author | Christophe Besson <cbesson@redhat.com> | 2019-08-07 14:25:51 +0200 |
---|---|---|
committer | Tomáš Mráz <t8m@users.noreply.github.com> | 2019-08-26 15:10:15 +0200 |
commit | 1b087edc7f05237bf5eccc405704cd82b848e761 (patch) | |
tree | 01d92828c4cdd96770f28109236dfba16ca0c62d /libpam/pam_modutil_sanitize.c | |
parent | e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15 (diff) | |
libpam/pam_modutil_sanitize.c: optimize the way to close fds
Diffstat (limited to 'libpam/pam_modutil_sanitize.c')
-rw-r--r-- | libpam/pam_modutil_sanitize.c | 73 |
1 files changed, 59 insertions, 14 deletions
diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
index 65f85d01..605c859d 100644
--- a/libpam/pam_modutil_sanitize.c
+++ b/libpam/pam_modutil_sanitize.c
@@ -10,6 +10,13 @@
 #include <fcntl.h>
 #include <syslog.h>
 #include <sys/resource.h>
+#include <dirent.h>
+#ifdef HAVE_SYS_VFS_H
+#include <sys/vfs.h>
+#endif
+#ifdef HAVE_LINUX_MAGIC_H
+#include <linux/magic.h>
+#endif
 
 /*
 * Creates a pipe, closes its write end, redirects fd to its read end.
@@ -112,31 +119,69 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
 return fd;
 }
 
+/* Check if path is in a procfs. */
+static int
+is_in_procfs(int fd)
+{
+#if defined HAVE_SYS_VFS_H && defined PROC_SUPER_MAGIC
+ struct statfs stfs;
+
+ if (fstatfs(fd, &stfs) == 0) {
+ if (stfs.f_type == PROC_SUPER_MAGIC)
+ return 1;
+ } else {
+ return 0;
+ }
+#endif /* HAVE_SYS_VFS_H && PROC_SUPER_MAGIC */
+
+ return -1;
+}
+
 /* Closes all descriptors after stderr. */
 static void
 close_fds(void)
 {
+ DIR *dir = NULL;
+ struct dirent *dent;
+ int dfd = -1;
+ int fd;
+ struct rlimit rlim;
+
 /*
 * An arbitrary upper limit for the maximum file descriptor number
 * returned by RLIMIT_NOFILE.
 */
- const int MAX_FD_NO = 65535;
+ const unsigned int MAX_FD_NO = 65535;
 
 /* The lower limit is the same as for _POSIX_OPEN_MAX. */
- const int MIN_FD_NO = 20;
-
- int fd;
- struct rlimit rlim;
-
- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
- fd = MAX_FD_NO;
- else if (rlim.rlim_max < MIN_FD_NO)
- fd = MIN_FD_NO;
- else
- fd = rlim.rlim_max - 1;
+ const unsigned int MIN_FD_NO = 20;
+
+ /* If /proc is mounted, we can optimize which fd can be closed. */
+ if ((dir = opendir("/proc/self/fd")) != NULL) {
+ if ((dfd = dirfd(dir)) >= 0 && is_in_procfs(dfd) > 0) {
+ while ((dent = readdir(dir)) != NULL) {
+ fd = atoi(dent->d_name);
+ if (fd > STDERR_FILENO && fd != dfd)
+ close(fd);
+ }
+ } else {
+ dfd = -1;
+ }
+ closedir(dir);
+ }
 
- for (; fd > STDERR_FILENO; --fd)
- close(fd);
+ /* If /proc isn't available, fallback to the previous behavior. */
+ if (dfd < 0) {
+ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
+ fd = MAX_FD_NO;
+ else if (rlim.rlim_max < MIN_FD_NO)
+ fd = MIN_FD_NO;
+ else
+ fd = rlim.rlim_max - 1;
+
+ for (; fd > STDERR_FILENO; --fd)
+ close(fd);
+ }
 }
 
 int |
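Review bot: The `readdir()` loop in `close_fds` treats every NULL return as end-of-directory, so a read error partway through `/proc/self/fd` leaves the remaining descriptors open while `dfd >= 0` also suppresses the rlimit fallback sweep. Since the function's stated job is to close everything after stderr, I would reset `errno = 0;` before each `readdir(dir)` call and add `if (errno != 0) dfd = -1;` after the loop so the fallback still runs; this needs `<errno.h>`, which the visible include list does not show. Separately, `is_in_procfs` has three return values but its comment only names what it checks; a comment such as `/* Returns 1 if fd is on procfs, 0 if fstatfs() fails, -1 if it is not procfs or the check is compiled out. */` would make the `> 0` test at the call site self-explanatory.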