summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2018-09-05 18:05:59 -0700
committerShentubot <shentubot@google.com>2018-09-05 18:07:11 -0700
commit41b56696c4923276c6269812bb3dfa7643dab65d (patch)
tree3aa1afbe82e66b74efe97d6685449a956dd906d9 /pkg/sentry
parent5685d6b5add2acce9618aa908b846f5ce3658346 (diff)
Imported FD in exec was leaking
Imported file needs to be closed after it's been imported. PiperOrigin-RevId: 211732472 Change-Id: Ia9249210558b77be076bcce465b832a22eed301f
Diffstat (limited to 'pkg/sentry')
-rw-r--r--pkg/sentry/control/proc.go4
-rw-r--r--pkg/sentry/fs/host/BUILD1
-rw-r--r--pkg/sentry/fs/host/descriptor.go6
-rw-r--r--pkg/sentry/fs/host/descriptor_test.go78
4 files changed, 86 insertions, 3 deletions
diff --git a/pkg/sentry/control/proc.go b/pkg/sentry/control/proc.go
index 2493c5175..4848a5d2b 100644
--- a/pkg/sentry/control/proc.go
+++ b/pkg/sentry/control/proc.go
@@ -119,6 +119,10 @@ func (proc *Proc) Exec(args *ExecArgs, waitStatus *uint32) error {
return err
}
defer file.DecRef()
+
+ // We're done with this file.
+ f.Close()
+
if err := fdm.NewFDAt(kdefs.FD(appFD), file, kernel.FDFlags{}, l); err != nil {
return err
}
diff --git a/pkg/sentry/fs/host/BUILD b/pkg/sentry/fs/host/BUILD
index f1252b0f2..d1a6eaf6e 100644
--- a/pkg/sentry/fs/host/BUILD
+++ b/pkg/sentry/fs/host/BUILD
@@ -55,6 +55,7 @@ go_test(
name = "host_test",
size = "small",
srcs = [
+ "descriptor_test.go",
"fs_test.go",
"inode_test.go",
"socket_test.go",
diff --git a/pkg/sentry/fs/host/descriptor.go b/pkg/sentry/fs/host/descriptor.go
index 3aee4d11c..148291ba6 100644
--- a/pkg/sentry/fs/host/descriptor.go
+++ b/pkg/sentry/fs/host/descriptor.go
@@ -31,9 +31,9 @@ type descriptor struct {
// donated is true if the host fd was donated by another process.
donated bool
- // If origFD >= 0, it is the host fd that this file was
- // originally created from, which must be available at time
- // of restore. Only valid if donated is true.
+ // If origFD >= 0, it is the host fd that this file was originally created
+ // from, which must be available at time of restore. The FD can be closed
+ // after descriptor is created. Only set if donated is true.
origFD int
// wouldBlock is true if value (below) points to a file that can
diff --git a/pkg/sentry/fs/host/descriptor_test.go b/pkg/sentry/fs/host/descriptor_test.go
new file mode 100644
index 000000000..f393a8b54
--- /dev/null
+++ b/pkg/sentry/fs/host/descriptor_test.go
@@ -0,0 +1,78 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package host
+
+import (
+ "io/ioutil"
+ "path/filepath"
+ "syscall"
+ "testing"
+
+ "gvisor.googlesource.com/gvisor/pkg/waiter"
+ "gvisor.googlesource.com/gvisor/pkg/waiter/fdnotifier"
+)
+
+func TestDescriptorRelease(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ saveable bool
+ wouldBlock bool
+ }{
+ {name: "all false"},
+ {name: "saveable", saveable: true},
+ {name: "wouldBlock", wouldBlock: true},
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ dir, err := ioutil.TempDir("", "descriptor_test")
+ if err != nil {
+ t.Fatal("ioutil.TempDir() failed:", err)
+ }
+
+ fd, err := syscall.Open(filepath.Join(dir, "file"), syscall.O_RDWR|syscall.O_CREAT, 0666)
+ if err != nil {
+ t.Fatal("failed to open temp file:", err)
+ }
+
+ // FD ownership is transferred to the descritor.
+ queue := &waiter.Queue{}
+ d, err := newDescriptor(fd, false /* donated*/, tc.saveable, tc.wouldBlock, queue)
+ if err != nil {
+ syscall.Close(fd)
+ t.Fatalf("newDescriptor(%d, %t, false, %t, queue) failed, err: %v", fd, tc.saveable, tc.wouldBlock, err)
+ }
+ if tc.saveable {
+ if d.origFD < 0 {
+ t.Errorf("saveable descriptor must preserve origFD, desc: %+v", d)
+ }
+ }
+ if tc.wouldBlock {
+ if !fdnotifier.HasFD(int32(d.value)) {
+ t.Errorf("FD not registered with notifier, desc: %+v", d)
+ }
+ }
+
+ oldVal := d.value
+ d.Release()
+ if d.value != -1 {
+ t.Errorf("d.value want: -1, got: %d", d.value)
+ }
+ if tc.wouldBlock {
+ if fdnotifier.HasFD(int32(oldVal)) {
+ t.Errorf("FD not unregistered with notifier, desc: %+v", d)
+ }
+ }
+ })
+ }
+}