication in the code rather than the commit > message doesn't make someone have to go back and look at the commit > message to gain more insight. It also should provide the reader with > the knowledge of what virSetInherit would provide to remove if so desired. > > Of course while you're at it, documenting virNetClientDupFD similarly > would be quite beneficial. > >> diff --git a/src/libxl/libxl_migration.c b/src/libxl/libxl_migration.c >> index fc7ccb53d0..5eb8eb1203 100644 >> --- a/src/libxl/libxl_migration.c >> +++ b/src/libxl/libxl_migration.c >> @@ -310,7 +310,7 @@ libxlMigrateDstReceive(virNetSocketPtr sock, >> } >> VIR_DEBUG("Accepted migration connection." >> " Spawning thread to process migration data"); >> - recvfd = virNetSocketDupFD(client_sock, true); >> + recvfd = virNetSocketDupFD(client_sock); >> virObjectUnref(client_sock); >> >> /* >> @@ -1254,7 +1254,7 @@ libxlDomainMigrationSrcPerform(libxlDriverPrivatePtr driver, >> goto cleanup; >> } >> >> - sockfd = virNetSocketDupFD(sock, true); >> + sockfd = virNetSocketDupFD(sock); >> virObjectUnref(sock); >> >> if (virDomainLockProcessPause(driver->lockManager, vm, &priv->lockState) < 0) >> diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c >> index 825a9d399b..129be0a11a 100644 >> --- a/src/qemu/qemu_migration.c >> +++ b/src/qemu/qemu_migration.c >> @@ -3303,7 +3303,7 @@ qemuMigrationSrcConnect(virQEMUDriverPtr driver, >> if (virNetSocketNewConnectTCP(host, port, >> AF_UNSPEC, >> &sock) == 0) { >> - spec->dest.fd.qemu = virNetSocketDupFD(sock, true); >> + spec->dest.fd.qemu = virNetSocketDupFD(sock); >> virObjectUnref(sock); >> } >> if (qemuSecurityClearSocketLabel(driver->securityManager, vm->def) < 0 || >> diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c >> index b4d8fb2187..40ed3fde6d 100644 >> --- a/src/rpc/virnetclient.c >> +++ b/src/rpc/virnetclient.c >> @@ -715,8 +715,16 @@ int virNetClientGetFD(virNetClientPtr client) >> int virNetClientDupFD(virNetClientPtr client, bool cloexec) >> { >> int fd; >> + >> virObjectLock(client); >> - fd = virNetSocketDupFD(client->sock, cloexec); >> + >> + fd = virNetSocketDupFD(client->sock); >> + if (!cloexec && fd >= 0 && virSetInherit(fd, true)) { >> + virReportSystemError(errno, "%s", >> + _("Cannot disable close-on-exec flag")); >> + VIR_FORCE_CLOSE(fd); >> + } >> + > > Caveat: my sock knowledge of setting or duplication of the socket fd > isn't that deep, especially as it relates to fork "mechanics". > > So prior to this change, the call to virNetSocketDupFD(fd, false) would: > > fd = dup(sock->fd); > > Or essentially create a new socket fd from the existing one copying > everything it already has... > > With this change you have (discounting some new error paths) > > fd = fcntl(sock->fd, F_DUPFD_CLOEXEC, 0); > fcntl(fd, F_SETFD, ~FD_CLOEXEC) > > which seems to be a nop and/or unnecessary to me. > > Beyond that if the sock->fd didn't have CLOEXEC already, then what > impact does briefly changing CLOEXEC have on something that arrives > while set? So imagine the following happening. There are two threads A,B and they do the following: thread A | thread B | child ----------------+-------------+-------- copy = dup(fd); | | | fork(); | fcntl(copy); | | | | exec(); (the fcntl() call is there to set CLOEXEC flag) This will obviously not work as expected because when B does fork() both @copy and @fd descriptors are copied to child. So even when A then tries to set CLOEXEC flag it won't matter as it doesn't affect FDs inside child. In the end, @copy is leaked to a process that child exec()-s.

