8:34 a.m.
This is a v2 of:
https://listman.redhat.com/archives/libvir-list/2023-June/240351.html
Hopefully, I've implemented all Dan's suggestions.
Michal Prívozník (5):
virfile: Introduce virCloseRange()
virfile: Introduce virCloseFrom()
vircommand: Unify mass FD closing
vircommand: Introduce virCommandMassCloseRange()
src: Detect close_range syscall during virGlobalInit()
src/libvirt.c | 4 +
src/libvirt_private.syms | 4 +
src/util/vircommand.c | 160 ++++++++++++++++++++++++---------------
src/util/virfile.c | 110 +++++++++++++++++++++++++++
src/util/virfile.h | 5 ++
tests/commandtest.c | 2 +
6 files changed, 222 insertions(+), 63 deletions(-)
--
2.41.0
8:34 a.m.
New subject: [PATCH 1/5] virfile: Introduce virCloseRange()
Linux gained new close_range() syscall (in v5.9) that allows
closing a range of FDs in a single syscall. Ideally, we would use
it to close FDs when spawning a process (e.g. via virCommand
module).
Glibc has close_range() wrapper over the syscall, which falls
back to iterative closing of all FDs inside the range if running
under older kernel. We don't wan that as in that case we might
just close opened FDs (see Linux version of
virCommandMassClose()). And musl doesn't have close_range() at
all. Therefore, call syscall directly.
Now, mass close of FDs happen in a fork()-ed off child. While it
could detect whether the kernel does support close_range(), it
has no way of passing this info back to the parent and thus each
child would need to query it again and again.
Since this can't change while we are running we can cache the
information - hence virCloseRangeInit().
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/libvirt_private.syms | 3 ++
src/util/virfile.c | 89 ++++++++++++++++++++++++++++++++++++++++
src/util/virfile.h | 4 ++
3 files changed, 96 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index da60c965dd..3782f7f3c7 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2269,6 +2269,9 @@ saferead;
safewrite;
safezero;
virBuildPathInternal;
+virCloseRange;
+virCloseRangeInit;
+virCloseRangeIsSupported;
virDirClose;
virDirCreate;
virDirIsEmpty;
diff --git a/src/util/virfile.c b/src/util/virfile.c
index fe456596ae..7696910e00 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -87,6 +87,7 @@
#include "virlog.h"
#include "virprocess.h"
#include "virstring.h"
+#include "virthread.h"
#include "virutil.h"
#include "virsocket.h"
@@ -109,6 +110,9 @@ VIR_LOG_INIT("util.file");
# define O_DIRECT 0
#endif
+static virOnceControl virCloseRangeOnce = VIR_ONCE_CONTROL_INITIALIZER;
+static bool virCloseRangeSupported;
+
int virFileClose(int *fdptr, virFileCloseFlags flags)
{
int saved_errno = 0;
@@ -176,6 +180,91 @@ FILE *virFileFdopen(int *fdptr, const char *mode)
}
+static int
+virCloseRangeImpl(unsigned int first G_GNUC_UNUSED,
+ unsigned int last G_GNUC_UNUSED)
+{
+#if defined(WITH_SYS_SYSCALL_H) && defined(__NR_close_range)
+ return syscall(__NR_close_range, first, last, 0);
+#endif
+
+ errno = ENOSYS;
+ return -1;
+}
+
+
+static void
+virCloseRangeOnceInit(void)
+{
+ int fd[2] = { -1, -1};
+
+ if (virPipeQuiet(fd) < 0)
+ return;
+
+ VIR_FORCE_CLOSE(fd[1]);
+ if (virCloseRangeImpl(fd[0], fd[0]) < 0) {
+ VIR_FORCE_CLOSE(fd[0]);
+ return;
+ }
+
+ virCloseRangeSupported = true;
+}
+
+
+/**
+ * virCloseRange:
+ *
+ * Closes all open file descriptors from @first to @last (included).
+ *
+ * Returns: 0 on success,
+ * -1 on failure (with errno set).
+ */
+int
+virCloseRange(unsigned int first,
+ unsigned int last)
+{
+ if (virCloseRangeInit() < 0)
+ return -1;
+
+ if (!virCloseRangeSupported) {
+ errno = ENOSYS;
+ return -1;
+ }
+
+ return virCloseRangeImpl(first, last);
+}
+
+
+/**
+ * virCloseRangeInit:
+ *
+ * Detects whether close_range() is available and cache the result.
