[musl] [PATCH] add close_range() syscall wrapper

[musl] [PATCH] add close_range() syscall wrapper

[Natanael Copa]

close_range() is a syscall present in FreeBSD 8.0 and Linux 5.9. glibc
2.34 added a wrapper.

Expose it under _GNU_SOURCE similar to what GNU libc does. Also expose
it under _BSD_SOURCE since it is also a FreeBSD function.
---

This is a re-take of close_range() syscall wrapper. It was previously
discussed in mailing list: https://www.openwall.com/lists/musl/2022/08/18/5

Difference from previous submission:

- Use correct values for CLOSE_RANGE_UNSHARE and CLOSE_RANGE_CLOEXEC.
- Set errno on errors.
- Drop the (unsigned int) cast for flags, as it raised questions last
  time.

I think it is a good idea to add this to musl because it is difficult to
the close before exec properly without it. 

Most workaounrds currently out there are either parsing /proc or try to
close everything to maxfd reported by getrlimit(), sysconf() or
getdtablesize().

opendir("/proc/self/fd") is problematic becase 1) /proc may not be
mounted and 2) some versions of musl hangs on malloc between fork and 
exec.

Trying to close everything between a maxfd is also problematic. On some
systems (under docker for example) the maxfd can be 1G, which
effectively results in a hang. (See https://github.com/k0sproject/k0s/pull/3436)

I think its better to encourage the use of close_range().

See also: https://github.com/OpenRC/openrc/pull/645

 include/unistd.h        | 3 +++
 src/linux/close_range.c | 8 ++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 src/linux/close_range.c

diff --git a/include/unistd.h b/include/unistd.h
index 5bc7f798..d89e3d4c 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -161,6 +161,9 @@ unsigned ualarm(unsigned, unsigned);
 #define L_INCR 1
 #define L_XTND 2
 int brk(void *);
+#define CLOSE_RANGE_UNSHARE	(1U << 1)
+#define CLOSE_RANGE_CLOEXEC	(1U << 2)
+int close_range(unsigned int, unsigned int, int);
 void *sbrk(intptr_t);
 pid_t vfork(void);
 int vhangup(void);
diff --git a/src/linux/close_range.c b/src/linux/close_range.c
new file mode 100644
index 00000000..258ba8bd
--- /dev/null
+++ b/src/linux/close_range.c
@@ -0,0 +1,8 @@
+#define _GNU_SOURCE
+#include <unistd.h>
+#include "syscall.h"
+
+int close_range(unsigned int first, unsigned int last, int flags)
+{
+	return __syscall_ret(syscall(SYS_close_range, first, last, flags));
+}
-- 
2.42.0

Re: [musl] [PATCH] add close_range() syscall wrapper

[Rich Felker]

