open kafel file in each kafel subproc individually to avoid file pos sharing

cmdline.c

@@ -368,7 +368,8 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) {
 	    .iface_vs_ip = "0.0.0.0",
 	    .iface_vs_nm = "255.255.255.0",
 	    .iface_vs_gw = "0.0.0.0",
-	    .kafel_file = NULL,
+	    .kafel_file_path = NULL,
+	    .kafel_file_ptr = NULL,
 	    .kafel_string = NULL,
 	    .orig_uid = getuid(),
 	    .num_cpus = sysconf(_SC_NPROCESSORS_ONLN),
@@ -740,8 +741,11 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) {
 			nsjconf->cgroup_net_cls_parent = optarg;
 			break;
 		case 'P':
-			if ((nsjconf->kafel_file = fopen(optarg, "r")) == NULL) {
-				PLOG_F("Couldn't open '%s'", optarg);
+			nsjconf->kafel_file_path = optarg;
+			if (access(nsjconf->kafel_file_path, R_OK) == -1) {
+				PLOG_E("kafel config file '%s' cannot be opened for reading",
+				    nsjconf->kafel_file_path);
+				return false;
 			}
 			break;
 		case 0x0901:

config.cc

@@ -251,10 +251,10 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC
 	}
 
 	if (njc.has_seccomp_policy_file()) {
-		if ((nsjconf->kafel_file = fopen(njc.seccomp_policy_file().c_str(), "rb")) ==
-		    NULL) {
+		nsjconf->kafel_file_path = njc.seccomp_policy_file().c_str();
+		if (access(nsjconf->kafel_file_path, R_OK) == -1) {
 			PLOG_W("Couldn't open file with seccomp policy '%s'",
-			    njc.seccomp_policy_file().c_str());
+			    nsjconf->kafel_file_path);
 			return false;
 		}
 	}

nsjail.h

@@ -173,8 +173,9 @@ struct nsjconf_t {
 	const char* cgroup_net_cls_mount;
 	const char* cgroup_net_cls_parent;
 	unsigned int cgroup_net_cls_classid;
-	FILE* kafel_file;
-	char* kafel_string;
+	const char* kafel_file_path;
+	FILE* kafel_file_ptr;
+	const char* kafel_string;
 	long num_cpus;
 	uid_t orig_uid;
 	TAILQ_HEAD(udmaplist, idmap_t)

sandbox.c

@@ -34,18 +34,15 @@
 #endif /* PR_SET_NO_NEW_PRIVS */
 
 static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) {
-	if (nsjconf->kafel_file == NULL && nsjconf->kafel_string == NULL) {
+	if (nsjconf->kafel_file_ptr == NULL && nsjconf->kafel_string == NULL) {
 		return true;
 	}
 	struct sock_fprog seccomp_fprog;
 
 	kafel_ctxt_t ctxt = kafel_ctxt_create();
 
-	if (nsjconf->kafel_file != NULL) {
-		if (fseek(nsjconf->kafel_file, 0L, SEEK_SET) == -1) {
-			PLOG_W("fseek(kafel_file, 0, SEEK_SET)");
-		}
-		kafel_set_input_file(ctxt, nsjconf->kafel_file);
+	if (nsjconf->kafel_file_ptr != NULL) {
+		kafel_set_input_file(ctxt, nsjconf->kafel_file_ptr);
 	} else {
 		kafel_set_input_string(ctxt, nsjconf->kafel_string);
 	}
@@ -69,3 +66,14 @@ static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) {
 }
 
 bool sandboxApply(struct nsjconf_t* nsjconf) { return sandboxPrepareAndCommit(nsjconf); }
+
+bool sandboxPrepare(struct nsjconf_t* nsjconf) {
+	if (nsjconf->kafel_file_path == NULL) {
+		return true;
+	}
+	if ((nsjconf->kafel_file_ptr = fopen(nsjconf->kafel_file_path, "r")) == NULL) {
+		PLOG_W("Couldn't open kafel policy file '%s'", nsjconf->kafel_file_path);
+		return false;
+	}
+	return true;
+}

sandbox.h

@@ -27,5 +27,6 @@
 #include "nsjail.h"
 
 bool sandboxApply(struct nsjconf_t* nsjconf);
+bool sandboxPrepare(struct nsjconf_t* nsjconf);
 
 #endif /* NS_SANDBOX_H */

subproc.c

@@ -130,6 +130,9 @@ static bool subprocReset(void) {
 
 static int subprocNewProc(
     struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd) {
+	if (sandboxPrepare(nsjconf) == false) {
+		_exit(0xff);
+	}
 	if (containSetupFD(nsjconf, fd_in, fd_out, fd_err) == false) {
 		_exit(0xff);
 	}