+ */
+int
+virCloseRangeInit(void)
+{
+ if (virOnce(&virCloseRangeOnce, virCloseRangeOnceInit) < 0)
+ return -1;
+
+ return 0;
+}
+
+
+/**
+ * virCloseRangeIsSupported:
+ *
+ * Returns whether close_range() is supported or not.
+ */
+bool
+virCloseRangeIsSupported(void)
+{
+ if (virCloseRangeInit() < 0)
+ return false;
+
+ return virCloseRangeSupported;
+}
+
+
/**
* virFileDirectFdFlag:
*
diff --git a/src/util/virfile.h b/src/util/virfile.h
index 60bb1d64e7..be0b02fdf0 100644
--- a/src/util/virfile.h
+++ b/src/util/virfile.h
@@ -61,6 +61,10 @@ static inline void virForceCloseHelper(int *fd)
ignore_value(virFileClose(fd, VIR_FILE_CLOSE_PRESERVE_ERRNO));
}
+int virCloseRange(unsigned int from, unsigned int to);
+int virCloseRangeInit(void);
+bool virCloseRangeIsSupported(void);
+
/* For use on normal paths; caller must check return value,
and failure sets errno per close. */
#define VIR_CLOSE(FD) virFileClose(&(FD), 0)
--
2.41.0
10:15 a.m.
New subject: [PATCH 1/5] virfile: Introduce virCloseRange()
On a Tuesday in 2023, Michal Privoznik wrote:
Linux gained new close_range() syscall (in v5.9) that allows
closing a range of FDs in a single syscall. Ideally, we would use
it to close FDs when spawning a process (e.g. via virCommand
module).
Glibc has close_range() wrapper over the syscall, which falls
back to iterative closing of all FDs inside the range if running
under older kernel. We don't wan that as in that case we might
want
just close opened FDs (see Linux version of
virCommandMassClose()). And musl doesn't have close_range() at
all. Therefore, call syscall directly.
Now, mass close of FDs happen in a fork()-ed off child. While it
happens
could detect whether the kernel does support close_range(), it
has no way of passing this info back to the parent and thus each
child would need to query it again and again.
Since this can't change while we are running we can cache the
information - hence virCloseRangeInit().
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/libvirt_private.syms | 3 ++
src/util/virfile.c | 89 ++++++++++++++++++++++++++++++++++++++++
src/util/virfile.h | 4 ++
3 files changed, 96 insertions(+)
diff --git a/src/util/virfile.c b/src/util/virfile.c
index fe456596ae..7696910e00 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
+static void
+virCloseRangeOnceInit(void)
+{
+ int fd[2] = { -1, -1};
Uneven spacing.
+
+ if (virPipeQuiet(fd) < 0)
+ return;
+
+ VIR_FORCE_CLOSE(fd[1]);
+ if (virCloseRangeImpl(fd[0], fd[0]) < 0) {
+ VIR_FORCE_CLOSE(fd[0]);
+ return;
+ }
+
+ virCloseRangeSupported = true;
+}
+
+
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
8:34 a.m.
New subject: [PATCH 2/5] virfile: Introduce virCloseFrom()
It is handy to close all FDs from given FD to infinity. On
FreeBSD the libc even has a function for that: closefrom(). It
was ported to glibc too, but not musl. At least glibc
implementation falls back to calling:
close_range(from, ~0U, 0);
Now that we have a wrapper for close_range() we implement
closefrom() trivially.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/util/virfile.c | 21 +++++++++++++++++++++
src/util/virfile.h | 1 +
3 files changed, 23 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 3782f7f3c7..9477a07834 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2269,6 +2269,7 @@ saferead;
safewrite;
safezero;
virBuildPathInternal;
+virCloseFrom;
virCloseRange;
virCloseRangeInit;
virCloseRangeIsSupported;
diff --git a/src/util/virfile.c b/src/util/virfile.c
index 7696910e00..c74bdd1264 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -265,6 +265,27 @@ virCloseRangeIsSupported(void)
}
+/**
+ * virCloseFrom:
+ *
+ * Closes all open file descriptors greater than or equal to @fromfd.
