Reject directory stdio fds unless explicitly passed

[Vincent550102]

Summary

Reject directory file descriptors on the default stdio fds before executing the jailed process.

nsjail keeps fd 0, 1, and 2 open by default. If one of those descriptors is a directory fd, the jailed process can still use it as a filesystem capability after execve with calls such as fchdir(2) or openat(2).

This change fails closed when a default stdio fd is a directory. Explicit --pass_fd / config pass_fd behavior is preserved, so users who intentionally pass a directory fd can still do so explicitly.

Changes

• Track fds that were explicitly requested through --pass_fd or config pass_fd.
• Reject directory fds on default stdio descriptors 0, 1, and 2 unless explicitly passed.
• Document the stdio directory-fd behavior in the --pass_fd help text.
• Add regression coverage for rejecting default directory stdin while allowing explicit --pass_fd 0.

Testing

make -j$(nproc)

Passed.

./nsjail -q -Mo --chroot / --user 99999 --group 99999 -- /bin/true < /tmp

Returned 255 as expected and rejected default directory stdin.

./nsjail -q -Mo --chroot / --user 99999 --group 99999 --pass_fd 0 -- /bin/true < /tmp

Returned 0 as expected and preserved explicit --pass_fd 0 behavior.

timeout 180 make test

The newly added stdio-fd regression tests passed. The full test run stopped later at the existing tests/pasta-nat.cfg case because ping inside the pasta NAT test returned 1 instead of the expected 77. I reproduced the same tests/pasta-nat.cfg failure on an unmodified HEAD worktree in this environment, so it is not introduced by this change.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.