diff options
| author | Greg Kurz | 2017-08-10 14:21:04 +0200 |
|---|---|---|
| committer | Greg Kurz | 2017-08-10 14:36:11 +0200 |
| commit | 4751fd5328dfcd4fe2f9055728a72a0e3ae56512 (patch) | |
| tree | 31dc8f1adcd726b7a08d92c057a6ee91d15a88f0 /include/exec | |
| parent | Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.10-20170809' int... (diff) | |
| download | qemu-4751fd5328dfcd4fe2f9055728a72a0e3ae56512.tar.gz qemu-4751fd5328dfcd4fe2f9055728a72a0e3ae56512.tar.xz qemu-4751fd5328dfcd4fe2f9055728a72a0e3ae56512.zip | |
9pfs: local: fix fchmodat_nofollow() limitations
This function has to ensure it doesn't follow a symlink that could be used
to escape the virtfs directory. This could be easily achieved if fchmodat()
on linux honored the AT_SYMLINK_NOFOLLOW flag as described in POSIX, but
it doesn't. There was a tentative to implement a new fchmodat2() syscall
with the correct semantics:
https://patchwork.kernel.org/patch/9596301/
but it didn't gain much momentum. Also it was suggested to look at an O_PATH
based solution in the first place.
The current implementation covers most use-cases, but it notably fails if:
- the target path has access rights equal to 0000 (openat() returns EPERM),
=> once you've done chmod(0000) on a file, you can never chmod() again
- the target path is UNIX domain socket (openat() returns ENXIO)
=> bind() of UNIX domain sockets fails if the file is on 9pfs
The solution is to use O_PATH: openat() now succeeds in both cases, and we
can ensure the path isn't a symlink with fstat(). The associated entry in
"/proc/self/fd" can hence be safely passed to the regular chmod() syscall.
The previous behavior is kept for older systems that don't have O_PATH.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Zhi Yong Wu <zhiyong.wu@ucloud.cn>
Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Diffstat (limited to 'include/exec')
0 files changed, 0 insertions, 0 deletions