On Fri, Sep 01, 2023 at 10:02:00AM +0200, Natanael Copa wrote:
> close_range() is a syscall present in FreeBSD 8.0 and Linux 5.9. glibc
> 2.34 added a wrapper.
> 
> Expose it under _GNU_SOURCE similar to what GNU libc does. Also expose
> it under _BSD_SOURCE since it is also a FreeBSD function.
> ---
> 
> This is a re-take of close_range() syscall wrapper. It was previously
> discussed in mailing list: https://www.openwall.com/lists/musl/2022/08/18/5
> 
> Difference from previous submission:
> 
> - Use correct values for CLOSE_RANGE_UNSHARE and CLOSE_RANGE_CLOEXEC.
> - Set errno on errors.
> - Drop the (unsigned int) cast for flags, as it raised questions last
>   time.
> 
> I think it is a good idea to add this to musl because it is difficult to
> the close before exec properly without it. 
> 
> Most workaounrds currently out there are either parsing /proc or try to
> close everything to maxfd reported by getrlimit(), sysconf() or
> getdtablesize().
> 
> opendir("/proc/self/fd") is problematic becase 1) /proc may not be
> mounted and 2) some versions of musl hangs on malloc between fork and 
> exec.
> 
> Trying to close everything between a maxfd is also problematic. On some
> systems (under docker for example) the maxfd can be 1G, which
> effectively results in a hang. (See https://github.com/k0sproject/k0s/pull/3436)
> 
> I think its better to encourage the use of close_range().
> 
> See also: https://github.com/OpenRC/openrc/pull/645
> 
>  include/unistd.h        | 3 +++
>  src/linux/close_range.c | 8 ++++++++
>  2 files changed, 11 insertions(+)
>  create mode 100644 src/linux/close_range.c
> 
> diff --git a/include/unistd.h b/include/unistd.h
> index 5bc7f798..d89e3d4c 100644
> --- a/include/unistd.h
> +++ b/include/unistd.h
> @@ -161,6 +161,9 @@ unsigned ualarm(unsigned, unsigned);
>  #define L_INCR 1
>  #define L_XTND 2
>  int brk(void *);
> +#define CLOSE_RANGE_UNSHARE	(1U << 1)
> +#define CLOSE_RANGE_CLOEXEC	(1U << 2)
> +int close_range(unsigned int, unsigned int, int);
>  void *sbrk(intptr_t);
>  pid_t vfork(void);
>  int vhangup(void);
> diff --git a/src/linux/close_range.c b/src/linux/close_range.c
> new file mode 100644
> index 00000000..258ba8bd
> --- /dev/null
> +++ b/src/linux/close_range.c
> @@ -0,0 +1,8 @@
> +#define _GNU_SOURCE
> +#include <unistd.h>
> +#include "syscall.h"
> +
> +int close_range(unsigned int first, unsigned int last, int flags)
> +{
> +	return __syscall_ret(syscall(SYS_close_range, first, last, flags));
> +}
> -- 
> 2.42.0

This is double-processing errno. You need either return
__syscall_ret(__syscall(...)) (note the second __) or just return
syscall(...) (the syscall macro without __ automatically does the
__syscall_ret).

Aside from that, I think there's a question whether, if we support
this as a function rather than leaving it to the application to use
the syscall, we should provide a fallback for ENOSYS. I'm not sure,
but it's something that should be considered before adding it.

Rich

Re: [musl] [PATCH] add close_range() syscall wrapper

[Natanael Copa]

On Fri, 1 Sep 2023 09:57:34 -0400
Rich Felker <dalias@libc.org> wrote:


> > +int close_range(unsigned int first, unsigned int last, int flags)
> > +{
> > +	return __syscall_ret(syscall(SYS_close_range, first, last, flags));
> > +}
> > -- 
> > 2.42.0  
> 
> This is double-processing errno. You need either return
> __syscall_ret(__syscall(...)) (note the second __) or just return
> syscall(...) (the syscall macro without __ automatically does the
> __syscall_ret).

Ah, ok, I'll send a v2 patch.

> Aside from that, I think there's a question whether, if we support
> this as a function rather than leaving it to the application to use
> the syscall, we should provide a fallback for ENOSYS. I'm not sure,
> but it's something that should be considered before adding it.

It was mentioned earlier that CPython expects close_range() to
async-safe, and that glibc does not provide fallback. I would prefer
that musl does not provide fallback.

https://www.openwall.com/lists/musl/2022/08/18/4

-nc

[musl] [PATCH v2] add close_range() syscall wrapper

[Natanael Copa]

close_range() is a syscall present in FreeBSD 8.0 and Linux 5.9. glibc
2.34 added a wrapper.

Expose it under _GNU_SOURCE similar to what GNU libc does. Also expose
it under _BSD_SOURCE since it is also a FreeBSD function.
---

v2: use syscall without __syscall_ret

 include/unistd.h        | 3 +++
 src/linux/close_range.c | 8 ++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 src/linux/close_range.c

diff --git a/include/unistd.h b/include/unistd.h
index 5bc7f798..d89e3d4c 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -161,6 +161,9 @@ unsigned ualarm(unsigned, unsigned);
 #define L_INCR 1
 #define L_XTND 2
 int brk(void *);
+#define CLOSE_RANGE_UNSHARE	(1U << 1)
+#define CLOSE_RANGE_CLOEXEC	(1U << 2)
+int close_range(unsigned int, unsigned int, int);
 void *sbrk(intptr_t);
 pid_t vfork(void);
 int vhangup(void);
diff --git a/src/linux/close_range.c b/src/linux/close_range.c
new file mode 100644
index 00000000..3f1378a0
--- /dev/null
+++ b/src/linux/close_range.c
@@ -0,0 +1,8 @@
+#define _GNU_SOURCE
+#include <unistd.h>
+#include "syscall.h"
+
+int close_range(unsigned int first, unsigned int last, int flags)
+{
+	return syscall(SYS_close_range, first, last, flags);
+}
-- 
2.42.0

