Improve robustness of sanitize_process()

The previous approach was to iterate through the known attached file
descriptors, we now instead iterate through and attempt to close all
possible attached file descriptors. This offers a more robust
and safe implementation.

This fixes a bug which arises in Rust versions >=1.65.0 from a file
descriptor being closed twice.

Signed-off-by: Jonathan Woollett-Light <[email protected]>

Author: Jonathan Woollett-Light

src/jailer/src/main.rs

@@ -354,16 +354,13 @@ pub fn readln_special<T: AsRef<Path>>(file_path: &T) -> Result<String> {
 fn sanitize_process() {
     // First thing to do is make sure we don't keep any inherited FDs
     // other that IN, OUT and ERR.
-    if let Ok(mut paths) = fs::read_dir("/proc/self/fd") {
-        while let Some(Ok(path)) = paths.next() {
-            let file_name = path.file_name();
-            let fd_str = file_name.to_str().unwrap_or("0");
-            let fd = fd_str.parse::<i32>().unwrap_or(0);
-
-            if fd > 2 {
-                // SAFETY: Safe because close() cannot fail when passed a valid parameter.
-                unsafe { libc::close(fd) };
-            }
+    // SAFETY: Always safe.
+    let fd_limit = i32::try_from(unsafe { libc::sysconf(libc::_SC_OPEN_MAX) }).unwrap();
+    // Close all file descriptors excluding 0 (STDIN), 1 (STDOUT) and 2 (STDERR).
+    for fd in 3..fd_limit {
+        // SAFETY: Safe because close() cannot fail when passed a valid parameter.
+        unsafe {
+            libc::close(fd);
         }
     }