+ *
+ * Returns: 0 on success,
+ * -1 on error (with errno set).
+ */
+int
+virCloseFrom(int fromfd)
+{
+#ifdef __FreeBSD__
+ /* FreeBSD has closefrom() since FreeBSD-8.0, i.e. since 2009. */
+ closefrom(fromfd);
+ return 0;
+#else /* !__FreeBSD__ */
+ return virCloseRange(fromfd, ~0U);
+#endif /* !__FreeBSD__ */
+}
+
+
/**
* virFileDirectFdFlag:
*
diff --git a/src/util/virfile.h b/src/util/virfile.h
index be0b02fdf0..adc032ba33 100644
--- a/src/util/virfile.h
+++ b/src/util/virfile.h
@@ -64,6 +64,7 @@ static inline void virForceCloseHelper(int *fd)
int virCloseRange(unsigned int from, unsigned int to);
int virCloseRangeInit(void);
bool virCloseRangeIsSupported(void);
+int virCloseFrom(int fromfd);
/* For use on normal paths; caller must check return value,
and failure sets errno per close. */
--
2.41.0
8:34 a.m.
New subject: [PATCH 3/5] vircommand: Unify mass FD closing
We have two version of mass FD closing: one for FreeBSD (because
it has closefrom()) and the other for everything else. But now
that we have closefrom() wrapper even for Linux, we can unify
these two.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/util/vircommand.c | 85 +++++++++++++------------------------------
1 file changed, 25 insertions(+), 60 deletions(-)
diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index 49abb53c28..867f45b57b 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -526,60 +526,6 @@ virCommandMassCloseGetFDsGeneric(virCommand *cmd G_GNUC_UNUSED,
}
# endif /* !__linux__ */
-# ifdef __FreeBSD__
-
-static int
-virCommandMassClose(virCommand *cmd,
- int childin,
- int childout,
- int childerr)
-{
- int lastfd = -1;
- int fd = -1;
- size_t i;
-
- /*
- * Two phases of closing.
- *
- * The first (inefficient) phase iterates over FDs,
- * preserving certain FDs we need to pass down, and
- * closing others. The number of iterations is bounded
- * to the number of the biggest FD we need to preserve.
- *
- * The second (speedy) phase uses closefrom() to cull
- * all remaining FDs in the process.
- *
- * Usually the first phase will be fairly quick only
- * processing a handful of low FD numbers, and thus using
- * closefrom() is a massive win for high ulimit() NFILES
- * values.
- */
- lastfd = MAX(lastfd, childin);
- lastfd = MAX(lastfd, childout);
- lastfd = MAX(lastfd, childerr);
-
- for (i = 0; i < cmd->npassfd; i++)
- lastfd = MAX(lastfd, cmd->passfd[i].fd);
-
- for (fd = 0; fd <= lastfd; fd++) {
- if (fd == childin || fd == childout || fd == childerr)
- continue;
- if (!virCommandFDIsSet(cmd, fd)) {
- int tmpfd = fd;
- VIR_MASS_CLOSE(tmpfd);
- } else if (virSetInherit(fd, true) < 0) {
- virReportSystemError(errno, _("failed to preserve fd %1$d"), fd);
- return -1;
- }
- }
-
- closefrom(lastfd + 1);
-
- return 0;
-}
-
-# else /* ! __FreeBSD__ */
-
static int
virCommandMassClose(virCommand *cmd,
int childin,
@@ -588,7 +534,9 @@ virCommandMassClose(virCommand *cmd,
{
g_autoptr(virBitmap) fds = NULL;
int openmax = sysconf(_SC_OPEN_MAX);
+ int lastfd = -1;
int fd = -1;
+ size_t i;
/* In general, it is not safe to call malloc() between fork() and exec()
* because the child might have forked at the worst possible time, i.e.