Re: [musl] [PATCH] add close_range() syscall wrapper

[Rich Felker]

On Fri, Sep 01, 2023 at 04:55:53PM +0200, Natanael Copa wrote:
> On Fri, 1 Sep 2023 09:57:34 -0400
> Rich Felker <dalias@libc.org> wrote:
> 
> 
> > > +int close_range(unsigned int first, unsigned int last, int flags)
> > > +{
> > > +	return __syscall_ret(syscall(SYS_close_range, first, last, flags));
> > > +}
> > > -- 
> > > 2.42.0  
> > 
> > This is double-processing errno. You need either return
> > __syscall_ret(__syscall(...)) (note the second __) or just return
> > syscall(...) (the syscall macro without __ automatically does the
> > __syscall_ret).
> 
> Ah, ok, I'll send a v2 patch.
> 
> > Aside from that, I think there's a question whether, if we support
> > this as a function rather than leaving it to the application to use
> > the syscall, we should provide a fallback for ENOSYS. I'm not sure,
> > but it's something that should be considered before adding it.
> 
> It was mentioned earlier that CPython expects close_range() to
> async-safe, and that glibc does not provide fallback. I would prefer
> that musl does not provide fallback.
> 
> https://www.openwall.com/lists/musl/2022/08/18/4

If musl were to provide a fallback it would be AS-safe.

Rich

Re: [musl] [PATCH] add close_range() syscall wrapper

[Alexey Izbyshev]

On 2022-08-18 17:42, James Y Knight wrote:
> On Thu, Aug 18, 2022 at 6:40 AM Alexey Izbyshev <izbyshev@ispras.ru>
> wrote:
> 
>> Glibc doesn't implement a fallback and explicitly says it in the
>> manual.
>> Using a different implementation in musl seems undesirable.
> 
> True. I would note, however, that glibc also implements another
> function "closefrom", which first calls close_range, and if it fails,
> falls back to iterating /proc/self/fd.

Yes, but glibc's closefrom() *aborts* if there is no /proc, so it's not 
suitable for all use cases (and would not be suitable for CPython's 
subprocess or "os.closerange()", for instance).

Alexey

Re: [musl] [PATCH] add close_range() syscall wrapper

[James Y Knight]

[-- Attachment #1: Type: text/plain, Size: 389 bytes --]

On Thu, Aug 18, 2022 at 6:40 AM Alexey Izbyshev <izbyshev@ispras.ru> wrote:

> Glibc doesn't implement a fallback and explicitly says it in the manual.
> Using a different implementation in musl seems undesirable.


True. I would note, however, that glibc also implements another function
"closefrom", which first calls close_range, and if it fails, falls back to
iterating /proc/self/fd.

[-- Attachment #2: Type: text/html, Size: 687 bytes --]

Re: [musl] [PATCH] add close_range() syscall wrapper

[Guilherme Janczak]

Please let me know if you need any changes, thanks.

On Wed, Aug 17, 2022 at 08:35:32PM -0400, Rich Felker wrote:
> On Wed, Aug 10, 2022 at 01:03:11PM +0000, Guilherme Janczak wrote:
> > close_range() is a syscall present in FreeBSD 8.0 and Linux 5.9. glibc
> > 2.34 added a wrapper.
> > ---
>
> The existence of this operation has been controversial, and it's
> arguable that it should be excluded by policy not to support UB (it's
> UB to close fds you don't own that might be used internally by the
> implementation) though I'm not sure it really helps since folks who
> want to use it will just make the syscall directly. We should probably
> at least consider it for inclusion.
>

The Linux pull request has more information on the syscall:
https://lkml.iu.edu/hypermail/linux/kernel/2008.0/02649.html

