From 68e4cd3a8f4f8ab34844140436667f5d47f03279 Mon Sep 17 00:00:00 2001
From: Filip Stedronsky
Date: Mon, 26 Apr 2021 15:01:09 +0200
Subject: [PATCH] Make --inherit-fds accept a list of fd's to inherit
---
TODO | 1 -
isolate.1.txt | 5 ++++-
isolate.c | 39 ++++++++++++++++++++++++++++++++++-----
isolate.h | 2 +-
util.c | 11 +++++++++--
5 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/TODO b/TODO
index f33fa4b..3c2f57e 100644
--- a/TODO
+++ b/TODO
@@ -1,2 +1 @@
- Examine the use of taskstats for measuring memory
-- Make --inherit-fds accept a list of fd's to inherit
diff --git a/isolate.1.txt b/isolate.1.txt
index 7470aa7..9382e6f 100644
--- a/isolate.1.txt
+++ b/isolate.1.txt
@@ -125,12 +125,15 @@ OPTIONS
to permit communication, you can use this switch to keep the child process
in parent's network namespace.
-*--inherit-fds*::
+*--inherit-fds*[*=*'fd1'*,*'fd2'*,...*]::
By default, isolate closes all file descriptors passed from its parent
except for descriptors 0, 1, and 2.
This prevents unintentional descriptor leaks. In some cases, passing extra
descriptors to the sandbox can be desirable, so you can use this switch
to make them survive.
+ If a comma-separated list of file descriptor numbers is provided as an argument,
+ only file descriptors in this list are inherited. If the option is used without
+ an argument, all file descriptors are inherited.
*-v, --verbose*::
Tell the sandbox manager to be verbose and report on what is going on.
diff --git a/isolate.c b/isolate.c
index 68e3f9f..64d411d 100644
--- a/isolate.c
+++ b/isolate.c
@@ -80,6 +80,8 @@ static int redir_stderr_to_stdout;
static char *set_cwd;
static int share_net;
static int inherit_fds;
+static int inherit_fd_num = 0;
+static unsigned inherit_fd_list[100];
static int default_dirs = 1;
static int tty_hack;
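Review bot: The capacity of `inherit_fd_list` is a bare `100`, and nothing in this hunk shows that bound being enforced. The code that appends parsed descriptors is outside this hunk; it has to compare `inherit_fd_num` with the array size before every store, otherwise a long `--inherit-fds=` list would write past the static array. A named constant used in both the declaration and that check would keep the two in sync, e.g. `#define MAX_INHERIT_FDS 100` with `static unsigned inherit_fd_list[MAX_INHERIT_FDS];`. A short comment such as `/* descriptors named by --inherit-fds=LIST; inherit_fd_num entries are valid */` would also document the pair.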
@@ -840,8 +842,10 @@ run(char **argv)
if (!dir_exists("box"))
die("Box directory not found, did you run `%s --init'?", self_name());
- if (!inherit_fds)
- close_all_fds();
+ if (inherit_fds == 0)
+ close_all_fds(0, NULL);
+ else if (inherit_fds == 2)
+ close_all_fds(inherit_fd_num, inherit_fd_list);
chowntree("box", box_uid, box_gid);
cleanup_ownership = 1;
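Review bot: The bare values `0` and `2` tested here encode a three-state mode, and the third state (presumably 1, inherit everything) is handled only by omission. Any value other than 0 or 2 therefore leaves every descriptor open in the sandboxed child, so the branch fails open. Named constants would make the states readable and let it fail closed, e.g. `enum { INHERIT_FDS_NONE, INHERIT_FDS_ALL, INHERIT_FDS_LIST };` with `if (inherit_fds != INHERIT_FDS_ALL) close_all_fds(inherit_fd_num, inherit_fd_list);`. That form relies on `inherit_fd_num` being 0 when no list was given. The option parsing that sets `inherit_fds` is not visible in this hunk, and run() starts and ends outside it.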
@@ -917,7 +921,7 @@ Options:\n\
-x, --extra-time=