[PATCH v2 3/4] io: Add closefrom [BZ #10353]

Wed Dec 23 13:28:31 GMT 2020

* Adhemerval Zanella:

> The symbol closes all open file descriptors greater than or equal to
> input argument.  Negative values are campled to 0, i.e, it will close
> all file descriptors.

“The function”?

Typo: “campled”.

> diff --git a/io/tst-closefrom.c b/io/tst-closefrom.c
> new file mode 100644
> index 0000000000..47b50b74b6
> --- /dev/null
> +++ b/io/tst-closefrom.c

> +#define NFDS 100
> +
> +static int
> +closefrom_test (void)
> +{
> +  struct support_descriptors *descrs = support_descriptors_list ();
> +
> +  int lowfd = xopen ("/dev/null", O_RDONLY | O_CLOEXEC, 0600);
> +  for (int i = 0; i < NFDS; i++)
> +    xopen ("/dev/null", O_RDONLY | O_CLOEXEC, 0600);

See the previous comments about checking for contiguous allocation and
the meaning of NFDS.

> +  const int maximum_fd = lowfd + NFDS;
> +  const int half_fd = maximum_fd / 2;
> +  const int gap = maximum_fd / 4;
> +
> +  /* Close half of the descriptors and check result.  */
> +  closefrom (half_fd);
> +
> +  for (int i = half_fd; i <= maximum_fd; i++)
> +    {
> +      TEST_COMPARE (fcntl (i, F_GETFL), -1);
> +      TEST_COMPARE (errno, EBADF);
> +    }
> +  for (int i = 0; i < half_fd; i++)
> +    TEST_VERIFY (fcntl (i, F_GETFL) > -1);
> +
> +  /* Create some gaps, close up to a threshold, and check result.  */
> +  xclose (35);
> +  xclose (38);
> +  xclose (42);
> +  xclose (46);

lowfd + 35 etc., please.

> +/* Check if closefrom works even when no new file descriptors can be
> +   created.  */
> +static int
> +closefrom_test_file_desc_limit (void)
> +{
> +  int max_fd = NFDS;
> +  {
> +    struct rlimit rl;
> +    if (getrlimit (RLIMIT_NOFILE, &rl) == -1)
> +      FAIL_EXIT1 ("getrlimit (RLIMIT_NOFILE): %m");
> +
> +    max_fd = (rl.rlim_cur < max_fd ? rl.rlim_cur : max_fd);
> +    rl.rlim_cur = max_fd;
> +
> +    if (setrlimit (RLIMIT_NOFILE, &rl) == 1)
> +      FAIL_EXIT1 ("setrlimit (RLIMIT_NOFILE): %m");
> +  }
> +
> +  /* Exhauste the file descriptor limit.  */
> +  int lowfd = xopen ("/dev/null", O_RDONLY | O_CLOEXEC, 0600);
> +  for (;;)
> +    {
> +      int fd = open ("/dev/null", O_RDONLY | O_CLOEXEC, 0600);
> +      if (fd == -1)
> +	{
> +	  if (errno != EMFILE)
> +	    FAIL_EXIT1 ("create_temp_file: %m");
> +	  break;
> +	}
> +    }
> +
> +  closefrom (lowfd);
> +  for (int i = lowfd; i < NFDS; i++)
> +    {
> +      TEST_COMPARE (fcntl (i, F_GETFL), -1);
> +      TEST_COMPARE (errno, EBADF);
> +    }
> +
> +  return 0;
> +}

Good test, thanks.

> diff --git a/manual/llio.texi b/manual/llio.texi
> index 018e7933de..d2cf7bbabd 100644
> --- a/manual/llio.texi
> +++ b/manual/llio.texi
> @@ -314,6 +314,20 @@ is used.
>  @end table
>  @end deftypefun
>  
> +@deftypefun void closefrom (int @var{lowfd})
> +@standards{GNU, unistd.h}
> +@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{@acsfd{}}}
> +
> +The function @code{closefrom} closes all file descriptors large or equal
> +then @var{lowfd}.  This function is similar to call @code{close} in specified
> +file descriptor range.
> +
> +@table @code
> +@item EINVAL
> +The @var{lowfd} value is larger than @var{maxfd} or an unsupported @var{flag}
> +is used.
> +@end table
> +@end deftypefun

I think this function cannot fail.

>  @node I/O Primitives
>  @section Input and Output Primitives
> diff --git a/posix/unistd.h b/posix/unistd.h
> index 32b8161619..652fed4616 100644
> --- a/posix/unistd.h
> +++ b/posix/unistd.h
> @@ -352,6 +352,12 @@ extern __off64_t lseek64 (int __fd, __off64_t __offset, int __whence)
>     __THROW.  */
>  extern int close (int __fd);
>  
> +#ifdef __USE_GNU
> +/* Close all open file descriptors greater than or equal to LOWFD.
> +   Negative LOWFD is clamped to 0.  */
> +extern void closefrom (int __lowfd) __THROW;
> +#endif

__USE_MISC instead of GNU?  Given that this is so widely implemented.

> diff --git a/sysdeps/unix/sysv/linux/closefrom_fallback.c b/sysdeps/unix/sysv/linux/closefrom_fallback.c
> new file mode 100644
> index 0000000000..461582792d
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/closefrom_fallback.c

> +/* Fallback code: iterates over /proc/self/fd, closing each file descriptor
> +   that fall on the criteria.  */
> +_Bool
> +__closefrom_fallback (int from)
> +{
> +  bool ret = false;
> +
> +  int dirfd = __open_nocancel (FD_TO_FILENAME_PREFIX, O_RDONLY | O_DIRECTORY,
> +			       0);
> +  if (dirfd == -1)
> +    {
> +      /* The closefrom should work even when process can't open new files.
> +	 In this case it loops over RLIMIT_NOFILE / rlim_cur until it frees
> +	 a file descriptor to iterate over /proc.  */
> +      if (errno != EMFILE)
> +	goto err;

As explained, this should be errno == ENOENT.  There are a few more
calls that could take the shortcut, but I don't think they can occur in
practice.

> +  char buffer[1024];
> +  while (true)
> +    {
> +      ssize_t ret = __getdents64 (dirfd, buffer, sizeof (buffer));
> +      if (ret == -1)
> +        goto err;
> +      else if (ret == 0)
> +        break;
> +
> +      char *begin = buffer, *end = buffer + ret;
> +      while (begin != end)
> +	{
> +          unsigned short int d_reclen;
> +	  memcpy (&d_reclen, begin + offsetof (struct dirent64, d_reclen),
> +		  sizeof (d_reclen));
> +	  const char *dname = begin + offsetof (struct dirent64, d_name);
> +	  begin += d_reclen;
> +
> +	  if (dname[0] == '.')
> +	    continue;
> +
> +	  int fd = 0;
> +	  for (const char *s = dname; (unsigned int) (*s) - '0' < 10; s++)
> +	    fd = 10 * fd + (*s - '0');
> +
> +	  if (fd == dirfd || fd < from)
> +	    continue;
> +
> +	  __close_nocancel (fd);
> +	}
> +    }

Do you object to the idea of the rewind?  The implementation above
encodes very specific /proc/self/fd behavior.

With containers and seccomp filters, we can't assume that a future
behavioral change will not matter because we have close_range.

Thanks,
Florian
-- 
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill