I understand why you're opening with O_PATH | O_CLOEXEC but I'm slightly confused by O_NOFOLLOW which prevents opening a symbolic link, which /proc/self/exe is, no?

@ixmatus O_NOFOLLOW prevents following the symlink. So when we later fstat and readlinkat we address the symlink itself, not the target.

From open(2), the section on O_PATH

If pathname is a symbolic link and the O_NOFOLLOW flag is also specified, then the call returns a file descriptor referring to the symbolic link.

@shlevy ah! That was the piece I was missing. Thank you for explaining.

One of my todos after adding setcap wrapper support that got lost in the cracks was to improve error messaging in the wrapper program. What do you think about checking the return and printing the error code to the user? Or perhaps we can do that if the debug env var is set? I think it would be useful if we did that.

Don't consider this a blocking comment, if you agree, we can address it in a refactoring-pass patch.

I do agree, yes. No need for a debug env var I think, the error path is allowed to be slow :)

@shlevy we already support a WRAPPER_DEBUG env var in this program code, so we could use that if you felt that was a slightly nicer way to surface these wrapper-specific errors to the user.

For example, you can turn it on like this:

$ WRAPPER_DEBUG=1 ping google.com
cap_setpcap in set, skipping it
raised cap_net_raw+p into the Ambient capability set
PING google.com(iad23s42-in-x200e.1e100.net (2607:f8b0:4004:80c::200e)) 56 data bytes
64 bytes from iad23s42-in-x200e.1e100.net (2607:f8b0:4004:80c::200e): icmp_seq=1 ttl=51 time=40.1 ms
64 bytes from iad23s42-in-x200e.1e100.net (2607:f8b0:4004:80c::200e): icmp_seq=2 ttl=51 time=39.9 ms

I think WRAPPER_DEBUG makes sense for debug info, but on the error path I don't think it's necessary. Especially since it's often too late to turn on WRAPPER_DEBUG when you hit an issue 😄

Yeah, that is a good point.

By "it's not going to be around for long..." you mean that the operating system will clean this up once the program exits? What is the purpose of purposefully leaking (sorry if I'm being thick)?

@ixmatus Our last use of selfPath is just before execve. If that succeeds, the memory will be freed. If it fails, it will be freed when we exit a few lines later. The only reason to explicitly call free would be to satisfy humans checking for good coding practices, and the explicit comment is easier to find than scanning for the matching free IMO. But happy to throw in a free if that would be better.

The "purposefully" bit is just to say "I know this is leaked, it's not an error" for reviewers :)

@shlevy oh I understand. I think being explicit with a free would be clearer than being implicit and explaining that with a comment.

I like this, I think it's better than the PATH_MAX that I was pretty unhappy about to begin with.

I agree, given that we are sizing selfPathCap correctly this code path is unlikely to be hit since we do not need to be concerned about truncation. I also think it is fine to leave the check in here.

However, would it be too much trouble to explain this a bit more in the comment?

@ixmatus Sure, will do.

Nit: s/pointint/pointing

😄 Caught this simultaneously

Shouldn't this always fail? I mean, selfPathSize is the number of bytes put into the buffer, terminating-zero included, and selfPathCap is the size without terminating zero, plus 1.

No, selfPathSize is the result of readlinkat which also lacks the 0.

I'll update the comments with this though.

Just in case there were not enough ways to start a heap walk… Missed that, yes, my bad.