From c7b2118b1d44cf41fd6babd3620e1b85c01ac72f Mon Sep 17 00:00:00 2001
From: Hwankyu Jhun <h.jhun@samsung.com>
Date: Wed, 20 Dec 2023 10:27:20 +0900
Subject: [PATCH] Except file descriptors from closing list

There is a smack issue by closing fds in the process-pool.
In launchpad-process-pool, when using dlog, create a file descriptor
with vlog_init().
 - When creating a process-pool, close all file descriptors except for
   the dlog fd (at this time, the vlog fd is closed).
 - When using the security-manager, attempt to output dlog. Attempt to write
   using the vlog fd by calling vlog_write(), but at this time, actually use
   the fd created by the security-manager.
 - This fd points to /sys/fs/smackfs.
 - SMACK error occurred.

Change-Id: I50b3f4860454f002dd550311bf48e7ef5a2916dc
Signed-off-by: Hwankyu Jhun <h.jhun@samsung.com>
---
 src/launchpad-process-pool/process_pool.cc | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/launchpad-process-pool/process_pool.cc b/src/launchpad-process-pool/process_pool.cc
index d91bc58..82456cc 100644
--- a/src/launchpad-process-pool/process_pool.cc
+++ b/src/launchpad-process-pool/process_pool.cc
@@ -19,6 +19,7 @@
 #include <dlog-redirect-stdout.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <linux/limits.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -40,7 +41,24 @@ namespace {
 
 constexpr const char kProcessPool[] = "process-pool";
 
-std::vector<int> GetDlogFds() {
+bool IsExceptable(const std::string& path) {
+  static char buf[PATH_MAX];
+  ssize_t len = readlink(path.c_str(), buf, sizeof(buf));
+  if (len < 0) {
+    _E("readlink() is failed. errno: %d", errno);
+    return false;
+  }
+
+  buf[len] = '\0';
+  if (strstr(buf, "log") != nullptr ||
+      strstr(buf, "trace") != nullptr ||
+      strstr(buf, "dev") != nullptr)
+    return true;
+
+  return false;
+}
+
+std::vector<int> GetExceptableFds() {
   std::vector<int> fds;
   try {
     fs::path proc_path("/proc/self/fd");
@@ -49,7 +67,7 @@ std::vector<int> GetDlogFds() {
         continue;
 
       int fd = std::stoi(entry.path().filename().string());
-      if (dlog_is_log_fd(fd))
+      if (dlog_is_log_fd(fd) || IsExceptable(entry.path().string()))
         fds.push_back(fd);
     }
   } catch (const fs::filesystem_error& e) {
@@ -136,7 +154,7 @@ void ProcessPool::OnExecution() {
   snprintf(args[0], length, "/usr/bin/%s <%s>", kProcessPool, name_.c_str());
 
   close(pipe_fd_[1]);
-  std::vector<int> except_fds = GetDlogFds();
+  std::vector<int> except_fds = GetExceptableFds();
   except_fds.push_back(pipe_fd_[0]);
   Util::CloseAllFds(except_fds);
   int ret = WaitForRequest(std::make_unique<Socket>(pipe_fd_[0]));
-- 
2.7.4