The situation right now is that everyone who wants to do this has their
own fallback:
https://github.com/FreeRADIUS/freeradius-server/blob/a8f7670a15b0d135e82d7029ad8202403b88e3f3/src/lib/server/exec.c#L312
https://github.com/openssh/openssh-portable/blob/715c892f0a5295b391ae92c26ef4d6a86ea96e8e/openbsd-compat/bsd-closefrom.c#L123-L134
https://gitlab.freedesktop.org/dbus/dbus/-/blob/7e0c51d8000a467a153700420a35a18d1b580c51/NEWS#L49-L50

I myself have been writing my own this past week. One thing I noticed is
that they all suffer from subtle bugs. For instance, usually the last
fallback is calling getrlimit() or sysconf() and closing everything
between the desired number and the maximum reported by either function
as done by libbsd:
https://cgit.freedesktop.org/libbsd/tree/src/closefrom.c#n78
However, POSIX allows having a fd numbered above that limit. Here's a
test program:

```
#define _POSIX_C_SOURCE 200809L

#include <sys/resource.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main(void)
{
	struct rlimit rl;
	int fd;

	getrlimit(RLIMIT_NOFILE, &rl);
	if (rl.rlim_cur == RLIM_INFINITY)
		rl.rlim_cur = 20;

	if ((fd = dup2(STDOUT_FILENO, rl.rlim_cur+1)) == -1) {
		if (errno != EBADF) {
			perror(NULL);
			return 1;
		}

		printf(
		    "Failed to open file descriptor %d because it's over the\n"
		    "default RLIM_NOFILE limit of %d.\n", (int)rl.rlim_cur+1,
		    (int)rl.rlim_cur);
		if ((fd = dup2(STDOUT_FILENO, rl.rlim_cur-1)) == -1) {
			perror(NULL);
			return 1;
		}
	}

	rl.rlim_max = rl.rlim_cur /= 2;
	if (setrlimit(RLIMIT_NOFILE, &rl) == -1) {
		fputs("failed to set the open file descriptor limit below"
		    " the highest open fd\n", stderr);
		perror(NULL);
		return 1;
	} else {
		printf(
		    "I have fd %d open and I've reduced the fd limit.\n"
		    "getrlimit() says the hard limit on open fds is %d.\n"
		    "sysconf(_SC_OPEN_MAX) reports a limit of %ld.\n", fd,
		    (int)rl.rlim_max, sysconf(_SC_OPEN_MAX));
	}
}
```

Alpine Linux (musl) and Hyperbola Linux (glibc) give the same output:
Failed to open file descriptor 1025 because it's over the
default RLIM_NOFILE limit of 1024.
I have fd 1023 open and I've reduced the fd limit.
getrlimit() says the hard limit on open fds is 512.
sysconf(_SC_OPEN_MAX) reports a limit of 512.

That bug can only be fixed by guaranteeing this last fallback is not
reached.

> >  include/unistd.h        | 3 +++
> >  src/linux/close_range.c | 8 ++++++++
> >  2 files changed, 11 insertions(+)
> >  create mode 100644 src/linux/close_range.c
> >
> > diff --git a/include/unistd.h b/include/unistd.h
> > index 80be3b26..e4b8cbb1 100644
> > --- a/include/unistd.h
> > +++ b/include/unistd.h
> > @@ -161,6 +161,9 @@ unsigned ualarm(unsigned, unsigned);
> >  #define L_INCR 1
> >  #define L_XTND 2
> >  int brk(void *);
> > +#define CLOSE_RANGE_UNSHARE 0x01
> > +#define CLOSE_RANGE_CLOEXEC 0x02
> > +int close_range(unsigned int, unsigned int, int);
> >  void *sbrk(intptr_t);
> >  pid_t vfork(void);
> >  int vhangup(void);
> > diff --git a/src/linux/close_range.c b/src/linux/close_range.c
> > new file mode 100644
> > index 00000000..4c5cd68c
> > --- /dev/null
> > +++ b/src/linux/close_range.c
> > @@ -0,0 +1,8 @@
> > +#define _GNU_SOURCE
>
> This should probably be _BSD_SOURCE if it's exposed under _BSD_SOURCE.

glibc exposes it under _GNU_SOURCE:
https://sourceware.org/git/?p=glibc.git;a=blob;f=posix/unistd.h;h=764d914cea1d22ed1a9d0d60b00d9c97f4560a0f;hb=HEAD#l1202

It might be more correct to expose it under both because it's also a
FreeBSD function, I was just thinking about doing the same thing as
glibc here.