My patches make this safer: thread A | thread B | child ------------------+-------------+-------- copy = fcntl(fd); | | | XXX | | fork(); | | | exec(); (here, the fcntl() call is to atomically duplicate the @fd and set CLOEXEC flag) It's clean to see that no matter where fork() is placed, @copy is not leaked into the new process. Either @copy exists in child but it's closed on exec() (because of the flag), or fork() happened before fcntl() call and there is no @copy in child at all. The XXX can be replaced with virSetInherit() if the code intentionally wants to leak @copy into exec(). > > And of course if sock->fd had CLOEXEC and then you clear it on the > 'shared' socket, that doesn't seem right either. In fact it does. When starting a domain, we fork() plenty of times. Also, fork() happens in secdriver transactions, when fetching qemu caps, on every virCommandRun(), etc. What I'm trying to say is that fork() + exec() happen pretty asynchronously and therefore we can't do dup() + fcntl() because that is not atomic (as shown above). In fact, it's fairly easy to see this problem in action. What was sufficient for me was to start two domains at once from a loop. As I say in the cover letter. While one thread was doing the metada lock (where connection FD to virtlockd is duplicated), the other did fork() to start qemu and the connection FD got leaked there. > > Seems to me the dup() does the trick and then lets the caller decide > what CLOEXEC semantics they want with the duplicated fd without perhaps > changing the sock->fd semantics. No, this is not atomic and therefore it's plain wrong. Michal

There is one caller (virSecurityManagerMetadataLock) which duplicates the connection FD and wants to have the flag set. However, trying to set the flag after dup() is not safe as another thread might fork() meanwhile. Therefore, switch to duplicating with the flag set and only let callers refine this later. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/locking/domain_lock.c | 18 ++++++++++++++++++ src/locking/lock_driver_lockd.c | 2 +- src/rpc/virnetclient.c | 9 +-------- src/rpc/virnetclient.h | 2 +- 4 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/src/locking/domain_lock.c b/src/locking/domain_lock.c index 705b132457..db20fa86a3 100644 --- a/src/locking/domain_lock.c +++ b/src/locking/domain_lock.c @@ -188,6 +188,24 @@ int virDomainLockProcessStart(virLockManagerPluginPtr plugin, ret = virLockManagerAcquire(lock, NULL, flags, dom->def->onLockFailure, fd); + if (ret >= 0 && fd && *fd >= 0 && virSetInherit(*fd, true) < 0) {

+ int saved_errno = errno; + virErrorPtr origerr; + + virErrorPreserveLast(&origerr); + + if (virLockManagerRelease(lock, NULL, 0) < 0) + VIR_WARN("Unable to release acquired resourced in cleanup path");

+ + virErrorRestore(&origerr); + errno = saved_errno; + + virReportSystemError(errno, "%s", + _("Cannot disable close-on-exec flag")); + + ret = -1; + } +

virLockManagerFree(lock); return ret; diff --git a/src/locking/lock_driver_lockd.c b/src/locking/lock_driver_lockd.c index 0c672b05b1..9b1943daa6 100644 --- a/src/locking/lock_driver_lockd.c +++ b/src/locking/lock_driver_lockd.c @@ -796,7 +796,7 @@ static int virLockManagerLockDaemonAcquire(virLockManagerPtr lock, goto cleanup; if (fd && - (*fd = virNetClientDupFD(client, false)) < 0) + (*fd = virNetClientDupFD(client)) < 0) goto cleanup; if (!(flags & VIR_LOCK_MANAGER_ACQUIRE_REGISTER_ONLY)) { diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c index 40ed3fde6d..6b0ddbeaad 100644 --- a/src/rpc/virnetclient.c +++ b/src/rpc/virnetclient.c @@ -712,19 +712,12 @@ int virNetClientGetFD(virNetClientPtr client) } -int virNetClientDupFD(virNetClientPtr client, bool cloexec) +int virNetClientDupFD(virNetClientPtr client) { int fd; virObjectLock(client); - fd = virNetSocketDupFD(client->sock); - if (!cloexec && fd >= 0 && virSetInherit(fd, true)) { - virReportSystemError(errno, "%s", - _("Cannot disable close-on-exec flag")); - VIR_FORCE_CLOSE(fd); - } - virObjectUnlock(client); return fd; } diff --git a/src/rpc/virnetclient.h b/src/rpc/virnetclient.h index 9cf32091f5..3702f7fe5a 100644 --- a/src/rpc/virnetclient.h +++ b/src/rpc/virnetclient.h @@ -95,7 +95,7 @@ void virNetClientSetCloseCallback(virNetClientPtr client, virFreeCallback ff); int virNetClientGetFD(virNetClientPtr client); -int virNetClientDupFD(virNetClientPtr client, bool cloexec); +int virNetClientDupFD(virNetClientPtr client); bool virNetClientHasPassFD(virNetClientPtr client);

