Check that the sandbox process does not have open directory FDs.

This is important because with directfs, the sandbox process can now make openat(2) calls. We want to ensure we didn't leak any host filesystem file descriptor which could be used by a compromised sentry to potentially escape. PiperOrigin-RevId: 537123941

Author: ayushr2

runsc/cmd/boot.go

@@ -20,8 +20,10 @@ import (
 "io/ioutil"
 "os"
 "os/exec"
+"path/filepath"
 "runtime"
 "runtime/debug"
+"strconv"
 "strings"
 
 "github.com/google/subcommands"
@@ -419,6 +421,8 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomma
 
 ifb.procMountSyncFD!=-1 {
 l.PreSeccompCallback=func() {
+// Call validateOpenFDs() before umounting /proc.
+validateOpenFDs(bootArgs.PassFDs)
 // Umount /proc right before installing seccomp filters.
 umountProc(b.procMountSyncFD)
  }
@@ -525,3 +529,50 @@ func umountProc(syncFD int) {
 util.Fatalf("/proc is still accessible")
  }
 }
+
+// validateOpenFDs checks that the sandbox process does not have any open
+// directory FDs.
+funcvalidateOpenFDs(passFDs []boot.FDMapping) {
+passHostFDs:=make(map[int]struct{})
+for_, passFD:=rangepassFDs {
+passHostFDs[passFD.Host] =struct{}{}
+ }
+constselfFDDir="/proc/self/fd"
+iferr:=filepath.WalkDir(selfFDDir, func(pathstring, d os.DirEntry, errerror) error {
+iferr!=nil {
+returnerr
+ }
+ifd.Type() !=os.ModeSymlink {
+// All entries are symlinks. Ignore the callback for fd directory itself.
+returnnil
+ }
+iffdInfo, err:=os.Stat(path); err!=nil {
+ifos.IsNotExist(err) {
+// Ignore FDs that are now closed. For example, the FD to selfFDDir that
+// was opened by filepath.WalkDir() to read dirents.
+returnnil
+ }
+returnfmt.Errorf("os.Stat(%s) failed: %v", path, err)
+ } elseif!fdInfo.IsDir() {
+returnnil
+ }
+// Uh-oh. This is a directory FD.
+fdNo, err:=strconv.Atoi(d.Name())
+iferr!=nil {
+returnfmt.Errorf("strconv.Atoi(%s) failed: %v", d.Name(), err)
+ }
+dirLink, err:=os.Readlink(path)
+iferr!=nil {
+returnfmt.Errorf("os.Readlink(%s) failed: %v", path, err)
+ }
+if_, ok:=passHostFDs[fdNo]; ok {
+// Passed FDs are allowed to be directories. The user must be knowing
+// what they are doing. Log a warning regardless.
+log.Warningf("Sandbox has access to FD %d, which is a directory for %s", fdNo, dirLink)
+returnnil
+ }
+returnfmt.Errorf("FD %d is a directory for %s", fdNo, dirLink)
+ }); err!=nil {
+util.Fatalf("WalkDir(%s) failed: %v", selfFDDir, err)
+ }
+}