Add proper duplicates of stdout/stderr and make it possible to add stdin

fwsGonzo · fwsGonzo · commit d8298c30c362 · 2025-09-12T22:35:03.000+02:00
diff --git a/lib/tinykvm/linux/fds.cpp b/lib/tinykvm/linux/fds.cpp
@@ -32,11 +32,14 @@ namespace tinykvm
 		: m_machine(machine),
 		  m_current_working_directory_fd(AT_FDCWD)
 	{
-		// XXX: TODO: Create proper redirects for stdout/stderr by
-		// for example providing a pipe to stdout/stderr.
-		m_fds[0] = Entry{ .real_fd = 0, .is_writable = false }; // stdin
-		m_fds[1] = Entry{ .real_fd = 1, .is_writable = true };  // stdout
-		m_fds[2] = Entry{ .real_fd = 2, .is_writable = true };  // stderr
+		// Create proper redirects for stdin/stdout/stderr
+		const int stdout_fd = dup(1);
+		const int stderr_fd = dup(2);
+		if (stdout_fd < 0 || stderr_fd < 0) {
+			throw std::runtime_error("TinyKVM: Failed to duplicate stdout/stderr");
+		}
+		m_fds[1] = Entry{ .real_fd = stdout_fd, .is_writable = true };  // stdout
+		m_fds[2] = Entry{ .real_fd = stderr_fd, .is_writable = true };  // stderr
 	}
 
 	FileDescriptors::~FileDescriptors()
@@ -48,6 +51,16 @@ namespace tinykvm
 		}
 	}
 
+	void FileDescriptors::duplicate_and_add_stdin()
+	{
+		// Create a duplicate of stdin (0) and add it to the list of managed FDs.
+		const int stdin_fd = dup(0);
+		if (stdin_fd < 0) {
+			throw std::runtime_error("TinyKVM: Failed to duplicate stdin");
+		}
+		m_fds[0] = Entry{ .real_fd = stdin_fd, .is_writable = false }; // stdin
+	}
+
 	void FileDescriptors::reset_to(const FileDescriptors& other)
 	{
 		// Close all current file descriptors, except if forked
@@ -166,7 +179,8 @@ namespace tinykvm
 
 	int FileDescriptors::manage(int fd, bool is_socket, bool is_writable)
 	{
-		if (fd < 0) {
+		(void)is_socket; // Unused
+		if (fd <= 2) {
 			throw std::runtime_error("TinyKVM: Invalid file descriptor in FileDescriptors::add()");
 		}
 		if (this->m_max_total_fds_opened != 0 && this->m_total_fds_opened >= this->m_max_total_fds_opened) {
@@ -213,7 +227,7 @@ namespace tinykvm
 	FileDescriptors::Entry& FileDescriptors::manage_as(int vfd, int fd, bool is_socket, bool is_writable)
 	{
 		(void)is_socket; // Unused
-		if (fd < 0) {
+		if (fd <= 2) {
 			throw std::runtime_error("TinyKVM: Invalid fd in FileDescriptors::manage_as()");
 		}
 		if (this->m_max_total_fds_opened != 0 &&
diff --git a/lib/tinykvm/linux/fds.hpp b/lib/tinykvm/linux/fds.hpp
@@ -43,6 +43,12 @@ namespace tinykvm
 		~FileDescriptors();
 		void reset_to(const FileDescriptors& other);
 
+		/// @brief Create a duplicate of, and insert stdin (0)
+		/// @warning stdin is dangerous to add to a sandbox, as it allows
+		/// interaction with the user (and the possibility of accidentally
+		/// pasting something into the terminal).
+		void duplicate_and_add_stdin();
+
 		/// @brief Add a file descriptor to the list of managed FDs.
 		/// @param fd The real file descriptor.
 		/// @param is_socket True if the file descriptor is a socket.
@@ -183,7 +189,7 @@ namespace tinykvm
 		/// @brief Get the number of sockets that are currently open.
 		/// @return The number of sockets that are currently open.
 		uint16_t get_current_sockets_opened() const noexcept {
-			return m_fds.size() - m_stdout_redirects.size();
+			return m_fds.size();
 		}
 
 		/// @brief Set a callback for connecting a socket. This is used to check if a
@@ -295,7 +301,6 @@ namespace tinykvm
 		Machine& m_machine;
 		std::map<int, Entry> m_fds;
 		int m_next_fd = VFD_START;
-		std::array<int, 3> m_stdout_redirects { 0, 1, 2 };
 		std::string m_current_working_directory;
 		int m_current_working_directory_fd = -1;
 		bool m_verbose = false;
diff --git a/lib/tinykvm/linux/system_calls.cpp b/lib/tinykvm/linux/system_calls.cpp
@@ -102,7 +102,7 @@ void Machine::setup_linux_system_calls(bool unsafe_syscalls)
 				if (UNLIKELY(bytes > 1024*64)) {
 					regs.rax = -1;
 					cpu.set_registers(regs);
-					SYSPRINT("write(fd=%d (%d), data=0x%llX, size=%zu) = %lld\n",
+					SYSPRINT("write(fd=%d (%d), data=0x%llX, size=%zu) = %lld (overflow)\n",
 						vfd, vfd, regs.rsi, bytes, regs.rax);
 					return;
 				}
@@ -138,6 +138,8 @@ void Machine::setup_linux_system_calls(bool unsafe_syscalls)
 						cpu.machine().print(buffer.begin(), buffer.size());
 					});
 				regs.rax = bytes;
+				SYSPRINT("write(fd=%d (%d), data=0x%llX, size=%zu) = %lld (stdio)\n",
+					vfd, vfd, regs.rsi, bytes, regs.rax);
 			}
 			cpu.set_registers(regs);
 		});
@@ -2516,7 +2518,7 @@ void Machine::setup_linux_system_calls(bool unsafe_syscalls)
 			const int fd = cpu.machine().fds().translate(vfd);
 			const uint64_t g_event = regs.r10;
 			struct epoll_event event {};
-			if (epollfd > 0 && fd >= 0)
+			if (epollfd > 0 && fd >= 0 && epollfd != fd)
 			{
 				if (g_event != 0x0) {
 					cpu.machine().copy_from_guest(&event, g_event, sizeof(event));
@@ -2534,8 +2536,10 @@ void Machine::setup_linux_system_calls(bool unsafe_syscalls)
 					}
 					regs.rax = 0;
 				}
+			} else if (epollfd < 0 || fd < 0) {
+				regs.rax = -EBADF;
 			} else {
-				regs.rax = -ENOENT;
+				regs.rax = -EINVAL;
 			}
 			cpu.set_registers(regs);
 			if (UNLIKELY(cpu.machine().m_verbose_system_calls))