On 9/21/18 5:29 AM, Michal Privoznik wrote: > There is this latent bug which can result in virtlockd killing > libvirtd. The problem is when the following steps occur: > > Parent | Child > ------------------------------------------------------+---------------- > 1) virSecurityManagerMetadataLock(path); | > This results in connection FD to virtlockd to be | > dup()-ed and saved for later use. | > | > 2) Another thread calling fork(); | > This results in the FD from step 1) to be cloned | > | > 3) virSecurityManagerMetadataUnlock(path); | > Here, the FD is closed, but the connection is | > still kept open because child process has | > duplicated FD | > | > 4) virSecurityManagerMetadataLock(differentPath); | > Again, new connection is opened, FD is dup()-ed | > | > 5) | exec() or exit() > > Step 5) results in closing the connection from 1) to be closed, > finally. However, at this point virtlockd looks at its internal > records if PID from 1) does not still own any resources. Well it > does - in step 4) it locked differentPath. This results in > virtlockd killing libvirtd. > > Note that this happens because we do some relabelling even before > fork() at which point vm->pid is still -1. When this value is > passed down to transaction code it simply runs the transaction > in parent process (=libvirtd), which means the owner of metadata > locks is the parent process. > > Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; > > Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; Always good to double up on the S-o-b's when there's locks and forks involved. That makes sure the fork gets one too ;-) > --- > src/security/security_dac.c | 12 ++++++------ > src/security/security_selinux.c | 12 ++++++------ > 2 files changed, 12 insertions(+), 12 deletions(-) > I read the cover, it's not simpler than the above.

It also indicates that patches 1-3 don't have any bearing. So to me that says - 2 series, one the artsy/fartsy cleanup variety and the second this edge/corner condition chase based on timing and/or other interactions. My first question is - have you bisected your changes? Since this only seems to matter for metadata locking, you don't necessarily have to start too early, but I would assume that prior to commit 8b8aefb3 there is no issue.

My second question is - given my analysis in patch2, was testing of this patch done with or without patch 2 and 3? Hard to review this without having my patch2 analysis rattling around in short term memory that works. At this point, I'm thinking they were in place and may have had an impact especially since that dup() call was removed, but it's mentioned during this commit message, which is really confusing.

Prior to patch2/3, virNetSocketDupFD has 4 callers of which only one calls with 'false' and that's the path having problems. libxlMigrateDstReceive (using true) libxlDomainMigrationSrcPerform (using true) qemuMigrationSrcConnect (using true)

virNetClientDupFD (using false) Since your testing certainly doesn't include the first 3, I'll focus on the last one which has but one caller: virLockManagerLockDaemonAcquire meaning without patches 2-3, we got a "dup()" socket back instead of changing the existing socket to F_DUPFD_CLOEXEC. I think I just talked myself in a circle, but perhaps gives you an understanding of the struggle with all the patches in one series. > diff --git a/src/security/security_dac.c b/src/security/security_dac.c > index 5aea386e7c..876cca0f2f 100644 > --- a/src/security/security_dac.c > +++ b/src/security/security_dac.c > @@ -561,12 +561,12 @@ virSecurityDACTransactionCommit(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, > goto cleanup; > } > > - if ((pid == -1 && > - virSecurityDACTransactionRun(pid, list) < 0) || > - (pid != -1 && > - virProcessRunInMountNamespace(pid, > - virSecurityDACTransactionRun, > - list) < 0)) > + if (pid == -1) > + pid = getpid(); > + > + if (virProcessRunInMountNamespace(pid, > + virSecurityDACTransactionRun, > + list) < 0) Going back to commit d41c1621, it essentially states: "To differentiate whether transaction code should fork() or not the @pid argument now accepts -1 (which means do not fork)." This commit then backtracks or undoes that by using a getpid() causing every transaction to fork. The "logic" for the decision to pass pid == -1 or not is introduced in the subsequent commit 37131ada based on qemuDomainNamespaceEnabled. Thus with this patch every domain w/ or w/o namespace and daemon commit path will fork. So if this logic is to stay, then there's no reason to have the namespace check either, is there? Is the vm->pid different than getpid()? IOW: I think this patch is too big of a leap.