>
> > +#include <unistd.h>
> > +#include "syscall.h"
> > +
> > +int close_range(unsigned int first, unsigned int last, int flags)
> > +{
> > +	return syscall(SYS_close_range, first, last, (unsigned int)flags);
> > +}
> > --
> > 2.35.1
>
> Can you elaborate on what the cast to unsigned is for?
>
> Rich

The Linux syscall wants the flags parameter to be unsigned int, but the
libc function uses int. syscall() would pun it and that's the same
thing as a cast, but it seemed to make sense to show it's intentional.

Re: [musl] [PATCH] add close_range() syscall wrapper

[Alexey Izbyshev]

On 2022-08-18 13:11, Érico Nogueira wrote:
> On Wed Aug 17, 2022 at 9:35 PM -03, Rich Felker wrote:
>> On Wed, Aug 10, 2022 at 01:03:11PM +0000, Guilherme Janczak wrote:
>> > close_range() is a syscall present in FreeBSD 8.0 and Linux 5.9. glibc
>> > 2.34 added a wrapper.
>> > ---
>> 
>> The existence of this operation has been controversial, and it's
>> arguable that it should be excluded by policy not to support UB (it's
>> UB to close fds you don't own that might be used internally by the
>> implementation) though I'm not sure it really helps since folks who
>> want to use it will just make the syscall directly. We should probably
>> at least consider it for inclusion.
> 
> I remember an idea to implement fallback logic, in case the syscall is
> unavailable, had been mentioned. It would then avoid whatever fallback
> code the application tried to implement, which might not be as 
> relevant,
> now that opendir() can be called in a forked child. And I don't know if
> there's interest in implementing anything more complex at all.
> 
Glibc doesn't implement a fallback and explicitly says it in the manual. 
Using a different implementation in musl seems undesirable.

Note that CPython since 3.10 can use close_range() in fork/vfork child 
for subprocess.Popen(close_fds=True) (which is the default), so it 
expects close_range() to be async-signal-safe.

Alexey

Re: [musl] [PATCH] add close_range() syscall wrapper

[Érico Nogueira]

On Wed Aug 17, 2022 at 9:35 PM -03, Rich Felker wrote:
> On Wed, Aug 10, 2022 at 01:03:11PM +0000, Guilherme Janczak wrote:
> > close_range() is a syscall present in FreeBSD 8.0 and Linux 5.9. glibc
> > 2.34 added a wrapper.
> > ---
>
> The existence of this operation has been controversial, and it's
> arguable that it should be excluded by policy not to support UB (it's
> UB to close fds you don't own that might be used internally by the
> implementation) though I'm not sure it really helps since folks who
> want to use it will just make the syscall directly. We should probably
> at least consider it for inclusion.

I remember an idea to implement fallback logic, in case the syscall is
unavailable, had been mentioned. It would then avoid whatever fallback
code the application tried to implement, which might not be as relevant,
now that opendir() can be called in a forked child. And I don't know if
there's interest in implementing anything more complex at all.

>
>
> >  include/unistd.h        | 3 +++
> >  src/linux/close_range.c | 8 ++++++++
> >  2 files changed, 11 insertions(+)
> >  create mode 100644 src/linux/close_range.c
> > 
> > diff --git a/include/unistd.h b/include/unistd.h
> > index 80be3b26..e4b8cbb1 100644
> > --- a/include/unistd.h
> > +++ b/include/unistd.h
> > @@ -161,6 +161,9 @@ unsigned ualarm(unsigned, unsigned);
> >  #define L_INCR 1
> >  #define L_XTND 2
> >  int brk(void *);
> > +#define CLOSE_RANGE_UNSHARE 0x01
> > +#define CLOSE_RANGE_CLOEXEC 0x02
> > +int close_range(unsigned int, unsigned int, int);
> >  void *sbrk(intptr_t);
> >  pid_t vfork(void);
> >  int vhangup(void);
> > diff --git a/src/linux/close_range.c b/src/linux/close_range.c
> > new file mode 100644
> > index 00000000..4c5cd68c
> > --- /dev/null
> > +++ b/src/linux/close_range.c
> > @@ -0,0 +1,8 @@
> > +#define _GNU_SOURCE
>
> This should probably be _BSD_SOURCE if it's exposed under _BSD_SOURCE.
>
> > +#include <unistd.h>
> > +#include "syscall.h"
> > +
> > +int close_range(unsigned int first, unsigned int last, int flags)
> > +{
> > +	return syscall(SYS_close_range, first, last, (unsigned int)flags);
> > +}
> > -- 
> > 2.35.1
>
> Can you elaborate on what the cast to unsigned is for?
>
> Rich

