From a341bdb0640294a07939670919c56cbfa7a861c4 Mon Sep 17 00:00:00 2001 From: Andrey Smirnov Date: Tue, 1 Oct 2024 18:56:19 +0400 Subject: [PATCH] fix: prevent file descriptors leaks to child processes See #9412 I'll keep the issue open to track upstream PR status and remove replace directives. Signed-off-by: Andrey Smirnov --- .golangci.yml | 4 ++++ go.mod | 12 ++++++++++++ go.sum | 14 +++++++------- .../internal/server/v1alpha1/v1alpha1_server.go | 1 + internal/pkg/logind/logind.go | 2 +- internal/pkg/mount/switchroot/switchroot.go | 2 +- 6 files changed, 26 insertions(+), 9 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 6160e770be..cd89b614a7 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -105,6 +105,10 @@ linters-settings: - golang.zx2c4.com/wireguard - golang.zx2c4.com/wireguard/wgctrl - cloud.google.com/go + # fd-leak related replacements: https://github.com/siderolabs/talos/issues/9412 + - github.com/insomniacslk/dhcp + - github.com/safchain/ethtool + - github.com/vishvananda/netlink retract-allow-no-explanation: false exclude-forbidden: false diff --git a/go.mod b/go.mod index 666544b441..4c065089a7 100644 --- a/go.mod +++ b/go.mod @@ -26,6 +26,18 @@ replace ( gopkg.in/yaml.v3 => github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c ) +// fd-leak related replacements: https://github.com/siderolabs/talos/issues/9412 +replace ( + // https://github.com/insomniacslk/dhcp/pull/550 + github.com/insomniacslk/dhcp => github.com/smira/dhcp v0.0.0-20241001122726-31e9ef21c016 + + // https://github.com/safchain/ethtool/pull/88 + github.com/safchain/ethtool => github.com/smira/ethtool v0.0.0-20241001133415-4d519940893f + + // https://github.com/vishvananda/netlink/pull/1023 + github.com/vishvananda/netlink => github.com/smira/netlink v0.0.0-20241001134714-cf141a3c404c +) + // Kubernetes dependencies sharing the same version. require ( k8s.io/api v0.31.1 diff --git a/go.sum b/go.sum index e998c17a15..9387e080d9 100644 --- a/go.sum +++ b/go.sum 
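Review bot: The three replace directives move trust from the upstream modules to a personal fork (github.com/smira/*), and each comment records only the upstream PR, not the upstream version being swapped out, so whoever removes these later cannot tell from go.mod which base the fork should be diffed against. Record it next to each link, e.g. `// https://github.com/insomniacslk/dhcp/pull/550 (fork of v0.0.0-20240829085014-a3a4c1f04475 plus the CLOEXEC change)`, and likewise `v0.4.1` for ethtool and `v1.3.0` for netlink — the versions this commit drops from go.sum. The go.sum entries pin the fork commits' content, so the build is reproducible, but a hash says nothing about what else the fork carries; the fork-vs-base diff should be confirmed to contain only the fd-leak fix before this merges. The PR links themselves are not verifiable from this patch.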
@@ -373,8 +373,6 @@ github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/insomniacslk/dhcp v0.0.0-20240829085014-a3a4c1f04475 h1:hxST5pwMBEOWmxpkX20w9oZG+hXdhKmAIPQ3NGGAxas= -github.com/insomniacslk/dhcp v0.0.0-20240829085014-a3a4c1f04475/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic= github.com/jeromer/syslogparser v1.1.0 h1:HES0EviO9iPvCu56LjVFVhbM3o0BckDlIbQfkkaRJAw= github.com/jeromer/syslogparser v1.1.0/go.mod h1:zfowyus/j2SEgW31bIntTvEBE2zCSndtFsCC6NcW4S4= github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= @@ -569,8 +567,6 @@ github.com/ryanuber/columnize v2.1.2+incompatible h1:C89EOx/XBWwIXl8wm8OPJBd7kPF github.com/ryanuber/columnize v2.1.2+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/safchain/ethtool v0.4.1 h1:S6mEleTADqgynileXoiapt/nKnatyR6bmIHoF+h2ADo= -github.com/safchain/ethtool v0.4.1/go.mod h1:XLLnZmy4OCRTkksP/UiMjij96YmIsBfmBQcs7H6tA48= github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4= github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY= github.com/scaleway/scaleway-sdk-go v1.0.0-beta.30 h1:yoKAVkEVwAqbGbR8n87rHQ1dulL25rKloGadb3vm770= 
@@ -643,8 +639,14 @@ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/smira/dhcp v0.0.0-20241001122726-31e9ef21c016 h1:pImpynwlfelZICjeAVIj4OdNsS+RadE4D+KC+RzpUt8= +github.com/smira/dhcp v0.0.0-20241001122726-31e9ef21c016/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic= +github.com/smira/ethtool v0.0.0-20241001133415-4d519940893f h1:zDEBezq1KUHS62PXzdQV/XBgSXvDUghHatcYFL6M4cM= +github.com/smira/ethtool v0.0.0-20241001133415-4d519940893f/go.mod h1:yrBZ31QKMz6l8UbF0JuY3WVMVNPbsdwQNeGDugZ8ZMc= github.com/smira/kobject v0.0.0-20240304111826-49c8d4613389 h1:f/5NRv5IGZxbjBhc5MnlbNmyuXBPxvekhBAUzyKWyLY= github.com/smira/kobject v0.0.0-20240304111826-49c8d4613389/go.mod h1:+SexPO1ZvdbbWUdUnyXEWv3+4NwHZjKhxOmQqHY4Pqc= +github.com/smira/netlink v0.0.0-20241001134714-cf141a3c404c h1:r4BykEoD09elM2R0eLikJJDMAceAMsvSQRu0ugHpTPg= +github.com/smira/netlink v0.0.0-20241001134714-cf141a3c404c/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.10.0 h1:EaGW2JJh15aKOejeuJ+wpFSHnbd7GE6Wvp3TsNhb6LY= github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ= 
@@ -685,8 +687,6 @@ github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijb github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck= github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY= -github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk= -github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs= github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8= github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/vmware/vmw-guestinfo v0.0.0-20220317130741-510905f0efa3 h1:v6jG/tdl4O07LNVp74Nt7/OyL+1JsIW1M2f/nSvQheY= @@ -894,7 +894,7 @@ golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= diff --git a/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go b/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go index 05a494e885..b6980159f8 100644 --- a/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go +++ b/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go 
@@ -2207,6 +2207,7 @@ func (s *Server) PacketCapture(in *machine.PacketCaptureRequest, srv machine.Mac handle, err := afpacket.NewTPacket( afpacket.OptInterface(in.Interface), afpacket.OptPollTimeout(100*time.Millisecond), + afpacket.OptSocketType(unix.SOCK_RAW|unix.SOCK_CLOEXEC), ) if err != nil { return fmt.Errorf("error creating afpacket handle: %w", err) diff --git a/internal/pkg/logind/logind.go b/internal/pkg/logind/logind.go index f8545ae6a2..d0960d3664 100644 --- a/internal/pkg/logind/logind.go +++ b/internal/pkg/logind/logind.go @@ -49,7 +49,7 @@ func (mock *logindMock) Inhibit(what, who, why, mode string) (dbus.UnixFD, *dbus } mock.inhibitPipe = make([]int, 2) - if err := syscall.Pipe(mock.inhibitPipe); err != nil { + if err := syscall.Pipe2(mock.inhibitPipe, syscall.O_CLOEXEC); err != nil { return dbus.UnixFD(0), dbus.MakeFailedError(err) } diff --git a/internal/pkg/mount/switchroot/switchroot.go b/internal/pkg/mount/switchroot/switchroot.go index e6dbe8e5bb..23e0ccd4a8 100644 --- a/internal/pkg/mount/switchroot/switchroot.go +++ b/internal/pkg/mount/switchroot/switchroot.go @@ -128,7 +128,7 @@ func recusiveDeleteInner(parentFd int, parentDev uint64, childName, path string) return preserved, nil } - childFd, err := unix.Openat(parentFd, childName, unix.O_DIRECTORY|unix.O_NOFOLLOW, unix.O_RDWR) + childFd, err := unix.Openat(parentFd, childName, unix.O_DIRECTORY|unix.O_NOFOLLOW|unix.O_CLOEXEC, unix.O_RDWR) if err != nil { return false, unix.Unlinkat(parentFd, childName, 0) }
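Review bot: The new `afpacket.OptSocketType(unix.SOCK_RAW|unix.SOCK_CLOEXEC)` passes a socket(2) flag through an option that names the socket type; it works only as long as the library hands `socktype` to `socket(2)` unchanged, and would silently break any equality check against `SocketRaw`/`SocketDgram` inside afpacket, so the reliance deserves a comment such as `// SOCK_CLOEXEC is ORed into the type so the capture fd is not inherited by child processes; afpacket has no separate option for it.` Whether afpacket performs such a comparison cannot be verified from this hunk. The line also assumes `unix` (golang.org/x/sys/unix) is already imported in this file, which the hunk does not show. PacketCapture begins and ends outside the hunk, so the close path for `handle` is not visible here.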
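Review bot: `syscall.Pipe2(mock.inhibitPipe, syscall.O_CLOEXEC)` is the right call but stays on the frozen `syscall` package while the other two Go changes in this commit use `golang.org/x/sys/unix`; if this file already imports unix, prefer `unix.Pipe2(mock.inhibitPipe, unix.O_CLOEXEC)` for consistency. Separately, `mock.inhibitPipe` is allocated before the call, so on a Pipe2 failure it is left holding `{0, 0}`; should a later release path close those descriptors it would close fd 0, so it is safer to pipe into a local `[2]int` and assign `mock.inhibitPipe` only after the call succeeds. Whether such a release path exists cannot be seen from this hunk. Inhibit starts and ends outside the hunk.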
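Review bot: The fourth argument of `unix.Openat` is the creation `mode`, not an access flag, so the `unix.O_RDWR` carried over into the new line sits in the wrong position — it is ignored without O_CREAT, and a directory cannot be opened read-write anyway, so the effective access mode is O_RDONLY. Write it as `childFd, err := unix.Openat(parentFd, childName, unix.O_DIRECTORY|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)` so the call reads as it behaves. Adding O_CLOEXEC here is the correct fix for the fork/exec window; every path still has to close childFd, which this hunk does not show. recusiveDeleteInner starts and ends outside the hunk.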