validate fds --preserve-fds

validate file descriptors passed from podman run and podman exec --preserve-fds.

Signed-off-by: Qi Wang <qiwan@redhat.com>

cmd/podman/containers/exec.go

@@ -10,6 +10,7 @@ import (
 	"github.com/containers/podman/v2/libpod/define"
 	"github.com/containers/podman/v2/pkg/domain/entities"
 	envLib "github.com/containers/podman/v2/pkg/env"
+	"github.com/containers/podman/v2/pkg/rootless"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -110,6 +111,12 @@ func exec(_ *cobra.Command, args []string) error {
 
 	execOpts.Envs = envLib.Join(execOpts.Envs, cliEnv)
 
+	for fd := 3; fd < int(3+execOpts.PreserveFDs); fd++ {
+		if !rootless.IsFdInherited(fd) {
+			return errors.Errorf("file descriptor %d is not available - the preserve-fds option requires that file descriptors must be passed", fd)
+		}
+	}
+
 	if !execDetach {
 		streams := define.AttachStreams{}
 		streams.OutputStream = os.Stdout

cmd/podman/containers/run.go

@@ -125,6 +125,11 @@ func run(cmd *cobra.Command, args []string) error {
 	if err := createInit(cmd); err != nil {
 		return err
 	}
+	for fd := 3; fd < int(3+runOpts.PreserveFDs); fd++ {
+		if !rootless.IsFdInherited(fd) {
+			return errors.Errorf("file descriptor %d is not available - the preserve-fds option requires that file descriptors must be passed", fd)
+		}
+	}
 
 	imageName := args[0]
 	if !cliVals.RootFS {

pkg/rootless/rootless_linux.c

@@ -225,6 +225,16 @@ can_use_shortcut ()
   return ret;
 }
 
+int
+is_fd_inherited(int fd)
+{
+  if (open_files_set == NULL || fd > open_files_max_fd || fd < 0)
+  {
+    return 0;
+  }
+  return FD_ISSET(fd % FD_SETSIZE, &(open_files_set[fd / FD_SETSIZE])) ? 1 : 0;
+}
+
 static void __attribute__((constructor)) init()
 {
   const char *xdg_runtime_dir;

pkg/rootless/rootless_linux.go

@@ -32,6 +32,7 @@ extern uid_t rootless_gid();
 extern int reexec_in_user_namespace(int ready, char *pause_pid_file_path, char *file_to_read, int fd);
 extern int reexec_in_user_namespace_wait(int pid, int options);
 extern int reexec_userns_join(int pid, char *pause_pid_file_path);
+extern int is_fd_inherited(int fd);
 */
 import "C"
 
@@ -520,3 +521,8 @@ func ConfigurationMatches() (bool, error) {
 
 	return matches(GetRootlessGID(), gids, currentGIDs), nil
 }
+
+// IsFdInherited checks whether the fd is opened and valid to use
+func IsFdInherited(fd int) bool {
+	return int(C.is_fd_inherited(C.int(fd))) > 0
+}

pkg/rootless/rootless_unsupported.go

@@ -64,3 +64,8 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
 func ReadMappingsProc(path string) ([]idtools.IDMap, error) {
 	return nil, nil
 }
+
+// IsFdInherited checks whether the fd is opened and valid to use
+func IsFdInherited(fd int) bool {
+	return false
+}

test/e2e/run_test.go

@@ -1063,6 +1063,13 @@ USER mail`
 		Expect(session.ExitCode()).To(Equal(0))
 	})
 
+	It("podman run --preserve-fds invalid fd", func() {
+		session := podmanTest.Podman([]string{"run", "--preserve-fds", "2", ALPINE})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Not(Equal(0)))
+		Expect(session.ErrorToString()).To(ContainSubstring("file descriptor 3 is not available"))
+	})
+
 	It("podman run --privileged and --group-add", func() {
 		groupName := "kvm"
 		session := podmanTest.Podman([]string{"run", "-t", "-i", "--group-add", groupName, "--privileged", fedoraMinimal, "groups"})

test/system/030-run.bats

@@ -63,7 +63,6 @@ echo $rand        |   0 | $rand
 
 # 'run --preserve-fds' passes a number of additional file descriptors into the container
 @test "podman run --preserve-fds" {
-    skip "enable this once #6653 is fixed"
     skip_if_remote
 
     content=$(random_string 20)