[bug#75810] [PATCH v7 01/16] daemon: Use ‘close_range’ where available.
From: Ludovic Courtès
Subject: [bug#75810] [PATCH v7 01/16] daemon: Use ‘close_range’ where available.
Date: Thu, 20 Mar 2025 21:54:34 +0100
* nix/libutil/util.cc (closeMostFDs) [HAVE_CLOSE_RANGE]: Use
‘close_range’ when ‘exceptions’ is empty.
* config-daemon.ac: Check for <linux/close_range.h> and the
‘close_range’ symbol.
Change-Id: I12fa3bde58b003fcce5ea5a1fee1dcf9a92c0359
---
config-daemon.ac | 5 +++--
nix/libutil/util.cc | 23 +++++++++++++++++------
2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/config-daemon.ac b/config-daemon.ac
index 6731c68bc3..4e949bc88a 100644
--- a/config-daemon.ac
+++ b/config-daemon.ac
@@ -78,7 +78,8 @@ if test "x$guix_build_daemon" = "xyes"; then
dnl Chroot support.
AC_CHECK_FUNCS([chroot unshare])
- AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h])
+ AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \
+ linux/close_range.h])
if test "x$ac_cv_func_chroot" != "xyes"; then
AC_MSG_ERROR(['chroot' function missing, bailing out])
@@ -95,7 +96,7 @@ if test "x$guix_build_daemon" = "xyes"; then
dnl strsignal: for error reporting.
dnl statx: fine-grain 'stat' call, new in glibc 2.28.
AC_CHECK_FUNCS([lutimes lchown posix_fallocate sched_setaffinity \
- statvfs nanosleep strsignal statx])
+ statvfs nanosleep strsignal statx close_range])
dnl Check for <locale>.
AC_LANG_PUSH(C++)
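Review bot: adding close_range to AC_CHECK_FUNCS only proves that the symbol links; it does not prove that a prototype is visible, and util.cc is C++, where calling an undeclared function is a hard error. On glibc the declaration lives in <unistd.h> behind _GNU_SOURCE (glibc 2.34 and later), not in <linux/close_range.h>, which only carries the CLOSE_RANGE_* flag macros. Consider complementing the link test with `AC_CHECK_DECLS([close_range], [], [], [[#include <unistd.h>]])` (with AC_USE_SYSTEM_EXTENSIONS or an explicit _GNU_SOURCE in the includes) so that the build-time macro is only set when the call will actually compile.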
diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
index 3206dea11b..eb2d16e1cc 100644
--- a/nix/libutil/util.cc
+++ b/nix/libutil/util.cc
@@ -23,6 +23,10 @@
#include <sys/prctl.h>
#endif
+#ifdef HAVE_LINUX_CLOSE_RANGE_H
+# include <linux/close_range.h>
+#endif
+
extern char * * environ;
@@ -1087,12 +1091,19 @@ string runProgram(Path program, bool searchPath, const
Strings & args)
void closeMostFDs(const set<int> & exceptions)
{
- int maxFD = 0;
- maxFD = sysconf(_SC_OPEN_MAX);
- for (int fd = 0; fd < maxFD; ++fd)
- if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO
- && exceptions.find(fd) == exceptions.end())
- close(fd); /* ignore result */
+#ifdef HAVE_CLOSE_RANGE
+ if (exceptions.empty())
+ close_range(3, ~0U, 0);
+ else
+#endif
+ {
+ int maxFD = 0;
+ maxFD = sysconf(_SC_OPEN_MAX);
+ for (int fd = 0; fd < maxFD; ++fd)
+ if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd !=
STDERR_FILENO
+ && exceptions.find(fd) == exceptions.end())
+ close(fd); /* ignore result */
+ }
}
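Review bot: the return value of `close_range(3, ~0U, 0)` is discarded, so if the call fails the descriptors stay open and closeMostFDs silently does nothing in the `exceptions.empty()` case. The realistic failure is ENOSYS: HAVE_CLOSE_RANGE is a build-time result, and a daemon built against a libc that ships the wrapper can run on a kernel that predates the syscall. Since the purpose of this function is to keep unrelated descriptors from leaking into the builder, the sysconf loop should act as a runtime fallback whenever close_range reports an error, not only when exceptions is non-empty, e.g. `if (exceptions.empty() && close_range(3, ~0U, 0) == 0) return;` followed by the unconditional loop. As a secondary point, the fallback loop still stops at sysconf(_SC_OPEN_MAX); with a non-empty exceptions set the same coverage as close_range could be had by calling close_range over the gaps between the sorted exception fds, which would also close descriptors above that bound.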
--
2.48.1