Re: [musl] [PATCH] add close_range() syscall wrapper

[Rich Felker]

On Wed, Aug 10, 2022 at 01:03:11PM +0000, Guilherme Janczak wrote:
> close_range() is a syscall present in FreeBSD 8.0 and Linux 5.9. glibc
> 2.34 added a wrapper.
> ---

The existence of this operation has been controversial, and it's
arguable that it should be excluded by policy not to support UB (it's
UB to close fds you don't own that might be used internally by the
implementation) though I'm not sure it really helps since folks who
want to use it will just make the syscall directly. We should probably
at least consider it for inclusion.


>  include/unistd.h        | 3 +++
>  src/linux/close_range.c | 8 ++++++++
>  2 files changed, 11 insertions(+)
>  create mode 100644 src/linux/close_range.c
> 
> diff --git a/include/unistd.h b/include/unistd.h
> index 80be3b26..e4b8cbb1 100644
> --- a/include/unistd.h
> +++ b/include/unistd.h
> @@ -161,6 +161,9 @@ unsigned ualarm(unsigned, unsigned);
>  #define L_INCR 1
>  #define L_XTND 2
>  int brk(void *);
> +#define CLOSE_RANGE_UNSHARE 0x01
> +#define CLOSE_RANGE_CLOEXEC 0x02
> +int close_range(unsigned int, unsigned int, int);
>  void *sbrk(intptr_t);
>  pid_t vfork(void);
>  int vhangup(void);
> diff --git a/src/linux/close_range.c b/src/linux/close_range.c
> new file mode 100644
> index 00000000..4c5cd68c
> --- /dev/null
> +++ b/src/linux/close_range.c
> @@ -0,0 +1,8 @@
> +#define _GNU_SOURCE

This should probably be _BSD_SOURCE if it's exposed under _BSD_SOURCE.

> +#include <unistd.h>
> +#include "syscall.h"
> +
> +int close_range(unsigned int first, unsigned int last, int flags)
> +{
> +	return syscall(SYS_close_range, first, last, (unsigned int)flags);
> +}
> -- 
> 2.35.1

Can you elaborate on what the cast to unsigned is for?

Rich

[musl] [PATCH] add close_range() syscall wrapper

[Guilherme Janczak]

close_range() is a syscall present in FreeBSD 8.0 and Linux 5.9. glibc
2.34 added a wrapper.
---
 include/unistd.h        | 3 +++
 src/linux/close_range.c | 8 ++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 src/linux/close_range.c

diff --git a/include/unistd.h b/include/unistd.h
index 80be3b26..e4b8cbb1 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -161,6 +161,9 @@ unsigned ualarm(unsigned, unsigned);
 #define L_INCR 1
 #define L_XTND 2
 int brk(void *);
+#define CLOSE_RANGE_UNSHARE 0x01
+#define CLOSE_RANGE_CLOEXEC 0x02
+int close_range(unsigned int, unsigned int, int);
 void *sbrk(intptr_t);
 pid_t vfork(void);
 int vhangup(void);
diff --git a/src/linux/close_range.c b/src/linux/close_range.c
new file mode 100644
index 00000000..4c5cd68c
--- /dev/null
+++ b/src/linux/close_range.c
@@ -0,0 +1,8 @@
+#define _GNU_SOURCE
+#include <unistd.h>
+#include "syscall.h"
+
+int close_range(unsigned int first, unsigned int last, int flags)
+{
+	return syscall(SYS_close_range, first, last, (unsigned int)flags);
+}
-- 
2.35.1