authorMatthias Gerstner <matthias.gerstner@suse.de>2024-01-02 12:13:19 +0100
committerDmitry V. Levin <ldv@strace.io>2024-01-03 10:50:38 +0000
commitc48622d95e3d441fcee6228be1952fe7ee299f6d (patch)
tree4f4d3754fae851f9321a2ddce1826f2b1a51492d
parentddfc1301282fe87e245716b04437422476e8bc35 (diff)
pam_namespace: close unnecessary file descriptors before exec()
Currently the `rm` subprocess and the namespace init script inherit a random set of open file descriptors from the process running PAM. Depending on the actual PAM stack configuration these can even be security-sensitive files. In any case it is unclean to pass unexpected open file descriptors on to child processes like this. To address this, close all file descriptors except stdio before executing a new program.
-rw-r--r--modules/pam_namespace/pam_namespace.c11
1 files changed, 11 insertions, 0 deletions
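diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 40edc9f7..92372ab4 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -53,6 +53,14 @@ compare_filename(const void *a, const void *b)
 base_name(* (char * const *) b));
 }
+static void close_fds_pre_exec(struct instance_data *idata)
+{
+ if (pam_modutil_sanitize_helper_fds(idata->pamh, PAM_MODUTIL_IGNORE_FD,
+ PAM_MODUTIL_IGNORE_FD, PAM_MODUTIL_IGNORE_FD) < 0) {
+ _exit(1);
+ }
+}
+
 /* Evaluating a list of files which have to be parsed in the right order:
 *
 * - If etc/security/namespace.d/@filename@.conf exists, then
@@ -1379,6 +1387,8 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
 /* ignore failures, they don't matter */
 }
+ close_fds_pre_exec(idata);
+
 if (execle(init_script, init_script,
 polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0)
 _exit(1);
@@ -1817,6 +1827,7 @@ static int cleanup_tmpdirs(struct instance_data *idata)
 _exit(1);
 }
 #endif
+ close_fds_pre_exec(idata);
 if (execle("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, NULL, envp) < 0)
 _exit(1);
 } else if (pid > 0) {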
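Review bot: close_fds_pre_exec in the first hunk carries no comment stating that it is child-side only — it is meant to run between fork() and exec() and does not return on failure but `_exit(1)`s the calling process — so a future caller in the parent would silently terminate the application that invoked PAM. A header comment above the definition such as `/* Child side only: close every fd except stdio before exec(); on failure the child exits and this does not return. */` would capture that contract. Passing PAM_MODUTIL_IGNORE_FD for all three stdio slots also means the init script and /bin/rm still inherit the application's fds 0-2, which the commit message's "except stdio" wording implies is intentional; if so it deserves a sentence in the same comment, otherwise PAM_MODUTIL_NULL_FD would detach them. Since the helper reads only idata->pamh, taking `pam_handle_t *pamh` directly would make its single dependency explicit at the two call sites in inst_init and cleanup_tmpdirs below. The exit status 1 is shared with the execle failure path, so the parent (outside these hunks) presumably cannot distinguish a sanitize failure from a failed exec.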