However, the contention from the cover is that this issue only happens when metadata locking is enabled. Thus, rather than getpid() for everyone, maybe it's a getpid() for metadata lock consumers. Seems for pid == -1 we could query @mgr for what it knows, like virSecurityManagerGetPrivateData and then if priv->type == VIR_LOCK_MANAGER_OBJECT_TYPE_DAEMON, use getpid(). Of course then @mgr loses its ATTRIBUTE_UNUSED.

Furthermore, if virLockManagerLockDaemonAcquire knows that we have a daemon type lock, would that virNetClientDupFD need to be altered to use @true instead of @false? Maybe I'm over thinking this part - but with patch2 and patch3 adjustments, it's just not clear in my head anymore...

On 9/26/18 5:46 AM, Michal Privoznik wrote: > On 09/25/2018 10:52 PM, John Ferlan wrote: >> >> >> On 9/21/18 5:29 AM, Michal Privoznik wrote: >>> There is this latent bug which can result in virtlockd killing >>> libvirtd. The problem is when the following steps occur: >>> >>> Parent | Child >>> ------------------------------------------------------+---------------- >>> 1) virSecurityManagerMetadataLock(path); | >>> This results in connection FD to virtlockd to be | >>> dup()-ed and saved for later use. | >>> | >>> 2) Another thread calling fork(); | >>> This results in the FD from step 1) to be cloned | >>> | >>> 3) virSecurityManagerMetadataUnlock(path); | >>> Here, the FD is closed, but the connection is | >>> still kept open because child process has | >>> duplicated FD | >>> | >>> 4) virSecurityManagerMetadataLock(differentPath); | >>> Again, new connection is opened, FD is dup()-ed | >>> | >>> 5) | exec() or exit() >>> >>> Step 5) results in closing the connection from 1) to be closed, >>> finally. However, at this point virtlockd looks at its internal >>> records if PID from 1) does not still own any resources. Well it >>> does - in step 4) it locked differentPath. This results in >>> virtlockd killing libvirtd. >>> >>> Note that this happens because we do some relabelling even before >>> fork() at which point vm->pid is still -1. When this value is >>> passed down to transaction code it simply runs the transaction >>> in parent process (=libvirtd), which means the owner of metadata >>> locks is the parent process. >>> >>> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; >>> >>> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; >> >> Always good to double up on the S-o-b's when there's locks and forks >> involved. That makes sure the fork gets one too ;-) >> >> >>> --- >>> src/security/security_dac.c | 12 ++++++------ >>> src/security/security_selinux.c | 12 ++++++------ >>> 2 files changed, 12 insertions(+), 12 deletions(-) >>> >> >> I read the cover, it's not simpler than the above. > > Yeah, this is not that simple bug. I'll try to explain it differently: > > On fork(), all FDs of the parent are duplicated to child. So even if > parent closes one of them, the connection is not closed until child > closes the same FD. And since metadata locking is very fragile when it > comes to connection to virtlockd, this fork() behaviour actually plays > against us because it violates our assumption that connection is closed > at the end of metadataUnlock(). In fact it is not - child has it still open. > > If there was a flag like DONT_DUP_ON_FORK I could just set it on > virtlockd connection in metadataLock() and be done. Avoid the forking exec's works too ;-} OK - instead of talking in generalities - which forking dup'd fd is in play here? I don't want to assume or guess any more.