@@ -605,16 +553,23 @@ virCommandMassClose(virCommand *cmd,
fds = virBitmapNew(openmax);
-# ifdef __linux__
+# ifdef __linux__
if (virCommandMassCloseGetFDsLinux(cmd, fds) < 0)
return -1;
-# else
+# else
if (virCommandMassCloseGetFDsGeneric(cmd, fds) < 0)
return -1;
-# endif
+# endif
+
+ lastfd = MAX(lastfd, childin);
+ lastfd = MAX(lastfd, childout);
+ lastfd = MAX(lastfd, childerr);
+
+ for (i = 0; i < cmd->npassfd; i++)
+ lastfd = MAX(lastfd, cmd->passfd[i].fd);
fd = virBitmapNextSetBit(fds, 2);
- for (; fd >= 0; fd = virBitmapNextSetBit(fds, fd)) {
+ for (; fd >= 0 && fd <= lastfd; fd = virBitmapNextSetBit(fds, fd)) {
if (fd == childin || fd == childout || fd == childerr)
continue;
if (!virCommandFDIsSet(cmd, fd)) {
@@ -626,11 +581,21 @@ virCommandMassClose(virCommand *cmd,
}
}
+ if (virCloseFrom(lastfd + 1) < 0) {
+ if (errno != ENOSYS)
+ return -1;
+
+ if (fd > 0) {
+ for (; fd >= 0; fd = virBitmapNextSetBit(fds, fd)) {
+ int tmpfd = fd;
+ VIR_MASS_CLOSE(tmpfd);
+ }
+ }
+ }
+
return 0;
}
-# endif /* ! __FreeBSD__ */
-
/*
* virExec:
--
2.41.0
8:34 a.m.
New subject: [PATCH 4/5] vircommand: Introduce virCommandMassCloseRange()
This is brand new way of closing FDs before exec(). We need to
close all FDs except those we want to explicitly pass to avoid
leaking FDs into the child. Historically, we've done this by
either iterating over all opened FDs and closing them one by one
(or preserving them), or by iterating over an FD interval [2 ...
N] and closing them one by one followed by calling closefrom(N +
1). This is a lot of syscalls.
That's why Linux kernel developers introduced new close_from
syscall. It closes all FDs within given range, in a single
syscall. Since we keep list of FDs we want to preserve and pass
to the child process, we can use this syscall to close all FDs
in between. We don't even need to care about opened FDs.
Of course, we have to check whether the syscall is available and
fall back to the old implementation if it isn't.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/util/vircommand.c | 77 ++++++++++++++++++++++++++++++++++++++++---
tests/commandtest.c | 2 ++
2 files changed, 75 insertions(+), 4 deletions(-)
diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index 867f45b57b..5f094c625a 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -527,10 +527,10 @@ virCommandMassCloseGetFDsGeneric(virCommand *cmd G_GNUC_UNUSED,
# endif /* !__linux__ */
static int
-virCommandMassClose(virCommand *cmd,
- int childin,
- int childout,
- int childerr)
+virCommandMassCloseFrom(virCommand *cmd,
+ int childin,
+ int childout,
+ int childerr)
{
g_autoptr(virBitmap) fds = NULL;
int openmax = sysconf(_SC_OPEN_MAX);
@@ -597,6 +597,75 @@ virCommandMassClose(virCommand *cmd,
}
+static int
+virCommandMassCloseRange(virCommand *cmd,
+ int childin,
+ int childout,
+ int childerr)
+{
+ g_autoptr(virBitmap) fds = virBitmapNew(0);
+ ssize_t first;
+ ssize_t last;
+ size_t i;
+
+ virBitmapSetBitExpand(fds, childin);
+ virBitmapSetBitExpand(fds, childout);
+ virBitmapSetBitExpand(fds, childerr);
+
+ for (i = 0; i < cmd->npassfd; i++) {
+ int fd = cmd->passfd[i].fd;
+
+ virBitmapSetBitExpand(fds, fd);
+
+ if (virSetInherit(fd, true) < 0) {
+ virReportSystemError(errno, _("failed to preserve fd %1$d"), fd);
+ return -1;
+ }
+ }
+
+ first = 2;
+ while ((last = virBitmapNextSetBit(fds, first)) >= 0) {
+ if (first + 1 == last) {
+ first = last;
+ continue;
+ }
+
+ /* Preserve @first and @last and close everything in between. */
+ if (virCloseRange(first + 1, last - 1) < 0) {
+ virReportSystemError(errno,
+ _("Unable to mass close FDs (first=%1$zd,
last=%2$zd)"),
+ first + 1, last - 1);
+ return -1;
