Spawn seccomp_unotify handler thread after forking

Author: bjorn3

src/exec/mod.rs

@@ -82,15 +82,17 @@ pub fn run_command(
         command.arg0(OsStr::from_bytes(&process_name));
     }
 
-    if options.noexec {
-        #[cfg(target_os = "linux")]
-        noexec::add_noexec_filter(&mut command, &mut file_closer);
-
+    let spawn_noexec_handler = if options.noexec {
         #[cfg(not(target_os = "linux"))]
         return Err(io::Error::other(
             "NOEXEC is currently only supported on Linux",
         ));
-    }
+
+        #[cfg(target_os = "linux")]
+        Some(noexec::add_noexec_filter(&mut command, &mut file_closer))
+    } else {
+        None
+    };
 
     // Decide if the pwd should be changed. `--chdir` takes precedence over `-i`.
     let path = options
@@ -126,14 +128,20 @@ pub fn run_command(
 
     if options.use_pty {
         match UserTerm::open() {
-            Ok(user_tty) => exec_pty(sudo_pid, file_closer, command, user_tty),
+            Ok(user_tty) => exec_pty(
+                sudo_pid,
+                file_closer,
+                spawn_noexec_handler,
+                command,
+                user_tty,
+            ),
             Err(err) => {
                 dev_info!("Could not open user's terminal, not allocating a pty: {err}");
-                exec_no_pty(sudo_pid, file_closer, command)
+                exec_no_pty(sudo_pid, file_closer, spawn_noexec_handler, command)
             }
         }
     } else {
-        exec_no_pty(sudo_pid, file_closer, command)
+        exec_no_pty(sudo_pid, file_closer, spawn_noexec_handler, command)
     }
 }
 

src/exec/no_pty.rs

@@ -14,7 +14,7 @@ use crate::{
     },
 };
 use crate::{
-    exec::{exec_command, handle_sigchld, signal_fmt},
+    exec::{exec_command, handle_sigchld, noexec::SpawnNoexecHandler, signal_fmt},
     log::{dev_error, dev_info, dev_warn},
     system::{
         fork, getpgid, getpgrp,
@@ -29,6 +29,7 @@ use crate::{
 pub(super) fn exec_no_pty(
     sudo_pid: ProcessId,
     mut file_closer: FileCloser,
+    spawn_noexec_handler: Option<SpawnNoexecHandler>,
     command: Command,
 ) -> io::Result<ExitReason> {
     // FIXME (ogsudo): Initialize the policy plugin's session here.
@@ -61,6 +62,10 @@ pub(super) fn exec_no_pty(
         exec_command(file_closer, command, original_set, errpipe_tx);
     };
 
+    if let Some(spawner) = spawn_noexec_handler {
+        spawner.spawn();
+    }
+
     dev_info!("executed command with pid {command_pid}");
 
     let mut registry = EventRegistry::new();

src/exec/noexec.rs

@@ -255,14 +255,23 @@ fn send_fd(tx_fd: UnixStream, notify_fd: RawFd) -> io::Result<()> {
     }
 }
 
-pub(crate) fn add_noexec_filter(command: &mut Command, file_closer: &mut FileCloser) {
-    let (tx_fd, rx_fd) = UnixStream::pair().unwrap();
+pub(super) struct SpawnNoexecHandler(UnixStream);
+
+impl SpawnNoexecHandler {
+    pub(super) fn spawn(self) {
+        thread::spawn(move || {
+            let notify_fd = receive_fd(self.0);
+            // SAFETY: notify_fd is a valid seccomp_unotify fd.
+            unsafe { handle_notifications(OwnedFd::from_raw_fd(notify_fd)) };
+        });
+    }
+}
 
-    thread::spawn(move || {
-        let notify_fd = receive_fd(rx_fd);
-        // SAFETY: notify_fd is a valid seccomp_unotify fd.
-        unsafe { handle_notifications(OwnedFd::from_raw_fd(notify_fd)) };
-    });
+pub(crate) fn add_noexec_filter(
+    command: &mut Command,
+    file_closer: &mut FileCloser,
+) -> SpawnNoexecHandler {
+    let (tx_fd, rx_fd) = UnixStream::pair().unwrap();
 
     file_closer.except(&tx_fd);
 
@@ -327,4 +336,6 @@ pub(crate) fn add_noexec_filter(command: &mut Command, file_closer: &mut FileClo
             Ok(())
         });
     }
+
+    SpawnNoexecHandler(rx_fd)
 }

src/exec/use_pty/parent.rs

@@ -4,6 +4,7 @@ use std::io;
 use std::process::{Command, Stdio};
 
 use crate::exec::event::{EventHandle, EventRegistry, PollEvent, Process, StopReason};
+use crate::exec::noexec::SpawnNoexecHandler;
 use crate::exec::use_pty::monitor::exec_monitor;
 use crate::exec::use_pty::SIGCONT_FG;
 use crate::exec::{cond_fmt, handle_sigchld, signal_fmt, terminate_process, HandleSigchld};
@@ -30,6 +31,7 @@ use super::{CommandStatus, SIGCONT_BG};
 pub(in crate::exec) fn exec_pty(
     sudo_pid: ProcessId,
     mut file_closer: FileCloser,
+    spawn_noexec_handler: Option<SpawnNoexecHandler>,
     mut command: Command,
     user_tty: UserTerm,
 ) -> io::Result<ExitReason> {
@@ -205,6 +207,10 @@ pub(in crate::exec) fn exec_pty(
         _exit(1);
     };
 
+    if let Some(spawner) = spawn_noexec_handler {
+        spawner.spawn();
+    }
+
     // Close the file descriptors that we don't access
     drop(pty.follower);
     drop(backchannels.monitor);