> > Perhaps I could use pthread_atfork() but that might be very tricky - I > am not sure if some library that we are linking with does not use it and > it pthreads are capable of dealing with us and the library registering > their own callbacks. > >> It also indicates >> that patches 1-3 don't have any bearing. So to me that says - 2 series, >> one the artsy/fartsy cleanup variety and the second this edge/corner >> condition chase based on timing and/or other interactions. >> >> My first question is - have you bisected your changes? Since this only >> seems to matter for metadata locking, you don't necessarily have to >> start too early, but I would assume that prior to commit 8b8aefb3 there >> is no issue. > > I haven't. I'm not quite sure why would I do that. I already know the > problem and yes, it's in metadata locking. From quick skim through git > log: 7a9ca0fa and 6d855abc14338 look like the result of bisect. > Um, well I'd include c34f11998e into that list since that's where metadata locking API's were introduced. The problem space described there is I think exactly what you've been describing as the problem you were trying to avoid. >> >> My second question is - given my analysis in patch2, was testing of this >> patch done with or without patch 2 and 3? Hard to review this without >> having my patch2 analysis rattling around in short term memory that >> works. At this point, I'm thinking they were in place and may have had >> an impact especially since that dup() call was removed, but it's >> mentioned during this commit message, which is really confusing. > > I've tested the whole series not individual patches. So this patch was > tested with 2 and 3 applied. > > However, it's true that since we will spawn a separate process for every > transaction (and dup() is called only from there) it is not possible to > actually have FD leak (because the transaction code does not fork() > further). Having said that, there are other callers that duplicate > socket FD and the problem is real (even though after this patch metadata > locking is not affected). > >> >> Prior to patch2/3, virNetSocketDupFD has 4 callers of which only one >> calls with 'false' and that's the path having problems. >> >> libxlMigrateDstReceive (using true) >> libxlDomainMigrationSrcPerform (using true) >> qemuMigrationSrcConnect (using true) > > Since these were calling virNetSocketDupFD(cloexec=true) anyway, nothing > changed for them. > >> virNetClientDupFD (using false) >> >> Since your testing certainly doesn't include the first 3, I'll focus on >> the last one which has but one caller: >> >> virLockManagerLockDaemonAcquire >> >> meaning without patches 2-3, we got a "dup()" socket back instead of >> changing the existing socket to F_DUPFD_CLOEXEC. I think I just talked >> myself in a circle, but perhaps gives you an understanding of the >> struggle with all the patches in one series. >> >>> diff --git a/src/security/security_dac.c b/src/security/security_dac.c >>> index 5aea386e7c..876cca0f2f 100644 >>> --- a/src/security/security_dac.c >>> +++ b/src/security/security_dac.c >>> @@ -561,12 +561,12 @@ virSecurityDACTransactionCommit(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, >>> goto cleanup; >>> } >>> >>> - if ((pid == -1 && >>> - virSecurityDACTransactionRun(pid, list) < 0) || >>> - (pid != -1 && >>> - virProcessRunInMountNamespace(pid, >>> - virSecurityDACTransactionRun, >>> - list) < 0)) >>> + if (pid == -1) >>> + pid = getpid(); >>> + >>> + if (virProcessRunInMountNamespace(pid, >>> + virSecurityDACTransactionRun, >>> + list) < 0) >> >> Going back to commit d41c1621, it essentially states: >> >> "To differentiate whether transaction code should fork() or not the @pid >> argument now accepts -1 (which means do not fork)." >> >> This commit then backtracks or undoes that by using a getpid() causing >> every transaction to fork. >> >> The "logic" for the decision to pass pid == -1 or not is introduced in >> the subsequent commit 37131ada based on qemuDomainNamespaceEnabled. >> >> Thus with this patch every domain w/ or w/o namespace and daemon commit >> path will fork. So if this logic is to stay, then there's no reason to >> have the namespace check either, is there? Is the vm->pid different than >> getpid()? IOW: I think this patch is too big of a leap. > > Yes, vm->pid is different to getpid(). If there is a domain running with > namespaces enabled then we definitely wants to use vm->pid to enter the > qemu's namespace and relabel /dev/blah there instead of the namespace > that libvirtd (=getpid()) is running. However, some labelling is done > prior to running qemu (and setting up its namespace). For instance: > qemuDomainWriteMasterKeyFile, qemuProcessStartManagedPRDaemon, > qemuProcessMakeDir - they all call qemuSecurityDomainSetPathLabel() at > the time when no namespace was built yet. > > But since we initialize vm->pid to -1 then the namspace check feels > redundant. I agree with that. In virSecurityDACTransactionCommit() it > does not matter if pid = -1 because vm->pid is -1 or because no > namespaces are used and therefore -1 comes from variable initialization > in qemuSecurityDomainSetPathLabel(). > My point here was setup towards the subsequent point of rather than doing the forks for domain's always just because daemon's now need to do that. Why can't we figure a way to get that pid for the subsequent fork for the narrower case which is the metadata lock or daemon lock. >> >> However, the contention from the cover is that this issue only happens >> when metadata locking is enabled. >> >> Thus, rather than getpid() for everyone, maybe it's a getpid() for >> metadata lock consumers. Seems for pid == -1 we could query @mgr for >> what it knows, like virSecurityManagerGetPrivateData and then if >> priv->type == VIR_LOCK_MANAGER_OBJECT_TYPE_DAEMON, use getpid(). Of >> course then @mgr loses its ATTRIBUTE_UNUSED. > > The whole point of always fork()-ing is to avoid leaking FD even into > child process. Patches 2 and 3 are trying to avoid leaking FD into > exec(), this one is trying to avoid leaking it into fork(). I mean, if > the connection FD is cloned into child, we can't be sure when child > decides to close it. It may close it at the worst possible moment - when > libvirtd holds some locks (in virtlockd). And because virtlockd locks > are not associated with connection (only with PID) from virtlockd > perspective it looks like libvirtd has closed connection and yet is > still holding some locks. BANG! that's where virtlockd kills libvirtd. This still says to me not using the getpid() for domain locks when namespaces aren't in play isn't a problem. IOW: If !namespace, then pid == -1 is perfectly fine for domain locks. It's just this new daemon path where we need to fork, IIUC. > > I don't think there is any other way to prevent fork() cloning an FD. > OpenVMS (hahaha)

