linux: initial hardening for /proc paths

[giuseppe]

not an exhaustive list but implement some hardening for opens under /proc

Summary by Sourcery

Harden filesystem interactions under /proc by introducing container-scoped directory file descriptors and replacing all direct /proc path opens and writes with secure openat-based helpers.

Enhancements:

• Add proc_fd to container context and utility functions libcrun_get_cached_proc_fd, libcrun_open_proc_file, and libcrun_open_proc_pid_file for safer /proc access.
• Refactor all direct /proc/* file open and write operations (uid_map, gid_map, setgroups, keycreate, caps, selinux, apparmor, sysctl, oom_score_adj, etc.) to use the new helpers and safe_write to mitigate TOCTOU and path-based vulnerabilities.
• Update APIs across namespace mapping, security labeling, cap initialization, file descriptor management, and mount handling to accept a container parameter and leverage the hardened /proc access model.
• Automatically close the cached /proc directory file descriptor when the container is freed.

[sourcery-ai]

Reviewer's Guide

This patch hardens all /proc interactions by introducing container-aware helpers that cache a /proc directory file descriptor and perform openat calls, replacing ad-hoc path formatting and direct opens/writes; it refactors numerous functions to accept a libcrun_container_t* for secure proc file access and uses safer read/write wrappers.

File-Level Changes

Change	Details	Files
Abstract /proc file operations behind container context	Add container->proc_fd caching for /proc directory Implement libcrun_get_cached_proc_fd, libcrun_open_proc_file, libcrun_open_proc_pid_file helpers Initialize and cleanup proc_fd in container creation/free	src/libcrun/container.c src/libcrun/utils.c src/libcrun/utils.h
Replace manual /proc path building and write_file with safe write via proc fds	Remove snprintf+write_file for uid_map/gid_map, use libcrun_open_proc_pid_file + safe_write Manage fd cleanup and reuse in maybe_create_userns_for_idmapped_mount Update libcrun_set_usernamespace to use proc helpers for maps	src/libcrun/linux.c
Harden various security and namespace operations to use proc helpers	Refactor libcrun_create_keyring, libcrun_init_caps, deny_setgroups, can_setgroups, libcrun_set_selinux_label, libcrun_set_apparmor_profile, libcrun_set_oom, libcrun_set_sysctl to open proc files via helpers Update error reporting to reference canonical /proc/... paths Adjust security attribute functions to call libcrun_open_proc_file instead of open	src/libcrun/linux.c src/libcrun/utils.c src/libcrun/utils.h src/libcrun/linux.h
Refactor FD marking/closing logic to use container and proc fd	Change mark_or_close_fds_ge_than signature to accept container pointer Use libcrun_open_proc_file on self/fd and check_proc_super_magic before scanning Propagate container context to callers of FD cleanup	src/libcrun/utils.c src/libcrun/utils.h

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[giuseppe]

@kolyshkin PTAL

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `src/libcrun/utils.c:2855` </location>
<code_context>
+  if (proc_fd < 0)
+    return proc_fd;
+
+  return TEMP_FAILURE_RETRY (openat (proc_fd, path, flags | O_CLOEXEC));
+}
+
</code_context>

<issue_to_address>
**suggestion:** Always adding O_CLOEXEC may override caller intent.

Check if O_CLOEXEC is already set in flags before adding it, or clarify in documentation that this function enforces O_CLOEXEC regardless of caller intent.

```suggestion
  if (!(flags & O_CLOEXEC))
    flags |= O_CLOEXEC;
  return TEMP_FAILURE_RETRY (openat (proc_fd, path, flags));
```
</issue_to_address>

### Comment 2
<location> `src/libcrun/utils.c:2843` </location>
<code_context>
+      if (container->proc_fd < 0)
+        return crun_make_error (err, errno, "open `/proc`");
+    }
+  return container->proc_fd;
+}
+
</code_context>

<issue_to_address>
**question (bug_risk):** proc_fd lifetime may not match container usage.

If the container is used after fork or exec, proc_fd may be invalid. Please clarify its intended lifetime or ensure it is revalidated as needed.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion: Always adding O_CLOEXEC may override caller intent.

Check if O_CLOEXEC is already set in flags before adding it, or clarify in documentation that this function enforces O_CLOEXEC regardless of caller intent.

Suggested change

	return TEMP_FAILURE_RETRY (openat (proc_fd, path, flags | O_CLOEXEC));
	if (!(flags & O_CLOEXEC))
	flags |= O_CLOEXEC;
	return TEMP_FAILURE_RETRY (openat (proc_fd, path, flags));

[sourcery-ai]

question (bug_risk): proc_fd lifetime may not match container usage.

If the container is used after fork or exec, proc_fd may be invalid. Please clarify its intended lifetime or ensure it is revalidated as needed.

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[giuseppe]

@flouthoc PTAL

[flouthoc]

LGTM