pathrs-lite: move Reopen impl to internal/procfs

cyphar · cyphar · commit 2a0e2b69cd9a · 2025-09-15T18:57:36.000+10:00
This lets us make CheckSubpathOvermount a private function again and
lets us clean up the user-facing API a little bit.

Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/pathrs-lite/internal/procfs/procfs_linux.go b/pathrs-lite/internal/procfs/procfs_linux.go
@@ -394,9 +394,9 @@ func (proc *Handle) OpenPid(pid int, subpath string) (*os.File, error) {
 	return proc.OpenRoot(strconv.Itoa(pid) + "/" + subpath)
 }
 
-// CheckSubpathOvermount checks if the dirfd and path combination is on the
+// checkSubpathOvermount checks if the dirfd and path combination is on the
 // same mount as the given root.
-func CheckSubpathOvermount(root, dir fd.Fd, path string) error {
+func checkSubpathOvermount(root, dir fd.Fd, path string) error {
 	// Get the mntID of our procfs handle.
 	expectedMountID, err := fd.GetMountID(root, "")
 	if err != nil {
@@ -442,7 +442,7 @@ func (proc *Handle) Readlink(base procfsBase, subpath string) (string, error) {
 	//
 	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
 	// onto targets that reside on shared mounts").
-	if err := CheckSubpathOvermount(proc.Inner, link, ""); err != nil {
+	if err := checkSubpathOvermount(proc.Inner, link, ""); err != nil {
 		return "", fmt.Errorf("check safety of %s/%s magiclink: %w", base, subpath, err)
 	}
 
@@ -483,6 +483,52 @@ func CheckProcSelfFdPath(path string, file fd.Fd) error {
 	return nil
 }
 
+// ReopenFd takes an existing file descriptor and "re-opens" it through
+// /proc/thread-self/fd/<fd>. This allows for O_PATH file descriptors to be
+// upgraded to regular file descriptors, as well as changing the open mode of a
+// regular file descriptor. Some filesystems have unique handling of open(2)
+// which make this incredibly useful (such as /dev/ptmx).
+func ReopenFd(handle fd.Fd, flags int) (*os.File, error) {
+	procRoot, err := OpenProcRoot() // subset=pid
+	if err != nil {
+		return nil, err
+	}
+	defer procRoot.Close() //nolint:errcheck // close failures aren't critical here
+
+	// We can't operate on /proc/thread-self/fd/$n directly when doing a
+	// re-open, so we need to open /proc/thread-self/fd and then open a single
+	// final component.
+	procFdDir, closer, err := procRoot.OpenThreadSelf("fd/")
+	if err != nil {
+		return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
+	}
+	defer procFdDir.Close() //nolint:errcheck // close failures aren't critical here
+	defer closer()
+
+	// Try to detect if there is a mount on top of the magic-link we are about
+	// to open. If we are using unsafeHostProcRoot(), this could change after
+	// we check it (and there's nothing we can do about that) but for
+	// privateProcRoot() this should be guaranteed to be safe (at least since
+	// Linux 5.12[1], when anonymous mount namespaces were completely isolated
+	// from external mounts including mount propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	fdStr := strconv.Itoa(int(handle.Fd()))
+	if err := checkSubpathOvermount(procRoot.Inner, procFdDir, fdStr); err != nil {
+		return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
+	}
+
+	flags |= unix.O_CLOEXEC
+	// Rather than just wrapping fd.Openat, open-code it so we can copy
+	// handle.Name().
+	reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
+	if err != nil {
+		return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
+	}
+	return os.NewFile(uintptr(reopenFd), handle.Name()), nil
+}
+
 // Test hooks used in the procfs tests to verify that the fallback logic works.
 // See testing_mocks_linux_test.go and procfs_linux_test.go for more details.
 var (
diff --git a/pathrs-lite/internal/procfs/procfs_linux_test.go b/pathrs-lite/internal/procfs/procfs_linux_test.go
@@ -169,14 +169,14 @@ func testProcOvermountSubdir(t *testing.T, procRootFn procRootFunc, expectOvermo
 		defer procExe.Close() //nolint:errcheck // test code
 
 		// no overmount
-		err = CheckSubpathOvermount(procRoot.Inner, procCwd, "")
+		err = checkSubpathOvermount(procRoot.Inner, procCwd, "")
 		assert.NoError(t, err, "checking /proc/self/cwd with no overmount should succeed") //nolint:testifylint // this is an isolated operation so we can continue despite an error
-		err = CheckSubpathOvermount(procRoot.Inner, procSelf, "cwd")
+		err = checkSubpathOvermount(procRoot.Inner, procSelf, "cwd")
 		assert.NoError(t, err, "checking /proc/self/cwd with no overmount should succeed") //nolint:testifylint // this is an isolated operation so we can continue despite an error
 		// basic overmount
-		err = CheckSubpathOvermount(procRoot.Inner, procExe, "")
+		err = checkSubpathOvermount(procRoot.Inner, procExe, "")
 		assert.ErrorIs(t, err, symlinkOvermountErr, "unexpected /proc/self/exe overmount result") //nolint:testifylint // this is an isolated operation so we can continue despite an error
-		err = CheckSubpathOvermount(procRoot.Inner, procSelf, "exe")
+		err = checkSubpathOvermount(procRoot.Inner, procSelf, "exe")
 		assert.ErrorIs(t, err, symlinkOvermountErr, "unexpected /proc/self/exe overmount result") //nolint:testifylint // this is an isolated operation so we can continue despite an error
 