On Tue, Sep 25, 2018 at 09:34:50AM +0200, Michal Privoznik wrote: > It may happen that in the list of paths/disk sources to relabel > there is a disk source. If that is the case, the path is NULL. In Is there a way to prevent to such a source would not make it into the list in the first place?

> that case, we shouldn't try to lock the path. It's likely a > network disk anyway and therefore there is nothing to lock. > > Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; > --- > src/security/security_dac.c | 3 ++- > src/security/security_selinux.c | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/src/security/security_dac.c b/src/security/security_dac.c > index 876cca0f2f..04168feb3d 100644 > --- a/src/security/security_dac.c > +++ b/src/security/security_dac.c > @@ -216,7 +216,8 @@ virSecurityDACTransactionRun(pid_t pid ATTRIBUTE_UNUSED, > for (i = 0; i < list->nItems; i++) { > const char *p = list->items[i]->path; > > - if (virFileIsDir(p)) > + if (!p || > + virFileIsDir(p)) ^this easily fits on the same line...

It may happen that in the list of paths/disk sources to relabel there is a disk source. If that is the case, the path is NULL. In that case, we shouldn't try to lock the path. It's likely a network disk anyway and therefore there is nothing to lock.

Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/security/security_dac.c | 3 ++- src/security/security_selinux.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 876cca0f2f..04168feb3d 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -216,7 +216,8 @@ virSecurityDACTransactionRun(pid_t pid ATTRIBUTE_UNUSED, for (i = 0; i < list->nItems; i++) { const char *p = list->items[i]->path; - if (virFileIsDir(p)) + if (!p || + virFileIsDir(p)) continue; VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p); diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 3c847d8dcb..3adbeada14 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -227,7 +227,8 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED, for (i = 0; i < list->nItems; i++) { const char *p = list->items[i]->path; - if (virFileIsDir(p)) + if (!p || + virFileIsDir(p)) continue; VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p);