mirror of
https://github.com/xemu-project/xemu.git
synced 2024-11-25 04:30:02 +00:00
4751fd5328
This function has to ensure it doesn't follow a symlink that could be used to escape the virtfs directory. This could be easily achieved if fchmodat() on linux honored the AT_SYMLINK_NOFOLLOW flag as described in POSIX, but it doesn't. There was a tentative to implement a new fchmodat2() syscall with the correct semantics: https://patchwork.kernel.org/patch/9596301/ but it didn't gain much momentum. Also it was suggested to look at an O_PATH based solution in the first place. The current implementation covers most use-cases, but it notably fails if: - the target path has access rights equal to 0000 (openat() returns EPERM), => once you've done chmod(0000) on a file, you can never chmod() again - the target path is UNIX domain socket (openat() returns ENXIO) => bind() of UNIX domain sockets fails if the file is on 9pfs The solution is to use O_PATH: openat() now succeeds in both cases, and we can ensure the path isn't a symlink with fstat(). The associated entry in "/proc/self/fd" can hence be safely passed to the regular chmod() syscall. The previous behavior is kept for older systems that don't have O_PATH. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Eric Blake <eblake@redhat.com> Tested-by: Zhi Yong Wu <zhiyong.wu@ucloud.cn> Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org> |
||
|---|---|---|
| .. | ||
| 9p-handle.c | ||
| 9p-local.c | ||
| 9p-local.h | ||
| 9p-posix-acl.c | ||
| 9p-proxy.c | ||
| 9p-proxy.h | ||
| 9p-synth.c | ||
| 9p-synth.h | ||
| 9p-util.c | ||
| 9p-util.h | ||
| 9p-xattr-user.c | ||
| 9p-xattr.c | ||
| 9p-xattr.h | ||
| 9p.c | ||
| 9p.h | ||
| codir.c | ||
| cofile.c | ||
| cofs.c | ||
| coth.c | ||
| coth.h | ||
| coxattr.c | ||
| Makefile.objs | ||
| trace-events | ||
| virtio-9p-device.c | ||
| virtio-9p.h | ||
| xen-9p-backend.c | ||
| xen-9pfs.h | ||