 		// fd no overmount
diff --git a/pathrs-lite/internal/procfs/procfs_lookup_linux.go b/pathrs-lite/internal/procfs/procfs_lookup_linux.go
@@ -164,7 +164,7 @@ func procfsLookupInRoot(procRoot fd.Fd, unsafePath string) (Handle *os.File, _ e
 			_ = nextDir.Close()
 			return nil, fmt.Errorf("check %q component is on procfs: %w", part, err)
 		}
-		if err := CheckSubpathOvermount(procRoot, nextDir, ""); err != nil {
+		if err := checkSubpathOvermount(procRoot, nextDir, ""); err != nil {
 			_ = nextDir.Close()
 			return nil, fmt.Errorf("check %q component is not overmounted: %w", part, err)
 		}
@@ -215,7 +215,7 @@ func procfsLookupInRoot(procRoot fd.Fd, unsafePath string) (Handle *os.File, _ e
 	if err := verifyProcHandle(currentDir); err != nil {
 		return nil, fmt.Errorf("check final handle is on procfs: %w", err)
 	}
-	if err := CheckSubpathOvermount(procRoot, currentDir, ""); err != nil {
+	if err := checkSubpathOvermount(procRoot, currentDir, ""); err != nil {
 		return nil, fmt.Errorf("check final handle is not overmounted: %w", err)
 	}
 	return currentDir, nil
diff --git a/pathrs-lite/open_linux.go b/pathrs-lite/open_linux.go
@@ -12,9 +12,7 @@
 package pathrs
 
 import (
-	"fmt"
 	"os"
-	"strconv"
 
 	"golang.org/x/sys/unix"
 
@@ -72,42 +70,5 @@ func OpenInRoot(root, unsafePath string) (*os.File, error) {
 //
 // [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
 func Reopen(handle *os.File, flags int) (*os.File, error) {
-	procRoot, err := procfs.OpenProcRoot() // subset=pid
-	if err != nil {
-		return nil, err
-	}
-	defer procRoot.Close() //nolint:errcheck // close failures aren't critical here
-
-	// We can't operate on /proc/thread-self/fd/$n directly when doing a
-	// re-open, so we need to open /proc/thread-self/fd and then open a single
-	// final component.
-	procFdDir, closer, err := procRoot.OpenThreadSelf("fd/")
-	if err != nil {
-		return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
-	}
-	defer procFdDir.Close() //nolint:errcheck // close failures aren't critical here
-	defer closer()
-
-	// Try to detect if there is a mount on top of the magic-link we are about
-	// to open. If we are using unsafeHostProcRoot(), this could change after
-	// we check it (and there's nothing we can do about that) but for
-	// privateProcRoot() this should be guaranteed to be safe (at least since
-	// Linux 5.12[1], when anonymous mount namespaces were completely isolated
-	// from external mounts including mount propagation events).
-	//
-	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
-	// onto targets that reside on shared mounts").
-	fdStr := strconv.Itoa(int(handle.Fd()))
-	if err := procfs.CheckSubpathOvermount(procRoot.Inner, procFdDir, fdStr); err != nil {
-		return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
-	}
-
-	flags |= unix.O_CLOEXEC
-	// Rather than just wrapping fd.Openat, open-code it so we can copy
-	// handle.Name().
-	reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
-	if err != nil {
-		return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
-	}
-	return os.NewFile(uintptr(reopenFd), handle.Name()), nil
+	return procfs.ReopenFd(handle, flags)
 }

Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,7 @@ func procfsLookupInRoot(procRoot fd.Fd, unsafePath string) (Handle *os.File, _ e`
`164`	`164`	`_ = nextDir.Close()`
`165`	`165`	`return nil, fmt.Errorf("check %q component is on procfs: %w", part, err)`
`166`	`166`	`}`
`167`		`- if err := CheckSubpathOvermount(procRoot, nextDir, ""); err != nil {`
	`167`	`+ if err := checkSubpathOvermount(procRoot, nextDir, ""); err != nil {`
`168`	`168`	`_ = nextDir.Close()`
`169`	`169`	`return nil, fmt.Errorf("check %q component is not overmounted: %w", part, err)`
`170`	`170`	`}`
`@@ -215,7 +215,7 @@ func procfsLookupInRoot(procRoot fd.Fd, unsafePath string) (Handle *os.File, _ e`
`215`	`215`	`if err := verifyProcHandle(currentDir); err != nil {`
`216`	`216`	`return nil, fmt.Errorf("check final handle is on procfs: %w", err)`
`217`	`217`	`}`
`218`		`- if err := CheckSubpathOvermount(procRoot, currentDir, ""); err != nil {`
	`218`	`+ if err := checkSubpathOvermount(procRoot, currentDir, ""); err != nil {`
`219`	`219`	`return nil, fmt.Errorf("check final handle is not overmounted: %w", err)`
`220`	`220`	`}`
`221`	`221`	`return currentDir, nil`