Merge pull request #3526 from DataDog/anilm3/appsec-fd-fixes

cataphract · web-flow · commit 14dc0a414a48 · 2025-12-11T11:01:34.000Z
[AAP] Minor fixes and improvements to file descriptor reclamation
diff --git a/appsec/.clang-tidy b/appsec/.clang-tidy
@@ -1,7 +1,7 @@
 ---
 # readability-function-cognitive-complexity temporarily disabled until clang-tidy is fixed
 # right now emalloc causes it to misbehave
-Checks:          '*,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-modernize-macro-to-enum,-misc-include-cleaner,-bugprone-empty-catch,-cppcoreguidelines-avoid-do-while,-hicpp-no-array-decay'
+Checks:          '*,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-modernize-macro-to-enum,-misc-include-cleaner,-bugprone-empty-catch,-cppcoreguidelines-avoid-do-while,-hicpp-no-array-decay,-llvmlibc-*'
 WarningsAsErrors: '*'
 HeaderFilterRegex: ''
 CheckOptions:
diff --git a/appsec/src/helper/main.cpp b/appsec/src/helper/main.cpp
@@ -80,6 +80,7 @@ bool ensure_unique(const std::string &lock_path)
     // If we fail to obtain the lock, for whichever reason, assume we can't
     // run for now.
     if (res == -1) {
+        ::close(fd);
         SPDLOG_INFO("Failed to get exclusive lock on file {}: errno {}",
             lock_path, errno);
         return false;
diff --git a/appsec/src/helper/network/acceptor.cpp b/appsec/src/helper/network/acceptor.cpp
@@ -21,10 +21,10 @@ using namespace std::chrono_literals;
 namespace dds::network::local {
 
 acceptor::acceptor(const std::string_view &sv)
-    // NOLINTNEXTLINE(android-cloexec-socket)
-    : sock_(::socket(AF_UNIX, SOCK_STREAM, 0))
 {
-    if (sock_ == -1) {
+    // NOLINTNEXTLINE(android-cloexec-socket,cppcoreguidelines-prefer-member-initializer)
+    sock_ = owned_fd{::socket(AF_UNIX, SOCK_STREAM, 0)};
+    if (sock_.is_empty()) {
         throw std::system_error(errno, std::generic_category());
     }
 
@@ -45,7 +45,8 @@ acceptor::acceptor(const std::string_view &sv)
 
     res =
         // NOLINTNEXTLINE
-        ::bind(sock_, reinterpret_cast<struct sockaddr *>(&addr), sizeof(addr));
+        ::bind(sock_.get(), reinterpret_cast<struct sockaddr *>(&addr),
+            sizeof(addr));
     if (res == -1) {
         SPDLOG_ERROR(
             "Failed to bind socket to {}: errno {}", addr.sun_path, errno);
@@ -60,7 +61,7 @@ acceptor::acceptor(const std::string_view &sv)
     }
 
     static constexpr int backlog = 50;
-    if (::listen(sock_, backlog) == -1) {
+    if (::listen(sock_.get(), backlog) == -1) {
         throw std::system_error(errno, std::generic_category());
     }
     SPDLOG_INFO("Started listening on {}", sv);
@@ -69,7 +70,8 @@ acceptor::acceptor(const std::string_view &sv)
 void acceptor::set_accept_timeout(std::chrono::seconds timeout)
 {
     struct timeval tv = {timeout.count(), 0};
-    int const res = setsockopt(sock_, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
+    int const res =
+        setsockopt(sock_.get(), SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
     if (res == -1) {
         throw std::system_error(errno, std::generic_category());
     }
@@ -80,8 +82,9 @@ std::unique_ptr<base_socket> acceptor::accept()
     struct sockaddr_un addr {};
     socklen_t len = sizeof(addr);
 
-    // NOLINTNEXTLINE
-    int s = ::accept(sock_, reinterpret_cast<struct sockaddr *>(&addr), &len);
+    int s =
+        // NOLINTNEXTLINE
+        ::accept(sock_.get(), reinterpret_cast<struct sockaddr *>(&addr), &len);
     if (s == -1) {
         if (errno == EINTR || errno == EAGAIN) {
             return {};
diff --git a/appsec/src/helper/network/acceptor.hpp b/appsec/src/helper/network/acceptor.hpp
@@ -5,6 +5,7 @@
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
+#include "../utils.hpp"
 #include "socket.hpp"
 #include <chrono>
 #include <string_view>
@@ -28,35 +29,16 @@ namespace local {
 
 class acceptor : public base_acceptor {
 public:
-    explicit acceptor(int fd) : sock_{fd} {};
+    explicit acceptor(owned_fd fd) : sock_{std::move(fd)} {};
     explicit acceptor(const std::string_view &sv);
     acceptor(const acceptor &) = delete;
     acceptor &operator=(const acceptor &) = delete;
 
