4751fd5328
This function has to ensure it doesn't follow a symlink that could be used to escape the virtfs directory. This could be easily achieved if fchmodat() on linux honored the AT_SYMLINK_NOFOLLOW flag as described in POSIX, but it doesn't. There was a tentative to implement a new fchmodat2() syscall with the correct semantics: https://patchwork.kernel.org/patch/9596301/ but it didn't gain much momentum. Also it was suggested to look at an O_PATH based solution in the first place. The current implementation covers most use-cases, but it notably fails if: - the target path has access rights equal to 0000 (openat() returns EPERM), => once you've done chmod(0000) on a file, you can never chmod() again - the target path is UNIX domain socket (openat() returns ENXIO) => bind() of UNIX domain sockets fails if the file is on 9pfs The solution is to use O_PATH: openat() now succeeds in both cases, and we can ensure the path isn't a symlink with fstat(). The associated entry in "/proc/self/fd" can hence be safely passed to the regular chmod() syscall. The previous behavior is kept for older systems that don't have O_PATH. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Eric Blake <eblake@redhat.com> Tested-by: Zhi Yong Wu <zhiyong.wu@ucloud.cn> Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
65 lines
1.5 KiB
C
65 lines
1.5 KiB
C
/*
|
|
* 9p utilities
|
|
*
|
|
* Copyright IBM, Corp. 2017
|
|
*
|
|
* Authors:
|
|
* Greg Kurz <groug@kaod.org>
|
|
*
|
|
* This work is licensed under the terms of the GNU GPL, version 2 or later.
|
|
* See the COPYING file in the top-level directory.
|
|
*/
|
|
|
|
#ifndef QEMU_9P_UTIL_H
|
|
#define QEMU_9P_UTIL_H
|
|
|
|
#ifdef O_PATH
|
|
#define O_PATH_9P_UTIL O_PATH
|
|
#else
|
|
#define O_PATH_9P_UTIL 0
|
|
#endif
|
|
|
|
static inline void close_preserve_errno(int fd)
|
|
{
|
|
int serrno = errno;
|
|
close(fd);
|
|
errno = serrno;
|
|
}
|
|
|
|
static inline int openat_dir(int dirfd, const char *name)
|
|
{
|
|
return openat(dirfd, name,
|
|
O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_PATH_9P_UTIL);
|
|
}
|
|
|
|
static inline int openat_file(int dirfd, const char *name, int flags,
|
|
mode_t mode)
|
|
{
|
|
int fd, serrno, ret;
|
|
|
|
fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
|
|
mode);
|
|
if (fd == -1) {
|
|
return -1;
|
|
}
|
|
|
|
serrno = errno;
|
|
/* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
|
|
* do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
|
|
* ignored it anyway.
|
|
*/
|
|
if (!(flags & O_PATH_9P_UTIL)) {
|
|
ret = fcntl(fd, F_SETFL, flags);
|
|
assert(!ret);
|
|
}
|
|
errno = serrno;
|
|
return fd;
|
|
}
|
|
|
|
ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name,
|
|
void *value, size_t size);
|
|
int fsetxattrat_nofollow(int dirfd, const char *path, const char *name,
|
|
void *value, size_t size, int flags);
|
|
|
|
#endif
|