+ }
+
+ first = last;
+ }
+
+ if (virCloseRange(first + 1, ~0U) < 0) {
+ virReportSystemError(errno,
+ _("Unable to mass close FDs (first=%1$zd,
last=%2$d"),
+ first + 1, ~0U);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+
+static int
+virCommandMassClose(virCommand *cmd,
+ int childin,
+ int childout,
+ int childerr)
+{
+ if (virCloseRangeIsSupported())
+ return virCommandMassCloseRange(cmd, childin, childout, childerr);
+
+ return virCommandMassCloseFrom(cmd, childin, childout, childerr);
+}
+
+
/*
* virExec:
* @cmd virCommand * containing all information about the program to
diff --git a/tests/commandtest.c b/tests/commandtest.c
index 688cf59160..aa108ce583 100644
--- a/tests/commandtest.c
+++ b/tests/commandtest.c
@@ -1247,6 +1247,8 @@ mymain(void)
setpgid(0, 0);
ignore_value(setsid());
+ virCloseRangeInit();
+
/* Our test expects particular fd values; to get that, we must not
* leak fds that we inherited from a lazy parent. At the same
* time, virInitialize may open some fds (perhaps via third-party
--
2.41.0
8:34 a.m.
New subject: [PATCH 5/5] src: Detect close_range syscall during virGlobalInit()
The whole purpose of virCloseRangeInit() is to be called
somewhere during initialization (ideally before first virExec()
or virCommandRun()), so that the rest of the code already knows
kernel capabilities. While I can put the call somewhere into
remote_daemon.c (when a daemon initializes), we might call
virCommand*() even from client library (i.e. no daemon).
Therefore, put it into virGlobalInit() with the rest of
initialization code.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/libvirt.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/libvirt.c b/src/libvirt.c
index 69d5b13bff..26c3fe454f 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -231,6 +231,10 @@ virGlobalInit(void)
goto error;
}
+ /* Do this upfront rather than every time a child is spawned. */
+ if (virCloseRangeInit() < 0)
+ goto error;
+
if (virLogSetFromEnv() < 0)
goto error;
--
2.41.0
10:28 a.m.
On a Tuesday in 2023, Michal Privoznik wrote:
This is a v2 of:
https://listman.redhat.com/archives/libvir-list/2023-June/240351.html
Hopefully, I've implemented all Dan's suggestions.
Michal Prívozník (5):
virfile: Introduce virCloseRange()
virfile: Introduce virCloseFrom()
vircommand: Unify mass FD closing
vircommand: Introduce virCommandMassCloseRange()
src: Detect close_range syscall during virGlobalInit()
src/libvirt.c | 4 +
src/libvirt_private.syms | 4 +
src/util/vircommand.c | 160 ++++++++++++++++++++++++---------------
src/util/virfile.c | 110 +++++++++++++++++++++++++++
src/util/virfile.h | 5 ++
tests/commandtest.c | 2 +
6 files changed, 222 insertions(+), 63 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
3:15 a.m.
On Tue, Aug 22, 2023 at 3:35 PM Michal Privoznik <mprivozn(a)redhat.com>
wrote:
This is a v2 of:
https://listman.redhat.com/archives/libvir-list/2023-June/240351.html
Hopefully, I've implemented all Dan's suggestions.
Michal Prívozník (5):
virfile: Introduce virCloseRange()
virfile: Introduce virCloseFrom()
vircommand: Unify mass FD closing
vircommand: Introduce virCommandMassCloseRange()
src: Detect close_range syscall during virGlobalInit()
src/libvirt.c | 4 +
src/libvirt_private.syms | 4 +
src/util/vircommand.c | 160 ++++++++++++++++++++++++---------------
src/util/virfile.c | 110 +++++++++++++++++++++++++++
src/util/virfile.h | 5 ++
tests/commandtest.c | 2 +
6 files changed, 222 insertions(+), 63 deletions(-)
Reviewed-by: Kristina Hanicova <khanicov(a)redhat.com>
Kristina
456
days inactive
458
days old
8 comments
3 participants
participants (3)
-
Ján Tomko -
Kristina Hanicova -
Michal Privoznik