-    acceptor(acceptor &&other) noexcept : sock_(other.sock_)
-    {
-        other.sock_ = -1;
-    }
-
-    acceptor &operator=(acceptor &&other) noexcept
-    {
-        sock_ = other.sock_;
-        other.sock_ = -1;
-        return *this;
-    }
-
-    ~acceptor() override
-    {
-        if (sock_ != -1) {
-            close(sock_);
-        }
-    }
-
     void set_accept_timeout(std::chrono::seconds timeout) override;
     [[nodiscard]] std::unique_ptr<base_socket> accept() override;
 
 private:
-    int sock_{-1};
+    owned_fd sock_;
 };
 
 } // namespace local
diff --git a/appsec/src/helper/runner.cpp b/appsec/src/helper/runner.cpp
@@ -44,7 +44,7 @@ std::unique_ptr<network::base_acceptor> acceptor_from_config(
             throw std::invalid_argument{
                 "fd specified on config is invalid or no socket"};
         }
-        return std::make_unique<network::local::acceptor>(fd);
+        return std::make_unique<network::local::acceptor>(dds::owned_fd{fd});
     }
 
     return std::make_unique<network::local::acceptor>(sock_path);
diff --git a/appsec/src/helper/utils.hpp b/appsec/src/helper/utils.hpp
@@ -65,4 +65,31 @@ inline std::string strerror_ts(int errnum)
     return buf;
 }
 
+class owned_fd {
+public:
+    owned_fd() = default;
+    explicit owned_fd(int fd) : fd_{fd} {}
+    owned_fd(const owned_fd &) = delete;
+    owned_fd &operator=(const owned_fd &) = delete;
+    owned_fd(owned_fd &&other) noexcept : fd_{other.fd_} { other.fd_ = -1; }
+    owned_fd &operator=(owned_fd &&other) noexcept
+    {
+        fd_ = other.fd_;
+        other.fd_ = -1;
+        return *this;
+    }
+    ~owned_fd()
+    {
+        if (fd_ != -1) {
+            ::close(fd_);
+        }
+    }
+
+    int get() const { return fd_; }
+    bool is_empty() const { return fd_ == -1; }
+
+private:
+    int fd_{-1};
+};
+
 } // namespace dds
diff --git a/appsec/src/helper/worker_pool.cpp b/appsec/src/helper/worker_pool.cpp
@@ -22,6 +22,10 @@ void work_handler(queue_consumer &&q, std::optional<runnable> &&opt_r)
         // NOLINTNEXTLINE(bugprone-unchecked-optional-access)
         opt_r.value()(q);
 
+        // Clear the optional to reclaim any "resources", such as file
+        // descriptors
+        opt_r.reset();
+
         opt_r = q.pop(consumer_timeout);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ std::unique_ptr<network::base_acceptor> acceptor_from_config(`
`44`	`44`	`throw std::invalid_argument{`
`45`	`45`	`"fd specified on config is invalid or no socket"};`
`46`	`46`	`}`
`47`		`- return std::make_unique<network::local::acceptor>(fd);`
	`47`	`+ return std::make_unique<network::local::acceptor>(dds::owned_fd{fd});`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`return std::make_unique<network::local::acceptor>(sock_path);`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,10 @@ void work_handler(queue_consumer &&q, std::optional<runnable> &&opt_r)`
`22`	`22`	`// NOLINTNEXTLINE(bugprone-unchecked-optional-access)`
`23`	`23`	`opt_r.value()(q);`
`24`	`24`
	`25`	`+ // Clear the optional to reclaim any "resources", such as file`
	`26`	`+ // descriptors`
	`27`	`+ opt_r.reset();`
	`28`	`+`
`25`	`29`	`opt_r = q.pop(consumer_timeout);`
`26`	`30`	`}`
`27`	`31`	`}`