author | Lennart Poettering <lennart@poettering.net> | 2024-02-27 17:50:45 +0100 |
committer | Lennart Poettering <lennart@poettering.net> | 2024-03-11 14:49:51 +0100 |
commit | 9f65355b85c59cea585ac3dce2305a1461c283a4 (patch) | |
tree | 92fbca5e98f9e6f6a2b5501bdba034375d0128d7 /src/basic/fd-util.c | |
parent | Merge pull request #31711 from YHNdnzj/gpt-auto-has-node (diff) | |
fd-util: beef up fd_verify_safe_flags() features
Let's make fd_verify_safe_flags() even more useful:
1. let's return the cleaned up flags (i.e. just the access mode) after
validation, hiding all the noise, such as O_NOFOLLOW, O_LARGEFILE and
similar.
2. let's add a "full" version of the call that allows passing additional
flags that are OK to be set.
Diffstat (limited to 'src/basic/fd-util.c')
-rw-r--r-- | src/basic/fd-util.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c
index c16a2ab658..8372c54918 100644
--- a/src/basic/fd-util.c
+++ b/src/basic/fd-util.c
@@ -913,21 +913,21 @@ int fd_is_opath(int fd) {
 return FLAGS_SET(r, O_PATH);
 }
 
-int fd_verify_safe_flags(int fd) {
+int fd_verify_safe_flags_full(int fd, int extra_flags) {
 int flags, unexpected_flags;
 
 /* Check if an extrinsic fd is safe to work on (by a privileged service). This ensures that clients
 * can't trick a privileged service into giving access to a file the client doesn't already have
 * access to (especially via something like O_PATH).
 *
- * O_NOFOLLOW: For some reason the kernel will return this flag from fcntl; it doesn't go away
+ * O_NOFOLLOW: For some reason the kernel will return this flag from fcntl(); it doesn't go away
 * immediately after open(). It should have no effect whatsoever to an already-opened FD,
 * and since we refuse O_PATH it should be safe.
 *
 * RAW_O_LARGEFILE: glibc secretly sets this and neglects to hide it from us if we call fcntl.
 * See comment in missing_fcntl.h for more details about this.
 *
- * O_DIRECTORY: this is set for directories, which are totally fine
+ * If 'extra_flags' is specified as non-zero the included flags are also allowed.
 */
 
 assert(fd >= 0);
@@ -936,13 +936,13 @@ int fd_verify_safe_flags(int fd) {
 if (flags < 0)
 return -errno;
 
-        unexpected_flags = flags & ~(O_ACCMODE|O_NOFOLLOW|RAW_O_LARGEFILE|O_DIRECTORY);
+        unexpected_flags = flags & ~(O_ACCMODE|O_NOFOLLOW|RAW_O_LARGEFILE|extra_flags);
 if (unexpected_flags != 0)
 return log_debug_errno(SYNTHETIC_ERRNO(EREMOTEIO),
 "Unexpected flags set for extrinsic fd: 0%o",
 (unsigned) unexpected_flags);
 
-        return 0;
+        return flags & (O_ACCMODE | extra_flags); /* return the flags variable, but remove the noise */
 }
 
 int read_nr_open(void) { |
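Review bot: The new `extra_flags` parameter is never validated, so the safety argument in the comment ("since we refuse O_PATH it should be safe") only holds if no caller passes O_PATH in `extra_flags`; in the second hunk, `flags & ~(O_ACCMODE|O_NOFOLLOW|RAW_O_LARGEFILE|extra_flags)` would then mask an O_PATH fd straight through and the privileged-service check is silently defeated. A cheap invariant next to the existing `assert(fd >= 0);` pins this down: `assert(!FLAGS_SET(extra_flags, O_PATH));`. The comment in the first hunk should also say that `extra_flags` must not contain O_PATH, since the function's whole purpose is to refuse it. Separately, O_DIRECTORY is no longer accepted by default; if the `fd_verify_safe_flags()` wrapper (not in this file section) passes 0, callers that previously validated directory fds now need to pass O_DIRECTORY explicitly, which is worth confirming against the header. Note too that success now returns a non-negative flag value rather than 0, so any caller comparing the result against 0 rather than `< 0` would misinterpret it.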