New submission from Alexey Izbyshev <[email protected]>:
After #40422 _Py_closerange() assumes that close_range() closes all file
descriptors even if it returns an error (other than ENOSYS):
if (close_range(first, last, 0) == 0 || errno != ENOSYS) {
/* Any errors encountered while closing file descriptors are ignored;
* ENOSYS means no kernel support, though,
* so we'll fallback to the other methods. */
}
else
/* fallbacks */
This assumption can be wrong on Linux if a seccomp sandbox denies the
underlying syscall, pretending that it returns EPERM or EACCES. In this case
_Py_closerange() won't close any descriptors at all, which in the worst case
can be a security issue.
I propose to fix this by falling back to other methods in case of *any*
close_range() error. Note that fallbacks will not be triggered on any problems
with closing individual file descriptors because close_range() is documented to
ignore such errors on both Linux[1] and FreeBSD[2].
[1] https://man7.org/linux/man-pages/man2/close_range.2.html
[2] https://www.freebsd.org/cgi/man.cgi?query=close_range&sektion=2
----------
assignee: izbyshev
components: Library (Lib)
keywords: 3.10regression
messages: 416986
nosy: gregory.p.smith, izbyshev, kevans, kevans91
priority: normal
severity: normal
status: open
title: os.closerange() can be no-op in a seccomp sandbox
type: behavior
versions: Python 3.10, Python 3.11
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue47260>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
