b003fc0d8a
We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make QEMU vulnerable. While here, we also fix local_unlinkat_common() to use openat_dir() for the same reasons (it was a leftover in the original patchset actually). This fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
61 lines
1.5 KiB
C
61 lines
1.5 KiB
C
/*
|
|
* 9p utilities
|
|
*
|
|
* Copyright IBM, Corp. 2017
|
|
*
|
|
* Authors:
|
|
* Greg Kurz <groug@kaod.org>
|
|
*
|
|
* This work is licensed under the terms of the GNU GPL, version 2 or later.
|
|
* See the COPYING file in the top-level directory.
|
|
*/
|
|
|
|
#ifndef QEMU_9P_UTIL_H
|
|
#define QEMU_9P_UTIL_H
|
|
|
|
static inline void close_preserve_errno(int fd)
|
|
{
|
|
int serrno = errno;
|
|
close(fd);
|
|
errno = serrno;
|
|
}
|
|
|
|
static inline int openat_dir(int dirfd, const char *name)
|
|
{
|
|
#ifdef O_PATH
|
|
#define OPENAT_DIR_O_PATH O_PATH
|
|
#else
|
|
#define OPENAT_DIR_O_PATH 0
|
|
#endif
|
|
return openat(dirfd, name,
|
|
O_DIRECTORY | O_RDONLY | O_NOFOLLOW | OPENAT_DIR_O_PATH);
|
|
}
|
|
|
|
static inline int openat_file(int dirfd, const char *name, int flags,
|
|
mode_t mode)
|
|
{
|
|
int fd, serrno, ret;
|
|
|
|
fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
|
|
mode);
|
|
if (fd == -1) {
|
|
return -1;
|
|
}
|
|
|
|
serrno = errno;
|
|
/* O_NONBLOCK was only needed to open the file. Let's drop it. */
|
|
ret = fcntl(fd, F_SETFL, flags);
|
|
assert(!ret);
|
|
errno = serrno;
|
|
return fd;
|
|
}
|
|
|
|
int relative_openat_nofollow(int dirfd, const char *path, int flags,
|
|
mode_t mode);
|
|
ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name,
|
|
void *value, size_t size);
|
|
int fsetxattrat_nofollow(int dirfd, const char *path, const char *name,
|
|
void *value, size_t size, int flags);
|
|
|
|
#endif
|